--- - name: firewall - setup PF rules template: src: pf.conf.j2 dest: /etc/pf.conf validate: "pfctl -nf %s" notify: reload-pf tags: pf-rules - name: firewall - enable PF command: rcenable pf - name: firewall - enable PF log command: rcenable pflog - name: sshlockout - setup with PF lineinfile: path: /etc/syslog.conf line: "auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf bruteforce" insertafter: 'auth\.info' notify: restart-syslogd tags: sshlockout - name: cron - expire PF table (bruteforce) cron: name: "pf-expire-table-bruteforce" user: root minute: "0" hour: "*/2" # every 2 hours job: "pfctl -t bruteforce -T expire 86400 >/dev/null 2>&1"