commit b6b3f53c75816998713848d7c1310d17cdf2bd23
parent ace9480ee67da48e9f44eb59fadb5a3ba3145d66
Author: Paco Esteban <paco@e1e0.net>
Date: Fri, 3 Apr 2020 11:46:22 +0200
better pf config for vms
Diffstat:
5 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/mailserver.yml b/mailserver.yml
@@ -6,5 +6,13 @@
become_method: doas
roles:
- motd-figlet
+ - pf
vars:
- motd_figlet_group: wheel
+ - pf_tcp_ports_allowed:
+ - "http"
+ - "submission"
+ - "imaps"
+ - "smtp"
+ - "smtps"
+ - 5232
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
@@ -6,3 +6,7 @@ pf_tcp_ports_allowed:
- 443
pf_udp_ports_allowed: []
+
+pf_tcp_trusted_ports_allowed: []
+
+pf_udp_trusted_ports_allowed: []
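Review bot: The two new defaults `pf_tcp_trusted_ports_allowed` and `pf_udp_trusted_ports_allowed` are undocumented, and nothing in this file says what "trusted" means; the only definition is the `<trusted_v4>`/`<trusted_v6>` tables used in templates/pf.conf.j2, where ssh is already passed to those hosts by fixed rules. A comment above each list would let a playbook author pick the right variable without reading the template, e.g. `# TCP ports opened only to hosts in the <trusted_v4>/<trusted_v6> pf tables (ssh is always open to them)` and the UDP counterpart. It would also help to state that entries may be pf service names (quoted strings) or port numbers, since the playbooks in this commit use both forms.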
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
@@ -27,14 +27,22 @@ antispoof quick for $ext_if
pass in quick proto { icmp, icmp6 } all
-# ssh is allowed to trusted hosts
+# list of ports open to trusted hosts. ssh is always trusted, so it has its own rule.
pass in inet6 proto tcp from <trusted_v6> to $ext_if port ssh
pass in inet proto tcp from <trusted_v4> to $ext_if port ssh
+{% if pf_tcp_trusted_ports_allowed|length > 0 %}
+pass in inet6 proto tcp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+pass in inet proto tcp from <trusted_v4> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+{% endif %}
+{% if pf_udp_trusted_ports_allowed|length > 0 %}
+pass in inet6 proto udp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+pass in inet proto udp from <trusted_v4> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+{% endif %}
# other ports allowed
{% if pf_tcp_ports_allowed|length > 0 %}
pass in proto tcp from any to $ext_if port { {% for p in pf_tcp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
{% endif %}
{% if pf_udp_ports_allowed|length > 0 %}
-pass in proto tcp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
+pass in proto udp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
{% endif %}
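Review bot: The added inet6 udp rule (the line starting `pass in inet6 proto udp from <trusted_v6>`) loops over `pf_tcp_trusted_ports_allowed` instead of `pf_udp_trusted_ports_allowed`, so it is guarded by the udp list but filled from the tcp one. For a host that sets only udp trusted ports (the role default for the tcp list is `[]`) the rule renders with an empty port list, which pfctl should reject and thereby block the whole ruleset reload; with both lists set, the v6 udp rule exposes the tcp ports over udp and never opens the intended udp ones. The fix is the one variable name on that line: `pass in inet6 proto udp from <trusted_v6> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }`. This is the second tcp/udp copy-paste slip in this template (the other is corrected by this commit); since the four loops are otherwise identical, writing each port list as `port { {{ pf_udp_trusted_ports_allowed | join(', ') }} }` would leave the variable name as the only thing to check per line.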
diff --git a/utils.yml b/utils.yml
@@ -7,8 +7,18 @@
roles:
- motd-figlet
- taskwarrior-daemon
+ - pf
vars:
- motd_figlet_group: wheel
+ - pf_tcp_ports_allowed:
+ - "http"
+ - "https"
+ - 655
+ - pf_udp_ports_allowed:
+ - 655
+ - pf_tcp_trusted_ports_allowed:
+ - 53589
+ - 6679
- name: Set up httpd server
hosts: utils
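Review bot: The numeric ports added under `vars` (`655`, `53589`, `6679`) carry no hint of which service they belong to, while the named ones are self-describing; as this play is the only place where the "open to any" versus "trusted hosts only" decision is recorded, a trailing comment per number would let a later reviewer check the exposure, e.g. `- 53589  # taskd (taskwarrior-daemon role above)` and likewise for 655 and 6679. 53589 matches taskd's default port and is being removed from website.yml's world-open list in the same commit, which reads as the intended tightening, but 6679 has no counterpart anywhere in the diff, so its purpose is worth stating explicitly. Note that the play this `vars` block belongs to starts above the hunk, so the host selection it applies to is not visible here.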
diff --git a/website.yml b/website.yml
@@ -17,7 +17,6 @@
- 5222
- 5269
- 5281
- - 53589
- name: Set up httpd server
hosts: web