pf: Use templates for static firewall configs

roles/pf/templates/pf.conf.gw_dna.j2

@@ -0,0 +1,78 @@
+# interfaces
+int_if = "vio0"
+ext_if = "vio1"
+
+# networks
+int_net = "(" $int_if:network ")"
+ext_net = "(" $ext_if:network ")"
+
+# my addrss
+int_me = "(" $int_if:0 ")"
+ext_me = "(" $ext_if:0 ")"
+
+# options
+set block-policy return
+set loginterface $int_if
+set skip on lo0
+
+# assemble fragmented packets
+match in all scrub (no-df)
+
+# ftp proxy
+anchor "ftp-proxy/*"
+
+# nat outgoing traffic
+match out on $ext_if inet from $int_net nat-to $ext_me
+
+# allow carp traffic
+pass out quick on $int_if proto carp
+
+# allow icmp
+pass quick inet proto icmp
+pass quick inet6 proto icmp6
+
+# allow dhcpv6 to myself
+pass in quick inet6 proto udp from any to $ext_me port dhcpv6-client
+
+# antispoof at this point
+antispoof for lo0
+antispoof for vio0
+antispoof for vio1
+
+# admin connection (internal, arcsec office, dmz, lan)
+pass in quick on $int_if proto tcp from $int_net to self port ssh
+pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
+pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
+pass in quick on $ext_if proto tcp from 212.149.225.198/32 to self port ssh
+
+# node_exporter and unbound_exporter from internal network
+pass in quick on $int_if proto tcp from $int_net to self port 9100
+pass in quick on $int_if proto tcp from $int_net to self port 9167
+
+# allow dns queries from internal net
+pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
+pass in quick on $int_if proto tcp from $int_net to self port domain-s
+
+# allow tftp from internal net
+pass in quick on $int_if proto udp from $int_net to self port tftp
+
+# allow http and https from outside
+pass in quick proto tcp from any to self port http
+pass in quick proto tcp from any to self port https
+
+# block rest of packets coming to me
+block in quick from any to self
+
+# allow communication from internal to world
+pass in quick on $int_if from $int_net to !$int_net
+
+# allow myself to communicate outside (both routes)
+pass out quick on $ext_if from self to any
+pass out quick on $int_if from self to any
+
+# allow traffic from outside
+pass out quick on $int_if from any to $int_net
+
+# drop rest
+block in quick log all
+block out quick log all

roles/pf/templates/pf.conf.gw_fsol.j2

@@ -0,0 +1,59 @@
+# interfaces
+int_if = "vio0"
+sync_if = "vio1"
+ext_if = "vio2"
+dmz_if = "vio3"
+fsol_if = "tap0"
+
+# networks
+int_net = "(" $int_if:network ")"
+ext_net = "(" $ext_if:network ")"
+dmz_net = "(" carp145:network ")"
+
+# my addrss
+int_me = "(" $int_if:0 ")"
+ext_me = "(" $ext_if:0 ")"
+
+# options
+set block-policy return
+set loginterface $int_if
+set skip on lo0
+
+# assemble fragmented packets
+match in all scrub (no-df)
+
+# allow icmp
+pass quick inet proto icmp
+pass quick inet6 proto icmp6
+
+# antispoof at this point
+antispoof for lo0
+antispoof for vio0
+
+# admin connection and node_exporter (internal)
+pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)
+pass in quick on $int_if proto tcp from $int_net to self port 9100 keep state (no-sync)
+
+# internal network
+block in quick from any to self
+pass out quick on $int_if from $int_me to $int_net keep state (no-sync)
+
+# dmz network
+pass quick on $dmz_if proto carp
+pass in quick on $dmz_if inet from $dmz_net to any
+pass out quick on $dmz_if inet from any to $dmz_net
+
+# allow myself to communicate dna network but don't use pfsync
+pass out quick on $ext_if from self to any keep state (no-sync)
+
+# pfsync interface
+pass quick on $sync_if proto pfsync keep state (no-sync)
+
+# fsol (router) network
+pass in quick on $fsol_if inet from any to $dmz_net
+pass out quick on $fsol_if inet from $dmz_net to any
+pass out quick on $fsol_if inet from self to any
+
+# drop rest
+block in quick log all
+block out quick log all