83 lines
3.1 KiB
Plaintext
83 lines
3.1 KiB
Plaintext
ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
|
|
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
|
|
jail_nat_v4 = "{ 10.215.1.0/24 }"
|
|
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
|
|
restricted_nat_v4 = "{ 10.215.2.0/24 }"
|
|
not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
|
|
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
|
|
|
|
dhcp = "{ bootpc, bootps }"
|
|
allow = "{ wgh wgf }"
|
|
|
|
tcp_pass_in = "{ 22 }"
|
|
udp_pass_in = "{ 53 51820 }"
|
|
unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
|
|
|
|
# Rules must be in order: options, normalization, queueing, translation, filtering
|
|
|
|
# options
|
|
set skip on lo
|
|
|
|
# queueing
|
|
# altq on wlan0 cbq queue { def, stuff }
|
|
# queue def cbq(default borrow)
|
|
# queue stuff bandwidth 8Mb cbq { dagger }
|
|
# queue dagger cbq(borrow)
|
|
|
|
# redirections
|
|
nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
|
|
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
|
|
|
|
# cloak
|
|
nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
|
|
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
|
|
|
|
# bastion
|
|
rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
|
|
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
|
|
nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
|
|
|
|
|
|
# cloak -> olddagger
|
|
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
|
|
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
|
|
|
|
# -> sftp
|
|
# TODO: Limit bandwidth for sftp
|
|
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
|
|
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
|
|
|
|
# Forward ports for unifi controller
|
|
# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
|
|
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
|
|
|
|
# filtering
|
|
block log all
|
|
pass out on $ext_if
|
|
|
|
# match in on jail_nat from any to any dnpipe 1
|
|
# match in on jail_nat from any to $rfc1918 dnpipe 2
|
|
# match in on restricted_nat from any to any dnpipe 1
|
|
|
|
pass in on jail_nat
|
|
# Allow traffic from my machine to the jails/virtual machines
|
|
pass out on jail_nat from $jail_nat_v4
|
|
pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
|
|
pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
|
|
|
|
# TODO: limit bandwidth for dagger here
|
|
pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
|
|
|
|
# We pass on the interfaces listed in allow rather than skipping on
|
|
# them because changes to pass rules will update when running a
|
|
# `service pf reload` but interfaces that we `skip` will not update (I
|
|
# forget if its from adding, removing, or both. TODO: test to figure
|
|
# it out)
|
|
pass quick on $allow
|
|
|
|
pass on $ext_if proto icmp all
|
|
pass on $ext_if proto icmp6 all
|
|
|
|
pass in on $ext_if proto tcp to any port $tcp_pass_in
|
|
pass in on $ext_if proto udp to any port $udp_pass_in
|