# managed by Ansible
{% import 'macros.j2' as macros with context %}
# NOTE(review): `macros` is not referenced anywhere in the visible body of
# this template; the import is harmless but looks like a leftover.
# common configuration
# Blocked packets are silently discarded (no RST / ICMP unreachable is sent),
# and pf keeps its logging statistics for the egress interface group.
set block-policy drop
set loginterface egress
# lo and wg0 are excluded from filtering entirely: every packet arriving on
# the WireGuard interface is trusted, so tunnel peers reach all local services
# unfiltered. Traffic they forward is only filtered when it leaves via egress
# (see the nat-to and pass out rules below).
set skip on { lo wg0 }
# Default deny in both directions; everything below is an exception.
block all
# force ssh if not present below
# Evaluated first and flagged `quick`, so management access stays open even
# when pf_rules does not list it. `ansible_port` is the inventory connection
# port (22 unless overridden). Accepted from any source address - narrow it
# with a `from` list if the host is not meant to be reachable world-wide.
pass in quick on egress proto tcp to port {{ ansible_port }}
# host services
# One rule per entry of the `pf_rules` dict. `protocol` and `port` are
# inserted verbatim into pf.conf, so the inventory values must be valid pf
# syntax; a `pfctl -nf` check before reloading catches a malformed value.
{% for name, rules in pf_rules.items() %}
# {{ name }}
pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }}
{% endfor %}
# wireguard
# Inbound tunnel traffic, IPv4 only. 50000 is presumably wg0's ListenPort -
# confirm against the WireGuard configuration. Not `quick`, so a later
# matching rule could still override it (none in this file does).
pass in on egress inet proto udp from any to any port 50000
# NAT IPv4 traffic from the tunnel subnet behind the egress address.
# Forwarding between wg0 and egress additionally requires IP forwarding to be
# enabled in sysctl, which this file does not control.
pass out quick on egress inet from (wg0:network) nat-to (egress:0)
# output network
# All outbound IPv4 on every interface. There is no inet6 counterpart, so
# outbound IPv6 (including icmp6 neighbour discovery) falls through to
# `block all`; fine for a v4-only host, otherwise an inet6 pass out is needed.
pass out quick inet
# Every ICMP / ICMPv6 type, inbound on every interface, with no rate limit.
# Consider restricting to the types actually needed (e.g. echoreq and
# unreachables) if the host is exposed.
pass in proto { icmp, icmp6 } all