From 7d45cde22e8ea04c188d98c2c564b29dfe5772e8 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 22 May 2019 23:53:35 +0300
Subject: [PATCH] starting work on gw group

---
 group_vars/gw.yml | 4 +++
 host_vars/gw01.home.foo.sh.yml | 3 ++
 hosts | 6 ++++
 playbooks/gw.yml | 13 +++++++
 roles/pf/files/pf.conf.gw_home | 65 ++++++++++++++++++++++++++++++++++
 site.yml | 1 +
 6 files changed, 92 insertions(+)
 create mode 100644 group_vars/gw.yml
 create mode 100644 host_vars/gw01.home.foo.sh.yml
 create mode 100644 playbooks/gw.yml
 create mode 100644 roles/pf/files/pf.conf.gw_home

diff --git a/group_vars/gw.yml b/group_vars/gw.yml
new file mode 100644
index 0000000..4a0b42f
--- /dev/null
+++ b/group_vars/gw.yml
@@ -0,0 +1,4 @@
+---
+
+# use custom firewall config
+firewall_src: pf.conf.gw_home
diff --git a/host_vars/gw01.home.foo.sh.yml b/host_vars/gw01.home.foo.sh.yml
new file mode 100644
index 0000000..c5b0513
--- /dev/null
+++ b/host_vars/gw01.home.foo.sh.yml
@@ -0,0 +1,3 @@
+---
+interfaces: [[20, "52:54:00:ac:dc:01"], [103, "52:54:00:ad:bc:01"]]
+vmhost: vmhost01.home.foo.sh
diff --git a/hosts b/hosts
index 6e38a08..202022f 100644
--- a/hosts
+++ b/hosts
@@ -4,6 +4,12 @@ mirror01.home.foo.sh
 [git]
 git02.home.foo.sh
 
+[gw]
+gw01.home.foo.sh
+
 [centos7:children]
 git
 mirror
+
+[openbsd:children]
+gw
diff --git a/playbooks/gw.yml b/playbooks/gw.yml
new file mode 100644
index 0000000..d1973ce
--- /dev/null
+++ b/playbooks/gw.yml
@@ -0,0 +1,13 @@
+---
+- import_playbook: "include/vm-create.yml myhosts=gw"
+
+- name: configure instance
+  hosts: gw
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - /srv/ansible-private/vars.yml
+
+  roles:
+    - base
diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home
new file mode 100644
index 0000000..3af990f
--- /dev/null
+++ b/roles/pf/files/pf.conf.gw_home
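Review bot: `interfaces` is a bare nested flow list that says nothing about what the two positions mean, while the pf ruleset added in the same commit hard-codes `vio0` as the internal and `vio1` as the external interface, so the order of these entries presumably decides which VLAN ends up on the internal side and nothing in this file records that. Add a comment above the key such as `# [vlan, mac] per NIC; order matters — first entry presumably becomes vio0 (internal), second vio1 (external); confirm against include/vm-create.yml`. Keep the MAC addresses quoted as they are: an all-digit MAC such as `52:54:00:10:20:30` would otherwise be read as a base-60 integer by a YAML 1.1 loader.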
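Review bot: group_vars/gw.yml in this same commit sets `firewall_src: pf.conf.gw_home`, a file under roles/pf, but this play applies only the `base` role; unless base itself pulls in pf, the custom ruleset is never deployed and gw01 runs with whatever pf.conf the base image ships. Either add `- pf` under `roles:` or, given the "starting work" subject, leave a comment in the play saying the pf role is intentionally deferred so the group_vars entry does not look orphaned. `user: root` is only an alias; `remote_user: root` is the documented play keyword and reads unambiguously next to `hosts:`.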
@@ -0,0 +1,65 @@
+# interfaces
+int_if = "vio0"
+ext_if = "vio1"
+
+# networks
+int_net = "(" $int_if:network ")"
+ext_net = "(" $ext_if:network ")"
+
+# my addrss
+int_me = "(" $int_if:0 ")"
+ext_me = "(" $ext_if:0 ")"
+
+# options
+set block-policy return
+set loginterface $int_if
+set skip on lo0
+
+# assemble fragmented packets
+match in all scrub (no-df)
+
+# ftp proxy
+anchor "ftp-proxy/*"
+
+# nat outgoing traffic
+match out on $ext_if inet from $int_net nat-to $ext_me
+
+# allow carp traffic
+pass out quick on $int_if proto carp
+
+# allow icmp
+pass quick inet proto icmp
+pass quick inet6 proto icmp6
+
+# allow dhcpv6 to myself
+pass in quick inet6 proto udp from any to $ext_me port dhcpv6-client
+
+# antispoof at this point
+antispoof for lo0
+antispoof for vio0
+antispoof for vio1
+
+# admin connection (internal, fsol and arc office)
+pass in quick on $int_if proto tcp from $int_net to self port ssh
+pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
+pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
+pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh
+
+# allow dns queries from internal net
+pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
+
+# block rest of packets coming to me
+block in quick from any to self
+
+# allow communication from internal to world
+pass in quick on $int_if from $int_net to !$int_net
+
+# allow myself to communicate outside
+pass out quick on $ext_if from self to any
+
+# allow traffic from outside
+pass out quick on $int_if from any to $int_net
+
+# drop rest
+block in quick log all
+block out quick log all
diff --git a/site.yml b/site.yml
index eacb80d..d8dfba5 100644
--- a/site.yml
+++ b/site.yml
@@ -1,3 +1,4 @@
 ---
+- import_playbook: playbooks/gw.yml
 - import_playbook: playbooks/git.yml
 - import_playbook: playbooks/mirror.yml
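Review bot: `pass quick inet proto icmp` and `pass quick inet6 proto icmp6` carry no direction, interface or type restriction and sit ahead of both the antispoof rules and `block in quick from any to self`, so every ICMP type from the Internet (redirects, timestamp requests, and — since the nat-to rule is `inet` only — any ICMPv6 aimed at internal hosts) is accepted and forwarded, and an ICMP packet arriving on $ext_if with a spoofed internal source is never caught by the antispoof that follows. Move the antispoof rules above the first `pass quick`, make them `quick` so no later pass can override them, reference `$int_if`/`$ext_if` rather than the literal vio0/vio1 so the macros at the top stay the single source of truth, and limit ICMP to the types a gateway needs, keeping the neighbour- and router-discovery types for v6 or IPv6 stops working. The three external ssh rules have no rate limit; `(max-src-conn-rate 5/30, overload <bruteforce> flush global)` with `table <bruteforce> persist` and `block quick from <bruteforce>` would cap brute force from a compromised admin network. The icmp6-type list below should be checked against pf.conf(5) for the OpenBSD release in use.
```pf
# antispoof before any quick pass rule, and quick so a later pass cannot override it
antispoof quick for { lo0 $int_if $ext_if }

# allow icmp, limited to what a gateway needs (v6 keeps neighbour/router discovery)
pass quick inet proto icmp icmp-type { echoreq, echorep, unreach, timex }
pass quick inet6 proto icmp6 icmp6-type { echoreq, echorep, unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routersol, routeradv }
# … unchanged: dhcpv6, admin ssh, dns, block to self, forwarding and final block rules …
```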