Diffstat (limited to 'roles/pf')
-rw-r--r--roles/pf/defaults/main.yml1
-rw-r--r--roles/pf/handlers/main.yml2
-rw-r--r--roles/pf/tasks/main.yml25
-rw-r--r--roles/pf/templates/pf.conf.j224
4 files changed, 52 insertions, 0 deletions
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
new file mode 100644
index 0000000..777717d
--- /dev/null
+++ b/roles/pf/defaults/main.yml
@@ -0,0 +1 @@
+pf_configuration_file: /etc/pf.conf
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
new file mode 100644
index 0000000..187e769
--- /dev/null
+++ b/roles/pf/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: lint pf configuration
+ command: "pfctl -nf {{ pf_configuration_file }}"
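Review bot: This lint handler fires only when handlers are flushed at the end of the play, which is after the `pfctl -f` task in roles/pf/tasks/main.yml has already loaded the rendered ruleset, so `pfctl -nf` can never reject a broken configuration before it takes effect; `pfctl -f` itself already fails on a syntax error, so the handler adds nothing. The check is only useful if it runs before the file replaces the live ruleset, which is exactly what the `template` module's `validate: 'pfctl -nf %s'` option does, and using it would make this handler unnecessary. If the handler is kept anyway, give it `changed_when: false` so a syntax check is not reported as a change on every run.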
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
new file mode 100644
index 0000000..4fafb77
--- /dev/null
+++ b/roles/pf/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: generate pf configuration
+ template:
+ src: pf.conf.j2
+ dest: "{{ pf_configuration_file }}"
+ owner: 0
+ group: 0
+ mode: 0600
+ notify:
+ - lint pf configuration
+
+- name: enable pf
+ command: pfctl -e
+ register: result
+ failed_when:
+ - result.rc != 0
+ - "'already enabled' not in result.stderr"
+
+- name: restart pf
+ command: pfctl -f "{{ pf_configuration_file }}"
+
+- name: test ssh connection on new pf rule
+ wait_for:
+ port: 22
+ delay: 2
+ state: started
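Review bot: The `wait_for` on port 22 runs on the managed host and connects to its own loopback, which `set skip on { lo wg0 }` in the template exempts from filtering, so it proves sshd is listening but never exercises the egress rule it is named after; a lockout caused by a bad ruleset would pass this check. A meaningful check needs a fresh TCP connection that crosses egress, e.g. `delegate_to: localhost` with `host: "{{ ansible_host | default(inventory_hostname) }}"` (adjust if the controller reaches the host via a jump host or via wg0), and ideally the template task should carry `validate: 'pfctl -nf %s'` so a syntactically broken file never reaches `pfctl -f` at all. Two smaller points: `pfctl -f` reports `changed` on every run, so consider registering the template result and reloading only `when` it changed, and write the mode as `mode: "0600"` as the Ansible docs recommend, since an unquoted leading-zero literal depends on the YAML loader's octal handling.
```yaml
# … unchanged: generate pf configuration, enable pf, restart pf …

# Open a fresh connection from the controller through egress; a loopback
# check never crosses the ruleset because lo is in 'set skip'.
- name: test ssh connection on new pf rule
  wait_for:
    host: "{{ ansible_host | default(inventory_hostname) }}"
    port: 22
    delay: 2
    timeout: 30
    state: started
  delegate_to: localhost
```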
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..6bc936a
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,24 @@
+# managed by Ansible
+{% import 'macros.j2' as macros with context %}
+
+# common configuration
+set block-policy drop
+set loginterface egress
+set skip on { lo wg0 }
+block all
+
+# force ssh if not present below
+pass in quick on egress proto tcp to port 22
+
+# host services
+{% for service in __services %}
+pass in quick on egress proto {{ service["protocol"] }} to port {{ service["port"] }}
+{% endfor %}
+
+# wireguard
+pass in on egress inet proto udp from any to any port 50000
+pass out quick on egress inet from (wg0:network) nat-to (egress:0)
+
+# output network
+pass out quick inet
+pass in proto { icmp, icmp6 } all
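Review bot: The trailing `pass in proto { icmp, icmp6 } all` admits every ICMP and ICMPv6 type on every filtered interface, and because pf uses last-match and this rule is last, it overrides the initial `block all` for all such traffic; restrict it to the types the host needs, e.g. `pass in inet proto icmp all icmp-type { echoreq, unreach }` and `pass in inet6 proto icmp6 all icmp6-type { echoreq, unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routeradv }`. The ruleset also only passes outbound IPv4 (`pass out quick inet`) while inbound accepts icmp6, so if IPv6 is expected to work on egress a `pass out quick inet6` is missing, and if it is not, a comment saying so would stop the asymmetry being read as an oversight. Finally, `set skip on { lo wg0 }` turns filtering off on wg0 entirely, so every WireGuard peer reaches all host services and, through the `nat-to` rule, the internet; a comment such as `# wg0 is unfiltered: every WireGuard peer is fully trusted` would make that trust decision explicit for the next maintainer.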