ansible-playbooks

another attempt to have everything organized ...

pf.conf.j2 (2525B)


      1 # {{ ansible_managed }}
      2 
      3 ext_if = "{{ pf_external_interface }}"
      4 
      5 table <trusted_v6> { 2001:470:1b0a:10::/64 2001:470:1b0a:22::/64 \
      6                      2001:470:1f13:363::e1e0/128 }
      7 table <trusted_v4> { 159.69.146.152/32 199.185.137.3/32 }
      8 
      9 # scanners
     10 table <scanners> { 104.152.52.21 104.152.52.22 104.152.52.23 104.152.52.24 \
     11                    104.152.52.25 104.152.52.26 104.152.52.27 104.152.52.28 \
     12                    104.152.52.29 104.152.52.30 104.152.52.31 104.152.52.32 \
     13                    104.152.52.33 104.152.52.34 104.152.52.35 104.152.52.36 \
     14                    104.152.52.37 104.152.52.38 104.152.52.39 }
     15 
     16 table <offenders_v4> persist
     17 table <offenders_v6> persist
     18 table <bsdly> persist
     19 
     20 set loginterface none
     21 set block-policy return
     22 set skip on lo
     23 match in all scrub (no-df)
     24 
     25 block in quick inet proto { tcp, udp } from <scanners>
     26 block in quick inet proto { tcp, udp } from <offenders_v4>
     27 block in quick inet6 proto { tcp, udp } from <offenders_v6>
     28 block in quick inet proto { tcp, udp } from <bsdly>
     29 block all
     30 pass out on $ext_if
     31 
     32 antispoof quick for $ext_if
     33 
     34 pass in quick proto { icmp, icmp6 } all
     35 
     36 # list of ports open to trusted hosts.  ssh is always trusted, so it has its own rule.
     37 pass in inet6 proto tcp from <trusted_v6> to $ext_if port ssh
     38 pass in inet proto tcp from <trusted_v4> to $ext_if port ssh
     39 {% if pf_tcp_trusted_ports_allowed|length > 0 %}
     40 pass in inet6 proto tcp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
     41 pass in inet proto tcp from <trusted_v4> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
     42 {% endif %}
     43 {% if pf_udp_trusted_ports_allowed|length > 0 %}
     44 pass in inet6 proto udp from <trusted_v6> to $ext_if port { {% for p in pf_tcp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
     45 pass in inet proto udp from <trusted_v4> to $ext_if port { {% for p in pf_udp_trusted_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
     46 {% endif %}
     47 
     48 # other ports allowed
     49 {% if pf_tcp_ports_allowed|length > 0 %}
     50 pass in proto tcp from any to $ext_if port { {% for p in pf_tcp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
     51 {% endif %}
     52 {% if pf_udp_ports_allowed|length > 0 %}
     53 pass in proto udp from any to $ext_if port { {% for p in pf_udp_ports_allowed -%} {{ p }} {%- if not loop.last %},{% endif %} {% endfor -%} }
     54 {% endif %}