pf rule syntax changes

msimerson · Nov 10, 2024 · 1a4a55e · 1a4a55e
1 parent 552dbed
commit 1a4a55e
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 58 deletions.
diff --git a/provision/dcc.sh b/provision/dcc.sh
@@ -54,11 +54,20 @@ configure_dcc()
 		"$STAGE_MNT/var/db/dcc/dcc_conf"
 
 	_pf_etc="$ZFS_DATA_MNT/dcc/etc/pf.conf.d"
-	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
-table <dcc_server> { $(get_jail_ip dcc), $(get_jail_ip6 dcc) }
-pass in quick proto udp from any port 6277 to <ext_ip>
-pass in quick proto udp from any port 6277 to <dcc_server>
-EO_PF_ALLOW
+
+	get_public_ip
+	get_public_ip ipv6
+
+	store_config "$_pf_etc/dcc.table" <<EO_DCC_TABLE
+$PUBLIC_IP4
+$PUBLIC_IP6
+$(get_jail_ip dcc)
+$(get_jail_ip6 dcc)
+EO_DCC_TABLE
+
+	store_config "$_pf_etc/filter.conf" <<EO_PF_FILTER
+pass in quick proto udp from any port 6277 to <dcc>
+EO_PF_FILTER
 
 	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
 rdr inet  proto tcp from any to <ext_ip4> port 6277 -> $(get_jail_ip  dcc)

diff --git a/provision/dovecot.sh b/provision/dovecot.sh
@@ -514,37 +514,40 @@ configure_dovecot_pf()
 {
 	_pf_etc="$ZFS_DATA_MNT/dovecot/etc/pf.conf.d"
 
-	store_config "$_pf_etc/insecure_mua" <<EO_PF_INSECURE
-# 10.0.0.0/8
-# 172.16.0.0/12
-# 192.168.0.0/16
+	store_config "$_pf_etc/insecure_mua.table" <<EO_PF_INSECURE
+# RFC 1918 Private IP blocks
+# 10/8
+# 172.16/12
+# 192.168/16
 EO_PF_INSECURE
 
-	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
-int_ip4 = "$(get_jail_ip dovecot)"
-int_ip6 = "$(get_jail_ip6 dovecot)"
-
-# to permit legacy users to access insecure POP3 & IMAP, add their IPs/masks
-table <insecure_mua> persist file "$_pf_etc/insecure_mua"
+	get_public_ip
+	get_public_ip ipv6
 
-rdr inet  proto tcp from any to <ext_ip4> port { 993 995 } -> \$int_ip4
-rdr inet6 proto tcp from any to <ext_ip6> port { 993 995 } -> \$int_ip6
+	store_config "$_pf_etc/dovecot.table" <<EO_PF_INSECURE
+$PUBLIC_IP4
+$PUBLIC_IP6
+$(get_jail_ip dovecot)
+$(get_jail_ip6 dovecot)
+EO_PF_INSECURE
 
-rdr inet  proto tcp from <insecure_mua> to <ext_ip4> port { 110 143 } -> \$int_ip4
-rdr inet6 proto tcp from <insecure_mua> to <ext_ip6> port { 110 143 } -> \$int_ip6
-EO_PF_RDR
+	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
+dovecot_lo4 = "$(get_jail_ip dovecot)"
+dovecot_lo6 = "$(get_jail_ip6 dovecot)"
 
-	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
-int_ip4 = "$(get_jail_ip dovecot)"
-int_ip6 = "$(get_jail_ip6 dovecot)"
+rdr inet  proto tcp from any to <ext_ip4> port { 993 995 } -> \$dovecot_lo4
+rdr inet6 proto tcp from any to <ext_ip6> port { 993 995 } -> \$dovecot_lo6
 
-table <dovecot_int> persist { \$int_ip4, \$int_ip6 }
+# to permit legacy users to access insecure POP3 & IMAP, add their IPs/masks
+rdr inet  proto tcp from <insecure_mua> to <ext_ip4> port { 110 143 } -> \$dovecot_lo4
+rdr inet6 proto tcp from <insecure_mua> to <ext_ip6> port { 110 143 } -> \$dovecot_lo6
+EO_PF_RDR
 
-pass in quick proto tcp from any to <ext_ip> port { 993 995 }
-pass in quick proto tcp from any to <dovecot_int> port { 993 995 }
+	store_config "$_pf_etc/filter.conf" <<EO_PF_FILTER
+pass in quick proto tcp from any to <dovecot> port { 993 995 }
 
-pass in quick proto tcp from <insecure_mua> to <dovecot_int> port { 110 143 }
-EO_PF_ALLOW
+pass in quick proto tcp from <insecure_mua> to <dovecot> port { 110 143 }
+EO_PF_FILTER
 }
 
 configure_dovecot()

diff --git a/provision/haproxy.sh b/provision/haproxy.sh
@@ -363,18 +363,24 @@ configure_haproxy()
 	fi
 
 	_pf_etc="$ZFS_DATA_MNT/haproxy/etc/pf.conf.d"
-	store_config "$_pf_etc/rdr.conf" <<EO_PF
+	store_config "$_pf_etc/rdr.conf" <<EO_PF_RDR
 rdr inet  proto tcp from any to <ext_ip4> port { 80 443 } -> $(get_jail_ip haproxy)
 rdr inet6 proto tcp from any to <ext_ip6> port { 80 443 } -> $(get_jail_ip6 haproxy)
-EO_PF
+EO_PF_RDR
 
 	get_public_ip
 	get_public_ip ipv6
 
-	store_config "$_pf_etc/allow.conf" <<EO_PF
-table <http_servers> { $PUBLIC_IP4 $PUBLIC_IP6 $(get_jail_ip haproxy) $(get_jail_ip6 haproxy) }
-pass in quick proto tcp from any to <http_servers> port { 80 443 }
-EO_PF
+	store_config "$_pf_etc/haproxy.table" <<EO_HAPROXY_TABLE
+$PUBLIC_IP4
+$PUBLIC_IP6
+$(get_jail_ip haproxy)
+$(get_jail_ip6 haproxy)
+EO_HAPROXY_TABLE
+
+	store_config "$_pf_etc/filter.conf" <<EO_PF_FILTER
+pass in quick proto tcp from any to <haproxy> port { 80 443 }
+EO_PF_FILTER
 
 	configure_haproxy_tls
 }

diff --git a/provision/haraka.sh b/provision/haraka.sh
@@ -620,8 +620,14 @@ configure_haraka_log_rotation()
 	tell_status "configuring haraka.log rotation"
 	mkdir -p "$STAGE_MNT/etc/newsyslog.conf.d"
 	tee -a "$STAGE_MNT/etc/newsyslog.conf.d/haraka.conf" <<EO_HARAKA
-/var/log/haraka.log			644  7	   *	@T00  JC
+/var/log/haraka.log			644  21	   *	@T00  JC
 EO_HARAKA
+
+	_logdays=$(grep ^/var/log/maillog /etc/newsyslog.conf | awk '{ print $3 }')
+	if [ "$_logdays" = "7" ]; then
+		tell_status "increasing log retention from 7 to 21 days"
+		sed -i '' -e '/maillog/ s/7/21/' /etc/newsyslog.conf
+	fi
 }
 
 configure_haraka_access()
@@ -729,8 +735,8 @@ configure_haraka()
 
 	_pf_etc="$ZFS_DATA_MNT/haraka/etc/pf.conf.d"
 	store_config "$_pf_etc/rdr.conf" <<EO_PF
-rdr inet  proto tcp from any to <ext_ip4> port { 25 465 587 } -> $(get_jail_ip  haraka)
-rdr inet6 proto tcp from any to <ext_ip6> port { 25 465 587 } -> $(get_jail_ip6 haraka)
+rdr pass inet  proto tcp from any to <ext_ip4> port { 25 465 587 } -> $(get_jail_ip  haraka)
+rdr pass inet6 proto tcp from any to <ext_ip6> port { 25 465 587 } -> $(get_jail_ip6 haraka)
 EO_PF
 
 	install_geoip_dbs

diff --git a/provision/host.sh b/provision/host.sh
@@ -365,6 +365,8 @@ table <sshguard> persist
 
 ## NAT / Network Address Translation
 
+binat-anchor "binat/*"
+
 # default route to the internet for jails
 nat on \$ext_if inet  from $JAIL_NET_PREFIX.0${JAIL_NET_MASK} to any -> (\$ext_if)
 nat on \$ext_if inet6 from (lo1) to any -> <ext_ip6>
@@ -396,11 +398,13 @@ pass in inet6 proto ipv6-icmp icmp6-type 136
 # NTP
 pass out quick on \$ext_if proto udp to any port ntp keep state
 
-pass  in quick on \$ext_if proto tcp to port ssh \
+pass in quick on \$ext_if proto tcp to port ssh \
         flags S/SA synproxy state \
         (max-src-conn 10, max-src-conn-rate 8/15, overload <bruteforce> flush global)
 
+# allow anchor is deprecated, use filter instead
 anchor "allow/*"
+anchor "filter/*"
 EO_PF_RULES
 
 	if [ -z "$PUBLIC_IP6" ]; then

diff --git a/provision/webmail.sh b/provision/webmail.sh
@@ -366,24 +366,28 @@ configure_webmail_pf()
 	_pf_etc="$ZFS_DATA_MNT/webmail/etc/pf.conf.d"
 
 	if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then
-		store_config "$_pf_etc/rdr.conf" <<EO_HTTP_RDR
+		store_config "$_pf_etc/rdr.conf" <<EO_WEBMAIL_RDR
 int_ip4 = "$(get_jail_ip webmail)"
 int_ip6 = "$(get_jail_ip6 webmail)"
 
 rdr inet  proto tcp from any to <ext_ip4> port { 80 443 } -> \$int_ip4
 rdr inet6 proto tcp from any to <ext_ip6> port { 80 443 } -> \$int_ip6
-EO_HTTP_RDR
+EO_WEBMAIL_RDR
 	fi
 
-	store_config "$_pf_etc/allow.conf" <<EO_HTTP_ALLOW
-int_ip4 = "$(get_jail_ip webmail)"
-int_ip6 = "$(get_jail_ip6 webmail)"
+	get_public_ip
+	get_public_ip ipv6
 
-table <webmail_int> persist { \$int_ip4, \$int_ip6 }
+	store_config "$_pf_etc/webmail.table" <<EO_WEBMAIL_TABLE
+$PUBLIC_IP4
+$PUBLIC_IP6
+$(get_jail_ip webmail)
+$(get_jail_ip6 webmail)
+EO_WEBMAIL_TABLE
 
-pass in quick proto tcp from any to <ext_ip> port { 80 443 }
-pass in quick proto tcp from any to <webmail_int> port { 80 443 }
-EO_HTTP_ALLOW
+	store_config "$_pf_etc/filter.conf" <<EO_WEBMAIL_FILTER
+pass in quick proto tcp from any to <webmail> port { 80 443 }
+EO_WEBMAIL_FILTER
 }
 
 configure_webmail()

diff --git a/provision/wildduck.sh b/provision/wildduck.sh
@@ -11,6 +11,8 @@ export JAIL_FSTAB=""
 
 mt6-include mua
 
+# TODO: wildduck requires RSA certs (acme.sh --issue --keylength 2048|3072)
+
 preflight_check()
 {
 	for _j in dns redis mongodb
@@ -358,6 +360,10 @@ rdr inet6 proto tcp from any to \$ext_ip6 port { 25 465 587 993 995 } -> \$int_i
 # send HTTP traffic to haproxy
 rdr inet  proto tcp from any to \$ext_ip4 port { 80 443 } -> $(get_jail_ip haproxy)
 rdr inet6 proto tcp from any to \$ext_ip6 port { 80 443 } -> $(get_jail_ip6 haproxy)
+
+# or send HTTP traffic to webmail
+#rdr inet  proto tcp from any to \$ext_ip4 port { 80 443 } -> $(get_jail_ip webmail)
+#rdr inet6 proto tcp from any to \$ext_ip6 port { 80 443 } -> $(get_jail_ip6 webmail)
 EO_PF_RDR
 
 	store_config "$_pf_etc/nat.conf" <<EO_PF_NAT
@@ -372,17 +378,16 @@ nat on \$ext_if from \$int_ip4 to any -> \$ext_ip4
 nat on \$ext_if from \$int_ip6 to any -> \$ext_ip6
 EO_PF_NAT
 
-	store_config "$_pf_etc/allow.conf" <<EO_PF_ALLOW
-int_ip4 = "$(get_jail_ip wildduck)"
-int_ip6 = "$(get_jail_ip6 wildduck)"
-table <wildduck_int> persist { \$int_ip4, \$int_ip6 }
-pass in quick proto tcp from any to <wildduck_int> port { 25 465 587 80 443 993 995 }
-
-# ext_ip4 = "$PUBLIC_IP4"
-# ext_ip6 = "$PUBLIC_IP6"
-# table <wildduck_ext> persist { \$ext_ip4, \$ext_ip6 }
-# pass in quick proto tcp from any to <wildduck_ext> port { 25 465 587 80 443 993 995 }
-EO_PF_ALLOW
+	store_config "$_pf_etc/wildduck.table" <<EO_TABLE
+$PUBLIC_IP4
+$PUBLIC_IP6
+$(get_jail_ip wildduck)
+$(get_jail_ip6 wildduck)
+EO_TABLE
+
+	store_config "$_pf_etc/filter.conf" <<EO_FILTER
+pass in quick proto tcp from any to <wildduck> port { 25 465 587 80 443 993 995 }
+EO_FILTER
 }
 
 configure_haraka()