From c6f2fd36e0a8188e1f6b2a15b292e3d0a5610ac4 Mon Sep 17 00:00:00 2001
From: Albert Cervin
Date: Sun, 19 Mar 2023 17:18:01 +0100
Subject: =?UTF-8?q?=F0=9F=8E=89=20Initial=20commit=20of=20infra?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
roles/pf/handlers/main.yml | 15 ++++++++++++
roles/pf/tasks/main.yml | 19 +++++++++++++++
roles/pf/templates/pf.conf.j2 | 56 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 90 insertions(+)
create mode 100644 roles/pf/handlers/main.yml
create mode 100644 roles/pf/tasks/main.yml
create mode 100644 roles/pf/templates/pf.conf.j2
(limited to 'roles/pf')
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
new file mode 100644
index 0000000..4baf234
--- /dev/null
+++ b/roles/pf/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: start pflog
+ service:
+ name: pflog
+ state: started
+
+- name: start pf
+ service:
+ name: pf
+ state: started
+ async: 45
+ poll: 5
+
+- name: reload pf
+ shell: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
new file mode 100644
index 0000000..b7c405a
--- /dev/null
+++ b/roles/pf/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: enable pf
+ community.general.sysrc:
+ name: pf_enable
+ value: "YES"
+ notify: start pf
+
+- name: enable pflog
+ community.general.sysrc:
+ name: pflog_enable
+ value: "YES"
+ notify: start pflog
+
+- name: template pf.conf
+ template:
+ src: pf.conf.j2
+ dest: /etc/pf.conf
+ notify: reload pf
+
+- meta: flush_handlers
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..8819ee0
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
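Review bot: The `reload pf` handler at the end of this hunk runs `pfctl -nf` only after the `template pf.conf` task in roles/pf/tasks/main.yml has already written /etc/pf.conf, so a ruleset that fails the check is left on disk and is what the pf rc script will try to load at the next boot. Validation belongs on the template task, `validate: pfctl -nf %s`, which refuses to write the file at all when the check fails; this handler then only needs `command: pfctl -f /etc/pf.conf` (or `service: name=pf state=reloaded`) and no longer requires `shell` for the `&&`. The `async: 45` / `poll: 5` on `start pf` looks intended to survive the connection drop when pf first starts; a one-line comment saying so, e.g. `# starting pf can reset the SSH session; run it async so the play survives`, would stop the next reader from removing it. Note also that `flush_handlers` runs these in the order defined here (pflog, pf, reload), not in notification order.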
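Review bot: The `template pf.conf` task writes the host's entire firewall policy with no `backup: true` and no explicit `mode`/`owner`, so a bad push leaves nothing on the box to roll back to and the file's permissions depend on the controller's umask. Adding `backup: true` and `mode: "0644"` (with `owner: root`) next to `dest: /etc/pf.conf` keeps the previous ruleset at hand when the reload handler fails and makes the permissions deterministic. The validation-before-write point for this task is raised on the handlers hunk.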
@@ -0,0 +1,56 @@
+# our interface
+ext_if = "em0"
+
+# IPv6 link local prefix.
+PFX_LNKLOC = "fe80::/10"
+
+# IPv6 Solicited Node Multicast Prefix.
+MC_SOLNOD = "ff02::1:ff00:0/104"
+
+# IPv6 All Nodes Link Local Multicast Address.
+MC_NODLNK = "ff02::1"
+
+# skip loopback
+set skip on lo0
+set loginterface $ext_if
+set block-policy drop
+
+scrub in on $ext_if
+
+## RULES ##
+
+# block and log all traffic not matching below rules
+block in
+
+# allow ssh traffic to the host on the custom port
+pass in quick proto tcp to port 2223
+
+# allow http/https
+pass in quick proto {tcp, udp} to port { http, https }
+
+# allow ssh for gubbhub
+pass in quick proto tcp to port 2224
+
+# ping
+pass in quick inet6 proto icmp6 icmp6-type echoreq
+pass in quick inet proto icmp icmp-type echoreq
+
+# ipv6 stuff
+
+# Allow NS from unspecified to solicited node multicast address (DAD).
+pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state
+
+# Allow IPv6 Router Discovery.
+pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state
+
+# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
+pass in quick inet6 proto icmp6 to { ($ext_if), $MC_SOLNOD } icmp6-type { neighbrsol, neighbradv } no state
+
+# Allow any outgoing traffic
+pass out
+
+# TODO: We seem to not only get neighbor advertisements from the local subnet? How does
+# this work?
+#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
+#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state
+
-- cgit v1.2.3
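Review bot: The default-deny rule under "block and log all traffic not matching below rules" is written as `block in` with no `log` keyword, so dropped packets never reach pflog0 even though the role goes to the trouble of enabling pflog; `block in log` makes the rule do what its comment says and gives the host a record of rejected connections. The ICMPv6 section passes echo and neighbor/router discovery but none of the error messages IPv6 hosts need for path MTU discovery, so a line such as `pass in quick inet6 proto icmp6 icmp6-type { toobig, unreach, timex, paramprob }` next to the ping rules (and `unreach` for inet) avoids silently black-holing large responses. The two SSH rules for ports 2223 and 2224 accept from any source with no connection-rate limit; if that fits this host, `max-src-conn-rate` with an `overload` table on those rules is the usual pf way to slow password guessing. `ext_if = "em0"` is hard-coded in a .j2 file that otherwise uses no template variables, so either comment that the interface name is intentional or derive it from an Ansible fact so the role ports to other hardware.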