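# {{ ansible_managed }}
#
# pf ruleset for the public interface, rendered by Ansible.
# pf evaluates rules top to bottom and the LAST matching rule wins unless a
# rule carries "quick", which stops evaluation at that rule. The "quick" blocks
# near the top therefore take precedence over every later "pass".

ext_if = "{{ pf_external_interface }}"

# Hosts allowed to reach ssh and the trusted per-protocol port lists below.
table <trusted_v6> { 2001:470:1b0a:10::/64 2001:470:1b0a:22::/64 \
    2001:470:1f13:363::e1e0/128 }
table <trusted_v4> { 159.69.146.152/32 199.185.137.3/32 }

# scanners
table <scanners> { 104.152.52.21 104.152.52.22 104.152.52.23 104.152.52.24 \
    104.152.52.25 104.152.52.26 104.152.52.27 104.152.52.28 \
    104.152.52.29 104.152.52.30 104.152.52.31 104.152.52.32 \
    104.152.52.33 104.152.52.34 104.152.52.35 104.152.52.36 \
    104.152.52.37 104.152.52.38 104.152.52.39 }

# Runtime-populated block lists (no static members here). "persist" keeps the
# table defined in the kernel even while it is empty.
table <offenders_v4> persist
table <offenders_v6> persist
table <bsdly> persist

set loginterface none
# Reject with TCP RST / ICMP unreachable instead of dropping silently.
set block-policy return
set skip on lo
match in all scrub (no-df)

# Source-based blocks. Note these match tcp/udp only: icmp/icmp6 from these
# addresses is still accepted by the icmp pass rule further down.
block in quick inet proto { tcp, udp } from <scanners>
block in quick inet proto { tcp, udp } from <offenders_v4>
block in quick inet6 proto { tcp, udp } from <offenders_v6>
block in quick inet proto { tcp, udp } from <bsdly>

# Default deny; everything below this line is an explicit exception.
block all
pass out on $ext_if

antispoof quick for $ext_if

pass in quick proto { icmp, icmp6 } all

# list of ports open to trusted hosts. ssh is always trusted, so it has its own rule.
pass in inet6 proto tcp from <trusted_v6> to $ext_if port ssh
pass in inet proto tcp from <trusted_v4> to $ext_if port ssh
{% if pf_tcp_trusted_ports_allowed|length > 0 %}
pass in inet6 proto tcp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
pass in inet proto tcp from <trusted_v4> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
{% endif %}
{% if pf_udp_trusted_ports_allowed|length > 0 %}
# Both udp rules must iterate the UDP list: the inet6 rule previously looped
# over pf_tcp_trusted_ports_allowed, which exposed the TCP port list over UDP
# to <trusted_v6> and rendered an empty "port { }" (a pfctl parse error) when
# only the UDP list was set.
pass in inet6 proto udp from <trusted_v6> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
pass in inet proto udp from <trusted_v4> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
{% endif %}

# other ports allowed
# No address family is given, so each rule applies to both inet and inet6.
{% if pf_tcp_ports_allowed|length > 0 %}
pass in proto tcp from any to $ext_if port { {% for p in pf_tcp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
{% endif %}
{% if pf_udp_ports_allowed|length > 0 %}
pass in proto udp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
{% endif %}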