bsdnix/roles/firewall/templates/pf.conf.j2

# 
# Look at past logs                tcpdump -n -e -ttt -r /var/log/pflog
# Look at live logs (aka tail -f): tcpdump -n -e -ttt -i pflog0
#
# Look at entries in table <bad_hosts> (SSH Limit Block):
#   pfctl -t bad_hosts -T show
# Delete an ip from table:
#   pfctl -t bad_hosts -T delete $ip  

ext_if="{{ ansible_default_ipv6.interface }}"
jail_net="{{ jailnet.stdout }}"

### Default block policy is to return a reset packet
set block-policy drop

# fairness my ass
set optimization aggressive

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Ignore loopback interface
set skip on lo

### Allow empty table to exist
table <jails> persist

### Block on incoming traffic
block in log all

### Allow outgoing, skip others rules if match, and track connections
pass out quick keep state
pass out inet6 keep state

# FIXME: does not survice reboots, that is: pf blocks after a reboot, pf must be reloaded, then it works
pass out quick on $ext_if keep state
pass out on $ext_if inet6 keep state

### Allow traffic coming from jails
pass in on $ext_if inet6 from $jail_net keep state

### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
### And block incoming traffic from $ext_if IP on $ext_if interface
antispoof for $ext_if inet6

### Allow SSH
table <bad_hosts> persist
pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
     flags S/SAFR keep state \
     (max-src-conn-rate 10/60, \
     overload <bad_hosts> flush global) label ServicesTCP

# allow ansible answers
pass out on $ext_if proto tcp from port 22 to any flags any
     
# ipv6 icmp
pass in quick inet6 proto icmp6 all keep state
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`#`
			`# Look at past logs tcpdump -n -e -ttt -r /var/log/pflog`
			`# Look at live logs (aka tail -f): tcpdump -n -e -ttt -i pflog0`
			`#`
			`# Look at entries in table <bad_hosts> (SSH Limit Block):`
			`# pfctl -t bad_hosts -T show`
			`# Delete an ip from table:`
			`# pfctl -t bad_hosts -T delete $ip`

got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00			`ext_if="{{ ansible_default_ipv6.interface }}"`
fixes: - finally fixed pf.conf - got Bastillefile working (sshd_config missing yet) - re-activated network role to set net variables - fixed make [all] - use hetzner volume for jail home - use ramdisk for /tmp inside jail 2024-11-21 19:38:55 +01:00			`jail_net="{{ jailnet.stdout }}"`
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00
			`### Default block policy is to return a reset packet`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`set block-policy drop`

			`# fairness my ass`
			`set optimization aggressive`

got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00			`### Reassemble fragmented packets`
			`scrub in on $ext_if all fragment reassemble`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00			`### Ignore loopback interface`
			`set skip on lo`

			`### Allow empty table to exist`
			`table <jails> persist`

			`### Block on incoming traffic`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`block in log all`
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00
			`### Allow outgoing, skip others rules if match, and track connections`
			`pass out quick keep state`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`pass out inet6 keep state`
fixed resolv.conf, user creation, pf, added skel files (fails) 2024-11-24 13:12:51 +01:00
			`# FIXME: does not survice reboots, that is: pf blocks after a reboot, pf must be reloaded, then it works`
fixes: - finally fixed pf.conf - got Bastillefile working (sshd_config missing yet) - re-activated network role to set net variables - fixed make [all] - use hetzner volume for jail home - use ramdisk for /tmp inside jail 2024-11-21 19:38:55 +01:00			`pass out quick on $ext_if keep state`
			`pass out on $ext_if inet6 keep state`

			`### Allow traffic coming from jails`
			`pass in on $ext_if inet6 from $jail_net keep state`
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00
			`### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface`
			`### And block incoming traffic from $ext_if IP on $ext_if interface`
			`antispoof for $ext_if inet6`

			`### Allow SSH`
finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`table <bad_hosts> persist`
			`pass in quick on $ext_if inet6 proto tcp from any to any port ssh \`
			`flags S/SAFR keep state \`
			`(max-src-conn-rate 10/60, \`
			`overload <bad_hosts> flush global) label ServicesTCP`

fixes: - finally fixed pf.conf - got Bastillefile working (sshd_config missing yet) - re-activated network role to set net variables - fixed make [all] - use hetzner volume for jail home - use ramdisk for /tmp inside jail 2024-11-21 19:38:55 +01:00			`# allow ansible answers`
			`pass out on $ext_if proto tcp from port 22 to any flags any`

finally got the ipv6 jail stuff working, yeah 2024-11-20 18:15:48 +01:00			`# ipv6 icmp`
			`pass in quick inet6 proto icmp6 all keep state`