authorAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
committerAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
commitc6f2fd36e0a8188e1f6b2a15b292e3d0a5610ac4 (patch)
treed1c21cf0d9a2529154b33438bd91821268be5eb4 /roles/pf/templates
🎉 Initial commit of infraHEADmain
Diffstat (limited to 'roles/pf/templates')
-rw-r--r--roles/pf/templates/pf.conf.j256
1 files changed, 56 insertions, 0 deletions
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..8819ee0
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,56 @@
+# our interface
+ext_if = "em0"
+
+# IPv6 link local prefix.
+PFX_LNKLOC = "fe80::/10"
+
+# IPv6 Solicited Node Multicast Prefix.
+MC_SOLNOD = "ff02::1:ff00:0/104"
+
+# IPv6 All Nodes Link Local Multicast Address.
+MC_NODLNK = "ff02::1"
+
+# skip loopback
+set skip on lo0
+set loginterface $ext_if
+set block-policy drop
+
+scrub in on $ext_if
+
+## RULES ##
+
+# block and log all traffic not matching below rules
+block in
+
+# allow ssh traffic to the host on the custom port
+pass in quick proto tcp to port 2223
+
+# allow http/https
+pass in quick proto {tcp, udp} to port { http, https }
+
+# allow ssh for gubbhub
+pass in quick proto tcp to port 2224
+
+# ping
+pass in quick inet6 proto icmp6 icmp6-type echoreq
+pass in quick inet proto icmp icmp-type echoreq
+
+# ipv6 stuff
+
+# Allow NS from unspecified to solicited node multicast address (DAD).
+pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state
+
+# Allow IPv6 Router Discovery.
+pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state
+
+# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
+pass in quick inet6 proto icmp6 to { ($ext_if), $MC_SOLNOD } icmp6-type { neighbrsol, neighbradv } no state
+
+# Allow any outgoing traffic
+pass out
+
+# TODO: We seem to not only get neighbor advertisements from the local subnet? How does
+# this work?
+#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
+#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state
+
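Review bot: The comment above `block in` says the rule blocks and logs, but without the `log` keyword nothing reaches pflog; `set loginterface $ext_if` only keeps interface counters, so dropped traffic is invisible to whoever reads the log later. Either make the rule `block in log` or change the comment to `# block all traffic not matching below rules` so the two agree. The http/https rule also passes UDP to ports 80 and 443; if that is meant for HTTP/3 it is worth saying so in the comment (`# allow http/https (udp 443 for QUIC)`), and if not, the rule can be narrowed to `pass in quick proto tcp to port { http, https }`. The two ssh rules (2223, 2224) have no `keep state` options such as `max-src-conn-rate` with an overload table, which is the usual pf pattern for slowing brute-force attempts on exposed ssh ports; this is optional but inexpensive in a firewall template.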