author | Aaron LI <aly@aaronly.me> | 2018-06-24 17:10:26 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2018-06-24 17:10:26 +0800 |
commit | 5c7ad9e6b108c11f4f3827965dae7c0fc019ca3c (patch) | |
tree | c77a6b88e054985ae65a87f35a9cca70f7efa2df | |
parent | b8f4a6b806ecaf157cb5e4f822c7a5c2d34bdf09 (diff) | |
security/pf: Allow the ports of all shadowsocks instances
-rw-r--r-- | roles/security/templates/pf.conf.j2 | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/roles/security/templates/pf.conf.j2 b/roles/security/templates/pf.conf.j2
index a2c1381..e51fc42 100644
--- a/roles/security/templates/pf.conf.j2
+++ b/roles/security/templates/pf.conf.j2
@@ -156,6 +156,7 @@ vpn_if = "{{ vpn.interface }}"
 # Network used by VPN on $vpn_if
 vpn_net = "{{ vpn.network4 }}/24"
+{% set ss_ports = shadowsocks.profiles | map(attribute="port") | join(", ") %}
 # Allowed Services (incoming & outgoing)
 # * {{ ansible_ssh_port }}: SSH on custom port
 # * {{ ansible_ssh_port+1 }}: UDP port for Mosh connection
@@ -166,14 +167,14 @@ vpn_net = "{{ vpn.network4 }}/24"
 # * imaps: IMAP server
 # * http & https: web service
 # * git: Git clone etc.
-# * {{ shadowsocks.port }}: ShadowSocks server
+# * {{ ss_ports }}: ShadowSocks service(s)
 # * {{ znc.port }}: ZNC IRC bouncer (tcp)
 # * {{ vpn.port }}: OpenVPN service (tcp & udp)
 #
 # For restrictive incoming rules
 in_tcp_services_restricted = "{ {{ ansible_ssh_port }}, smtp, submission, imaps }"
 # For non-restrictive incoming rules
-in_tcp_services = "{ domain, http, https, {{ shadowsocks.port }}, {{ znc.port }}, {{ vpn.port }} }"
+in_tcp_services = "{ domain, http, https, {{ ss_ports }}, {{ znc.port }}, {{ vpn.port }} }"
 # For incoming UDP rules
 in_udp_services = "{ domain, {{ vpn.port }}, {{ ansible_ssh_port+1 }} }"
 # For outgoing rules |
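Review bot: When `shadowsocks.profiles` is empty (or a profile has no `port`), the `{% set ss_ports %}` line in the first hunk renders as an empty string, and the `in_tcp_services` macro in the second hunk becomes `{ domain, http, https, , {{ znc.port }}, {{ vpn.port }} }`; pfctl is expected to reject that empty list element as a syntax error, so the whole ruleset fails to load and the host is left on whatever rules were active before, depending on how the role applies pf. Keeping the ports as a list and emitting them in a loop avoids the stray comma: `{% set ss_ports = shadowsocks.profiles | default([]) | map(attribute="port") | list %}` and `in_tcp_services = "{ domain, http, https, {% for p in ss_ports %}{{ p }}, {% endfor %}{{ znc.port }}, {{ vpn.port }} }"`, with the comment line using `{{ ss_ports | join(", ") }}`. Whether a missing `port` attribute renders empty or raises depends on the Jinja undefined mode configured for this role, which the hunk does not show. As before this change, the shadowsocks ports are opened for TCP only; if any profile relies on UDP relay that remains a separate, pre-existing gap in `in_udp_services`.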