authorAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
committerAlbert Cervin <albert@acervin.com>2023-03-19 17:18:01 +0100
commitc6f2fd36e0a8188e1f6b2a15b292e3d0a5610ac4 (patch)
treed1c21cf0d9a2529154b33438bd91821268be5eb4 /roles/pf
🎉 Initial commit of infraHEADmain
Diffstat (limited to 'roles/pf')
-rw-r--r--roles/pf/handlers/main.yml15
-rw-r--r--roles/pf/tasks/main.yml19
-rw-r--r--roles/pf/templates/pf.conf.j256
3 files changed, 90 insertions, 0 deletions
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
new file mode 100644
index 0000000..4baf234
--- /dev/null
+++ b/roles/pf/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: start pflog
+ service:
+ name: pflog
+ state: started
+
+- name: start pf
+ service:
+ name: pf
+ state: started
+ async: 45
+ poll: 5
+
+- name: reload pf
+ shell: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
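Review bot: The `async: 45` / `poll: 5` on the `start pf` handler is the only handler with such settings and carries no explanation; presumably it is there because enabling pf on a remote host can briefly drop the controlling SSH session, but a reader cannot tell that from the file. A short comment above the task would make the intent clear, e.g. `# async: enabling pf can interrupt the SSH session mid-task; let the play survive it`. The `reload pf` handler's `pfctl -nf` test before `pfctl -f` is the right order, but with `shell` the task reports changed on every run; adding `changed_when: false` or a `listen` name would keep the play output honest.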
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
new file mode 100644
index 0000000..b7c405a
--- /dev/null
+++ b/roles/pf/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: enable pf
+ community.general.sysrc:
+ name: pf_enable
+ value: "YES"
+ notify: start pf
+
+- name: enable pflog
+ community.general.sysrc:
+ name: pflog_enable
+ value: "YES"
+ notify: start pflog
+
+- name: template pf.conf
+ template:
+ src: pf.conf.j2
+ dest: /etc/pf.conf
+ notify: reload pf
+
+- meta: flush_handlers
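Review bot: The `template pf.conf` task writes `/etc/pf.conf` to disk before anything checks its syntax, so a broken render lands on the host and only the later `reload pf` handler's `pfctl -nf` detects it; until the file is fixed, the on-disk ruleset is one that pf cannot load at next boot. The `template` module can refuse the write instead: add `validate: pfctl -nf %s` under `dest: /etc/pf.conf`. With that in place the handler's own `-nf` step becomes a second line of defense rather than the only one.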
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..8819ee0
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,56 @@
+# our interface
+ext_if = "em0"
+
+# IPv6 link local prefix.
+PFX_LNKLOC = "fe80::/10"
+
+# IPv6 Solicited Node Multicast Prefix.
+MC_SOLNOD = "ff02::1:ff00:0/104"
+
+# IPv6 All Nodes Link Local Multicast Address.
+MC_NODLNK = "ff02::1"
+
+# skip loopback
+set skip on lo0
+set loginterface $ext_if
+set block-policy drop
+
+scrub in on $ext_if
+
+## RULES ##
+
+# block and log all traffic not matching below rules
+block in
+
+# allow ssh traffic to the host on the custom port
+pass in quick proto tcp to port 2223
+
+# allow http/https
+pass in quick proto {tcp, udp} to port { http, https }
+
+# allow ssh for gubbhub
+pass in quick proto tcp to port 2224
+
+# ping
+pass in quick inet6 proto icmp6 icmp6-type echoreq
+pass in quick inet proto icmp icmp-type echoreq
+
+# ipv6 stuff
+
+# Allow NS from unspecified to solicited node multicast address (DAD).
+pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state
+
+# Allow IPv6 Router Discovery.
+pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state
+
+# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
+pass in quick inet6 proto icmp6 to { ($ext_if), $MC_SOLNOD } icmp6-type { neighbrsol, neighbradv } no state
+
+# Allow any outgoing traffic
+pass out
+
+# TODO: We seem to not only get neighbor advertisements from the local subnet? How does
+# this work?
+#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
+#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state
+
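Review bot: The comment above `block in` says unmatched traffic is blocked and logged, but the rule has no `log` keyword, so the pflog interface this role enables will record nothing from the default policy; change it to `block in log` to match the stated intent (or fix the comment if logging is not wanted). The http/https rule `pass in quick proto {tcp, udp} to port { http, https }` also admits UDP 80/443; if the host does not serve QUIC, `proto tcp` alone is the tighter rule. Although this is a `.j2` template, it contains no Jinja expressions, so the interface `em0` and the ssh ports 2223/2224 are effectively hard-coded; exposing them as role variables with the current values as defaults (e.g. `ext_if = "{{ pf_ext_if | default('em0') }}"`) would let the role be reused without editing the template.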