got it running, added net, pf and jail roles
This commit is contained in:
24
roles/firewall/templates/pf.conf.j2
Normal file
24
roles/firewall/templates/pf.conf.j2
Normal file
@@ -0,0 +1,24 @@
|
||||
ext_if="{{ ansible_default_ipv6.interface }}"
|
||||
|
||||
### Default block policy is to return a reset packet
|
||||
set block-policy return
|
||||
### Reassemble fragmented packets
|
||||
scrub in on $ext_if all fragment reassemble
|
||||
### Ignore loopback interface
|
||||
set skip on lo
|
||||
|
||||
### Allow empty table to exist
|
||||
table <jails> persist
|
||||
|
||||
### Block on incoming traffic
|
||||
block in all
|
||||
|
||||
### Allow outgoing, skip others rules if match, and track connections
|
||||
pass out quick keep state
|
||||
|
||||
### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
|
||||
### And block incoming traffic from $ext_if IP on $ext_if interface
|
||||
antispoof for $ext_if inet6
|
||||
|
||||
### Allow SSH
|
||||
pass in inet6 proto tcp from any to any port ssh flags S/SA keep state
|
||||
Reference in New Issue
Block a user