Annotation of src/share/pf/faq-example3, Revision 1.1
# $OpenBSD$

#
# Company Network
#
# ALTQ queue definitions and filter rules for a firewall with three
# interfaces (roles taken from the comments and rules in this file):
#   fxp0 - external interface towards the Internet, 1.5Mbps outbound
#   dc0  - internal interface (main network and IT Dept network)
#   fxp1 - DMZ interface (WWW server)
#

# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
# queueing only acts on packets leaving an interface, so these queues
# only shape traffic sent out fxp0.

altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }

# define the parameters for the child queues.
#   std_ext      - the standard queue. also the default queue for
#                  outgoing traffic on fxp0 (packets no filter rule
#                  assigns to a queue end up here).
#   www_ext      - container queue for WWW server queues. limit to
#                  500Kbps (one third of the 1.5Mbps link).
#   www_ext_http - http traffic from the WWW server. priority 3, with
#                  RED (random early detection) to avoid a full queue.
#   www_ext_misc - all non-http traffic from the WWW server, priority 1
#                  (below the http queue).
#   boss_ext     - traffic coming from the boss's computer, priority 3.

queue std_ext cbq(default)
queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
queue www_ext_http priority 3 cbq(red)
queue www_ext_misc priority 1
queue boss_ext priority 3

# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
# bandwidth of each queue. bandwidth on this interface is set to the
# maximum. traffic coming from the DMZ will be able to use all of this
# bandwidth while traffic coming from the Internet will be limited to
# 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).
# as on fxp0, only packets leaving dc0 (towards the internal hosts)
# pass through these queues.

altq on dc0 cbq bandwidth 100% queue { net_int, www_int }

# define the parameters for the child queues.
#   net_int  - container queue for traffic from the Internet. bandwidth
#              is 1.0Mbps, shared by the three queues below.
#   std_int  - the standard queue. also the default queue for outgoing
#              traffic on dc0.
#   it_int   - traffic to the IT Dept network. 500Kbps, and allowed to
#              borrow unused bandwidth from its parent (cbq(borrow)).
#   boss_int - traffic to the boss's PC, priority 3.
#   www_int  - traffic from the WWW server in the DMZ, with RED.

queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
queue std_int cbq(default)
queue it_int bandwidth 500Kb cbq(borrow)
queue boss_int priority 3
queue www_int cbq(red)

# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
# control of bandwidth is necessary. bandwidth on this interface is set
# to the maximum. traffic from the internal network will be able to use
# all of this bandwidth while traffic from the Internet will be limited
# to 500Kbps.

altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }

# define the parameters for the child queues.
#   internal_dmz - traffic from the internal network. no bandwidth or
#                  priority is given, so it runs with the scheduler's
#                  defaults.
#   net_dmz      - container queue for traffic from the Internet, capped
#                  at 500Kbps.
#   net_dmz_http - http traffic, priority 3, with RED.
#   net_dmz_misc - all non-http traffic (the ftp control and passive
#                  data ports passed by the fxp1 rules below). this is
#                  also the default queue for fxp1.

queue internal_dmz # no special settings needed
queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
queue net_dmz_http priority 3 cbq(red)
queue net_dmz_misc priority 1 cbq(default)


# ... in the filtering section of pf.conf ...

# address macros. the two internal networks sit behind dc0, the DMZ
# behind fxp1 (see the queue definitions above).
main_net = "192.168.0.0/24"
it_net = "192.168.1.0/24"
# NOTE(review): int_nets spells out main_net and it_net a second time;
# keep the three definitions in sync if a network is renumbered.
int_nets = "{ 192.168.0.0/24, 192.168.1.0/24 }"
# dmz_net is defined for reference but not used by the rules below.
dmz_net = "10.0.0.0/24"

# individual hosts: the boss's PC on the main network and the WWW
# server in the DMZ.
boss = "192.168.0.200"
wwwserv = "10.0.0.100"

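# default deny: anything not explicitly passed below is dropped on all
# three interfaces. ("block log" would additionally copy the dropped
# packets to pflog0, which helps when tracing unexpected drops.)
block on { fxp0, fxp1, dc0 } all

# filter rules for fxp0 inbound
# only the WWW server is reachable from the Internet: ftp control (21),
# the passive ftp data ports (> 49151) and http (80). the high port
# range is wide; if the ftp daemon's passive port range is known,
# narrow "> 49151" to it so fewer ports on the server are exposed.
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
    > 49151 } flags S/SA keep state queue www_ext_misc
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
    flags S/SA keep state queue www_ext_http

# filter rules for fxp0 outbound
# internal hosts may reach the Internet. the later, more specific $boss
# rule is the last match for that host and moves it into boss_ext.
pass out on fxp0 from $int_nets to any keep state
pass out on fxp0 from $boss to any keep state queue boss_ext

# filter rules for dc0 inbound
# the general rule passes all internal hosts. the IT Dept and boss
# rules are the last match for their sources and so override it; they
# keep state like the general rule does, so those flows are tracked
# statefully and, because a state carries the queue of the rule that
# created it, replies leaving dc0 are placed in it_int / boss_int
# (review: confirm this queue-via-state behaviour on the pf release in
# use).
pass in on dc0 from $int_nets to any keep state
pass in on dc0 from $it_net to any keep state queue it_int
pass in on dc0 from $boss to any keep state queue boss_int
# NOTE(review): the general rule above already passes internal hosts to
# any destination, which includes the WWW server on every port; the
# rule below only selects the queue for ftp/http. if internal access to
# the DMZ is meant to be limited to these ports, restrict the general
# rule rather than relying on the fxp1 outbound port list.
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
    > 49151 } flags S/SA keep state queue www_int

# filter rules for dc0 outbound
# only packets sourced from dc0's own address. replies to internal
# hosts are matched by the states created above (state entries are
# checked before the rule list), not by this rule.
pass out on dc0 from dc0 to $int_nets

# filter rules for fxp1 inbound
# the WWW server may only originate DNS lookups; anything else it sends
# falls through to the default deny.
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
    keep state

# filter rules for fxp1 outbound
# traffic towards the WWW server. the Internet-sourced rules come
# first; the $int_nets rule is more specific and, as the last match,
# moves internal traffic into internal_dmz.
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
    > 49151 } flags S/SA keep state queue net_dmz_misc
pass out on fxp1 proto tcp from any to $wwwserv port 80 \
    flags S/SA keep state queue net_dmz_http
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
    21, > 49151 } flags S/SA keep state queue internal_dmz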