diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index 55bac84..0fde676 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml @@ -73,25 +73,25 @@ - sudo - doas - users - - package_manager - - zfs - - zrepl - - zsh - - network - - sshd - - base + # - package_manager + # - zfs + # - zrepl + # - zsh + # - network + # - sshd + # - base - firewall - - cpu - - ntp - - nvme - - hosts - - build - - devfs - - jail - - bhyve - - wireguard - - plainmacs - - mrmanager + # - cpu + # - ntp + # - nvme + # - hosts + # - build + # - devfs + # - jail + # - bhyve + # - wireguard + # - plainmacs + # - mrmanager - hosts: admin_git:public_dns vars: diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf index 7787a95..5c8ae14 100644 --- a/ansible/roles/firewall/files/mrmanager_pf.conf +++ b/ansible/roles/firewall/files/mrmanager_pf.conf @@ -14,29 +14,56 @@ udp_pass_in = "{ 53 51820 51821 51822 }" # options set skip on lo +set optimization conservative +set block-policy return +set fail-policy drop + +# normalization +scrub in on $ext_if all fragment reassemble + +# translation + +# Evaluation order of the translation rules is dependent on the type +# of the translation rules and of the direction of a packet. binat +# rules are always evaluated first. Then either the rdr rules are +# evaluated on an inbound packet or the nat rules on an outbound +# packet. Rules of the same type are evaluated in the same order in +# which they appear in the ruleset. The first matching rule decides +# what action is taken. # redirections -nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0) -nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if) -rdr pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.1 port 53 -> 1.1.1.1 port 53 +nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if) +rdr pass proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53 -rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 6443 -> 10.215.1.204 port 6443 -rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 6443 -> 10.215.1.204 port 6443 -nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat) -nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat) +rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443 +rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443 +# rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 6443 -> 10.215.1.204 port 6443 +# rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443 -rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to $not_jail_nat_v4 port 65099 -> 10.215.1.210 port 22 -rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to $not_jail_nat_v4 port 65099 -> 10.215.1.210 port 22 -# nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat) -# nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0) +rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993 +rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993 +# rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 19993 -> 10.215.1.204 port 19993 +# rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993 + +rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22 +rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22 rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53 rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53 -nat pass proto {tcp, udp} tagged REDIRINTERNAL -> (jail_nat) + +nat pass tagged REDIRINTERNAL -> (jail_nat) +nat pass tagged REDIREXTERNAL -> ($ext_if) # filtering block log all -pass out on $ext_if +pass quick proto {icmp, icmp6} all +pass out quick on $ext_if +# We pass on the interfaces listed in allow rather than skipping on +# them because changes to pass rules will update when running a +# `service pf reload` but interfaces that we `skip` will not update (I +# forget if its from adding, removing, or both. TODO: test to figure +# it out). Also skipped interfaces are not subject to nat/rdr rules. +pass quick on $allow # Single interface kubernetes cluster is working with the following run on mrmanager: # doas route add -host 74.80.180.139 -interface jail_nat @@ -47,17 +74,8 @@ pass quick from any to $pub_k8s pass in on jail_nat # Allow traffic from my machine to the jails/virtual machines -pass out on jail_nat from $jail_nat_v4 +pass out on jail_nat from (jail_nat:network) -# We pass on the interfaces listed in allow rather than skipping on -# them because changes to pass rules will update when running a -# `service pf reload` but interfaces that we `skip` will not update (I -# forget if its from adding, removing, or both. TODO: test to figure -# it out). Also skipped interfaces are not subject to nat/rdr rules. -pass quick on $allow - -pass on $ext_if proto icmp all -pass on $ext_if proto icmp6 all pass in on $ext_if proto tcp to any port $tcp_pass_in pass in on $ext_if proto udp to any port $udp_pass_in