talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix firewall blocking to host machine.

Browse Source 
The firewall was not working so all traffic was making it through to the host system.
This commit is contained in:
Tom Alexander 2025-08-30 14:19:59 -04:00
parent 4633a97262
commit 97149b9196
No known key found for this signature in database
GPG Key ID: D3A179C9A53C0EDE
3 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible/environments/colo/host_vars/mrmanager
View File

@ -14,6 +14,8 @@ pf_config: "mrmanager_pf.conf"
pflog_conf:
- name: 0
dev: pflog0
- name: 1
dev: pflog1
cputype: "amd"
hwpstate: true
etc_hosts: {}

14
ansible/roles/firewall/files/mrmanager_pf.conf
View File

@ -2,7 +2,8 @@ ext_if = "lagg0"
not_ext_if = "{ !lagg0 }"
jail_nat_v4 = "{ 10.215.1.0/24 }"
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
# pub_k8s = "{ 74.80.180.136/29, !74.80.180.138 }"
pub_k8s = "{ 74.80.180.137, 74.80.180.139, 74.80.180.140, 74.80.180.141, 74.80.180.142 }"
dhcp = "{ bootpc, bootps }"
allow = "{ colo }"
@ -35,19 +36,20 @@ scrub in on $ext_if all fragment reassemble
nat on $ext_if inet from ! ($ext_if) to ! ($ext_if) -> ($ext_if)
rdr pass on jail_nat proto {tcp, udp} from any to 10.215.1.1 port 53 tag REDIREXTERNAL -> 1.1.1.1 port 53
rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 -> 10.215.1.204 port 6443
rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 6443 tag REDIRINTERNAL -> 10.215.1.204 port 6443
rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 -> 10.215.1.204 port 19993
rdr pass on $ext_if proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
rdr pass on jail_nat proto {tcp, udp} to ($ext_if) port 19993 tag REDIRINTERNAL -> 10.215.1.204 port 19993
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 -> 10.215.1.210 port 22
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65099 tag REDIRINTERNAL -> 10.215.1.210 port 22
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 -> 10.215.1.211 port 53
# log (to pflog1)
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 53 tag REDIRINTERNAL -> 10.215.1.211 port 53
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 -> 10.215.1.219 port 22
rdr pass proto {tcp, udp} from $not_jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
rdr pass proto {tcp, udp} from $jail_nat_v4 to ($ext_if) port 65122 tag REDIRINTERNAL -> 10.215.1.219 port 22
nat pass tagged REDIRINTERNAL -> (jail_nat)

3
ansible/roles/mrmanager/files/nfsd_rc.conf
View File

@ -1 +1,4 @@
nfs_server_enable="YES"
# nfsv4_server_enable="YES"
# nfsv4_server_only="YES"
nfs_server_flags="-u -t --minthreads 1 --maxthreads 32"