# managed by Ansible
# pf.conf rendered from this template. Rules are evaluated last-match-wins
# unless marked "quick", so ordering below matters.
{% import 'macros.j2' as macros with context %}

# common configuration
# Blocked packets are dropped silently (no RST / ICMP unreachable returned).
set block-policy drop
# Statistics are collected for the "egress" interface group.
set loginterface egress
# Filtering is disabled entirely on these interfaces: nothing below applies
# to loopback traffic or to traffic on the wg0 tunnel itself.
set skip on { lo wg0 }

# Default deny; every later "pass" rule is an explicit exception to this.
block all

# force ssh if not present below
# SSH is always admitted on egress regardless of the __services list.
pass in quick on egress proto tcp to port 22

# host services
# Each entry supplies protocol and port verbatim (no filter or escaping is
# applied), so the inventory that defines __services must validate both
# values before rendering.
{% for service in __services %}
pass in quick on egress proto {{ service["protocol"] }} to port {{ service["port"] }}
{% endfor %}

# wireguard
# Tunnel endpoint listener: UDP 50000 inbound on egress.
pass in on egress inet proto udp from any to any port 50000
# Source-NAT traffic originating from the wg0 network to the first address
# of the egress interface when it leaves via egress.
pass out quick on egress inet from (wg0:network) nat-to (egress:0)

# output network
# NOTE(review): only inet (IPv4) is passed outbound here; outbound inet6
# falls through to "block all" even though icmp6 is passed inbound below.
# Confirm this is intended.
pass out quick inet
# All ICMP and ICMPv6 types are admitted inbound on every filtered interface.
# If only specific types are needed (e.g. echo requests, unreachables),
# consider restricting with "icmp-type" / "icmp6-type".
pass in proto { icmp, icmp6 } all