Update for pkgbase rebuild of homeserver.
@@ -1,9 +1,20 @@
|
||||
ext_if = "{ igb0 igb1 ix0 ix1 linfi_host }"
|
||||
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !linfi_host }"
|
||||
jail_nat_v4 = "{ 10.215.1.0/24 }"
|
||||
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
|
||||
restricted_nat_v4 = "{ 10.215.2.0/24 }"
|
||||
not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
|
||||
# TODO: ipv6 RFC 6296 - Network Prefix Translation?
|
||||
# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
|
||||
# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
|
||||
|
||||
#
|
||||
# restricted_nat 10.215.2.1/24
|
||||
# jail_nat 10.215.1.1/24
|
||||
#
|
||||
|
||||
#
|
||||
# External connections -> 172.16.16.32:8081
|
||||
# rdr to bastion 10.215.1.217
|
||||
# snat to bridge?
|
||||
#
|
||||
|
||||
ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
|
||||
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
|
||||
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
|
||||
|
||||
dhcp = "{ bootpc, bootps }"
|
||||
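Review bot: The new `rfc1918` and `dhcp` macros are defined in this hunk but nothing in the visible hunks references `$rfc1918` or `$dhcp`, and pfctl accepts an unused macro silently, so a dead definition is easy to mistake for an active ingress filter. New-file lines 51–55 fall outside this view, so they may well be used there; if they are not, either wire them into an explicit rule (for example a logged `block in` on `$ext_if` for spoofed private-source packets, remembering that the 172.16.0.1 resolver the rdr rules forward to is itself RFC 1918) or drop them. The header comments `# restricted_nat 10.215.2.1/24` and `# jail_nat 10.215.1.1/24` name the two internal networks but not that `jail_nat` and `restricted_nat` in the rules below are interface names rather than macros; a one-line `# jail_nat / restricted_nat are interface names, not macros` above them would save the next reader a check.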
@@ -11,69 +22,29 @@ allow = "{ wgh wgf }"
|
||||
|
||||
tcp_pass_in = "{ 22 }"
|
||||
udp_pass_in = "{ 53 51820 }"
|
||||
unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
|
||||
|
||||
# Rules must be in order: options, normalization, queueing, translation, filtering
|
||||
|
||||
# options
|
||||
set skip on lo
|
||||
|
||||
# normalization
|
||||
|
||||
# queueing
|
||||
# altq on linfi_host cbq queue { def, stuff }
|
||||
# queue def cbq(default borrow)
|
||||
# queue stuff bandwidth 8Mb cbq { dagger }
|
||||
# queue dagger cbq(borrow)
|
||||
|
||||
# redirections
|
||||
nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (linfi_host)
|
||||
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
|
||||
# translation
|
||||
nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
|
||||
nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
|
||||
nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
|
||||
|
||||
# cloak
|
||||
nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (linfi_host)
|
||||
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
|
||||
|
||||
# bastion
|
||||
rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
|
||||
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
|
||||
nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
|
||||
|
||||
|
||||
# cloak -> olddagger
|
||||
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
|
||||
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
|
||||
|
||||
# cloak -> dagger old
|
||||
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8083 -> 10.215.2.2 port 8083
|
||||
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8083 -> 10.215.2.1
|
||||
|
||||
# -> sftp
|
||||
# TODO: Limit bandwidth for sftp
|
||||
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
|
||||
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
|
||||
|
||||
# Forward ports for unifi controller
|
||||
# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
|
||||
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
|
||||
|
||||
# -> momlaptop
|
||||
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8033 -> 10.215.1.218 port 443
|
||||
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.218 port 443 -> 10.215.1.1
|
||||
# external -> bastion
|
||||
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
|
||||
# external -> sftp
|
||||
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
|
||||
|
||||
# filtering
|
||||
# match in on jail_nat from any to any dnpipe(1, 2)
|
||||
# match in on restricted_nat from any to any dnpipe(1, 2)
|
||||
|
||||
block log all
|
||||
pass out on $ext_if
|
||||
|
||||
pass in on jail_nat
|
||||
# Allow traffic from my machine to the jails/virtual machines
|
||||
pass out on jail_nat from $jail_nat_v4
|
||||
pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
|
||||
pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
|
||||
|
||||
# TODO: limit bandwidth for dagger here
|
||||
pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
|
||||
pass out on $ext_if from (wlan0)
|
||||
|
||||
# We pass on the interfaces listed in allow rather than skipping on
|
||||
# them because changes to pass rules will update when running a
|
||||
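Review bot: The new `rdr pass … to (wlan0) port 8081 tag NATJAIL` and `… port 8022 tag NATJAIL` lines, like the `nat pass … tagged …` rules above them, use the `pass` modifier, so matching packets bypass the filter ruleset and `block log all` never logs them; the externally reachable bastion and sftp redirects are thus the one class of inbound traffic that leaves no pflog trail. Dropping `pass` from those two rdr lines and adding `pass in log on $ext_if proto tcp to 10.215.1.217 port 443` and `pass in log on $ext_if proto tcp to 10.215.1.216 port 22` keeps the forwarding, restores logging and makes the `# Rules must be in order` comment actually apply to them. `proto {tcp, udp}` on both rdr lines is wider than needed, since sshd is TCP-only and the 443 listener is presumably too unless it speaks QUIC. The `nat pass on $ext_if … tagged NATOUT -> (wlan0)` rule translates to wlan0's address on every member of `$ext_if`, which is only correct while wlan0 is the sole active uplink; if igb0/ix0 can carry traffic they need their own nat rules. The ruleset continues outside this hunk.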
@@ -85,5 +56,11 @@ pass quick on $allow
|
||||
pass on $ext_if proto icmp all
|
||||
pass on $ext_if proto icmp6 all
|
||||
|
||||
pass in on $ext_if proto tcp to any port $tcp_pass_in
|
||||
pass in on $ext_if proto udp to any port $udp_pass_in
|
||||
pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
|
||||
pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
|
||||
|
||||
|
||||
# Allow DNS and wireguard from cloak
|
||||
pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
|
||||
# bastion -> cloak
|
||||
pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED
|
||||
|
||||
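Review bot: `pass in on $ext_if proto udp to (wlan0) port $udp_pass_in` opens UDP/53 on the external address, so whatever answers there is reachable by anyone who can reach wlan0; if it is a recursive resolver that is an amplification and abuse exposure, and the `pass in on restricted_nat … from 10.215.2.2` rule below suggests 53 is only needed from inside, so confirm the listener is authoritative-only or restricted to internal clients, otherwise remove 53 from `udp_pass_in`. The set `{ 53 51820 }` is now spelled out literally here and in the earlier `pass in on restricted_nat` rule while `udp_pass_in` carries the same values, so the three will drift; one macro such as `internal_svc_ports = "{ 53 51820 }"` referenced from all three makes the intent explicit. The two `pass in … to (wlan0)` lines carry no `log`, so external SSH and WireGuard attempts never appear in pflog; `pass in log on $ext_if proto tcp to (wlan0) port $tcp_pass_in` costs nothing and is what an incident review will want.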