25 lines
716 B
Django/Jinja
ext_if="{{ ansible_default_ipv6.interface }}"

### Default block policy is to return a reset packet
set block-policy return

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Ignore loopback interface
set skip on lo

### Allow empty table to exist
table <jails> persist

### Block all incoming traffic
block in all

### Allow outgoing, skip other rules if matched, and track connections
pass out quick keep state

### Block all incoming traffic from the $ext_if subnet which is not from the $ext_if interface
### And block incoming traffic from the $ext_if IP on the $ext_if interface
antispoof for $ext_if inet6

### Allow SSH (match only the initial SYN so state is created from the first packet)
pass in inet6 proto tcp from any to any port ssh flags S/SA keep state