author | Romain Gonçalves <me@rgoncalves.se> | 2021-12-11 18:50:33 +0000 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2021-12-11 18:50:33 +0000 |
commit | de3373e97d133e0ac76fb44deb5dea27c18d8815 (patch) | |
tree | 5b63b301ff180ef837ca6fb6a676e31cb87d326c /roles/pf | |
parent | e60e99796111ee6d43080b4e48971c08886c0570 (diff) | |
download | rules-de3373e97d133e0ac76fb44deb5dea27c18d8815.tar.gz |
roles: Add pf and relayd roles for domain controller
Diffstat (limited to 'roles/pf')
-rw-r--r-- | roles/pf/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/pf/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/pf/tasks/main.yml | 25 | ||||
-rw-r--r-- | roles/pf/templates/pf.conf.j2 | 24 |
4 files changed, 52 insertions, 0 deletions
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
new file mode 100644
index 0000000..777717d
--- /dev/null
+++ b/roles/pf/defaults/main.yml
@@ -0,0 +1 @@
+pf_configuration_file: /etc/pf.conf
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
new file mode 100644
index 0000000..187e769
--- /dev/null
+++ b/roles/pf/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: lint pf configuration
+  command: "pfctl -nf {{ pf_configuration_file }}"
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
new file mode 100644
index 0000000..4fafb77
--- /dev/null
+++ b/roles/pf/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: generate pf configuration
+  template:
+    src: pf.conf.j2
+    dest: "{{ pf_configuration_file }}"
+    owner: 0
+    group: 0
+    mode: 0600
+  notify:
+    - lint pf configuration
+
+- name: enable pf
+  command: pfctl -e
+  register: result
+  failed_when:
+    - result.rc != 0
+    - "'already enabled' not in result.stderr"
+
+- name: restart pf
+  command: pfctl -f "{{ pf_configuration_file }}"
+
+- name: test ssh connection on new pf rule
+  wait_for:
+    port: 22
+    delay: 2
+    state: started
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..6bc936a
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,24 @@
+# managed by Ansible
+{% import 'macros.j2' as macros with context %}
+
+# common configuration
+set block-policy drop
+set loginterface egress
+set skip on { lo wg0 }
+block all
+
+# force ssh if not present below
+pass in quick on egress proto tcp to port 22
+
+# host services
+{% for service in __services %}
+pass in quick on egress proto {{ service["protocol"] }} to port {{ service["port"] }}
+{% endfor %}
+
+# wireguard
+pass in on egress inet proto udp from any to any port 50000
+pass out quick on egress inet from (wg0:network) nat-to (egress:0)
+
+# output network
+pass out quick inet
+pass in proto { icmp, icmp6 } all
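Review bot: The `lint pf configuration` handler cannot protect the host, because a notified handler runs at the end of the play, and the tasks file in this same commit already runs `pfctl -f` on the new file before that point — a syntax error is loaded (or rejected by pfctl, leaving whatever ruleset was active) before the lint ever executes. The check belongs where the file is written: drop the handler and give the template task `validate: "pfctl -nf %s"`, which runs `pfctl -nf` against the temporary copy and leaves the previous `/etc/pf.conf` untouched when parsing fails. If the handler is kept for some other reason, a comment such as `# NOTE: runs after pfctl -f; does not gate the reload` should say so.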
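Review bot: The `test ssh connection on new pf rule` task does not exercise the new rule: `wait_for` with no `host` connects to 127.0.0.1 on the managed node, and the template in this commit has `set skip on { lo wg0 }`, so loopback is never filtered and the check passes regardless of what was loaded on `egress`. The meaningful test is a fresh connection from the controller through the live ruleset, e.g. `wait_for_connection:` with `delay: 2` and `timeout: 60`, placed right after the `pfctl -f` task. Separately, `pfctl -f` runs on every play even when the template did not change; if that is intended as a "reload to be safe" step, a one-line comment saying so (or `changed_when: false` plus a `when: pf_conf.changed` guard from a registered template result) would make the intent clear. The `pfctl -e` handling of `already enabled` via `failed_when` looks right.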
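Review bot: The last rule, `pass in proto { icmp, icmp6 } all`, accepts every ICMP and ICMPv6 type on every filtered interface with no source or type restriction, which is broader than a default-drop host policy needs; restricting it to the types the host actually requires is the usual hardening, e.g. `pass in inet proto icmp icmp-type { echoreq, unreach }` and `pass in inet6 proto icmp6 icmp6-type { echoreq, unreach, toobig, neighbrsol, neighbradv, routeradv }` (the last three only if IPv6 neighbour discovery is needed on egress). The SSH rule `pass in quick on egress proto tcp to port 22` has no rate limit; since the host is internet-facing on `egress`, adding `max-src-conn-rate` with an `overload <bruteforce>` table is worth considering, as this is a well-established pf pattern. Note also that `pass out quick inet` and the WireGuard rule are IPv4-only while `block all` covers both families, so outbound IPv6 from the host is dropped — if that is deliberate a comment such as `# no inet6 egress by design` would save the next reader a puzzle. The `{% import 'macros.j2' as macros with context %}` line is unused in this template and can go.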