pf : reorder some rules, more details on some comments

This commit is contained in:
Jérémy Dubois 2022-05-18 09:57:56 +02:00
parent b220c1934d
commit f4e07b4578
2 changed files with 13 additions and 13 deletions


@ -26,6 +26,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- etc-git: add versioning for /usr/share/scripts - etc-git: add versioning for /usr/share/scripts
- nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state - nagios-nrpe: add a wraper to check_dhcpd to define the number of dhcpd processes that must be running depending on the CARP state
- evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file - evocheck: renamed install.yml to main.yml and add evocheck cron at the beginning of the daily.local file
- pf : reorder some rules, more details on some comments
### Fixed ### Fixed


@ -1,5 +1,3 @@
# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
###################### ######################
##### INTERFACES ##### ##### INTERFACES #####
###################### ######################
@ -24,7 +22,6 @@ tcp_in = "{ http, https }"
#udp_in = "{ domain, ntp, 33433><33626 }" #udp_in = "{ domain, ntp, 33433><33626 }"
udp_in = "{ 33433><33626 }" udp_in = "{ 33433><33626 }"
################### ###################
##### OPTIONS ##### ##### OPTIONS #####
################### ###################
@ -39,12 +36,15 @@ set optimization normal
set skip on lo set skip on lo
match in all scrub (no-df) match in all scrub (no-df)
#################### ###########################
##### FILTRAGE ##### ##### FILTRAGE GLOBAL #####
#################### ###########################
# politiques par defaut # politique par defaut : on autorise l'icmp en entrée puis on ne filtre que le WAN en entrée, tout le reste est autorisé
block log all block log all
pass out quick on $ext_if
#pass on $lan_if
pass in proto { icmp, icmp6 }
# filter rules and anchor for ftp-proxy(8) # filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*" #anchor "ftp-proxy/*"
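Review bot: `pass out quick on $ext_if` at new line 39 narrows outbound traffic to the WAN interface, whereas the old unqualified `pass out` it replaces (removed in the following hunk) covered every interface; with `block log all` still the default and `pass on $lan_if` still commented out, anything leaving on another interface (the `$lan_if`/`$pfsync_if` the commented rules refer to) would now be dropped and logged, which contradicts the new comment "tout le reste est autorisé". If the host really only has `$ext_if`, a short comment next to the rule saying so would settle it; otherwise `pass out quick` without the interface qualifier restores the previous behaviour. The unrestricted `pass in proto { icmp, icmp6 }` is now placed ahead of all interface-specific filtering; if only reachability checks are needed, `pass in inet proto icmp icmp-type { echoreq, unreach }` (plus the icmp6 types required for neighbour discovery) is tighter, though that goes beyond what this reorder changes. The comment on line 37 would also be easier to read and maintain split in two, e.g. `# politique par defaut : ICMP autorise en entree, seul le WAN est filtre en entree,` / `# tout le reste est autorise`.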
@ -53,22 +53,21 @@ block log all
#pass quick proto carp #pass quick proto carp
#pass quick on $pfsync_if proto pfsync #pass quick on $pfsync_if proto pfsync
pass out # Autorisations pour Evolix
# 5666 = nrpe
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 } pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }
# Block Attack # Block Attack
# China 144.0.0.0/16 --> SSH # China 144.0.0.0/16 --> SSH
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh
# Autorisation des protocoles # Autorisation des protocoles en entrée
pass in on $ext_if proto tcp to !(self) port $tcp_in pass in on $ext_if proto tcp to !(self) port $tcp_in
pass in on $ext_if proto udp to !(self) port $udp_in pass in on $ext_if proto udp to !(self) port $udp_in
# FTP actif # FTP actif
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535 # pass in on $ext_if proto tcp from any port 20 to any port 1024:65535
###############################
# Acces public ##### FILTRAGE SPECIFIQUE #####
pass in proto { icmp, icmp6 } ###############################