Diffstat (limited to 'roles/pf/templates/pf.conf.j2')
-rw-r--r--roles/pf/templates/pf.conf.j220
1 files changed, 13 insertions, 7 deletions
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index d39694d..6d67f4f 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -1,11 +1,10 @@
{# pf ~~ templates/pf.conf.j2 #}
-
# pf ~~ /etc/pf.conf
-# ========================= #
+# *
# common config. by Ansible
-# ========================= #
+# *
set block-policy drop
set loginterface egress
@@ -17,15 +16,22 @@ block all
pass in quick on egress proto {{ service["proto"] }} to port {{ service["port"] }}
{% endfor %}
-# ====================== #
+# *
# sub-config. by Ansible
-# ====================== #
+# *
+
+{% if hypervisor is defined and vms is defined %}
+# hypervisor network passthrough
+{% for i in range(vms | length + 5) %}
+set skip on tap{{ i }}
+{% endfor %}
+{% endif %}
{% include "templates/" + inventory_hostname + "/etc/pf.conf.j2" ignore missing %}
-# ========================= #
+# *
# out. interface by Ansible
-# ========================= #
+# *
pass out quick inet
pass in proto { icmp, icmp6 } all
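Review bot: The added `set skip on tap{{ i }}` lines exempt every tap interface from pf filtering entirely, so the `block all` default and the per-service `pass in quick` rules no longer apply to VM traffic on those interfaces, and neither the `# hypervisor network passthrough` comment nor the commit says so; the comment should spell out the effect, e.g. `# set skip: pf does no filtering at all on these tap interfaces (guest traffic is not subject to the rules above)`. The `+ 5` in `range(vms | length + 5)` is an unexplained constant — presumably headroom for taps created before the inventory is updated — and deserves a one-line comment naming that intent. The guard `{% if hypervisor is defined and vms is defined %}` only tests definedness, so a host with `hypervisor: false` in its vars would still get the skip rules; if the variable is meant as a boolean switch, `{% if hypervisor is defined and hypervisor and vms is defined %}` expresses that. The hunk ends inside the template, and the included per-host pf.conf.j2 may add further rules after this block.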