~sirn/ansible-freebsd-pf

Ansible role for configuring pf firewall on FreeBSD host
clone

read-only
https://git.sr.ht/~sirn/ansible-freebsd-pf
read/write
git@git.sr.ht:~sirn/ansible-freebsd-pf


# ansible-freebsd-pf

Ansible role that configures the pf firewall on a FreeBSD host from the variables documented below.

## Variables

### pf_allow_ipv4

```yaml
pf_allow_ipv4: true
```

Allow IPv4 access.

### pf_allow_ipv6

```yaml
pf_allow_ipv6: false
```

Allow IPv6 access.

### pf_allowed_ifaces

```yaml
pf_allowed_ifaces: []
```

List of interface names on which any connection is accepted. Useful for jails (e.g. the bridge or epair interface the jails sit behind).

### pf_anchors

```yaml
pf_anchors: []
```

Names of pf anchors under which rules can be added dynamically at runtime. For each name, `pf_anchors` adds an anchor of the form `name/*`, so any sub-anchor with the `name/` prefix is evaluated.

### pf_anchors_single

```yaml
pf_anchors_single: []
```

Names of pf anchors under which rules can be added. For each name, `pf_anchors_single` adds an anchor named exactly `name` (no `/*` wildcard), so only rules loaded into that anchor itself are evaluated, not into sub-anchors below it.

### pf_ext_iface

```yaml
pf_ext_iface: em0
```

Name of the external interface. You must change this to the host's actual external interface (as shown by `ifconfig`), otherwise the generated ruleset will render the system inaccessible.

### pf_ipv4_allowed_ports

```yaml
pf_ipv4_allowed_ports: []
```

Allow incoming IPv4 connections to the given ports. The array must be configured in this format:

```yaml
pf_ipv4_allowed_ports:
    - proto: tcp
      source: 192.168.1.0/24
      to_address: 192.168.1.1
      to_port: 80
```

- `proto` specifies the protocol (`tcp`, `udp`; see also `man 5 pf.conf`)
- `source` specifies the source address or network for this rule (default: `any`)
- `to_address` specifies the destination address for this rule (default: `any`)
- `to_port` specifies the destination port for this rule

Minimal configuration for allowed ports could be written as:

```yaml
pf_ipv4_allowed_ports:
    - proto: tcp
      to_port: 80
    - proto: tcp
      to_port: 443
```
### pf_ipv4_forwarded_ports

```yaml
pf_ipv4_forwarded_ports: []
```

Forward connections arriving at the given IPv4 address and port to another IPv4 address and port. The array must be configured in this format:

```yaml
pf_ipv4_forwarded_ports:
    - proto: tcp
      to_address: 192.168.1.1
      to_port: 80
      dest_address: 192.168.50.1
      dest_port: 8080
```

- `proto` specifies the protocol (`tcp`, `udp`; see also `man 5 pf.conf`)
- `to_address` specifies the destination address for this rule (default: the address of `pf_ext_iface`)
- `to_port` specifies the destination port for this rule
- `dest_address` specifies the address the connection is redirected to
- `dest_port` specifies the port the connection is redirected to

In the example above, the rule redirects TCP connections to 192.168.1.1 port 80 to 192.168.50.1 port 8080 (e.g. inside a jail). Note that this setting implicitly allows incoming connections to the given `to_port`.

### pf_ipv4_nat

```yaml
pf_ipv4_nat: []
```

Enable NAT for the given IPv4 addresses or IPv4 CIDR blocks, typically a private jail network that should reach the outside through the host, for example:

```yaml
pf_ipv4_nat:
    - 192.168.50.0/24
```
### pf_ipv6_allowed_ports

```yaml
pf_ipv6_allowed_ports: []
```

Allow incoming IPv6 connections to the given ports. The array must be configured in this format:

```yaml
pf_ipv6_allowed_ports:
    - proto: tcp
      source: fc00::/7
      to_address: fc00::1
      to_port: 80
```

- `proto` specifies the protocol (`tcp`, `udp`; see also `man 5 pf.conf`)
- `source` specifies the source address or network for this rule (default: `any`)
- `to_address` specifies the destination address for this rule (default: `any`)
- `to_port` specifies the destination port for this rule

Minimal configuration for allowed ports could be written as:

```yaml
pf_ipv6_allowed_ports:
    - proto: tcp
      to_port: 80
    - proto: tcp
      to_port: 443
```
### pf_ipv6_forwarded_ports

```yaml
pf_ipv6_forwarded_ports: []
```

Forward connections arriving at the given IPv6 address and port to another IPv6 address and port. The array must be configured in this format:

```yaml
pf_ipv6_forwarded_ports:
    - proto: tcp
      to_address: 2001:db8::1
      to_port: 80
      dest_address: 2001:db8::e8f4
      dest_port: 8080
```

- `proto` specifies the protocol (`tcp`, `udp`; see also `man 5 pf.conf`)
- `to_address` specifies the destination address for this rule (default: the address of `pf_ext_iface`)
- `to_port` specifies the destination port for this rule
- `dest_address` specifies the address the connection is redirected to
- `dest_port` specifies the port the connection is redirected to

In the example above, the rule redirects TCP connections to 2001:db8::1 port 80 to 2001:db8::e8f4 port 8080 (e.g. inside a jail). Note that this setting implicitly allows incoming connections to the given `to_port`.

### pf_load

```yaml
pf_load: true
```

Control loading of the pf kernel module. Disable this within VNET jails, which cannot load kernel modules; pf must be loaded on the host instead.

### pf_nat_anchors

```yaml
pf_nat_anchors: []
```

Names of pf NAT anchors under which rules can be added dynamically at runtime. Unlike `pf_anchors`, a NAT anchor (`nat-anchor`) only accepts NAT rules. For each name, `pf_nat_anchors` adds an anchor of the form `name/*`, so any sub-anchor with the `name/` prefix is evaluated.

### pf_nat_anchors_single

```yaml
pf_nat_anchors_single: []
```

Names of pf NAT anchors under which rules can be added. Unlike `pf_anchors_single`, a NAT anchor only accepts NAT rules. For each name, `pf_nat_anchors_single` adds an anchor named exactly `name`, so only rules loaded into that anchor itself are evaluated.

### pf_rdr_anchors

```yaml
pf_rdr_anchors: []
```

Names of pf RDR anchors under which rules can be added dynamically at runtime. Unlike `pf_anchors`, an RDR anchor (`rdr-anchor`) only accepts redirection rules. For each name, `pf_rdr_anchors` adds an anchor of the form `name/*`, so any sub-anchor with the `name/` prefix is evaluated.

### pf_rdr_anchors_single

```yaml
pf_rdr_anchors_single: []
```

Names of pf RDR anchors under which rules can be added. Unlike `pf_anchors_single`, an RDR anchor only accepts redirection rules. For each name, `pf_rdr_anchors_single` adds an anchor named exactly `name`, so only rules loaded into that anchor itself are evaluated.

### pf_ssh_port

```yaml
pf_ssh_port: 22
```

SSH port allowed by default for both IPv4 and IPv6. Setting this to `false` disables the default SSH rule. This variable takes only a port and offers no source restriction; to allow SSH from particular networks only, set it to `false` and add an entry with `source` to `pf_ipv4_allowed_ports` (and `pf_ipv6_allowed_ports`).
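The following playbook is an added example that combines the variables above; it is not part of the role and not the role's own test fixture. It assumes (none of which the page states) that the role is installed under the name `ansible-freebsd-pf`, that the host's external interface is `vtnet0`, that jails live on `10.0.0.0/24` behind `bridge0`, that `203.0.113.0/24` is the management network from which SSH should be reachable, and that a jail manager loads its own rules into the `jails/web` sub-anchor. The `post_tasks` step is one way to exercise the `pf_anchors` / `pf_rdr_anchors` wildcard: `pfctl -a jails/web -f -` reads a ruleset from standard input and attaches it under the `jails/*` anchor the role declares.

```yaml
# Added example playbook for ~sirn/ansible-freebsd-pf (not part of the role).
# Assumed, not from the README: role name, interface names, addresses below.
- hosts: freebsd_gateways
  become: true
  vars:
    pf_load: true                 # set to false if this host is itself a VNET jail
    pf_ext_iface: vtnet0          # REQUIRED: the em0 default locks out any other hardware
    pf_allow_ipv4: true
    pf_allow_ipv6: true

    # Disable the role's unrestricted SSH rule and re-add SSH with a source restriction.
    pf_ssh_port: false
    pf_ipv4_allowed_ports:
      - proto: tcp
        source: 203.0.113.0/24    # assumed management network; only it may reach SSH
        to_port: 22
      - proto: tcp
        to_port: 80
      - proto: tcp
        to_port: 443
    pf_ipv6_allowed_ports:
      - proto: tcp
        to_port: 443

    # Jail traffic: the bridge is trusted, the jail subnet is NATed, and public
    # port 8080 on the external interface is redirected to the web jail.
    # (Remember: the forwarded port is implicitly allowed, from any source.)
    pf_allowed_ifaces:
      - bridge0
    pf_ipv4_nat:
      - 10.0.0.0/24
    pf_ipv4_forwarded_ports:
      - proto: tcp
        to_port: 8080             # to_address defaults to the external interface
        dest_address: 10.0.0.10   # assumed address of the web jail
        dest_port: 80

    # Anchors for rules managed outside this role (e.g. a jail manager, fail2ban).
    # "jails" becomes "jails/*", so jails/web below is evaluated.
    pf_anchors:
      - jails
    pf_rdr_anchors:
      - jails

  roles:
    - ansible-freebsd-pf

  post_tasks:
    # Demonstrates runtime use of the wildcard anchor: rules are fed to pfctl on
    # stdin and land under jails/web without touching /etc/pf.conf.
    - name: Load per-jail rules into the jails/web sub-anchor
      ansible.builtin.command:
        cmd: pfctl -a jails/web -f -
        stdin: |
          pass in quick on bridge0 proto tcp from 10.0.0.10 to any port 53
          block in quick on bridge0 from 10.0.0.10 to 10.0.0.0/24
```

Before the first run, confirm that `pf_ext_iface` matches the interface name on the target (`ifconfig`); a wrong value is the lockout the `pf_ext_iface` section warns about. After a run, `pfctl -sr` and `pfctl -sa jails/web` show the main ruleset and the rules loaded into the sub-anchor, and `pfctl -nf /etc/pf.conf` parses the generated file without loading it if you want to review a change before applying it.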