From 2e4c2c3f9b46208726dfc5856c145057f876399f Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Mon, 19 Jun 2023 22:16:09 -0400
Subject: [PATCH] Improve firewall config.
---
 ansible/roles/firewall/files/mrmanager_pf.conf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf
index 3e481e1..fe38ea6 100644
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -18,7 +18,7 @@ set skip on lo
 # redirections
 nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0)
 nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+rdr pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.1 port 53 -> 1.1.1.1 port 53
 rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 6443 -> 10.215.1.204 port 6443
 rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 6443 -> 10.215.1.204 port 6443
@@ -30,8 +30,7 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to $not_jail_nat_v4 port 6
 # nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
 # nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (lagg0)
-rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to $not_jail_nat_v4 port 53 -> 10.215.1.211 port 53
-rdr pass on jail_nat inet proto {tcp, udp} from $jail_nat_v4 to $not_jail_nat_v4 port 53 -> 10.215.1.211 port 53
+rdr pass inet proto {tcp, udp} from any to ($ext_if) port 53 -> 10.215.1.211 port 53
 # filtering
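Review bot: The rewritten rdr line in the first hunk keeps the `pass` keyword, so DNS from `$jail_nat_v4` to 10.215.1.1 port 53 is translated to 1.1.1.1 and passed without ever being evaluated by the `# filtering` section; narrowing `from any` to `from $jail_nat_v4` is an improvement, but the source match is now the only control on that path. The second hunk has the same property and it matters more there: the new `rdr pass inet proto {tcp, udp} from any to ($ext_if) port 53 -> 10.215.1.211 port 53` has no `on` clause, so it applies on every interface, and with `pass` any external host that reaches the external address on port 53 is handed to 10.215.1.211 with no filter rule in between, which turns that host into an open resolver unless it restricts clients itself (the filter section is outside this diff, but `pass` on a translation rule bypasses it regardless). Consider dropping `pass` from both rdr rules and admitting the traffic explicitly in the filter section, e.g. `pass in on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.211 port 53`, or at least keep the source restricted to the two networks the deleted lines named (`$not_jail_nat_v4` and `$jail_nat_v4`) rather than `any`. The new line in this hunk also omits `inet`, unlike the nat line above it and the rdr lines below it, so it would match IPv6 as well if the interface carries it; `rdr pass on $not_ext_if inet proto {tcp, udp} from $jail_nat_v4 to 10.215.1.1 port 53 -> 1.1.1.1 port 53` keeps the family consistent. The second hunk's trailing context runs past the end of this excerpt.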