bsdnix/roles/firewall/templates/pf.conf.j2

ext_if="{{ ansible_default_ipv6.interface }}"

### Default block policy is to return a reset packet
set block-policy return
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Ignore loopback interface
set skip on lo

### Allow empty table to exist
table <jails> persist

### Block on incoming traffic
block in all

### Allow outgoing, skip others rules if match, and track connections
pass out quick keep state

### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
### And block incoming traffic from $ext_if IP on $ext_if interface
antispoof for $ext_if inet6

### Allow SSH
pass in inet6 proto tcp from any to any port ssh flags S/SA keep state
got it running, added net, pf and jail roles 2024-11-08 20:08:56 +01:00			`ext_if="{{ ansible_default_ipv6.interface }}"`

			`### Default block policy is to return a reset packet`
			`set block-policy return`
			`### Reassemble fragmented packets`
			`scrub in on $ext_if all fragment reassemble`
			`### Ignore loopback interface`
			`set skip on lo`

			`### Allow empty table to exist`
			`table <jails> persist`

			`### Block on incoming traffic`
			`block in all`

			`### Allow outgoing, skip others rules if match, and track connections`
			`pass out quick keep state`

			`### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface`
			`### And block incoming traffic from $ext_if IP on $ext_if interface`
			`antispoof for $ext_if inet6`

			`### Allow SSH`
			`pass in inet6 proto tcp from any to any port ssh flags S/SA keep state`