pf module
This commit is contained in:
parent
cc919a9bfa
commit
0e3f6e6ff0
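--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,88 @@
+use Rex -feature => ['1.4'];
+use Rex::Commands::File;
+use Rex::Commands::Run;
+use Rex::Template::NG;
+
+user "root";
+
+my %pfvars = (
+# list of TCP ports to open
+"TCPports" => [22, 80, 443],
+
+# list of UDP ports to open
+"UDPports" => ["2000:20010"],
+
+# allow ping?
+"allow_icmp" => 1,
+
+# enable nat? 0= disabled, 1=enabled
+"nat" => 0,
+
+# interface that is behind the NAT
+"nat_from_interface" => "wg0",
+
+# interface that will be used as exit for the NAT
+"nat_to_interface", => "em0",
+);
+
+desc "Deploying PF configuration";
+task "configure", sub {
+file "/etc/pf.conf.new",
+content => template('@pfconf', \%pfvars),
+mode => 400, owner => "root", group => "wheel";
+
+run "Checking new config file",
+command => "pfctl -n -f /etc/pf.conf.new",
+auto_die => TRUE;
+
+run "Installing files and loading config",
+command => "mv /etc/pf.conf /etc/pf.conf.old && mv /etc/pf.conf.new /etc/pf.conf",
+auto_die => TRUE;
+};
+
+__DATA__
+@pfconf
+<% if (@{$TCPports}) {
+%>
+services_tcp="{ <%= join(" ",@{$TCPports}) %> }"
+<% } %>
+
+<% if (@{$UDPports}) {
+%>
+services_udp="{ <%= join(" ",@{$UDPports}) %> }"
+<% } %>
+
+set skip on lo
+set block-policy drop
+
+# block incoming by default
+block return log
+pass out quick
+
+<% if ($nat) { %>
+pass in from <%= $nat_from_interface %>
+pass out quick on egress from <%= $nat_from_interface %>:network to any nat-to <%= $nat_to_interface %>
+<% } %>
+
+<% if (@{$TCPports}) { %>
+# allow TCP
+pass in on egress inet proto tcp from any to (egress) port $services_tcp
+<% } %>
+
+<% if (@{$UDPports}) { %>
+# allow UDP
+pass in on egress inet proto udp from any to (egress) port $services_udp
+<% } %>
+
+<% if ($allow_icmp) { %>
+# allow ICMP (over ipv4)
+pass in on egress inet proto icmp from any to (egress)
+<% } %>
+
+# <-- default rules --->
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+## Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+@end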
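Review bot: The second `run` step is described as "Installing files and loading config" but its command only renames the two files; nothing reloads pf, so the syntax-checked ruleset sits on disk while the previously loaded rules stay active until something else (typically the next boot) reads `/etc/pf.conf`. If activation is intended, keep rename and reload in the same `&&` chain so `auto_die` covers both: `command => "mv /etc/pf.conf /etc/pf.conf.old && mv /etc/pf.conf.new /etc/pf.conf && pfctl -f /etc/pf.conf",`; otherwise rename the step so the log does not claim a reload that never happened. The first `mv` will also die on a host that has no existing `/etc/pf.conf`, which may be acceptable for an OpenBSD target but deserves a one-line comment. Separately, `"nat_to_interface", => "em0",` in `%pfvars` has a stray comma before `=>`; Perl tolerates consecutive commas, but it should read `"nat_to_interface" => "em0",` to match the other keys.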