starting work on gw group
This commit is contained in:
parent
81df3e7c10
commit
7d45cde22e
6 changed files with 92 additions and 0 deletions
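--- a/group_vars/gw.yml
+++ b/group_vars/gw.yml
@@ -0,0 +1,4 @@
+---
+
+# use custom firewall config
+firewall_src: pf.conf.gw_home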
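--- a/host_vars/gw01.home.foo.sh.yml
+++ b/host_vars/gw01.home.foo.sh.yml
@@ -0,0 +1,3 @@
+---
+interfaces: [[20, "52:54:00:ac:dc:01"], [103, "52:54:00:ad:bc:01"]]
+vmhost: vmhost01.home.foo.sh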
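Review bot: The two-element inner lists under `interfaces` carry positional meaning that the file never states, so a reader has to open the consumer (presumably the vm-create include) to learn what `20` / `103` and the MAC-looking strings stand for. A one-line comment above the key would save that lookup, e.g. `# interfaces: one [<first-field meaning — TODO confirm>, <mac address>] pair per NIC`. If the consuming include can be changed, a block-style list of mappings with named keys would make the same data self-describing and diff more cleanly than the nested flow lists.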
6
hosts
6
hosts
|
@ -4,6 +4,12 @@ mirror01.home.foo.sh
|
|||
[git]
|
||||
git02.home.foo.sh
|
||||
|
||||
[gw]
|
||||
gw01.home.foo.sh
|
||||
|
||||
[centos7:children]
|
||||
git
|
||||
mirror
|
||||
|
||||
[openbsd:children]
|
||||
gw
|
||||
|
|
13
playbooks/gw.yml
Normal file
13
playbooks/gw.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- import_playbook: "include/vm-create.yml myhosts=gw"
|
||||
|
||||
- name: configure instance
|
||||
hosts: gw
|
||||
user: root
|
||||
gather_facts: true
|
||||
|
||||
vars_files:
|
||||
- /srv/ansible-private/vars.yml
|
||||
|
||||
roles:
|
||||
- base
|
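Review bot: `user: root` on the `configure instance` play uses the old play-level keyword; Ansible has long treated `user` as a deprecated alias of `remote_user`, so the line should read `remote_user: root`. The inline `myhosts=gw` on `import_playbook` relies on the legacy key=value argument form inherited from `include`; whether the Ansible release in use still accepts it without a deprecation warning is worth confirming, and a `vars:` mapping or an extra-var is the forward-compatible way to pass it. The play's indentation is not visible in this rendering, so the nesting of `hosts`, `user`, `vars_files` and `roles` under the play item is assumed.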
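--- a/roles/pf/files/pf.conf.gw_home
+++ b/roles/pf/files/pf.conf.gw_home
@@ -0,0 +1,65 @@
+# interfaces
+int_if = "vio0"
+ext_if = "vio1"
+
+# networks
+int_net = "(" $int_if:network ")"
+ext_net = "(" $ext_if:network ")"
+
+# my addrss
+int_me = "(" $int_if:0 ")"
+ext_me = "(" $ext_if:0 ")"
+
+# options
+set block-policy return
+set loginterface $int_if
+set skip on lo0
+
+# assemble fragmented packets
+match in all scrub (no-df)
+
+# ftp proxy
+anchor "ftp-proxy/*"
+
+# nat outgoing traffic
+match out on $ext_if inet from $int_net nat-to $ext_me
+
+# allow carp traffic
+pass out quick on $int_if proto carp
+
+# allow icmp
+pass quick inet proto icmp
+pass quick inet6 proto icmp6
+
+# allow dhcpv6 to myself
+pass in quick inet6 proto udp from any to $ext_me port dhcpv6-client
+
+# antispoof at this point
+antispoof for lo0
+antispoof for vio0
+antispoof for vio1
+
+# admin connection (internal, fsol and arc office)
+pass in quick on $int_if proto tcp from $int_net to self port ssh
+pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
+pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
+pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh
+
+# allow dns queries from internal net
+pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
+
+# block rest of packets coming to me
+block in quick from any to self
+
+# allow communication from internal to world
+pass in quick on $int_if from $int_net to !$int_net
+
+# allow myself to communicate outside
+pass out quick on $ext_if from self to any
+
+# allow traffic from outside
+pass out quick on $int_if from any to $int_net
+
+# drop rest
+block in quick log all
+block out quick log all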
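Review bot: The `antispoof for vio0` / `antispoof for vio1` lines come after several `quick` pass rules and are not `quick` themselves, so a packet arriving on `$ext_if` with a forged `$int_net` source is already accepted by `pass quick inet proto icmp` (and the inet6 icmp6/dhcpv6 rules) before the antispoof block rules are ever evaluated. Moving antispoof ahead of the first `pass quick` and making it terminal, e.g. `antispoof quick for { lo0 $int_if $ext_if }`, keeps later passes from bypassing it and reuses the macros instead of repeating the literal interface names. `pass quick inet proto icmp` also admits every ICMP type in both directions; limiting the inbound side to the types the gateway needs (`icmp-type { echoreq, unreach }` or similar) is the usual tightening. `$ext_net` is defined under `# networks` but never referenced, and `# my addrss` has a typo.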
1
site.yml
1
site.yml
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
- import_playbook: playbooks/gw.yml
|
||||
- import_playbook: playbooks/git.yml
|
||||
- import_playbook: playbooks/mirror.yml
|
||||
|
|