diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf index 5e7b2f7..ea6f03f 100644 --- a/ansible/roles/firewall/files/homeserver_pf.conf +++ b/ansible/roles/firewall/files/homeserver_pf.conf @@ -2,6 +2,8 @@ ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }" not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }" jail_nat_v4 = "{ 10.215.1.0/24 }" not_jail_nat_v4 = "{ any, !10.215.1.0/24 }" +restricted_nat_v4 = "{ 10.215.2.0/24 }" +not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }" dhcp = "{ bootpc, bootps }" allow = "{ wgh wgf }" @@ -23,7 +25,8 @@ rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1 nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0) rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53 -rdr pass on $ext_if inet proto tcp from any to any port 8081 -> 10.215.2.2 port 8081 +rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8081 -> 10.215.2.2 port 8081 +nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> 10.215.2.1 # Forward ports for unifi controller # rdr pass on $ext_if inet proto tcp from any to any port 65022 -> 10.213.177.8 port 22 @@ -36,6 +39,8 @@ pass out on $ext_if pass in on jail_nat # Allow traffic from my machine to the jails/virtual machines pass out on jail_nat from $jail_nat_v4 +pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports +pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081 pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }