Cleanup mrmanager firewall config.

2023-07-06 21:04:23 -04:00 · 2023-07-06 21:04:23 -04:00 · 16eb703f68
parent c34f7c0912
commit 16eb703f68
2 changed files with 59 additions and 41 deletions
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@ -73,25 +73,25 @@
    - sudo
    - doas
    - users
-    - package_manager
-    - zfs
-    - zrepl
-    - zsh
-    - network
-    - sshd
-    - base
+    # - package_manager
+    # - zfs
+    # - zrepl
+    # - zsh
+    # - network
+    # - sshd
+    # - base
    - firewall
-    - cpu
-    - ntp
-    - nvme
-    - hosts
-    - build
-    - devfs
-    - jail
-    - bhyve
-    - wireguard
-    - plainmacs
-    - mrmanager
+    # - cpu
+    # - ntp
+    # - nvme
+    # - hosts
+    # - build
+    # - devfs
+    # - jail
+    # - bhyve
+    # - wireguard
+    # - plainmacs
+    # - mrmanager

 - hosts: admin_git:public_dns
  vars:
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@ -14,29 +14,56 @@ udp_pass_in = "{ 53 51820 51821 51822 }"

 # options
 set skip on lo
+set optimization conservative
+set block-policy return
+set fail-policy drop
+
+# normalization
+scrub in on $ext_if all fragment reassemble
+
+# translation
+
+# Evaluation order of the translation rules is dependent on the type
+# of the translation rules and of the direction of a packet.  binat
+# rules are always evaluated first.  Then either the rdr rules are
+# evaluated on an inbound packet or the nat rules on an outbound
+# packet.  Rules of the same type are evaluated in the same order in
+# which they appear in the ruleset.  The first matching rule decides
+# what action is taken.

 # redirections
-nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0)
-nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)
-rdr pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
+rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53

-rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 6443 -> 10.215.1.204 port 6443
-rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 6443 -> 10.215.1.204 port 6443
-nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
-nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
+rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
+# rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 6443 -> 10.215.1.204 port 6443
+# rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443

-rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to $not_jail_nat_v4 port 65099 -> 10.215.1.210 port 22
-rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to $not_jail_nat_v4 port 65099 -> 10.215.1.210 port 22
-# nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
-# nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0)
+rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
+rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
+# rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 19993 -> 10.215.1.204 port 19993
+# rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
+
+rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
+rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22

 rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
-nat pass proto {tcp, udp} tagged REDIRINTERNAL -> (jail_nat)
+
+nat pass tagged REDIRINTERNAL -> (jail_nat)
+nat pass tagged REDIREXTERNAL -> ($ext_if)

 # filtering
 block log all
-pass out on $ext_if
+pass quick proto {icmp, icmp6} all
+pass out quick on $ext_if
+# We pass on the interfaces listed in allow rather than skipping on
+# them because changes to pass rules will update when running a
+# `service pf reload` but interfaces that we `skip` will not update (I
+# forget if its from adding, removing, or both. TODO: test to figure
+# it out). Also skipped interfaces are not subject to nat/rdr rules.
+pass quick on $allow

 # Single interface kubernetes cluster is working with the following run on mrmanager:
 #   doas route add -host 74.80.180.139 -interface jail_nat
@ -47,17 +74,8 @@ pass quick from any to $pub_k8s

 pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
-pass out on jail_nat from $jail_nat_v4
+pass out on jail_nat from (jail_nat:network)

-# We pass on the interfaces listed in allow rather than skipping on
-# them because changes to pass rules will update when running a
-# `service pf reload` but interfaces that we `skip` will not update (I
-# forget if its from adding, removing, or both. TODO: test to figure
-# it out). Also skipped interfaces are not subject to nat/rdr rules.
-pass quick on $allow
-
-pass on $ext_if proto icmp all
-pass on $ext_if proto icmp6 all

 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in