talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity
Files
a8822d0bfb6d3372ebc07a7da9af21e2223ead8b
machine_setup/ansible/roles/firewall/files/homeserver_pf.conf
Tom Alexander a8822d0bfb Update for pkgbase rebuild of homeserver.
2026-04-14 15:39:22 -04:00

67 lines
2.0 KiB
Plaintext
Raw Blame History

# TODO: ipv6 RFC 6296 - Network Prefix Translation?
# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
#
# restricted_nat 10.215.2.1/24
# jail_nat 10.215.1.1/24
#
#
# External connections -> 172.16.16.32:8081
# rdr to bastion 10.215.1.217
# snat to bridge?
#
ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
dhcp = "{ bootpc, bootps }"
allow = "{ wgh wgf }"
tcp_pass_in = "{ 22 }"
udp_pass_in = "{ 53 51820 }"
# Rules must be in order: options, normalization, queueing, translation, filtering
# options
set skip on lo
# normalization
# queueing
# translation
nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)
# external -> bastion
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443
# external -> sftp
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22
# filtering
block log all
pass out on $ext_if from (wlan0)
# We pass on the interfaces listed in allow rather than skipping on
# them because changes to pass rules will update when running a
# `service pf reload` but interfaces that we `skip` will not update (I
# forget if its from adding, removing, or both. TODO: test to figure
# it out)
pass quick on $allow
pass on $ext_if proto icmp all
pass on $ext_if proto icmp6 all
pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
pass in on $ext_if proto udp to (wlan0) port $udp_pass_in
# Allow DNS and wireguard from cloak
pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT
# bastion -> cloak
pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED
Reference in New Issue View Git Blame Copy Permalink