got it running, added net, pf and jail roles

roles/firewall/handlers/main.yaml

@@ -0,0 +1,15 @@
+---
+- name: start pf
+  service:
+    name: pf
+    state: started
+  async: 45
+  poll: 5
+
+- name: start pflog
+  service:
+    name: pflog
+    state: started
+
+- name: reload pf
+  shell: pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf

roles/firewall/tasks/main.yaml

@@ -0,0 +1,20 @@
+---
+- name: enable pf
+  community.general.sysrc:
+    name: pf_enable
+    value: "YES"
+  notify: start pf
+
+- name: enable pflog
+  community.general.sysrc:
+    name: pflog_enable
+    value: "YES"
+  notify: start pflog
+
+- name: template pf.conf
+  template:
+    src: pf.conf.j2
+    dest: /etc/pf.conf
+  notify: reload pf
+
+- meta: flush_handlers

roles/firewall/templates/pf.conf.j2

@@ -0,0 +1,24 @@
+ext_if="{{ ansible_default_ipv6.interface }}"
+
+### Default block policy is to return a reset packet
+set block-policy return
+### Reassemble fragmented packets
+scrub in on $ext_if all fragment reassemble
+### Ignore loopback interface
+set skip on lo
+
+### Allow empty table to exist
+table <jails> persist
+
+### Block on incoming traffic
+block in all
+
+### Allow outgoing, skip others rules if match, and track connections
+pass out quick keep state
+
+### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
+### And block incoming traffic from $ext_if IP on $ext_if interface
+antispoof for $ext_if inet6
+
+### Allow SSH
+pass in inet6 proto tcp from any to any port ssh flags S/SA keep state