finally got the ipv6 jail stuff working, yeah

roles/firewall/templates/pf.conf.j2

@@ -1,9 +1,23 @@
+# 
+# Look at past logs                tcpdump -n -e -ttt -r /var/log/pflog
+# Look at live logs (aka tail -f): tcpdump -n -e -ttt -i pflog0
+#
+# Look at entries in table <bad_hosts> (SSH Limit Block):
+#   pfctl -t bad_hosts -T show
+# Delete an ip from table:
+#   pfctl -t bad_hosts -T delete $ip  
+
 ext_if="{{ ansible_default_ipv6.interface }}"
 
 ### Default block policy is to return a reset packet
-set block-policy return
+set block-policy drop
+
+# fairness my ass
+set optimization aggressive
+
 ### Reassemble fragmented packets
 scrub in on $ext_if all fragment reassemble
+
 ### Ignore loopback interface
 set skip on lo
 
@@ -11,14 +25,22 @@ set skip on lo
 table <jails> persist
 
 ### Block on incoming traffic
-block in all
+block in log all
 
 ### Allow outgoing, skip others rules if match, and track connections
 pass out quick keep state
+pass out inet6 keep state
 
 ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
 ### And block incoming traffic from $ext_if IP on $ext_if interface
 antispoof for $ext_if inet6
 
 ### Allow SSH
-pass in inet6 proto tcp from any to any port ssh flags S/SA keep state
+table <bad_hosts> persist
+pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
+     flags S/SAFR keep state \
+     (max-src-conn-rate 10/60, \
+     overload <bad_hosts> flush global) label ServicesTCP
+
+# ipv6 icmp
+pass in quick inet6 proto icmp6 all keep state