Annotation of src/share/pf/faq-example2, Revision 1.1

# $OpenBSD$

#
# Small, Home Network
#


# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 610Kbps to get the best performance out of the TCP
# ACK queue.

altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
    tcp_ack_out }

# define the parameters for the child queues.
#   std_out      - the standard queue. any filter rule below that does not
#                  explicitly specify a queue will have its traffic added
#                  to this queue.
#   ssh_im_out   - interactive SSH and various instant message traffic.
#   dns_out      - DNS queries.
#   tcp_ack_out  - TCP ACK packets with no data payload.

queue std_out      priq(default)
queue ssh_im_out   priority 4 priq(red)
queue dns_out      priority 5
queue tcp_ack_out  priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

# define the parameters for the child queues.
#   std_in     - the standard queue. any filter rule below that does not
#                explicitly specify a queue will have its traffic added
#                to this queue.
#   ssh_im_in  - interactive SSH and various instant message traffic.
#   dns_in     - DNS replies.
#   bob_in     - bandwidth reserved for Bob's workstation. allow him to
#                borrow.

queue std_in     cbq(default)
queue ssh_im_in  priority 4
queue dns_in     priority 5
queue bob_in     bandwidth 80Kb cbq(borrow)


# ... in the filtering section of pf.conf ...

alice     = "192.168.0.2"
bob       = "192.168.0.3"
charlie   = "192.168.0.4"
local_net = "192.168.0.0/24"
ssh_ports = "{ 22 2022 }"
im_ports  = "{ 1863 5190 5222 }"

# filter rules for fxp0 inbound
block in on fxp0 all

# filter rules for fxp0 outbound
block out on fxp0 all
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
    keep state queue dns_out
pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
    flags S/SA keep state queue(std_out, ssh_im_out)
pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
    flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for dc0 inbound
block in on dc0 all
pass in on dc0 from $local_net

# filter rules for dc0 outbound
block out on dc0 all
pass out on dc0 from any to $local_net
pass out on dc0 proto { tcp udp } from any port domain to $local_net \
    queue dns_in
pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
    queue(std_in, ssh_im_in)
pass out on dc0 proto tcp from any port $im_ports to $local_net \
    queue ssh_im_in
pass out on dc0 from any to $bob queue bob_in
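An added consistency check, not part of the OpenBSD file, for the queue assignments above: it reads the altq, queue and pass lines, flags any rule that names a queue not declared for the rule's interface (a typo there makes pfctl reject the whole ruleset), and flags a two-queue assignment whose second queue, the one pf uses for TCP ACKs and low-delay packets, does not have a higher priority than the first. PF_CONF is a constructed excerpt of the lines above, and the priority-ordering rule is this check's own assumption about the author's intent.

```python
import re

# Constructed excerpt of the queue definitions and filter rules above.
PF_CONF = r"""altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
    tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
queue std_in cbq(default)
queue ssh_im_in priority 4
queue dns_in priority 5
queue bob_in bandwidth 80Kb cbq(borrow)
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
    keep state queue(std_out, tcp_ack_out)
pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
    queue(std_in, ssh_im_in)
pass out on dc0 from any to $bob queue bob_in
"""

def join_continuations(text):
    """Merge lines ending in a backslash, as pfctl does before parsing."""
    return re.sub(r"\\\n\s*", " ", text).splitlines()

def lint_queues(text):
    """Return problems: a rule using a queue not declared on its interface, or a
    two-queue assignment whose second (ACK/low-delay) queue does not outrank the first."""
    iface_queues, priority, problems = {}, {}, []
    for line in join_continuations(text):
        m = re.match(r"altq on (\S+) .*queue \{([^}]*)\}", line)
        if m:
            iface_queues[m.group(1)] = {q.strip() for q in m.group(2).split(",")}
            continue
        m = re.match(r"queue (\S+)(?: .*priority (\d+))?", line)
        if m:
            priority[m.group(1)] = int(m.group(2) or 1)  # pf default priority is 1
            continue
        m = re.match(r"pass (?:in|out) on (\S+) .*queue\s*\(?([\w, ]+)\)?\s*$", line)
        if not m:
            continue  # block rules and rules without a queue keyword
        iface, names = m.group(1), [q.strip() for q in m.group(2).split(",")]
        for q in names:
            if q not in iface_queues.get(iface, ()):
                problems.append(f"{q} is not a queue on {iface}")
        if len(names) == 2 and priority.get(names[1], 0) <= priority.get(names[0], 0):
            problems.append(f"{names[1]} does not outrank {names[0]}")
    return problems
```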