From 271428a6f6b702ea830a5a164937ec35dd576658 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sun, 28 May 2023 16:01:02 -0400
Subject: [PATCH] Add firewall to mrmanager.
---
 ansible/environments/colo/host_vars/mrmanager | 4 ++
 ansible/playbook.yaml | 1 +
 .../roles/firewall/files/mrmanager_pf.conf | 39 +++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 ansible/roles/firewall/files/mrmanager_pf.conf
diff --git a/ansible/environments/colo/host_vars/mrmanager b/ansible/environments/colo/host_vars/mrmanager
index 583ac2e..285145c 100644
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -6,3 +6,7 @@ loader_conf: "mrmanager_loader.conf"
 rc_conf: "mrmanager_rc.conf"
 network_rc: "mrmanager_network.conf"
 routing_rc: "mrmanager_routing.conf"
+pf_config: "mrmanager_pf.conf"
+pflog_conf:
+ - name: 0
+ dev: pflog0
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 9c109c3..83c4ecd 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -76,3 +76,4 @@
 - network
 - sshd
 - base
+ - firewall
diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf
new file mode 100644
index 0000000..d2d6ceb
--- /dev/null
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -0,0 +1,39 @@
+ext_if = "lagg0"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
+
+dhcp = "{ bootpc, bootps }"
+allow = "{ colo }"
+
+tcp_pass_in = "{ 22 }"
+udp_pass_in = "{ 53 51820 51821 51822 }"
+
+# Rules must be in order: options, normalization, queueing, translation, filtering
+
+# options
+set skip on lo
+
+# redirections
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> ($ext_if)
+rdr pass on !$ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+
+# filtering
+block log all
+pass out on $ext_if
+
+pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from $jail_nat_v4
+
+# We pass on the interfaces listed in allow rather than skipping on
+# them because changes to pass rules will update when running a
+# `service pf reload` but interfaces that we `skip` will not update (I
+# forget if its from adding, removing, or both. TODO: test to figure
+# it out). Also skipped interfaces are not subject to nat/rdr rules.
+pass quick on $allow
+
+pass on $ext_if proto icmp all
+pass on $ext_if proto icmp6 all
+
+pass in on $ext_if proto tcp to any port $tcp_pass_in
+pass in on $ext_if proto udp to any port $udp_pass_in
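Review bot: `pass in on jail_nat` accepts any source address on that interface (here `jail_nat` is used as an interface or group name, not a macro), while the companion `nat pass` and `pass out on jail_nat` rules are restricted to `$jail_nat_v4`; a jail emitting packets with some other source would still be passed in and, via `pass out on $ext_if`, presumably forwarded untranslated, so the rule should read `pass in on jail_nat from $jail_nat_v4` (optionally paired with `antispoof for jail_nat`). The `$dhcp` macro is defined but never referenced, so under `block log all` no bootpc/bootps traffic is actually allowed; either remove the macro or add the pass rule it was meant for. The header comment lists normalization as a required stage, yet no `scrub` rule follows the options section, e.g. `scrub in on $ext_if all fragment reassemble`. `udp_pass_in` also opens port 53 to the world on `$ext_if`, which is only appropriate if whatever listens there does not recurse for external clients; a short comment naming the expected listener would make that intent reviewable.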