authorAaron LI <aly@aaronly.me>2018-06-24 17:10:26 +0800
committerAaron LI <aly@aaronly.me>2018-06-24 17:10:26 +0800
commit5c7ad9e6b108c11f4f3827965dae7c0fc019ca3c (patch)
treec77a6b88e054985ae65a87f35a9cca70f7efa2df /roles/security
parentb8f4a6b806ecaf157cb5e4f822c7a5c2d34bdf09 (diff)
security/pf: Allow the ports of all shadowsocks instances
Diffstat (limited to 'roles/security')
-rw-r--r--roles/security/templates/pf.conf.j25
1 files changed, 3 insertions, 2 deletions
diff --git a/roles/security/templates/pf.conf.j2 b/roles/security/templates/pf.conf.j2
index a2c1381..e51fc42 100644
--- a/roles/security/templates/pf.conf.j2
+++ b/roles/security/templates/pf.conf.j2
@@ -156,6 +156,7 @@ vpn_if = "{{ vpn.interface }}"
# Network used by VPN on $vpn_if
vpn_net = "{{ vpn.network4 }}/24"
+{% set ss_ports = shadowsocks.profiles | map(attribute="port") | join(", ") %}
# Allowed Services (incoming & outgoing)
# * {{ ansible_ssh_port }}: SSH on custom port
# * {{ ansible_ssh_port+1 }}: UDP port for Mosh connection
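Review bot: The new `ss_ports` assignment has no guard for an empty `shadowsocks.profiles` list: it renders as an empty string, and the next hunk splices that into `in_tcp_services` as `{ domain, http, https, , ... }`, which pfctl will most likely reject as a syntax error, so the firewall reload fails instead of simply omitting the service. Either default the list and skip the use sites when nothing is configured, e.g. `{% set ss_ports = shadowsocks.profiles | default([]) | map(attribute="port") | join(", ") %}` together with `{% if ss_ports %}` around the lines that reference it, or assert the list is non-empty in the role. The port values are also inserted into pf.conf verbatim, so a profile whose `port` is anything other than a number or service name would end up unquoted in the ruleset; a one-line comment above the `set`, `{# ports of every shadowsocks profile; must be numeric or pf service names #}`, would make the contract visible.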
@@ -166,14 +167,14 @@ vpn_net = "{{ vpn.network4 }}/24"
# * imaps: IMAP server
# * http & https: web service
# * git: Git clone etc.
-# * {{ shadowsocks.port }}: ShadowSocks server
+# * {{ ss_ports }}: ShadowSocks service(s)
# * {{ znc.port }}: ZNC IRC bouncer (tcp)
# * {{ vpn.port }}: OpenVPN service (tcp & udp)
#
# For restrictive incoming rules
in_tcp_services_restricted = "{ {{ ansible_ssh_port }}, smtp, submission, imaps }"
# For non-restrictive incoming rules
-in_tcp_services = "{ domain, http, https, {{ shadowsocks.port }}, {{ znc.port }}, {{ vpn.port }} }"
+in_tcp_services = "{ domain, http, https, {{ ss_ports }}, {{ znc.port }}, {{ vpn.port }} }"
# For incoming UDP rules
in_udp_services = "{ domain, {{ vpn.port }}, {{ ansible_ssh_port+1 }} }"
# For outgoing rules
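Review bot: The shadowsocks ports are only added to `in_tcp_services`; `in_udp_services` on the following line is left as `{ domain, {{ vpn.port }}, {{ ansible_ssh_port+1 }} }`, so if any profile enables UDP relay (shadowsocks' `tcp_and_udp` mode — not visible from this template) its UDP traffic would still be blocked by pf. If that mode is in use, add `{{ ss_ports }}` to the UDP list as well; if it is deliberately TCP-only, a note such as `# ShadowSocks profiles are TCP-only; UDP relay is not passed` next to the service comment would record that decision. Note also that these ports land in the non-restrictive list (per the comment above it), which the change keeps for every profile rather than just the original single port.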