pf module
This commit is contained in:
parent
cc919a9bfa
commit
0e3f6e6ff0
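--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,88 @@
+use Rex -feature => ['1.4'];
+use Rex::Commands::File;
+use Rex::Commands::Run;
+use Rex::Template::NG;
+
+user "root";
+
+my %pfvars = (
+# list of TCP ports to open
+"TCPports" => [22, 80, 443],
+
+# list of UDP ports to open
+"UDPports" => ["2000:20010"],
+
+# allow ping?
+"allow_icmp" => 1,
+
+# enable nat? 0= disabled, 1=enabled
+"nat" => 0,
+
+# interface that is behind the NAT
+"nat_from_interface" => "wg0",
+
+# interface that will be used as exit for the NAT
+"nat_to_interface", => "em0",
+);
+
+desc "Deploying PF configuration";
+task "configure", sub {
+file "/etc/pf.conf.new",
+content => template('@pfconf', \%pfvars),
+mode => 400, owner => "root", group => "wheel";
+
+run "Checking new config file",
+command => "pfctl -n -f /etc/pf.conf.new",
+auto_die => TRUE;
+
+run "Installing files and loading config",
+command => "mv /etc/pf.conf /etc/pf.conf.old && mv /etc/pf.conf.new /etc/pf.conf",
+auto_die => TRUE;
+};
+
+__DATA__
+@pfconf
+<% if (@{$TCPports}) {
+%>
+services_tcp="{ <%= join(" ",@{$TCPports}) %> }"
+<% } %>
+
+<% if (@{$UDPports}) {
+%>
+services_udp="{ <%= join(" ",@{$UDPports}) %> }"
+<% } %>
+
+set skip on lo
+set block-policy drop
+
+# block incoming by default
+block return log
+pass out quick
+
+<% if ($nat) { %>
+pass in from <%= $nat_from_interface %>
+pass out quick on egress from <%= $nat_from_interface %>:network to any nat-to <%= $nat_to_interface %>
+<% } %>
+
+<% if (@{$TCPports}) { %>
+# allow TCP
+pass in on egress inet proto tcp from any to (egress) port $services_tcp
+<% } %>
+
+<% if (@{$UDPports}) { %>
+# allow UDP
+pass in on egress inet proto udp from any to (egress) port $services_udp
+<% } %>
+
+<% if ($allow_icmp) { %>
+# allow ICMP (over ipv4)
+pass in on egress inet proto icmp from any to (egress)
+<% } %>
+
+# <-- default rules --->
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+
+## Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+@end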
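Review bot: The second `run` step, described as "Installing files and loading config", only renames the files; nothing reloads the ruleset, so the syntax-checked configuration does not take effect until something else runs `pfctl -f /etc/pf.conf` (typically a reboot), and the step's description overstates what it does. Appending the load keeps the check-then-install order intact: `command => "mv /etc/pf.conf /etc/pf.conf.old && mv /etc/pf.conf.new /etc/pf.conf && pfctl -f /etc/pf.conf",`. In the template, the `# allow ping?` comment does not match the rule `pass in on egress inet proto icmp from any to (egress)`, which admits every ICMP type; if only ping is intended, `icmp-type echoreq` narrows it to that. The NAT block's `pass in from <%= $nat_from_interface %>` looks like it should be `pass in on <%= $nat_from_interface %>`, since in pf.conf a bare interface name in an address position expands to that interface's own addresses rather than matching traffic arriving on it — worth confirming against the intended topology. The stray comma in `"nat_to_interface", => "em0",` is tolerated by Perl but reads as a typo and should be dropped.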