Add pf playbook and role

author: binary <me@rgoncalves.se> 2020-11-02 13:27:47 +0100
committer: binary <me@rgoncalves.se> 2020-11-02 13:27:47 +0100
commit: 8b29860208438a77af8a974a72e688599ca484c1 (patch)
tree: 075ff7c7dc695ed4f6ed56b169a50bcd0016c670 /roles/pf/templates/pf.conf.j2
parent: cfe4db7482bd7e3be8fa406aa6080e10710ab648 (diff)
download: infrastructure-8b29860208438a77af8a974a72e688599ca484c1.tar.gz
1 files changed, 35 insertions, 0 deletions
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..64001cf
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,35 @@
+
+{# pf ~~ templates/pf.conf.j2 #}
+
+# pf ~~ /etc/pf.conf
+
+# ========================= #
+# common config. by Ansible
+# ========================= #
+
+set block-policy drop
+set loginterface egress
+set skip on { lo tun0 }
+
+block all
+
+{% for key, value in services.tcp.items() %}
+pass in quick on egress proto tcp to port {{ value }}
+{% endfor %}
+{% for key, value in services.udp.items() %}
+pass in quick on egress proto udp to port {{ value }}
+{% endfor %}
+
+# ====================== #
+# sub-config. by Ansible
+# ====================== #
+
+{% include "templates/" + inventory_hostname + "/etc/pf.conf.j2" %}
+
+# ========================= #
+# out. interface by Ansible 
+# ========================= #
+
+pass out quick inet
+pass in proto { icmp, icmp6 } all
+
author	binary <me@rgoncalves.se>	2020-11-02 13:27:47 +0100
committer	binary <me@rgoncalves.se>	2020-11-02 13:27:47 +0100
commit	8b29860208438a77af8a974a72e688599ca484c1 (patch)
tree	075ff7c7dc695ed4f6ed56b169a50bcd0016c670 /roles/pf/templates/pf.conf.j2
parent	cfe4db7482bd7e3be8fa406aa6080e10710ab648 (diff)
download	infrastructure-8b29860208438a77af8a974a72e688599ca484c1.tar.gz