Ansible: New Module pf (packet filter) for BSD systems
2023-01-17 Ansible, Coding, FreeBSD, OS, Personally
My new Ansible module pf (packet filter) manages pf, the BSD packet filter used as a firewall, and is compatible with FreeBSD, OpenBSD etc. When running in dry_run mode, a generated rule set file will be validated and printed within Ansible's meta output (JSON). Rule sets can be loaded by filter (e.g. filter, options or nat) and tested in dry_run mode.
In addition, the module handles basic service management: starting, stopping and restarting pf.
Next step: pushing this to Ansible upstream.
Example usage:
- name: Test a rule set
  pf:
    action: reload
    config: /etc/pf.conf
    dry_run: True

- name: Load only NAT rules set
  pf:
    action: reload
    config: /etc/pf.conf
    filter: nat

- name: Flush PF rules
  pf:
    action: reload
    config: /etc/pf.conf

- name: Start PF
  pf:
    action: reload
    config: /etc/pf.conf
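
The validate-before-load pattern behind dry_run and filter, sketched as an added example that is not the module's own code. It assumes FreeBSD's pfctl(8) flags (-n parse only, -N/-R/-O load only NAT/filter/options; on OpenBSD -N has a different meaning), and the function names and return keys are hypothetical.

```python
import subprocess

# Assumed mapping from the post's `filter` values to FreeBSD pfctl(8) flags.
FILTER_FLAGS = {"nat": "-N", "filter": "-R", "options": "-O"}


def build_pfctl_cmd(config, dry_run=False, rule_filter=None):
    """Return the pfctl argv for loading (or only parsing) a rule set."""
    if not config.startswith("/"):
        raise ValueError("config must be an absolute path")
    cmd = ["pfctl"]
    if dry_run:
        cmd.append("-n")  # parse the file only, do not load anything
    if rule_filter is not None:
        if rule_filter not in FILTER_FLAGS:
            raise ValueError("unknown filter: %r" % rule_filter)
        cmd.append(FILTER_FLAGS[rule_filter])
    cmd += ["-f", config]
    return cmd


def safe_reload(config, rule_filter=None, run=subprocess.run):
    """Parse the rule set first; load it only if parsing succeeded."""
    check = run(build_pfctl_cmd(config, True, rule_filter),
                capture_output=True, text=True)
    if check.returncode != 0:
        # The active rules stay untouched; report the parser error instead.
        return {"changed": False, "failed": True, "msg": check.stderr.strip()}
    load = run(build_pfctl_cmd(config, False, rule_filter),
               capture_output=True, text=True)
    return {"changed": load.returncode == 0,
            "failed": load.returncode != 0,
            "msg": load.stderr.strip()}
```

Because a rule set with a syntax error never reaches the load step, the running firewall keeps its current rules when validation fails.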
GitHub: initial upload of pf (packet filter)
GitHub: Ansible Community: pf.py module PR#5857