path: root/roles/pf/templates/pf.conf.j2
# managed by Ansible
#
# pf(4) ruleset template rendered by Ansible. Rule order matters: pf
# evaluates rules top to bottom and the LAST matching rule wins, except
# that a rule marked "quick" stops evaluation as soon as it matches.
{% import 'macros.j2' as macros with context %}
# NOTE(review): "macros" is not referenced anywhere in this template; the
# import looks like a leftover — confirm before removing.

# common configuration
# Blocked packets are dropped silently (no TCP RST / ICMP unreachable sent back).
set block-policy drop
# Interface whose packet/byte counters are kept for "pfctl -s info";
# "egress" is the interface group holding the default-route interface.
set loginterface egress
# Loopback and the WireGuard tunnel are excluded from filtering entirely:
# anything arriving from a wg0 peer is passed without any rule below applying.
set skip on { lo wg0 }
# Default deny in both directions; every "pass" rule below is an exception.
block all

# force ssh if not present below
# Inbound TCP to the SSH port is accepted from ANY source address, and "quick"
# means no later rule can override it. Assumes the inventory defines
# ansible_port for this host — TODO confirm, otherwise rendering fails.
pass in quick on egress proto tcp to port {{ ansible_port }}

# host services
# One inbound rule per entry in pf__rules (name, protocol, port), open to any
# source. The values are interpolated unquoted into pf syntax, so they must be
# trusted inventory data; a value containing spaces or braces would change
# the meaning of the ruleset rather than just this rule.
{% for rule in pf__rules %}
# {{ rule.name }}
pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }}
{% endfor %}

# wireguard
# WireGuard listener on UDP 50000, IPv4 only ("inet"); an IPv6 peer cannot
# connect through this rule. Not "quick", so a later matching rule could
# still override it.
pass in on egress inet proto udp from any to any port 50000
# Source-NAT outbound IPv4 from the wg0 subnet to the egress interface's
# primary (non-alias) address so tunnel peers reach the network via this host.
pass out quick on egress inet from (wg0:network) nat-to (egress:0)

# output network
# All outbound IPv4 is allowed; outbound IPv6 has no pass rule and therefore
# falls through to "block all".
pass out quick inet
# Every ICMP and ICMPv6 type is accepted inbound on every interface (not just
# egress), with no type or rate restriction.
pass in proto { icmp, icmp6 } all