主页 / computer / 问题 / 1777250
Accepted
Ken - Enough about Monica
Asked: 2023-04-04 06:14:17 +0800 CST

如何在不中断现有连接的情况下启动 PF 服务?

  • 772

我有一个启动 PF 防火墙的 Ansible 剧本。它在此时冻结,因为目标和 Ansible 正在执行的主机之间的 SSH 连接因此而中断。有没有办法保持这种连接,这样我就可以继续执行下一个任务/剧本而无需重新运行?

freebsd

1 个回答

  1. Best Answer

    你说得对。模块服务在启动或重新加载pf时会中断 Ansible ssh 连接。请不要使用它

    - service:
    name: pf
    state: started
    enabled: yes

    相反,使用模块shell并让命令异步执行。根据您的需要设置pf_async_timeout(大约 10 秒应该没问题。请参阅下面的日志)。比如启动pf

    - name: start pf
  ansible.builtin.shell:
    cmd: >
      (( sleep 5; nohup service pf start 1>/dev/null 2>&1 ) & )
  async: "{{ pf_async_timeout }}"
  poll: 0

    将其放入处理程序中。这样,它将作为剧中的最后一个任务执行。由于异步执行,任务不需要命令完成。该剧将立即完成。在远程主机上的日志中,您应该看到类似于

    Apr  5 09:19:33 plane ansible-async_wrapper.py[20170]: Invoked with 743252776472 45 /home/asadmin/.ansible/tmp/ansible-tmp-1680679171.524129-1188854-111980374615608/AnsiballZ_command.py _
Apr  5 09:19:33 plane ansible-async_wrapper.py[20173]: Starting module and watcher
Apr  5 09:19:33 plane ansible-async_wrapper.py[20173]: Start watching 20174 (45)
Apr  5 09:19:33 plane ansible-async_wrapper.py[20174]: Start module (20174)
Apr  5 09:19:33 plane ansible-async_wrapper.py[20170]: Return async_wrapper task started.
Apr  5 09:19:35 plane ansible-async_wrapper.py[20174]: Module complete (20174)
Apr  5 09:19:38 plane ansible-async_wrapper.py[20173]: Done in kid B.

    创建类似的处理程序也可以停止并重新加载pf。为避免麻烦,最好先配置和验证配置,并在配置验证后重新加载防火墙。查看我的角色freebsd_pf

    该剧的例子 
    shell> ansible-playbook freebsd-pf.yml
   ...
TASK [vbotka.freebsd_pf : pfconf: Configure rules using server2-pf.conf.j2 template] *************************************************
changed: [plane]
   ...
RUNNING HANDLER [vbotka.freebsd_pf : reload pf] **************************************************************************************
changed: [plane]

PLAY RECAP ***************************************************************************************************************************
plane: ok=20   changed=2    unreachable=0    failed=0    skipped=17   rescued=0    ignored=0

    如果您想在同一个剧本或剧本中继续,请等待连接。例如,

      ansible.builtin.wait_for:
    port: 22
    delay: 10

    您还可以显式等待异步命令的完成。请参阅异步操作和轮询并查找模块async_status

    问:它异步挂起我的连接……也就是说,稍后在 Ansible 剧本中挂起(几秒钟后)。

    A:它对我有用。在剧本中,我在pf重新加载后等待端口 22并ping远程主机几次

    shell> cat freebsd-pf.yml
- hosts: plane
  become: true
  roles:
    - vbotka.freebsd_pf
  post_tasks:
    - ansible.builtin.wait_for:
        port: 22
        delay: 10
    - ping:
    - pause: seconds=5
    - ping:
    - pause: seconds=5
    - ping:
    - pause: seconds=5
    - ping:

    给出(删节)

    shell> ansible-playbook freebsd-pf.yml
  ...
TASK [vbotka.freebsd_pf : pfconf: Configure rules using server2-pf.conf.j2 template] *************************************************
changed: [plane]

  ...

RUNNING HANDLER [vbotka.freebsd_pf : reload pf] **************************************************************************************
changed: [plane]

TASK [ansible.builtin.wait_for] ******************************************************************************************************
ok: [plane]

TASK [ping] **************************************************************************************************************************
ok: [plane]

TASK [pause] *************************************************************************************************************************
Pausing for 5 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [plane]

TASK [ping] **************************************************************************************************************************
ok: [plane]

TASK [pause] *************************************************************************************************************************
Pausing for 5 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [plane]

TASK [ping] **************************************************************************************************************************
ok: [plane]

TASK [pause] *************************************************************************************************************************
Pausing for 5 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [plane]

TASK [ping] **************************************************************************************************************************
ok: [plane]

PLAY RECAP ***************************************************************************************************************************
plane: ok=28   changed=2    unreachable=0    failed=0    skipped=17   rescued=0    ignored=0

    配置示例

    ---

pf_install: false
pf_enable: true
pf_debug: false
pf_blacklistd_enable: true
pf_fail2ban_enable: true
pf_sshguard_enable: true
pf_backup_conf: true

pfconf_only: false
pfconf_validate: true
pfconf_validate_command: "pfctl -n -f %s"

pf_type: server2
srv2_pss_ssh: "# pass in quick on $ext_if proto tcp from any to any port ssh flags S/SA keep state"
srv2_sshabuse: |-
  table <sshabuse> persist
  block in quick from <sshabuse>
  pass in quick on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
       (max-src-conn 10, max-src-conn-rate 3/5, overload <sshabuse> flush)

pf_log_all_blocked: true
pf_ext_if: wlan0
pf_ext_tcp_ports: "ssh, smtp, domain, www, pop3, auth, https, pop3s, 5500, 8080, 8081"
pf_ext_udp_ports: "domain, snmp, prospero, 5500"
pf_dhcp_ports: "bootps, bootpc"
pf_jails_ip: "10.1.0.0/24"

# nfs
pf_nfs_tcp_ports: "sunrpc, nfsd-status nfsd, lockd, 815, 956"
pf_nfs_udp_ports: "sunrpc, nfsd-keepalive, nfsd, lockd, 815, 956"
pf_nfs_clients: "10.1.0.0/24"
pf_rpc_ports: "1286, 1283, 1229"

pf_reserved_internal_net: "172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32"

pf_rules_custom:
  - dhcp_if="10.1.0.17"
  - ext_tcp_ports="{ {{ pf_ext_tcp_ports }} }"
  - ext_udp_ports="{ {{ pf_ext_udp_ports }} }"
  - dhcp_ports="{ {{ pf_dhcp_ports }} }"
  - jails_ip="{ {{ pf_jails_ip }} }"
  - nfs_clients="{ {{ pf_nfs_clients }} }"
  - nfs_tcp_ports="{ {{ pf_nfs_tcp_ports }} }"
  - nfs_udp_ports="{ {{ pf_nfs_udp_ports }} }"
  - rpc_ports="{ {{ pf_rpc_ports }} }"
  - syn_state="flags S/SA synproxy state"
  - sto_ext_ports="(max-src-conn-rate 500/10, overload <blocked_hosts> flush global)"
# DHCP
  - pass quick on $ext_if proto { tcp, udp } to $ext_if port $dhcp_ports
  - pass quick on $dhcp_if proto { tcp, udp } to $dhcp_if port $dhcp_ports
  # ext_tcp_ports
  - pass quick on $ext_if proto tcp to $ext_if port $ext_tcp_ports $syn_state $sto_ext_ports
  # ext_udp_ports
  - pass quick on $ext_if proto udp to $ext_if port $ext_udp_ports keep state $sto_ext_ports
  # nfs_clients nfs_ports
  - pass quick on $ext_if proto tcp from $nfs_clients to $ext_if port $nfs_tcp_ports keep state flags S/SA
  - pass quick on $ext_if proto udp from $nfs_clients to $ext_if port $nfs_udp_ports keep state
  - pass quick on $ext_if proto sctp from $nfs_clients to $ext_if keep state
  - pass quick on $ext_if proto { tcp, udp } from $nfs_clients to $ext_if port $rpc_ports keep state flags S/SA
  # jails_ip
  - pass in on $ext_if proto tcp to $jails_ip port $ext_tcp_ports $syn_state $sto_ext_ports
  - pass in on $ext_if proto udp to $jails_ip port $ext_udp_ports keep state $sto_ext_ports

pf_rules_nat:
  - nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# Howto: quick setup of jail on ZFS using ezjail with PF NAT/
# https://forums.freebsd.org/threads/howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063/
pf_rules_rdr:
  - rdr_jail_ports1="{ 80, 443 }"
  - rdr_jail_ports2="{ 80, 443 8080 8081 }"
  - rdr pass on $ext_if proto tcp from any to 10.1.0.61 port $rdr_jail_ports2 -> 127.0.2.11  # test_11
  - rdr pass on $ext_if proto tcp from any to 10.1.0.62 port $rdr_jail_ports1 -> 127.0.2.12  # test_12
  - rdr pass on $ext_if proto tcp from any to 10.1.0.63 port $rdr_jail_ports1 -> 127.0.2.13  # test_13
  - rdr pass on $ext_if proto tcp from any to 10.1.0.64 port $rdr_jail_ports1 -> 127.0.2.14  # test_14
  - rdr pass on $ext_if proto tcp from any to 10.1.0.65 port $rdr_jail_ports1 -> 127.0.2.15  # test_15
  - rdr pass on $ext_if proto tcp from any to 10.1.0.66 port $rdr_jail_ports1 -> 127.0.2.16  # test_16
  - rdr pass on $ext_if proto tcp from any to 10.1.0.67 port $rdr_jail_ports1 -> 127.0.2.17  # test_17
  - rdr pass on $ext_if proto tcp from any to 10.1.0.68 port $rdr_jail_ports1 -> 127.0.2.18  # test_18
  - rdr pass on $ext_if proto tcp from any to 10.1.0.69 port $rdr_jail_ports1 -> 127.0.2.19  # test_19
  - rdr pass on $ext_if proto tcp from any to 10.1.0.70 port $rdr_jail_ports1 -> 127.0.2.20  # test_20

# pf_ssh_whitelist:
# - 192.168.1.0/24
#
# NOTES: (1) nfs_ports: port 797 is needed for mountd;

# blacklistd
pf_blacklistd_flags: "-r"
pf_blacklistd_conf_remote: []
pf_blacklistd_conf_local:
  - {adr: ssh, type: stream, proto: "*", owner: "*", name: "*", nfail: "3", disable: 24h}
  - {adr: ftp, type: stream, proto: "*", owner: "*", name: "*", nfail: "3", disable: 24h}
  - {adr: smtp, type: stream, proto: "*", owner: "*", name: "*", nfail: "3", disable: 24h}
  - {adr: smtps, type: stream, proto: "*", owner: "*", name: "*", nfail: "3", disable: 24h}
  - {adr: submission, type: stream, proto: "*", owner: "*", name: "*", nfail: "3", disable: 24h}
  - {adr: "*", type: "*", proto: "*", owner: "*", name: "*", nfail: "3", disable: "60"}
pf_blacklistd_rcconf:
  - {regexp: blacklistd_flags, line: "{{ pf_blacklistd_flags }}"}

# EOF
...
    • 1

相关问题