# /etc/bgp/rappet.conf
# Peering group for the DN42 neighbour "rappet"; included from /etc/bgpd.conf.
# NOTE(review): no max-prefix is set for this neighbor, so a misconfigured or
# hostile peer can flood the RIB — a per-neighbor limit is the usual safeguard.
# NOTE(review): the meaning of "announce all" has changed across OpenBSD
# releases; confirm it does what is intended for the bgpd version in use.
group "rappet" {
remote-as 4242423889
announce all
# Tunnel-internal address of the peer (from the 100.64.0.0/10 shared range);
# the tunnel itself is presumably the one brought up by /etc/hostname.tun19.
neighbor "100.64.0.2" {
descr "rappet-4"
}
}
# /etc/bgpd.conf
# Control socket placed inside the httpd chroot; "restricted" is the read-only
# socket type intended for tools like bgplg(8) rather than full bgpctl access.
socket "/var/www/run/bgpd.rsock" restricted
AS 4242422342
router-id 172.22.127.1
# Prefixes originated by this router (DN42 IPv4 and ULA IPv6).
network 172.22.127.0/27
network fd97:1c82:9447::/64
# Per-peer group definitions; their contents (and whether they set
# max-prefix) are not visible here.
include "/etc/bgp/moho.conf"
include "/etc/bgp/nazco.conf"
include "/etc/bgp/leeps.conf"
include "/etc/bgp/MWD.conf"
include "/etc/bgp/space.conf"
include "/etc/bgp/sammy.conf"
include "/etc/bgp/unbedenklich.conf"
include "/etc/bgp/qsx.conf"
include "/etc/bgp/pascal.conf"
include "/etc/bgp/gruetzkopf.conf"
include "/etc/bgp/gigadoc2.conf"
include "/etc/bgp/subraum.conf"
include "/etc/bgp/cccac.conf"
include "/etc/bgp/nd.conf"
include "/etc/bgp/pr0j3ctx.conf"
include "/etc/bgp/stv0g.conf"
include "/etc/bgp/rappet.conf"
include "/etc/bgp/unobtanium.conf"
# Filter rules: the last matching rule wins. Start from deny-all in both
# directions, then allow only the private/DN42 ranges.
deny from any
deny to any
# NOTE(review): "or-longer" with no upper bound accepts host routes (/32);
# adding a "prefixlen <= N" bound limits RIB growth from sloppy peers.
allow from any prefix { 172.31/16 or-longer, 172.20/14 or-longer, 10/8 or-longer }
allow to any prefix { 172.31/16 or-longer, 172.20/14 or-longer, 10/8 or-longer }
# access to NRW digibib via bodems
allow from any prefix { 193.30.122/24 or-longer }
allow to any prefix { 193.30.122/24 or-longer }
# IPv6: unique-local space only (again without an upper prefixlen bound).
allow from any prefix fc00::/7 or-longer
allow to any prefix fc00::/7 or-longer
# Explicit denies for one ULA /48 and the default route. The ::/0 entry is
# already covered by the deny-all above (::/0 is not within fc00::/7) but
# documents the intent.
deny from any prefix { fd14:70d8:4a5a::/48 or-longer, ::/0 prefixlen = 0 }
deny to any prefix { fd14:70d8:4a5a::/48 or-longer, ::/0 prefixlen = 0 }
# Reject routes carrying AS 4242420002 in the path; placed last so it
# overrides the allow rules above.
deny from any AS 4242420002
# /etc/hostname.tun19
# tun19 carries the tunnel to the DN42 peer "rappet" (bgpd peers across it,
# see /etc/bgp/rappet.conf).
description "DN42 uplink to rappet"
group dn42uplink
# "!" lines are executed by netstart(8) as root. Create the device node first.
# NOTE(review): the backslash in "\$if" is presumably an artefact of how this
# listing was produced; verify the real file contains the plain "$if" that
# netstart substitutes with the interface name.
!(cd /dev; sh MAKEDEV \$if)
# Start OpenVPN for this tunnel. It is launched as root; whether it drops
# privileges depends on user/group directives in the referenced config, which
# is not shown. The trailing "&" is redundant with --daemon but harmless.
!/usr/local/sbin/openvpn --config /etc/openvpn/dn42-rappet/config --daemon dn42-rappet-uplink &
# /etc/pf.conf — rule order matters: the last matching rule wins unless "quick".
set skip on lo
# match all scrub (no-df random-id reassemble tcp)
# match in all scrub (no-df reassemble tcp)
# Outbound is open on every interface; the egress-specific rules further down
# narrow this for forwarded traffic.
pass out all
# NOTE(review): OSPF is accepted on any interface and from any source; if it is
# only spoken over the tunnels, restricting it to those interfaces avoids
# accepting routing updates from the egress side.
pass proto ospf
# Default deny for inbound traffic addressed to this host. It only covers
# "to (self)": forwarded traffic is not blocked here and relies on the later
# per-interface rules (egress out-block, dn42 anchor source filter).
block return in log to (self)
# Tunnel interfaces are trusted wholesale; the "dn42" anchor narrows tun traffic.
pass on { tun gre enc }
anchor "tunnelbroker" {
# Presumably the IPv6 tunnel broker endpoint; everything from it is accepted.
pass in from 216.66.80.30
}
anchor "ipsec" {
pass proto { esp ipencap }
pass proto { udp tcp } \
to port { isakmp ipsec-nat-t }
}
# NOTE(review): telnet is cleartext and here exposed to any source alongside
# ssh; unless it is deliberately needed, dropping it from the list is safer.
pass \
proto tcp \
to port { ssh telnet }
table <spammers> { 66.249.64.41, 66.249.64.45 }
block in quick from <spammers>
# Filled at runtime by the spamd tooling (not shown); "persist" keeps the
# table even when no rule references it at load time.
table <spamd> persist
anchor "mail" {
# Spammers
block in quick from { 93.171.159.248, 193.189.117.148 }
# Greylisting: SMTP from addresses in <spamd> is diverted to the local
# spamd(8) instead of reaching the real MTA.
pass in log quick \
proto tcp \
from <spamd> \
to port smtp \
divert-to 127.0.0.1 port spamd
# Everyone else reaches the MTA directly (smtp, smtps and submission).
pass \
proto tcp \
to port { smtp smtps submission }
}
# Public services. None of these rules restrict the source address or the
# interface, so each port is reachable from the internet as well as the tunnels.
# Web: 81 and 8081 are undocumented here; presumably alternate HTTP ports.
pass \
proto tcp \
to port { http 81 https 8081 }
pass \
proto tcp \
to port { 9001 9030 } # TOR
# NOTE(review): this exposes iSCSI to any source, egress included. iSCSI
# targets are often deployed without strong authentication; limiting this
# rule to the internal/tunnel interfaces or a source table is advisable.
pass \
proto tcp \
to port 3260 # iscsi
pass \
proto tcp \
to port ident
# Purpose of port 4000 is not documented here.
pass \
proto tcp \
to port 4000
pass \
proto { tcp udp } \
to port 5001 # iperf
# NOTE(review): DNS is open to any source; if the resolver behind it is
# recursive this makes the host an open resolver usable for amplification.
pass \
proto { tcp udp } \
to port domain
pass \
proto tcp \
to port 8883 # MQTT
# DN42-specific rules live in their own file (loaded into this anchor).
anchor "dn42"
load anchor "dn42" from "/etc/pf.dn42.conf"
# Answer IPv4 pings; accept all ICMPv6 (needed for NDP and path MTU discovery).
pass \
in inet \
proto icmp all \
icmp-type echoreq
pass \
in inet6 \
proto icmp6 all
anchor "tinc" {
# Everything on the tinc VPN interface is trusted; 655 is tinc's transport port.
pass on tap0
pass \
proto { tcp udp } \
to port 655
}
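pass \
proto udp \
to port 60000:61000 # mosh
pass proto { tcp, udp } \
to (self) \
port 55000:55001 # test port
# Only this host's own addresses may leave via egress; forwarded packets from
# anywhere else are dropped and logged, except those that arrived on the tinc
# interface (next rule).
block out log on egress from ! (self)
pass out on egress received-on tap0 # so i can use tinc for ipv6 access
# Special-purpose / bogon ranges that must never be seen on egress.
# 198.18/15 is the benchmarking range (RFC 2544); the list previously carried
# 192.18/16, which is not a reserved block and so blocked legitimate space
# while leaving the real benchmarking range unfiltered.
table <v4_martians> const { 0/8 10/8 100.64/10 127/8 169.254/16 192/24
192.0.2/24 192.168/16 198.18/15 198.51.100/24 203.0.113/24 224/4 240/4
255.255.255.255/32 }
table <v6_martians> const { ::/128 ::1/128 ::ffff:0:0/96 ::/96 100::/64
2001:10::/28 2001:db8::/32 fc00::/7 fe80::/10 fec0::/10 ff00::/8
2002::/16 # 6to4
2001:0::/32 # teredo
}
block log on egress from { <v4_martians> <v6_martians> }
# Re-allow IPv6 link-local on egress (NDP, router advertisements). This must be
# exactly fe80::/10: the previous fe80::/8 masks to fe00::/8 and, being the
# later match, re-passed the deprecated site-local fec0::/10 that
# <v6_martians> is meant to block.
pass on egress from fe80::/10
pass quick on tap0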
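# /etc/pf.dn42.conf
# Rules for the "dn42" anchor, loaded from /etc/pf.conf.
# Address ranges in use inside DN42. Prefixes are written in canonical form
# (169.254.0.0/16, fe80::/10): pf masks non-canonical entries anyway, but the
# previous fe80::/8 masks to fe00::/8 and therefore also admitted the
# deprecated site-local fec0::/10, which is not a DN42 range.
table <dn42_networks> const { 169.254.0.0/16 fc00::/7 10/8 172.16/12 fe80::/10 100.64.0.0/10 }
# Link-local range used for peering addresses. Defined but not referenced by
# any rule visible in this file.
table <dn42_peering> const { 169.254.0.0/16 }
# Anti-spoofing on every tun interface, both directions: drop and log anything
# whose source address is outside the DN42 ranges.
block log on tun from ! <dn42_networks>
# rappet
# Presumably the transport port of the rappet OpenVPN tunnel (config not shown);
# open to any source.
pass \
proto { tcp udp } \
to port 22141
# Traffic from this host to the tunnel peer itself leaves untranslated; "quick"
# keeps it out of the NAT rule below.
pass out quick on tun19 \
inet \
from self \
to (tun19:peer)
# NAT to the routers address in my net (172.22.127.1) for all traffic originating from the router
pass out on tun \
inet \
from self \
to <dn42_networks> \
nat-to tap0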