Add pf playbook and role

2 files changed, 50 insertions, 0 deletions

diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
new file mode 100644
index 0000000..7916c69
--- /dev/null
+++ b/roles/pf/tasks/main.yml
@@ -0,0 +1,15 @@
+
+# pf ~~ tasks/main.yml
+
+---
+
+- name: Generate and sync configuration
+  template:
+    src: templates/pf.conf.j2
+    dest: /etc/pf.conf
+    owner: root
+    group: "{{ group.root }}"
+    mode: "0600"
+
+- name: Restart pf
+  shell: /sbin/pfctl -f /etc/pf.conf
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..64001cf
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,35 @@
+
+{# pf ~~ templates/pf.conf.j2 #}
+
+# pf ~~ /etc/pf.conf
+
+# ========================= #
+# common config. by Ansible
+# ========================= #
+
+set block-policy drop
+set loginterface egress
+set skip on { lo tun0 }
+
+block all
+
+{% for key, value in services.tcp.items() %}
+pass in quick on egress proto tcp to port {{ value }}
+{% endfor %}
+{% for key, value in services.udp.items() %}
+pass in quick on egress proto udp to port {{ value }}
+{% endfor %}
+
+# ====================== #
+# sub-config. by Ansible
+# ====================== #
+
+{% include "templates/" + inventory_hostname + "/etc/pf.conf.j2" %}
+
+# ========================= #
+# out. interface by Ansible 
+# ========================= #
+
+pass out quick inet
+pass in proto { icmp, icmp6 } all
+