initial commit of hypervisor configs

1 files changed, 37 insertions, 0 deletions

diff --git a/files/etc/pf.conf.freebsd b/files/etc/pf.conf.freebsd
new file mode 100644
index 0000000..633f3ef
--- /dev/null
+++ b/files/etc/pf.conf.freebsd
@@ -0,0 +1,37 @@
+egress = "${BOXCONF_DEFAULT_INTERFACE}"
+allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
+allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"
+acme_standalone_port = ${acme_standalone_port}
+acme_standalone_user = ${acme_uid}
+nfscbd_port = ${nfscbd_port}
+
+set block-policy return
+set skip on lo
+scrub in on \$egress all fragment reassemble no-df
+
+$([ "${acme_standalone:-}" = true ] && echo \
+  'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'
+
+[ -n "${redirect_tcp_ports:-}" ] && printf \
+  'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports
+
+[ -n "${redirect_udp_ports:-}" ] && printf \
+  'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)
+
+antispoof quick for \$egress
+
+block all
+pass out quick on \$egress inet
+pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }
+
+$([ "${acme_standalone:-}" = true ] && echo \
+  'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'
+
+[ -n "${allowed_tcp_ports:-}" ] && echo \
+  'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'
+
+[ -n "${allowed_udp_ports:-}" ] && echo \
+  'pass in quick on $egress inet proto udp to port $allowed_udp_ports'
+
+[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
+  'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port')