ansible-playbooks

another attempt to have everything organized ...

commit b6b3f53c75816998713848d7c1310d17cdf2bd23
parent ace9480ee67da48e9f44eb59fadb5a3ba3145d66
Author: Paco Esteban <paco@e1e0.net>
Date:   Fri,  3 Apr 2020 11:46:22 +0200

better pf config for vms

Diffstat:
Mmailserver.yml | 8++++++++
Mroles/pf/defaults/main.yml | 4++++
Mroles/pf/templates/pf.conf.j2 | 12++++++++++--
Mutils.yml | 10++++++++++
Mwebsite.yml | 1-
5 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/mailserver.yml b/mailserver.yml
@@ -6,5 +6,13 @@
 become_method: doas
 roles:
 - motd-figlet
+ - pf
 vars:
 - motd_figlet_group: wheel
+ - pf_tcp_ports_allowed:
+ - "http"
+ - "submission"
+ - "imaps"
+ - "smtp"
+ - "smtps"
+ - 5232
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
@@ -6,3 +6,7 @@
 pf_tcp_ports_allowed:
 - 443
 pf_udp_ports_allowed: []
+
+pf_tcp_trusted_ports_allowed: []
+
+pf_udp_trusted_ports_allowed: []
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
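Review bot: The bare port number `5232` added to `pf_tcp_ports_allowed` carries no comment naming the service it exposes to `any`, while the named entries above it are self-describing; the same applies to `655`, `53589` and `6679` in the utils.yml hunk. A short comment per numeric entry, e.g. `- 5232  # <service listening on this port>`, keeps the list of publicly open ports auditable from the playbook alone, which is the place a reviewer will look when deciding whether a port should be in the `any` list or in the trusted one.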
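Review bot: The two new defaults are introduced without a comment saying how they differ from `pf_tcp_ports_allowed`/`pf_udp_ports_allowed`; from the template hunk in this commit they are opened only to the `<trusted_v4>`/`<trusted_v6>` tables, whereas the existing lists are opened to `any`. A comment above them, `# ports opened only to hosts in the <trusted_v4>/<trusted_v6> tables (see templates/pf.conf.j2)`, would make that scope obvious to anyone setting them in a play and reduce the chance of a port landing in the wrong list.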
@@ -27,14 +27,22 @@
 antispoof quick for $ext_if
 pass in quick proto { icmp, icmp6 } all
-# ssh is allowed to trusted hosts
+# list of ports open to trusted hosts. ssh is always trusted, so it has its own rule.
 pass in inet6 proto tcp from <trusted_v6> to $ext_if port ssh
 pass in inet proto tcp from <trusted_v4> to $ext_if port ssh
+{% if pf_tcp_trusted_ports_allowed|length > 0 %}
+pass in inet6 proto tcp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+pass in inet proto tcp from <trusted_v4> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+{% endif %}
+{% if pf_udp_trusted_ports_allowed|length > 0 %}
+pass in inet6 proto udp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+pass in inet proto udp from <trusted_v4> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+{% endif %}
 # other ports allowed
 {% if pf_tcp_ports_allowed|length > 0 %}
 pass in proto tcp from any to $ext_if port { {% for p in pf_tcp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
 {% endif %}
 {% if pf_udp_ports_allowed|length > 0 %}
-pass in proto tcp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+pass in proto udp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
 {% endif %}
diff --git a/utils.yml b/utils.yml
@@ -7,8 +7,18 @@
 roles:
 - motd-figlet
 - taskwarrior-daemon
+ - pf
 vars:
 - motd_figlet_group: wheel
+ - pf_tcp_ports_allowed:
+ - "http"
+ - "https"
+ - 655
+ - pf_udp_ports_allowed:
+ - 655
+ - pf_tcp_trusted_ports_allowed:
+ - 53589
+ - 6679
 - name: Set up httpd server
 hosts: utils
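Review bot: The new `inet6 proto udp` rule for trusted hosts iterates `pf_tcp_trusted_ports_allowed` instead of `pf_udp_trusted_ports_allowed`, so IPv6 trusted hosts get the TCP trusted list opened over UDP and the UDP trusted list is never applied for IPv6; the `inet` line directly below it uses the right variable. Because the enclosing guard only tests `pf_udp_trusted_ports_allowed|length`, a host with UDP trusted ports but an empty TCP list would render `port { }` on that line, which pfctl will most likely reject, leaving the host without the intended ruleset. The fix is the loop variable on that one line: `pass in inet6 proto udp from <trusted_v6> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }`. Since the six `pass in` rules differ only in family, proto and list name, rendering the port list through a small Jinja macro would remove the copy-paste surface that produced this slip.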
diff --git a/website.yml b/website.yml
@@ -17,7 +17,6 @@
 - 5222
 - 5269
 - 5281
- - 53589
 - name: Set up httpd server
 hosts: web