# managed by Ansible
{% import 'macros.j2' as macros with context %}
{# 'macros' is imported but not referenced anywhere in this template. #}

# --- pf macros (expanded textually, so the loaded ruleset is unchanged) ---
ssh_port = "{{ ansible_port }}"
wg_port  = "50000"

# --- global options ---
# Blocked packets are discarded silently (no RST / unreachable sent back).
set block-policy drop
# Statistics counters (pfctl -s info) are gathered for the egress group.
set loginterface egress
# Neither loopback nor the WireGuard tunnel is filtered at all: tunnel peers
# can reach every listening service on this host. Narrow this if peers are
# not fully trusted.
set skip on { lo wg0 }

# Default deny in both directions; every rule below is an exception to this.
block all

# --- management access ---
# Keep the Ansible SSH port open on the external interface even if pf_rules
# does not list it, so a configuration push cannot lock us out.
pass in quick on egress proto tcp to port $ssh_port

# --- host services ---
# Each entry opens rule.port/rule.protocol on egress from any source; there is
# no per-rule source restriction, so every listed service is world-reachable.
{% for rule in pf_rules %}
# {{ rule.name }}
pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }}
{% endfor %}

# --- WireGuard ---
# Tunnel transport (IPv4 only) and source NAT for tunnel clients onto the
# primary egress address. The nat-to rule must stay ahead of the generic
# "pass out quick inet" below, otherwise tunnel traffic leaves un-NATed.
pass in on egress inet proto udp to port $wg_port
pass out quick on egress inet from (wg0:network) nat-to (egress:0)

# --- outbound and ICMP ---
# Only IPv4 is passed out; IPv6 egress still falls under "block all" --
# confirm that is intended. Every ICMP/ICMPv6 type is accepted inbound on
# all interfaces (presumably for PMTUD and neighbour discovery); an
# icmp-type / icmp6-type list would tighten this.
pass out quick inet all
pass in proto { icmp, icmp6 } all