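# pf.conf, rendered by Ansible: the {{ ... }} expressions are filled in at
# deploy time, so $ext_if and $jail_net are literal values when pf loads this.
#
# Look at past logs:
#   tcpdump -n -e -ttt -r /var/log/pflog
# Look at live logs (aka tail -f):
#   tcpdump -n -e -ttt -i pflog0
#
# Look at entries in the SSH rate-limit table:
#   pfctl -t bad_hosts -T show
# Delete an ip from that table:
#   pfctl -t bad_hosts -T delete $ip

ext_if="{{ ansible_default_ipv6.interface }}"
jail_net="{{ jailnet.stdout }}"

### Blocked packets are silently discarded ("drop"). Use "return" instead if a
### TCP RST / ICMP unreachable should be sent back: legitimate clients fail
### faster, but a scanner also learns that a filter is present.
set block-policy drop

# fairness my ass
# NOTE: "aggressive" shortens state timeouts; a long-idle connection may lose
# its state entry and, combined with block-policy drop, stall silently.
set optimization aggressive

### Reassemble fragmented packets before they are filtered
scrub in on $ext_if all fragment reassemble

### Ignore loopback interface
set skip on lo

### Sources that exceeded the SSH connection-rate limit (filled by the
### "overload" clause of the SSH rule below). "persist" keeps the table
### defined even while it is empty. Declared exactly once.
table <bad_hosts> persist

### Default: block (and log) all incoming traffic
block in log all

### Enforce the rate-limit table before any pass rule can match. Without this
### rule the overload clause only fills the table and never blocks anything.
block in log quick on $ext_if from <bad_hosts>

### Allow all outgoing traffic and track it so replies are let back in.
### "quick" stops evaluation for every outbound packet, so any further
### "pass out" rule (per-af, per-interface, "ansible answers") would never
### be reached; they are deliberately not repeated here.
# FIXME: does not survive reboots, that is: pf blocks after a reboot, pf must
# be reloaded, then it works
pass out quick keep state

### Block incoming traffic from the $ext_if subnet that does not arrive on
### $ext_if, and incoming traffic claiming $ext_if's own address on $ext_if.
### "quick" matters here: the SSH and ICMPv6 pass rules below are "quick" too,
### and a later quick pass would otherwise override a non-quick antispoof block.
antispoof quick for $ext_if inet6

### Allow traffic coming from jails
pass in on $ext_if inet6 from $jail_net keep state

### Allow SSH over IPv6 only (this file has no IPv4 pass-in rule at all).
### A source opening more than 10 connections in 60 seconds is added to
### <bad_hosts> and all of its existing states are killed ("flush global").
### Only pure SYN packets (ACK/FIN/RST clear) may create state.
pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
    flags S/SAFR keep state \
    (max-src-conn-rate 10/60, \
     overload <bad_hosts> flush global) label ServicesTCP

### ICMPv6 (neighbor discovery, PMTU discovery, ...).
### NOTE(review): this admits every ICMPv6 type on every interface; consider
### narrowing "all" to the types the host actually needs.
pass in quick inet6 proto icmp6 all keep state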