From f4e07b45784b5eb7de1ec6ff43d3fc47f0d0c7e0 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Wed, 18 May 2022 09:57:56 +0200
Subject: [PATCH] pf : reorder some rules, more details on some comments
---
 CHANGELOG | 1 +
 roles/pf/templates/pf.conf.j2 | 25 ++++++++++++-------------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index ed00a94..e9d2596 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - etc-git: add versioning for /usr/share/scripts
 - nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
 - evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
+- pf : reorder some rules, more details on some comments
 ### Fixed
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index f75a81e..91dee4e 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -1,5 +1,3 @@
-# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
-
 ######################
 ##### INTERFACES #####
 ######################
@@ -24,7 +22,6 @@ tcp_in = "{ http, https }"
 #udp_in = "{ domain, ntp, 33433><33626 }"
 udp_in = "{ 33433><33626 }"
-
 ###################
 ##### OPTIONS #####
 ###################
@@ -39,12 +36,15 @@ set optimization normal
 set skip on lo
 match in all scrub (no-df)
-####################
-##### FILTRAGE #####
-####################
+###########################
+##### FILTRAGE GLOBAL #####
+###########################
-# politiques par defaut
+# politique par defaut : on autorise l'icmp en entrée puis on ne filtre que le WAN en entrée, tout le reste est autorisé
 block log all
+pass out quick on $ext_if
+#pass on $lan_if
+pass in proto { icmp, icmp6 }
 # filter rules and anchor for ftp-proxy(8)
 #anchor "ftp-proxy/*"
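Review bot: The new comment `# politique par defaut : ... tout le reste est autorisé` promises more than the rules under it deliver: after `block log all` the only pass rules added here are `pass out quick on $ext_if` and `pass in proto { icmp, icmp6 }`, and `#pass on $lan_if` stays commented out, so on any interface other than $ext_if nothing but inbound ICMP is allowed (whether $lan_if is actually defined in the INTERFACES section is outside this hunk). Either uncomment the $lan_if rule or reword the comment to what is really in force, e.g. `# politique par defaut : tout est bloqué ; on autorise la sortie sur le WAN et l'icmp en entrée, les autres autorisations suivent`. The `quick` keyword on `pass out quick on $ext_if` ends evaluation for every outbound WAN packet, so no rule placed later in the new "FILTRAGE SPECIFIQUE" section can ever restrict outbound traffic on $ext_if; `pass out on $ext_if` without `quick` keeps pf's last-match semantics and lets the specific section override it. `pass in proto { icmp, icmp6 }` accepts every ICMP/ICMPv6 type on the WAN; restricting it with `icmp-type` / `icmp6-type` lists to the types the hosts need (echo, unreachable, and the ND types for IPv6) is the usual hardening and is worth a follow-up. The first hunk of this file also drops the `# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST` banner; if this template is still deployed by Ansible, that line was the only warning against hand edits and should stay.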
@@ -53,22 +53,21 @@ block log all
 #pass quick proto carp
 #pass quick on $pfsync_if proto pfsync
-pass out
-# 5666 = nrpe
+# Autorisations pour Evolix
 pass in on $ext_if proto tcp from to (self) port { ssh, 5666 }
 # Block Attack
 # China 144.0.0.0/16 --> SSH
 block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh
-# Autorisation des protocoles
+# Autorisation des protocoles en entrée
 pass in on $ext_if proto tcp to !(self) port $tcp_in
 pass in on $ext_if proto udp to !(self) port $udp_in
 # FTP actif
 # pass in on $ext_if proto tcp from any port 20 to any port 1024:65535
-
-# Acces public
-pass in proto { icmp, icmp6 }
+###############################
+##### FILTRAGE SPECIFIQUE #####
+###############################
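Review bot: The replacement comment `# Autorisations pour Evolix` loses the only explanation of port 5666 that the removed `# 5666 = nrpe` line gave; keep it on the new line, `# Autorisations pour Evolix (ssh + nrpe sur le port 5666)`. The context line `pass in on $ext_if proto tcp from to (self) port { ssh, 5666 }` shows no source between `from` and `to`; this is probably a templated address list lost when the diff was rendered, but if the file really reads that way pf will refuse to load the ruleset, so it is worth checking the actual template. Since this hunk also removes the global `pass out`, outbound traffic on interfaces other than $ext_if now falls through to `block log all` unless a rule is added in the new FILTRAGE SPECIFIQUE section, which starts at the end of this hunk and continues outside it.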