ext_if="{{ ansible_default_ipv6.interface }}"

### Default block policy is to return a reset packet
set block-policy return

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Ignore loopback interface
set skip on lo

### Allow empty table to exist
### (pf requires a table name in angle brackets here, i.e. "table <tablename> persist";
### the name did not survive on this page)
table persist

### Block on incoming traffic
block in all

### Allow outgoing, skip other rules if match, and track connections
pass out quick keep state

### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
### And block incoming traffic from $ext_if IP on $ext_if interface
antispoof for $ext_if inet6

### Allow SSH
pass in inet6 proto tcp from any to any port ssh flags S/SA keep state