diff options
author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-22 22:01:49 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-22 22:01:49 -0400 |
commit | f9301e0fe52313581920026a186955c78fcbe831 (patch) | |
tree | 9a9d8ea8df1bbf2e5d1253d2398ad469acd96b12 /files/etc/pf.conf.nfs_server | |
parent | 39358af4e65a0bcd193797ac5003b0adc9b4225b (diff) | |
download | infrastructure-f9301e0fe52313581920026a186955c78fcbe831.tar.gz |
zfs autosnapshots, syncthing, pam cleanup
Diffstat (limited to 'files/etc/pf.conf.nfs_server')
-rw-r--r-- | files/etc/pf.conf.nfs_server | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/files/etc/pf.conf.nfs_server b/files/etc/pf.conf.nfs_server new file mode 100644 index 0000000..628ed7c --- /dev/null +++ b/files/etc/pf.conf.nfs_server @@ -0,0 +1,52 @@ +$(if [ -n "${pf_egress_interfaces:-}" ]; then + printf 'egress = "{ %s }"\n' "$(join ', ' $pf_egress_interfaces)" + else + printf 'egress = "%s"\n' "$BOXCONF_DEFAULT_INTERFACE" + fi) +allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }" +allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }" + +$([ "${acme_standalone:-}" = true ] && cat <<EOF +acme_standalone_port = ${acme_standalone_port} +acme_standalone_user = $(id -u "$acme_user") +EOF +) +nfscbd_port = ${nfscbd_port} + +set block-policy return +set skip on lo +$([ -n "${pf_skip_interfaces:-}" ] && printf \ + 'set skip on %s\n' $pf_skip_interfaces) + +scrub in on \$egress all fragment reassemble no-df + +$([ "${acme_standalone:-}" = true ] && echo \ + 'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port' + +[ -n "${redirect_tcp_ports:-}" ] && printf \ + 'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports + +[ -n "${redirect_udp_ports:-}" ] && printf \ + 'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports) + +antispoof quick for \$egress + +block all +pass out quick on \$egress inet +pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach } + +$([ "${acme_standalone:-}" = true ] && echo \ + 'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user' + +[ -n "${allowed_tcp_ports:-}" ] && echo \ + 'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports' + +[ -n "${allowed_udp_ports:-}" ] && echo \ + 'pass in quick on $egress inet proto udp to port $allowed_udp_ports' + +[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \ + 'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port' + +for user in ${syncthing_users:-}; do uid=$(id -u "$user"); eval "port=\$syncthing_${user}_port"; printf \ + 'pass in quick on $egress inet proto { tcp, udp } to port %s user %s\n' "$port" "$(id -u "$user")" +done) |