machine_setup/ansible/roles/firewall/files/homeserver_pf.conf
2024-07-12 23:03:53 -04:00

83 lines
3.1 KiB
Plaintext

ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
jail_nat_v4 = "{ 10.215.1.0/24 }"
not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
restricted_nat_v4 = "{ 10.215.2.0/24 }"
not_restricted_nat_v4 = "{ any, !10.215.2.0/24 }"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
dhcp = "{ bootpc, bootps }"
allow = "{ wgh wgf }"
tcp_pass_in = "{ 22 }"
udp_pass_in = "{ 53 51820 }"
unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
# Rules must be in order: options, normalization, queueing, translation, filtering
# options
set skip on lo
# queueing
# altq on wlan0 cbq queue { def, stuff }
# queue def cbq(default borrow)
# queue stuff bandwidth 8Mb cbq { dagger }
# queue dagger cbq(borrow)
# redirections
nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
# cloak
nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
# bastion
rdr pass on $ext_if inet proto {tcp, udp} from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
# cloak -> olddagger
rdr pass on $ext_if inet proto {tcp, udp} from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
# -> sftp
# TODO: Limit bandwidth for sftp
rdr pass on $ext_if inet proto {tcp, udp} from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
# Forward ports for unifi controller
# rdr pass on $ext_if inet proto {tcp, udp} from any to any port 65022 -> 10.213.177.8 port 22
rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports -> 10.215.1.202
# filtering
block log all
pass out on $ext_if
# match in on jail_nat from any to any dnpipe 1
# match in on jail_nat from any to $rfc1918 dnpipe 2
# match in on restricted_nat from any to any dnpipe 1
pass in on jail_nat
# Allow traffic from my machine to the jails/virtual machines
pass out on jail_nat from $jail_nat_v4
pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
# TODO: limit bandwidth for dagger here
pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
# We pass on the interfaces listed in allow rather than skipping on
# them because changes to pass rules will update when running a
# `service pf reload` but interfaces that we `skip` will not update (I
# forget if its from adding, removing, or both. TODO: test to figure
# it out)
pass quick on $allow
pass on $ext_if proto icmp all
pass on $ext_if proto icmp6 all
pass in on $ext_if proto tcp to any port $tcp_pass_in
pass in on $ext_if proto udp to any port $udp_pass_in