fixes:

- finally fixed pf.conf
- got Bastillefile working (sshd_config missing yet)
- re-activated network role to set net variables
- fixed make [all]
- use hetzner volume for jail home
- use ramdisk for /tmp inside jail

roles/firewall/templates/pf.conf.j2

@@ -8,6 +8,7 @@
 #   pfctl -t bad_hosts -T delete $ip  
 
 ext_if="{{ ansible_default_ipv6.interface }}"
+jail_net="{{ jailnet.stdout }}"
 
 ### Default block policy is to return a reset packet
 set block-policy drop
@@ -30,6 +31,11 @@ block in log all
 ### Allow outgoing, skip others rules if match, and track connections
 pass out quick keep state
 pass out inet6 keep state
+pass out quick on $ext_if keep state
+pass out on $ext_if inet6 keep state
+
+### Allow traffic coming from jails
+pass in on $ext_if inet6 from $jail_net keep state
 
 ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
 ### And block incoming traffic from $ext_if IP on $ext_if interface
@@ -42,5 +48,8 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
      (max-src-conn-rate 10/60, \
      overload <bad_hosts> flush global) label ServicesTCP
 
+# allow ansible answers
+pass out on $ext_if proto tcp from port 22 to any flags any
+     
 # ipv6 icmp
 pass in quick inet6 proto icmp6 all keep state