From f9301e0fe52313581920026a186955c78fcbe831 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Tue, 22 Oct 2024 22:01:49 -0400
Subject: zfs autosnapshots, syncthing, pam cleanup

---
 files/etc/pf.conf.nfs_server | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 files/etc/pf.conf.nfs_server

(limited to 'files/etc/pf.conf.nfs_server')

diff --git a/files/etc/pf.conf.nfs_server b/files/etc/pf.conf.nfs_server
new file mode 100644
index 0000000..628ed7c
--- /dev/null
+++ b/files/etc/pf.conf.nfs_server
@@ -0,0 +1,52 @@
+$(if [ -n "${pf_egress_interfaces:-}" ]; then
+    printf 'egress = "{ %s }"\n' "$(join ', ' $pf_egress_interfaces)"
+  else
+    printf 'egress = "%s"\n' "$BOXCONF_DEFAULT_INTERFACE"
+  fi)
+allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
+allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"
+
+$([ "${acme_standalone:-}" = true ] && cat <<EOF
+acme_standalone_port = ${acme_standalone_port}
+acme_standalone_user = $(id -u "$acme_user")
+EOF
+)
+nfscbd_port = ${nfscbd_port}
+
+set block-policy return
+set skip on lo
+$([ -n "${pf_skip_interfaces:-}" ] && printf \
+  'set skip on %s\n' $pf_skip_interfaces)
+
+scrub in on \$egress all fragment reassemble no-df
+
+$([ "${acme_standalone:-}" = true ] && echo \
+  'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'
+
+[ -n "${redirect_tcp_ports:-}" ] && printf \
+  'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports
+
+[ -n "${redirect_udp_ports:-}" ] && printf \
+  'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)
+
+antispoof quick for \$egress
+
+block all
+pass out quick on \$egress inet
+pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }
+
+$([ "${acme_standalone:-}" = true ] && echo \
+  'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'
+
+[ -n "${allowed_tcp_ports:-}" ] && echo \
+  'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'
+
+[ -n "${allowed_udp_ports:-}" ] && echo \
+  'pass in quick on $egress inet proto udp to port $allowed_udp_ports'
+
+[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
+  'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port'
+
+for user in ${syncthing_users:-}; do uid=$(id -u "$user"); eval "port=\$syncthing_${user}_port"; printf \
+  'pass in quick on $egress inet proto { tcp, udp } to port %s user %s\n' "$port" "$(id -u "$user")"
+done)
-- 
cgit v1.2.3