Starting to transition the home server to the new dynamic netgraph devices.

2023-04-27 14:56:32 -04:00 · 2023-04-27 14:56:32 -04:00 · 24bfa840ff
commit 24bfa840ff
parent 5da4f8fb99
4 changed files with 58 additions and 79 deletions
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@ -1,6 +1,7 @@
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
-jail_net_v4 = "10.193.223.0/24"
-full_nat_v4 = "10.213.177.0/24"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"

 dhcp = "{ bootpc, bootps }"
 allow = "{ wgh wgf }"
@ -15,11 +16,8 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 set skip on lo

 # redirections
-nat on $ext_if inet from $jail_net_v4 to { any, !$jail_net_v4 } tag ALLOWED -> (wlan0)
-nat on $ext_if inet from $full_nat_v4 to { any, !$full_nat_v4 } tag ALLOWED -> (wlan0)
-
-rdr pass on host_uplink0 inet proto {tcp, udp} from any to 10.193.223.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
-rdr pass on host_uplink1 inet proto {tcp, udp} from any to 10.213.177.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53

 nat pass on host_uplink0 inet proto tcp from any to any port 8081 tag ALLOWED -> (host_uplink0)
 rdr pass on $ext_if inet proto tcp from any to any port 8081 tag ALLOWED -> 10.193.223.20 port 8081
@ -32,6 +30,10 @@ rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports tag
 block log all
 pass out on $ext_if

+pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from $jail_nat_v4
+
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
 # `service pf reload` but interfaces that we `skip` will not update (I
@ -45,8 +47,6 @@ pass on $ext_if proto icmp6 all
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in

-pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
-
-pass in on host_uplink0 proto udp from any to any port { 53 51820 }
-pass out on host_uplink0 proto tcp from any to any port 8081
-pass on host_uplink1
+# pass in on host_uplink0 proto udp from any to any port { 53 51820 }
+# pass out on host_uplink0 proto tcp from any to any port 8081
+# pass on host_uplink1
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
@ -1,7 +1,7 @@
 ext_if = "{ wlan0 }"
 not_ext_if = "{ !wlan0 }"
-jail_nat_v4 = "{ 10.193.223.0/24 10.213.177.0/24 10.215.1.0/24 }"
-not_jail_nat_v4 = "{ any, !10.193.223.0/24 !10.213.177.0/24 !10.215.1.0/24 }"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 dns_redirect = "{ 10.193.223.1 10.213.177.1 10.215.1.1 }"

 dhcp = "{ bootpc, bootps }"
@ -29,7 +29,7 @@ pass out on $ext_if

 pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
-pass out on jail_nat from jail_nat
+pass out on jail_nat from $jail_nat_v4

 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
--- a/ansible/roles/jail/files/setup_netgraph_homeserver
+++ b/ansible/roles/jail/files/setup_netgraph_homeserver
@ -1,76 +1,55 @@
 #!/usr/local/bin/bash

 cleanup() {
-    ngctl shutdown host_link2:
-    ngctl shutdown host_uplink0:
-    ngctl shutdown host_bridge0:
-    ngctl shutdown wg_link2:
-    ngctl shutdown wg_uplink0:
-    ngctl shutdown wg_bridge0:
-    ngctl shutdown host_link3:
-    ngctl shutdown host_uplink1:
-    ngctl shutdown host_bridge1:
+    # ngctl shutdown host_link2:
+    # ngctl shutdown host_uplink0:
+    # ngctl shutdown host_bridge0:
+    # ngctl shutdown wg_link2:
+    # ngctl shutdown wg_uplink0:
+    # ngctl shutdown wg_bridge0:
+    echo ""
 }

 setup_netgraph_start() {
    cleanup

-    # Create a bridge for jails that only speak wireguard
-    ngctl -d -f - <<EOF
-mkpeer . eiface hook ether
-name .:hook host_uplink0
-EOF
+#     # Create a bridge for jails that only speak wireguard
+#     ngctl -d -f - <<EOF
+# mkpeer . eiface hook ether
+# name .:hook host_uplink0
+# EOF

-    ngctl -d -f - <<EOF
-mkpeer host_uplink0: bridge ether link0
-name host_uplink0:ether host_bridge0
-EOF
+#     ngctl -d -f - <<EOF
+# mkpeer host_uplink0: bridge ether link0
+# name host_uplink0:ether host_bridge0
+# EOF

-    ngctl -d -f - <<EOF
-mkpeer host_bridge0: eiface link2 ether
-name host_bridge0:link2 host_link2
-EOF
+#     ngctl -d -f - <<EOF
+# mkpeer host_bridge0: eiface link2 ether
+# name host_bridge0:link2 host_link2
+# EOF

-    ifconfig $(ngctl msg 'host_uplink0:' getifname | grep Args | cut -d '"' -f 2) name host_uplink0 10.193.223.1/24 up
-    ifconfig $(ngctl msg 'host_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name host_link2
+#     ifconfig $(ngctl msg 'host_uplink0:' getifname | grep Args | cut -d '"' -f 2) name host_uplink0 10.193.223.1/24 up
+#     ifconfig $(ngctl msg 'host_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name host_link2

-    # Create internal bridge for jails that are forced through wireguard
-    ngctl -d -f - <<EOF
-mkpeer . eiface hook ether
-name .:hook wg_uplink0
-EOF
+#     # Create internal bridge for jails that are forced through wireguard
+#     ngctl -d -f - <<EOF
+# mkpeer . eiface hook ether
+# name .:hook wg_uplink0
+# EOF

-    ngctl -d -f - <<EOF
-mkpeer wg_uplink0: bridge ether link0
-name wg_uplink0:ether wg_bridge0
-EOF
+#     ngctl -d -f - <<EOF
+# mkpeer wg_uplink0: bridge ether link0
+# name wg_uplink0:ether wg_bridge0
+# EOF

-    ngctl -d -f - <<EOF
-mkpeer wg_bridge0: eiface link2 ether
-name wg_bridge0:link2 wg_link2
-EOF
+#     ngctl -d -f - <<EOF
+# mkpeer wg_bridge0: eiface link2 ether
+# name wg_bridge0:link2 wg_link2
+# EOF

-    ifconfig $(ngctl msg 'wg_uplink0:' getifname | grep Args | cut -d '"' -f 2) name wg_uplink0 10.241.199.1/24 up
-    ifconfig $(ngctl msg 'wg_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name wg_link2
-
-    # Create a bridge for jails given full access to NAT
-    ngctl -d -f - <<EOF
-mkpeer . eiface hook ether
-name .:hook host_uplink1
-EOF
-
-    ngctl -d -f - <<EOF
-mkpeer host_uplink1: bridge ether link0
-name host_uplink1:ether host_bridge1
-EOF
-
-    ngctl -d -f - <<EOF
-mkpeer host_bridge1: eiface link2 ether
-name host_bridge1:link2 host_link3
-EOF
-
-    ifconfig $(ngctl msg 'host_uplink1:' getifname | grep Args | cut -d '"' -f 2) name host_uplink1 10.213.177.1/24 up
-    ifconfig $(ngctl msg 'host_bridge1:link2' getifname | grep Args | cut -d '"' -f 2) name host_link3
+#     ifconfig $(ngctl msg 'wg_uplink0:' getifname | grep Args | cut -d '"' -f 2) name wg_uplink0 10.241.199.1/24 up
+#     ifconfig $(ngctl msg 'wg_bridge0:link2' getifname | grep Args | cut -d '"' -f 2) name wg_link2

 }

--- a/ansible/roles/package_manager/tasks/freebsd.yaml
+++ b/ansible/roles/package_manager/tasks/freebsd.yaml
@ -8,6 +8,12 @@
  loop:
    - /usr/local/etc/pkg
    - /usr/local/etc/pkg/repos
+    
+- name: Install packages
+  package:
+    name:
+      - pkg-provides
+    state: present

 - name: Install Configuration
  register: changed_config
@ -26,9 +32,3 @@
 # - name: Replace all packages with packages from new repo
 #   command: pkg upgrade -f -y
 #   when: changed_config.changed
-
- name: Install packages
-  package:
-    name:
-      - pkg-provides
-    state: present