From 6bdbbfa2ac1a5acaf67dee27f7a756b15254a0e1 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Wed, 12 Oct 2022 21:23:40 -0400 Subject: [PATCH 1/2] Create a firewall role that installs a pf.conf on FreeBSD. Does not yet configure pflog nor does it do anything on Linux. --- .../environments/home/host_vars/homeserver | 1 + ansible/playbook.yaml | 1 + .../roles/firewall/files/homeserver_pf.conf | 33 +++++++++++++++++++ ansible/roles/firewall/files/rc.conf | 2 ++ ansible/roles/firewall/handlers/main.yaml | 5 +++ ansible/roles/firewall/tasks/common.yaml | 14 ++++++++ ansible/roles/firewall/tasks/freebsd.yaml | 29 ++++++++++++++++ ansible/roles/firewall/tasks/linux.yaml | 6 ++++ ansible/roles/firewall/tasks/main.yaml | 2 ++ ansible/roles/firewall/tasks/peruser.yaml | 8 +++++ .../roles/firewall/tasks/peruser_freebsd.yaml | 0 .../roles/firewall/tasks/peruser_linux.yaml | 0 12 files changed, 101 insertions(+) create mode 100644 ansible/roles/firewall/files/homeserver_pf.conf create mode 100644 ansible/roles/firewall/files/rc.conf create mode 100644 ansible/roles/firewall/handlers/main.yaml create mode 100644 ansible/roles/firewall/tasks/common.yaml create mode 100644 ansible/roles/firewall/tasks/freebsd.yaml create mode 100644 ansible/roles/firewall/tasks/linux.yaml create mode 100644 ansible/roles/firewall/tasks/main.yaml create mode 100644 ansible/roles/firewall/tasks/peruser.yaml create mode 100644 ansible/roles/firewall/tasks/peruser_freebsd.yaml create mode 100644 ansible/roles/firewall/tasks/peruser_linux.yaml
diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index 043f581..a73e2c6 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -3,3 +3,4 @@ zfs_snapshot_datasets:
 - zroot/freebsd/computer/be/default
 sshd_enabled: true
 sshd_conf: "sshd_config"
+pf_config: "homeserver_pf.conf"
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 2dafcac..c91cc75 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -8,3 +8,4 @@
 - zsh
 - sshd
 - base
+ - firewall
diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
new file mode 100644
index 0000000..fa5f23c
--- /dev/null
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -0,0 +1,33 @@
+ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
+
+dhcp = "{ bootpc, bootps }"
+# allow = "{ }"
+
+tcp_pass_in = "{ 22 }"
+udp_pass_in = "{ 53 51820 }"
+
+# Rules must be in order: options, normalization, queueing, translation, filtering
+
+# options
+set skip on lo
+
+# redirections
+
+# filtering
+block log all
+pass out on $ext_if
+
+# We pass on the interfaces listed in allow rather than skipping on
+# them because changes to pass rules will update when running a
+# `service pf reload` but interfaces that we `skip` will not update (I
+# forget if its from adding, removing, or both. TODO: test to figure
+# it out)
+# pass quick on $allow
+
+pass on $ext_if proto icmp all
+pass on $ext_if proto icmp6 all
+
+pass in on $ext_if proto tcp to any port $tcp_pass_in
+pass in on $ext_if proto udp to any port $udp_pass_in
+
+pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
diff --git a/ansible/roles/firewall/files/rc.conf b/ansible/roles/firewall/files/rc.conf
new file mode 100644
index 0000000..a070d9b
--- /dev/null
+++ b/ansible/roles/firewall/files/rc.conf
@@ -0,0 +1,2 @@
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
diff --git a/ansible/roles/firewall/handlers/main.yaml b/ansible/roles/firewall/handlers/main.yaml
new file mode 100644
index 0000000..d45cae6
--- /dev/null
+++ b/ansible/roles/firewall/handlers/main.yaml
@@ -0,0 +1,5 @@
+- name: restart pf
+ when: is_pf_running.rc == 0
+ service:
+ name: pf
+ state: reloaded
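Review bot: `pass on $ext_if proto icmp all` and `pass on $ext_if proto icmp6 all` admit every ICMP and ICMPv6 type inbound on all five listed interfaces, because `pass on` without a direction matches both in and out; the usual hardening is to keep the inbound side to the types the host needs, e.g. `pass in on $ext_if inet proto icmp icmp-type { echoreq, unreach }` plus the neighbor-discovery and packet-too-big types for icmp6, while leaving the outbound rule open. The same applies to `udp_pass_in = "{ 53 51820 }"`: port 53 is accepted from any source on every interface, so if any of them faces an untrusted network and a resolver is actually listening this is an open-resolver exposure, and a `from <trusted_net>` qualifier on that rule is worth adding. A short comment above the variable block naming which interface is expected to be untrusted would make those choices reviewable later.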
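Review bot: The handler name `restart pf` does not match what it does (`state: reloaded`), and its `when: is_pf_running.rc == 0` guard references a fact registered only in tasks/freebsd.yaml, so notifying this handler from anywhere else fails on an undefined variable. Renaming it to `reload pf` (with the matching `notify:` in tasks/freebsd.yaml) and a comment such as `# is_pf_running is registered by tasks/freebsd.yaml; a stopped pf cannot be reloaded` would make both constraints visible to the next maintainer.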
diff --git a/ansible/roles/firewall/tasks/common.yaml b/ansible/roles/firewall/tasks/common.yaml
new file mode 100644
index 0000000..d7c1735
--- /dev/null
+++ b/ansible/roles/firewall/tasks/common.yaml
@@ -0,0 +1,14 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/firewall/tasks/freebsd.yaml b/ansible/roles/firewall/tasks/freebsd.yaml
new file mode 100644
index 0000000..412da5d
--- /dev/null
+++ b/ansible/roles/firewall/tasks/freebsd.yaml
@@ -0,0 +1,29 @@
+- name: Install service configuration
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - src: rc.conf
+ dest: /etc/rc.conf.d/pf
+
+- name: Install PF configuration
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ validate: "pfctl -vnf %s"
+ notify: restart pf
+ loop:
+ - src: "{{ pf_config }}"
+ dest: /etc/pf.conf
+
+- name: Check if pf is running
+ shell: service pf status
+ register: is_pf_running
+ failed_when: is_pf_running.rc != 0
+ ignore_errors: true
diff --git a/ansible/roles/firewall/tasks/linux.yaml b/ansible/roles/firewall/tasks/linux.yaml
new file mode 100644
index 0000000..e1835f0
--- /dev/null
+++ b/ansible/roles/firewall/tasks/linux.yaml
@@ -0,0 +1,6 @@
+# - name: Install packages
+# pacman:
+# name:
+# - foo
+# state: present
+# update_cache: true
diff --git a/ansible/roles/firewall/tasks/main.yaml b/ansible/roles/firewall/tasks/main.yaml
new file mode 100644
index 0000000..5d36f50
--- /dev/null
+++ b/ansible/roles/firewall/tasks/main.yaml
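Review bot: `become: yes` under `apply:` is the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule flags it and the rest of this commit uses `true`/`false` (`ignore_errors: true`), so `become: true` keeps the role consistent. The per-user task files this include pulls in are empty in this commit, so the privilege switch currently has nothing to act on; a comment such as `# per-user firewall hooks; peruser_freebsd.yaml / peruser_linux.yaml are placeholders for now` above the include would save the next reader the lookup.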
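Review bot: Nothing in this task file starts pf, while the `restart pf` handler is gated on `is_pf_running.rc == 0`, so on a host where pf was not already running the role writes `pf_enable="YES"` and a validated `/etc/pf.conf` but no rules are enforced until the next reboot; a `service: state: started` step after the config install closes that window, since pf loads `pf_rules` on start and the handler then only matters for the already-running case. The `Check if pf is running` task also pairs `failed_when: is_pf_running.rc != 0` with `ignore_errors: true`, which prints a red failure on every stopped host and reports changed on every run; `failed_when: false` with `changed_when: false` expresses the probe-only intent without the noise, and `command:` suffices because no shell features are used. Presumably `service pf status` also returns non-zero when pf is merely not enabled in rc.conf, which is fine here because rc.conf.d/pf is installed first, but that ordering assumption deserves a comment on the task.

```yaml
# … unchanged: Install service configuration, Install PF configuration …

- name: Ensure pf is running (loads pf_rules on first start; later changes go through the reload handler)
  service:
    name: pf
    state: started

- name: Check if pf is running
  # probe only: must run after rc.conf.d/pf is installed, since `service ... status` fails for a disabled service
  command: service pf status
  register: is_pf_running
  failed_when: false
  changed_when: false
```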
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: (pf_config is defined and os_flavor == "freebsd") or (os_flavor == "linux")
diff --git a/ansible/roles/firewall/tasks/peruser.yaml b/ansible/roles/firewall/tasks/peruser.yaml
new file mode 100644
index 0000000..da9386d
--- /dev/null
+++ b/ansible/roles/firewall/tasks/peruser.yaml
@@ -0,0 +1,8 @@
+- include_role:
+ name: per_user
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/firewall/tasks/peruser_freebsd.yaml b/ansible/roles/firewall/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/firewall/tasks/peruser_linux.yaml b/ansible/roles/firewall/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
From 4d4068c8895c4b655057082afa0ccd54d9db76e2 Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Wed, 12 Oct 2022 22:11:39 -0400 Subject: [PATCH 2/2] Add pflog configuration. --- .../environments/home/host_vars/homeserver | 3 ++ ansible/roles/firewall/defaults/main.yaml | 1 + ansible/roles/firewall/handlers/main.yaml | 11 +++++ ansible/roles/firewall/tasks/freebsd.yaml | 40 +++++++++++++++++++ 4 files changed, 55 insertions(+) create mode 100644 ansible/roles/firewall/defaults/main.yaml
diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index a73e2c6..d13c4a6 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -4,3 +4,6 @@ zfs_snapshot_datasets:
 sshd_enabled: true
 sshd_conf: "sshd_config"
 pf_config: "homeserver_pf.conf"
+pflog_conf:
+ - name: 0
+ dev: pflog0
diff --git a/ansible/roles/firewall/defaults/main.yaml b/ansible/roles/firewall/defaults/main.yaml
new file mode 100644
index 0000000..2f0ece9
--- /dev/null
+++ b/ansible/roles/firewall/defaults/main.yaml
@@ -0,0 +1 @@
+pflog_conf: []
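Review bot: The `when:` on this import lets the role run on Linux hosts where tasks/linux.yaml is entirely commented out, and it silently skips FreeBSD hosts that do not define `pf_config`, so in both cases the play reports the firewall role as applied while the host is left unfiltered. Until the Linux branch exists an explicit signal is safer than a quiet no-op, e.g. a `fail:` (or at least `debug:`) task guarded by the inverse of this condition with `msg: "firewall role: no implementation for this os_flavor or pf_config unset; host is not filtered"`. At minimum a comment such as `# Linux: placeholder only, no rules are installed yet; FreeBSD without pf_config is skipped entirely` above the condition documents the gap.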
diff --git a/ansible/roles/firewall/handlers/main.yaml b/ansible/roles/firewall/handlers/main.yaml
index d45cae6..2ec1a42 100644
--- a/ansible/roles/firewall/handlers/main.yaml
+++ b/ansible/roles/firewall/handlers/main.yaml
@@ -3,3 +3,14 @@
 service:
 name: pf
 state: reloaded
+
+- name: restart pflog
+ when: is_pf_running.rc == 0
+ service:
+ name: pflog
+ state: restarted
+
+- name: stop pflog
+ service:
+ name: pflog
+ state: stopped
diff --git a/ansible/roles/firewall/tasks/freebsd.yaml b/ansible/roles/firewall/tasks/freebsd.yaml
index 412da5d..24406a4 100644
--- a/ansible/roles/firewall/tasks/freebsd.yaml
+++ b/ansible/roles/firewall/tasks/freebsd.yaml
@@ -27,3 +27,43 @@
 register: is_pf_running
 failed_when: is_pf_running.rc != 0
 ignore_errors: true
+
+- name: Enable pflog
+ notify: restart pflog
+ community.general.sysrc:
+ name: pflog_enable
+ value: "YES"
+ path: /etc/rc.conf.d/pflog
+ when: pflog_conf|length > 0
+
+- name: Disable pflog
+ notify: stop pflog
+ community.general.sysrc:
+ name: pflog_enable
+ value: "NO"
+ path: /etc/rc.conf.d/pflog
+ when: pflog_conf|length == 0
+
+- name: Set pflog instances
+ notify: restart pflog
+ community.general.sysrc:
+ name: pflog_instances
+ value: "{{ pflog_conf|community.general.json_query('[].name')|join(' ') }}"
+ path: /etc/rc.conf.d/pflog
+ when: pflog_conf|length > 0
+
+- name: Remove pflog instances
+ notify: stop pflog
+ community.general.sysrc:
+ name: jail_list
+ state: absent
+ path: /etc/rc.conf.d/pflog
+ when: pflog_conf|length == 0
+
+- name: Set pflog device names
+ notify: restart pflog
+ community.general.sysrc:
+ name: "pflog_{{item.name}}_dev"
+ value: "{{ item.dev }}"
+ path: /etc/rc.conf.d/pflog
+ loop: "{{ pflog_conf }}"
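Review bot: The `Remove pflog instances` task removes `jail_list` rather than `pflog_instances`, which reads as a copy-paste slip: when `pflog_conf` goes back to empty, `pflog_enable` is set to NO but the stale `pflog_instances` line stays in /etc/rc.conf.d/pflog, and the `pflog_<n>_dev` keys written by `Set pflog device names` are never removed by any task either. The first part is a one-word fix, `name: pflog_instances`; cleaning up device keys for instances dropped from `pflog_conf` would need the previous instance list, which this role does not have, so a comment such as `# pflog_<n>_dev entries for removed instances are not cleaned up; edit rc.conf.d/pflog by hand` is the honest minimum. Separately, `restart pflog` is gated on `is_pf_running.rc == 0`, so enabling pflog on a host where pf is stopped is silently deferred to the next reboot, the same gap as the pf reload handler.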