starting work on gw group

This commit is contained in:
Timo Makinen 2019-05-22 23:53:35 +03:00
parent 81df3e7c10
commit 7d45cde22e
6 changed files with 92 additions and 0 deletions

4
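--- a/group_vars/gw.yml
+++ b/group_vars/gw.yml
@@ -0,0 +1,4 @@
+---
+# use custom firewall config
+firewall_src: pf.conf.gw_home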

@ -0,0 +1,3 @@
---
interfaces: [[20, "52:54:00:ac:dc:01"], [103, "52:54:00:ad:bc:01"]]
vmhost: vmhost01.home.foo.sh
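Review bot: `interfaces:` is a nested flow sequence whose pair positions carry meaning that nothing in this commit documents; the first elements (20, 103) and the quoted MAC addresses are presumably a VLAN id and hardware address consumed by `include/vm-create.yml`, which is outside this diff. A one-line comment above the key, e.g. `# interfaces: list of [vlan id, mac address] pairs — confirm against vm-create.yml`, plus block style `interfaces:` / `  - [20, "52:54:00:ac:dc:01"]` / `  - [103, "52:54:00:ad:bc:01"]` would make the host var readable without opening the role. The MAC addresses are correctly quoted so they stay strings. The file header of this section is not shown on the page.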

6
hosts

@ -4,6 +4,12 @@ mirror01.home.foo.sh
[git] [git]
git02.home.foo.sh git02.home.foo.sh
[gw]
gw01.home.foo.sh
[centos7:children] [centos7:children]
git git
mirror mirror
[openbsd:children]
gw

13
playbooks/gw.yml Normal file

@ -0,0 +1,13 @@
---
- import_playbook: "include/vm-create.yml myhosts=gw"
- name: configure instance
hosts: gw
user: root
gather_facts: true
vars_files:
- /srv/ansible-private/vars.yml
roles:
- base
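Review bot: The play `configure instance` logs in directly as root (`user: root`) rather than as an unprivileged account with privilege escalation, and this is the one host in the inventory that sits on an external interface. If the sibling playbooks (git.yml, mirror.yml) already do this it is a project convention, but `user:` is the legacy play key for `remote_user:`, and `remote_user: <deploy user>` together with `become: true` would let root SSH login stay disabled on the gateway. The indentation under `- name:` appears lost in the rendering, so the play keys read at column 0 here; the hunk header reports 13 lines while 10 are visible, presumably dropped blank lines.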


@ -0,0 +1,65 @@
# interfaces
int_if = "vio0"
ext_if = "vio1"
# networks
int_net = "(" $int_if:network ")"
ext_net = "(" $ext_if:network ")"
# my addrss
int_me = "(" $int_if:0 ")"
ext_me = "(" $ext_if:0 ")"
# options
set block-policy return
set loginterface $int_if
set skip on lo0
# assemble fragmented packets
match in all scrub (no-df)
# ftp proxy
anchor "ftp-proxy/*"
# nat outgoing traffic
match out on $ext_if inet from $int_net nat-to $ext_me
# allow carp traffic
pass out quick on $int_if proto carp
# allow icmp
pass quick inet proto icmp
pass quick inet6 proto icmp6
# allow dhcpv6 to myself
pass in quick inet6 proto udp from any to $ext_me port dhcpv6-client
# antispoof at this point
antispoof for lo0
antispoof for vio0
antispoof for vio1
# admin connection (internal, fsol and arc office)
pass in quick on $int_if proto tcp from $int_net to self port ssh
pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh
# allow dns queries from internal net
pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
# block rest of packets coming to me
block in quick from any to self
# allow communication from internal to world
pass in quick on $int_if from $int_net to !$int_net
# allow myself to communicate outside
pass out quick on $ext_if from self to any
# allow traffic from outside
pass out quick on $int_if from any to $int_net
# drop rest
block in quick log all
block out quick log all
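Review bot: `pass quick inet proto icmp` and `pass quick inet6 proto icmp6` pass every ICMP type on every interface in both directions, and they sit before the `antispoof` rules and before `block in quick from any to self`, so spoofed or unwanted ICMP aimed at the gateway or at $int_net is accepted before any of the later restrictions are reached. Moving the antispoof block ahead of the ICMP rules and narrowing IPv4 to the types the host actually needs keeps the intent without the gap: `antispoof quick for { lo0 $int_if $ext_if }` followed by `pass quick inet proto icmp icmp-type { echoreq, unreach }` (icmp6 needs more types for neighbour discovery, so leaving it broad but behind antispoof is reasonable). The three `antispoof for vio0`/`vio1` lines also hard-code the interface names that `$int_if`/`$ext_if` already define, and the `# my addrss` comment has a typo. This section's file header is not shown; from `firewall_src` in group_vars it is presumably the pf.conf.gw_home ruleset.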


@ -1,3 +1,4 @@
--- ---
- import_playbook: playbooks/gw.yml
- import_playbook: playbooks/git.yml - import_playbook: playbooks/git.yml
- import_playbook: playbooks/mirror.yml - import_playbook: playbooks/mirror.yml