From c694e43b71a60ad399ba70e8de5ddb481d529b6a Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Sun, 14 Jul 2024 23:03:48 +0200
Subject: [PATCH] ansible: add device-specific pf files

We're going to need slightly different rules for different machines, if only for port forwardings, so split out the pf.conf file. Just phobos for now, we'll add the iapetus file later.
---
 ansible/inventory-routers.yaml | 1 +
 ansible/roles/router/tasks/main.yaml | 2 +-
 ansible/roles/router/templates/pf_phobos.conf | 32 +++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/router/templates/pf_phobos.conf

diff --git a/ansible/inventory-routers.yaml b/ansible/inventory-routers.yaml
index be7dbbc..ae75f05 100644
--- a/ansible/inventory-routers.yaml
+++ b/ansible/inventory-routers.yaml
@@ -8,6 +8,7 @@ routers:
 ipsec_conf: "ipsec_iapetus.conf"
 hostname: "phobos.mars.sigsegv.be"
 dyndns_name: "qemu-dummy.sigsegv.be"
+ pf_file: "pf_phobos.conf"
 iapetus:
 control_port: 2404
 ansible_port: 2404
diff --git a/ansible/roles/router/tasks/main.yaml b/ansible/roles/router/tasks/main.yaml
index dc0d68a..f5cbe2b 100644
--- a/ansible/roles/router/tasks/main.yaml
+++ b/ansible/roles/router/tasks/main.yaml
@@ -17,7 +17,7 @@
 become: true
 - name: install pf.conf
 template:
- src: pf.conf
+ src: "{{ pf_file }}"
 dest: "/etc/pf.conf"
 owner: root
 group: wheel
diff --git a/ansible/roles/router/templates/pf_phobos.conf b/ansible/roles/router/templates/pf_phobos.conf
new file mode 100644
index 0000000..b5a52b8
--- /dev/null
+++ b/ansible/roles/router/templates/pf_phobos.conf
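Review bot: The template task in ansible/roles/router/tasks/main.yaml now reads `src: "{{ pf_file }}"` unconditionally, but the inventory hunk defines `pf_file` only under phobos, so a run that includes iapetus will fail on this task with an undefined variable unless `pf_file` is set for it elsewhere (the commit message explicitly defers the iapetus file). A default keeps the role runnable on every host until then, e.g. `src: "{{ pf_file | default('pf.conf') }}"`, or `pf_file: pf.conf` in the role's defaults, which also preserves the previous behaviour for hosts that have not been split out yet. Because a rendered ruleset with a syntax error is otherwise only noticed at the next `pfctl -f`, the task would also benefit from `validate: "/sbin/pfctl -nf %s"`, which rejects a bad file before it replaces /etc/pf.conf. Any further lines of this task (mode, notify) are outside the hunk and could not be checked.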
@@ -0,0 +1,32 @@
+#!/sbin/pfctl -f
+
+#set timeout tcp.established 86400
+#set block-policy return
+
+set skip on lo0
+
+ext_if = "igb0"
+int_if = "igb1"
+
+deimos = "10.0.3.2"
+
+scrub on $ext_if all fragment reassemble reassemble tcp
+
+nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
+
+rdr pass on $ext_if proto tcp from any to ($ext_if) port 2200 -> $deimos port 22
+rdr pass on $ext_if proto tcp from any to ($ext_if) port 8080 -> $deimos port 8080
+rdr pass on $ext_if proto tcp from any to ($ext_if) port 9103 -> $deimos port 9103
+rdr pass on $ext_if proto tcp from any to ($ext_if) port 10102 -> $deimos port 9102
+
+
+block drop log
+pass out
+
+pass in proto tcp
+
+pass in inet proto icmp
+pass in inet6 proto icmp6
+
+pass in proto tcp from any to any port { 22, 9102 }
+pass in on $int_if
-- 
2.51.0
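Review bot: `pass in proto tcp` (the line after `pass out`) cancels the `block drop log` default-deny for TCP: pf is last-match-wins for rules without `quick`, nothing after it narrows the match, so every TCP port on the router is reachable on every interface including $ext_if, and the later `pass in proto tcp from any to any port { 22, 9102 }` and the port-specific `rdr pass` rules no longer restrict anything. If the explicit port list is the intended policy, that line can simply be deleted: the forwarded ports are already admitted by `rdr pass`, and the LAN side by `pass in on $int_if`. If broader inbound TCP is deliberately wanted for now, scoping it as `pass in on $int_if proto tcp` keeps the external interface limited to the listed ports. A short header comment stating the policy, e.g. `# default deny inbound; explicit allows follow`, would make this kind of regression easier to catch when the iapetus file is added.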