From f8dba6d387c1f83da8cc89b50405517f9b9e924d Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 2 Aug 2025 18:24:34 +0000
Subject: [PATCH] pf: Open node_exporter to allow proxying
---
 roles/pf/templates/pf.conf.gw_dna.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2
index 46ddf60..53514da 100644
--- a/roles/pf/templates/pf.conf.gw_dna.j2
+++ b/roles/pf/templates/pf.conf.gw_dna.j2
@@ -46,8 +46,7 @@ pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
 pass in quick on $ext_if proto tcp from {{ gw_home_ip }}/32 to self port ssh
 pass in quick on $ext_if proto tcp from {{ gw_lan_ip }}/32 to self port ssh
-# node_exporter and unbound_exporter from internal network
-pass in quick on $int_if proto tcp from $int_net to self port 9100
+# unbound_exporter from internal network
 pass in quick on $int_if proto tcp from $int_net to self port 9167
 # allow dhcpd failover
@@ -69,6 +68,9 @@ pass in quick on $int_if proto udp from $int_net to self port ntp
 pass in quick proto tcp from any to self port http
 pass in quick proto tcp from any to self port https
+# allow node exporter from outside (to proxy clients)
+pass in quick proto tcp from $int_net to self port 9100
+
 # block rest of packets coming to me
 block in quick from any to self
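Review bot: The rule added in the second hunk drops the `on $int_if` binding that the rule removed in the first hunk carried, and its comment says "from outside" although the match is still `from $int_net`. As written it accepts a packet on any interface, `$ext_if` included, as long as its source address claims to be in `$int_net`. If the proxying traffic reaches the gateway over one known interface, keep the rule bound to it, for example `pass in quick on $proxy_if proto tcp from $int_net to self port 9100` (`$proxy_if` is a placeholder for that interface), and reword the comment to name the path being opened. Whether an `antispoof` rule or an equivalent block for internal source addresses on `$ext_if` exists earlier in the template is not visible in these hunks. Without one, the source address is the only control on the port, and node_exporter serves its metrics without authentication unless configured otherwise.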