ansible/roles/firewall/files/homeserver_pf.conf

# TODO: ipv6 RFC 6296 - Network Prefix Translation?
# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view

#
# restricted_nat 10.215.2.1/24
# jail_nat 10.215.1.1/24
#

#
# External connections -> 172.16.16.32:8081
# rdr to bastion 10.215.1.217
# snat to bridge?
#

ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

dhcp = "{ bootpc, bootps }"
allow = "{ wgh wgf }"

tcp_pass_in = "{ 22 }"
udp_pass_in = "{ 53 51820 }"

# Rules must be in order: options, normalization, queueing, translation, filtering

# options
set skip on lo

# normalization

# queueing

# translation
nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)

# external -> bastion
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
# external -> sftp
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22

# filtering
block log all
pass out on $ext_if from (wlan0)

# We pass on the interfaces listed in allow rather than skipping on
# them because changes to pass rules will update when running a
# `service pf reload` but interfaces that we `skip` will not update (I
# forget if its from adding, removing, or both. TODO: test to figure
# it out)
pass quick on $allow

pass on $ext_if proto icmp all
pass on $ext_if proto icmp6 all

pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
pass in on $ext_if proto udp to (wlan0) port $udp_pass_in


# Allow DNS and wireguard from cloak
pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
# bastion -> cloak
pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED
Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`# TODO: ipv6 RFC 6296 - Network Prefix Translation?`
			`# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48`
			`# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view`

			`#`
			`# restricted_nat 10.215.2.1/24`
			`# jail_nat 10.215.1.1/24`
			`#`

			`#`
			`# External connections -> 172.16.16.32:8081`
			`# rdr to bastion 10.215.1.217`
			`# snat to bridge?`
			`#`

			`ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"`
			`not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"`
Enable ipv6 on homeserver. 2024-07-12 21:44:43 -04:00			`rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"`
Create a firewall role that installs a pf.conf on FreeBSD. Does not yet configure pflog nor does it do anything on Linux. 2022-10-12 21:23:40 -04:00
			`dhcp = "{ bootpc, bootps }"`
Allow the wireguard interfaces. 2022-12-04 02:12:10 -05:00			`allow = "{ wgh wgf }"`
Create a firewall role that installs a pf.conf on FreeBSD. Does not yet configure pflog nor does it do anything on Linux. 2022-10-12 21:23:40 -04:00
			`tcp_pass_in = "{ 22 }"`
			`udp_pass_in = "{ 53 51820 }"`

			`# Rules must be in order: options, normalization, queueing, translation, filtering`

			`# options`
			`set skip on lo`

Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`# normalization`
Add nix support to emacs. 2024-11-29 21:27:08 -05:00
Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`# queueing`
Add sftp jail. 2024-06-30 23:02:23 -04:00
Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`# translation`
			`nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)`
			`nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)`
			`nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)`
Update firewall for unifi controller virtual machine. 2023-01-16 17:05:47 -05:00
Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`# external -> bastion`
			`rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443`
			`# external -> sftp`
			`rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22`
Add jail for momlaptop. 2024-08-14 21:25:49 -04:00
Create a firewall role that installs a pf.conf on FreeBSD. Does not yet configure pflog nor does it do anything on Linux. 2022-10-12 21:23:40 -04:00			`# filtering`
			`block log all`
Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`pass out on $ext_if from (wlan0)`
Transition the home server to the dynamic netgraph devices. 2023-04-27 16:58:06 -04:00
Create a firewall role that installs a pf.conf on FreeBSD. Does not yet configure pflog nor does it do anything on Linux. 2022-10-12 21:23:40 -04:00			`# We pass on the interfaces listed in allow rather than skipping on`
			`# them because changes to pass rules will update when running a`
			# `service pf reload` but interfaces that we `skip` will not update (I
			`# forget if its from adding, removing, or both. TODO: test to figure`
			`# it out)`
Allow the wireguard interfaces. 2022-12-04 02:12:10 -05:00			`pass quick on $allow`
Create a firewall role that installs a pf.conf on FreeBSD. Does not yet configure pflog nor does it do anything on Linux. 2022-10-12 21:23:40 -04:00
			`pass on $ext_if proto icmp all`
			`pass on $ext_if proto icmp6 all`

Update for pkgbase rebuild of homeserver. 2026-04-11 12:49:59 -04:00			`pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in`
			`pass in on $ext_if proto udp to (wlan0) port $udp_pass_in`


			`# Allow DNS and wireguard from cloak`
			`pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT`
			`# bastion -> cloak`
			`pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED`