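## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}

{#- npf.conf rendered from the "net" map in npf/map.jinja. Keys consumed below:
    interfaces, ipv4_networks, ipv6_networks, work_ipv4_networks, public_ports,
    tables (optional), nats, log (optional). #}
{%- from "npf/map.jinja" import net with context %}

{#- Emits ' apply "log"' (leading space included) for appending to a rule. #}
{%- macro set_log() %} apply "log"{%- endmacro %}

{#- Computed once so every rule that appends apply "log" uses the same condition
    under which procedure "log" is actually emitted further down. A rule that
    referenced the procedure while it was not defined would not load. #}
{%- set log_enabled = net.log is defined and net.log.enabled %}

## Macros ##
{#- One $name = "ifname" variable per configured interface. #}
{%- for key, value in net.interfaces.items() %}
${{ key }} = "{{ value.id }}"
{%- endfor %}

{#- Build "ip/mask" lists for the address sets emitted below. #}
{%- set my_net4=[] -%}
{%- for key, value in net.ipv4_networks.items() -%}
{%- do my_net4.append( value.ip + "/" + value.mask ) -%}
{%- endfor -%}

{%- set my_net6=[] -%}
{%- for key, value in net.ipv6_networks.items() -%}
{%- do my_net6.append( value.ip + "/" + value.mask ) -%}
{%- endfor -%}

{#- NOTE(review): work_net4 is built here but never emitted into the config. #}
{%- set work_net4=[] -%}
{%- for key, value in net.work_ipv4_networks.items() -%}
{%- do work_net4.append( value.ip + "/" + value.mask ) -%}
{%- endfor -%}

{#- Split public_ports by protocol; entries with any other proto are ignored. #}
{%- set public_ports_tcp=[] -%}
{%- set public_ports_udp=[] -%}
{%- for key, value in net.public_ports.items() -%}
{%- if value.proto == 'tcp' -%}
{%- do public_ports_tcp.append(value.port) -%}
{%- elif value.proto == 'udp' -%}
{%- do public_ports_udp.append(value.port) -%}
{%- endif -%}
{%- endfor -%}

$mynet4 = { {{ my_net4|join(', ') }} }
$mynet6 = { {{ my_net6|join(', ') }} }

$public_ports_tcp = { {{ public_ports_tcp|join(', ') }} }
$public_ports_udp = { {{ public_ports_udp|join(', ') }} }


## Tables ##
{#- Each table is an ipset loaded from value.filename; the cdb form is kept
    as a commented alternative in the rendered file. #}
{%- if net.tables is defined %}
{%- for key, value in net.tables.items() %}
table <{{ key }}> type ipset file "{{ value.filename }}"
#table <{{ key }}> type cdb file "{{ value.filename }}"
{%- endfor %}
{%- endif %}


## Translations ##
{#- Requires an interface named "ext" in net.interfaces. #}
{%- for key, value in net.nats.items() %}
#map $ext dynamic {{ value.ip }}/{{ value.mask }} -> inet4({{ net.interfaces.ext.id }})
{%- endfor %}
{#- NOTE(review): the two networks below are hard-coded while the net.nats loop
    above only emits commented-out maps; confirm which source is authoritative
    and move the networks into pillar if the loop is meant to drive them. #}
map $ext dynamic 10.99.99.0/24 -> inet4({{ net.interfaces.ext.id }})
map $ext dynamic 192.168.50.0/26 -> inet4({{ net.interfaces.ext.id }})

alg "icmp"

{%- if log_enabled %}
## Procedures ##
procedure "log" {
log: {{ net.log.interface }}
normalize: {{ net.log.normalize }}
}
{%- endif %}


## Rules ##
{#- One group per interface of type "lan"; other interface types get no group. #}
{%- for key, value in net.interfaces.items() %}
{%- if value.type == 'lan' %}
group "{{ key }}" on ${{ key }} {
{%- for family in ['inet4', 'inet6'] %}
pass stateful out final family {{ family }} all
{%- endfor %}
{#- Loop variable named "netset" rather than "net" so the imported map is not shadowed. #}
{%- for family, netset in [('inet4','mynet4'), ('inet6','mynet6')] %}
pass stateful in final family {{ family }} from ${{ netset }} to any
{%- endfor %}

{#- Non-final block: the pass rules that follow in this group still win for
    traffic they match. apply "log" is only appended when the procedure exists. #}
block in all {%- if log_enabled %}{{ set_log() }}{%- endif %}
{#- The <spammers> table is only referenced when it is actually declared above,
    otherwise the rendered config would refer to an undefined table. #}
{%- if net.tables is defined and 'spammers' in net.tables %}
block in final from <spammers> {%- if log_enabled %}{{ set_log() }}{%- endif %}
{%- endif %}

pass stateful in final family inet4 proto icmp all
pass stateful in final family inet6 proto ipv6-icmp all

pass stateful in family inet4 proto tcp from any to any port $public_ports_tcp
pass stateful in family inet6 proto tcp from any to any port $public_ports_tcp

pass stateful in family inet4 proto udp from any to any port $public_ports_udp
pass stateful in family inet6 proto udp from any to any port $public_ports_udp
}
{%- endif %}
{%- endfor %}

{#- Default group: block everything, except interfaces flagged skip, which pass all. #}
group default {
block all {%- if log_enabled %}{{ set_log() }}{%- endif %}
{%- for key, value in net.interfaces.items() %}
{%- if value.skip is defined and value.skip %}
pass on ${{ key }} all
{%- endif %}
{%- endfor %}
}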