Configure Firewall

2024-05-29 23:24:50 +03:00 · 2024-05-29 23:24:50 +03:00 · 16efa8acfe
parent d779db5d34
commit 16efa8acfe
3 changed files with 76 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -51,6 +51,38 @@ mx2_wg:
      public_key: <vpn gateway public key>
      endpoint: <gateway ip>:21841
      allowed_ips: 10.2.0.1/32
+
+mx1_fw:
+  interfaces:
+    - name: vio0
+      allowed_tcp:
+        - 22 # SSH
+        - 80 # HTTP
+        - 443 # HTTPS
+        - 25 # SMTP Relay
+        - 587 # SMTP Submission
+        - 465 # SMTPS Submission
+        - 143 # IMAP
+        - 993 # IMAPS
+        - 4190 # Sive
+      allowed_udp:
+        - 21841 # Wireguard
+    - name: wg0
+      allowed_tcp:
+        - 22 # SSH
+mx2_fw:
+  interfaces:
+    - name: vio0
+      allowed_tcp:
+        - 22 # SSH
+        - 80 # HTTP
+        - 443 # HTTPS
+        - 25 # SMTP Relay
+      allowed_udp:
+        - 21841 # Wireguard
+    - name: wg0
+      allowed_tcp:
+        - 22 # SSH
 ```

 The hosts are taken from the `inventory.yml` file:
@ -95,6 +127,7 @@ Current ansible playbooks:
  - installs nano, curl and git
  - disables ssh password logins
  - adds ssh public key
+  - configures firewall
 - 02-ssl.yml - generates ssl certificates and adds a renew cron job
 - 03-mail.yml - installs and configures dovecot and opensmtpd
 - 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver
--- a/ansible/01-initial_setup.yml
+++ b/ansible/01-initial_setup.yml
@ -31,13 +31,26 @@
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: present
+      register: sshd_config

    - name: Restart SSH service to apply changes
      ansible.builtin.service:
        name: sshd
        state: restarted
+      when: sshd_config.changed

    - name: Add SSH public key to authorized_keys
      ansible.posix.authorized_key:
        user: root
        key: "{{ ssh_public_key }}"
+
+    - name: Configure firewall
+      template:
+        src: "templates/pf.conf.j2"
+        dest: /etc/pf.conf
+        validate: pfctl -n -f %s
+      register: pf
+
+    - name: Load config to pf if needed
+      command: pfctl -f /etc/pf.conf
+      when: pf.changed
--- a/ansible/templates/pf.conf.j2
+++ b/ansible/templates/pf.conf.j2
@ -0,0 +1,30 @@
+{% set _fw = lookup('vars', inventory_hostname + '_fw') %}
+# {{ ansible_managed }}
+# Skip filtering on the loopback interface
+set skip on lo
+
+# set up a default deny policy
+block all
+
+# Block remote X11 connections
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+{% for interface in _fw.interfaces %}
+# Pass rules for the specific ports on the {{ interface.name }} interface
+{% if (interface.allowed_tcp is defined) and interface.allowed_tcp %}
+{% for port in interface.allowed_tcp %}
+pass in on {{ interface.name }} proto tcp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+{% if (interface.allowed_udp is defined) and interface.allowed_udp %}
+{% for port in interface.allowed_udp %}
+pass in on {{ interface.name }} proto udp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+pass in on {{ interface.name }} proto icmp
+# Pass out rule to allow outgoing traffic on the {{ interface.name }} interface
+pass out on {{ interface.name }}
+{% endfor %}