commit 1565f996081bb009e8e96987c1d542bd01218e64
parent 7c915015c4f574d18e795da96e9bace32479a237
Author: Paco Esteban <paco@e1e0.net>
Date: Mon, 6 Jan 2020 17:25:03 +0100
new pf role
Diffstat:
4 files changed, 61 insertions(+), 0 deletions(-)
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+pf_external_interface: "vio0"
+
+pf_tcp_ports_allowed:
+ - 80
+ - 443
+
+pf_udp_ports_allowed: []
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: load pf rules
+ command: /sbin/pfctl -f /etc/pf.conf
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Create pf.conf
+ template:
+ src: templates/pf.conf.j2
+ dest: /etc/pf.conf
+ owner: root
+ group: wheel
+ mode: 0640
+ notify:
+ - load pf rules
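Review bot: The rendered rules are written to /etc/pf.conf before anything checks that they parse, so a template error leaves a broken file in place and only surfaces when the `load pf rules` handler fails. The template module can run a parse check on the temporary file before it replaces the destination: add `validate: /sbin/pfctl -nf %s` alongside `mode: 0640`. That keeps the last known-good ruleset on disk when a rendering is invalid, which matters for a `block all` policy where a failed reload is the difference between the old rules and no intended rules.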
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,40 @@
+# {{ ansible_managed }}
+
+ext_if = "{{ pf_external_interface }}"
+
+table <trusted_v6> { 2001:470:c980:10::/64 2001:470:c980:20::/64 \
+ 2001:470:1f13:363::e1e0/128 2607:5300:60:823f::48/64 \
+ 2001:41d0:302:1100::c:2aa7/64 }
+table <trusted_v4> { 159.69.146.152/32 51.79.32.48/32 54.37.151.90/32 }
+
+# scanners
+table <scanners> { 104.152.52.21 104.152.52.22 104.152.52.23 104.152.52.24 \
+ 104.152.52.25 104.152.52.26 104.152.52.27 104.152.52.28 \
+ 104.152.52.29 104.152.52.30 104.152.52.31 104.152.52.32 \
+ 104.152.52.33 104.152.52.34 104.152.52.35 104.152.52.36 \
+ 104.152.52.37 104.152.52.38 104.152.52.39 }
+
+set loginterface none
+set block-policy return
+set skip on lo
+match in all scrub (no-df)
+
+block in quick inet proto { tcp, udp } from <scanners>
+block all
+pass out on $ext_if
+
+antispoof quick for $ext_if
+
+pass in quick proto { icmp, icmp6 } all
+
+# ssh is allowed to trusted hosts
+pass in inet6 proto tcp from <trusted_v6> to $ext_if port ssh
+pass in inet proto tcp from <trusted_v4> to $ext_if port ssh
+
+# other ports allowed
+{% if pf_tcp_ports_allowed|length > 0 %}
+pass in proto tcp from any to $ext_if port { {% for p in pf_tcp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+{% endif %}
+{% if pf_udp_ports_allowed|length > 0 %}
+pass in proto tcp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+{% endif %}
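Review bot: The UDP block near the end of the template emits a TCP rule: the line under `{% if pf_udp_ports_allowed|length > 0 %}` reads `pass in proto tcp ...`, so every port in `pf_udp_ports_allowed` is opened for TCP and no UDP traffic is ever passed. Change it to `pass in proto udp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }`. A one-line comment above the two generated rules, such as `# ports below are open to any source; ssh stays restricted to the trusted tables above`, would also make the intended exposure explicit to whoever edits the defaults.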