aboutsummaryrefslogtreecommitdiff
path: root/files/etc/pf.conf.nfs_server
diff options
context:
space:
mode:
authorCullum Smith <cullum@sacredheartsc.com>2024-10-22 22:01:49 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-10-22 22:01:49 -0400
commitf9301e0fe52313581920026a186955c78fcbe831 (patch)
tree9a9d8ea8df1bbf2e5d1253d2398ad469acd96b12 /files/etc/pf.conf.nfs_server
parent39358af4e65a0bcd193797ac5003b0adc9b4225b (diff)
downloadinfrastructure-f9301e0fe52313581920026a186955c78fcbe831.tar.gz
zfs autosnapshots, syncthing, pam cleanup
Diffstat (limited to 'files/etc/pf.conf.nfs_server')
-rw-r--r--files/etc/pf.conf.nfs_server52
1 files changed, 52 insertions, 0 deletions
diff --git a/files/etc/pf.conf.nfs_server b/files/etc/pf.conf.nfs_server
new file mode 100644
index 0000000..628ed7c
--- /dev/null
+++ b/files/etc/pf.conf.nfs_server
@@ -0,0 +1,52 @@
+$(if [ -n "${pf_egress_interfaces:-}" ]; then
+ printf 'egress = "{ %s }"\n' "$(join ', ' $pf_egress_interfaces)"
+ else
+ printf 'egress = "%s"\n' "$BOXCONF_DEFAULT_INTERFACE"
+ fi)
+allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
+allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"
+
+$([ "${acme_standalone:-}" = true ] && cat <<EOF
+acme_standalone_port = ${acme_standalone_port}
+acme_standalone_user = $(id -u "$acme_user")
+EOF
+)
+nfscbd_port = ${nfscbd_port}
+
+set block-policy return
+set skip on lo
+$([ -n "${pf_skip_interfaces:-}" ] && printf \
+ 'set skip on %s\n' $pf_skip_interfaces)
+
+scrub in on \$egress all fragment reassemble no-df
+
+$([ "${acme_standalone:-}" = true ] && echo \
+ 'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'
+
+[ -n "${redirect_tcp_ports:-}" ] && printf \
+ 'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports
+
+[ -n "${redirect_udp_ports:-}" ] && printf \
+ 'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)
+
+antispoof quick for \$egress
+
+block all
+pass out quick on \$egress inet
+pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }
+
+$([ "${acme_standalone:-}" = true ] && echo \
+ 'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'
+
+[ -n "${allowed_tcp_ports:-}" ] && echo \
+ 'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'
+
+[ -n "${allowed_udp_ports:-}" ] && echo \
+ 'pass in quick on $egress inet proto udp to port $allowed_udp_ports'
+
+[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
+ 'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port'
+
+for user in ${syncthing_users:-}; do uid=$(id -u "$user"); eval "port=\$syncthing_${user}_port"; printf \
+ 'pass in quick on $egress inet proto { tcp, udp } to port %s user %s\n' "$port" "$(id -u "$user")"
+done)