diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
new file mode 100644
index 0000000..51dcfc3
--- /dev/null
+++ b/roles/pf/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+
+firewall_in:
+  - {proto: tcp, port: 22}
+
+firewall_raw: []
diff --git a/roles/pf/handlers/main.yml b/roles/pf/handlers/main.yml
new file mode 100644
index 0000000..8cb3d40
--- /dev/null
+++ b/roles/pf/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: reload pf
+  command: /sbin/pfctl -f /etc/pf.conf
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
new file mode 100644
index 0000000..c7bbb32
--- /dev/null
+++ b/roles/pf/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: copy pf.conf
+  copy:
+    src: "{{ firewall_src }}"
+    dest: /etc/pf.conf
+    mode: 0600
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: reload pf
+  when: firewall_src is defined
+
+- name: create pf.conf from template
+  template:
+    src: pf.conf.j2
+    dest: /etc/pf.conf
+    mode: 0600
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: reload pf
+  when: firewall_src is not defined
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
new file mode 100644
index 0000000..8a05612
--- /dev/null
+++ b/roles/pf/templates/pf.conf.j2
@@ -0,0 +1,22 @@
+
+set block-policy return
+set skip on lo0
+
+block in
+pass out
+
+pass in quick proto icmp
+pass in quick proto icmp6
+
+{% for rule in firewall_raw %}
+{{ rule }}
+{% endfor %}
+{% for rule in firewall_in %}
+  {% if rule.from is defined %}
+  {% for from in rule.from | ipaddr %}
+pass in quick proto {{ rule.proto }} from {{ from }} to port {{ rule.port }}
+  {% endfor %}
+  {% else %}
+pass in quick proto {{ rule.proto }} to port {{ rule.port }}
+  {% endif %}
+{% endfor %}
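Review bot: The shape of a `firewall_in` entry (`proto`, `port`, optional `from`) is only discoverable by reading the template in this same commit, and the default entry opens tcp/22 to any source, so a comment above the list would save the next user a trip: `# each entry: proto, port, optional from (a LIST of addresses, filtered through ipaddr); no from means any source`. `firewall_raw` is emitted verbatim into pf.conf ahead of the generated pass rules, which is worth a one-line comment as well, since with `quick` rules the ordering decides what wins. Style: the entry is written in flow style while the rest of the role uses block style; `- proto: tcp` / `  port: 22` reads and diffs more cleanly.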
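Review bot: The handler loads the ruleset with `pfctl -f` but nothing in the role enables pf, so on a host where pf is not yet enabled the new rules are loaded without being enforced; if the role is expected to bring the firewall up on a fresh host, a task or second handler running `/sbin/pfctl -e` would be needed (hedged, since enabling may be handled by rc.conf outside this role). A short comment on the handler would document the failure mode a reader will care about: `# pfctl -f parses the whole file before loading; on a parse error the previously loaded ruleset stays in effect`.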
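Review bot: `mode: 0600` on both the copy and template tasks is an unquoted octal literal, which a YAML 1.1 loader reads as the integer 384; Ansible's own guidance is that leading-zero modes work only sometimes and should be quoted, so `mode: "0600"` on both tasks. Both tasks also write /etc/pf.conf with no `validate:` step, so a ruleset with a syntax error lands on disk and is only reported later by the `reload pf` handler, leaving the broken file as what the next boot will load; `validate: '/sbin/pfctl -nf %s'` on each task keeps the previous file in place until the new one parses. Apart from `src`, the two tasks are identical and their `when` guards are complementary, so a one-line comment explaining that `firewall_src` selects a hand-written file over the template would be useful.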
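Review bot: The `{% for from in rule.from | ipaddr %}` loop only works when `rule.from` is a list; as far as I can tell the ipaddr filter returns a scalar string unchanged when given one (and False when it is not a valid address), so a single-string `from` is iterated character by character and produces garbage `from 1`, `from .` rules that pfctl then rejects, while a list silently loses any entry that fails validation and that host quietly ends up without a pass rule. Coercing to a list first, `{% for from in ([rule.from] if rule.from is string else rule.from) | ipaddr %}`, fixes the scalar case, and a comment `{# invalid entries in rule.from are dropped by ipaddr: check the rendered file #}` warns about the silent drop. `block in` at the top discards inbound traffic without a trace; `block in log` sends the drops to pflog0, which is the usual way to see what the policy is rejecting and is worth a comment on why logging is or is not wanted. The indented `{% if %}`/`{% for %}` lines leave leading spaces on the generated pass lines because Ansible's templating trims the newline after a block tag but not the indent before it; pfctl accepts that, but flush-left tags or `{%-`/`-%}` whitespace control keep the rendered file clean.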