1.2 ! henning 1: # $OpenBSD: faq-example3,v 1.1 2003/08/02 18:25:49 henning Exp $
1.1 henning 2:
3: #
4: # Company Network
1.2 ! henning 5: # http://www.openbsd.org/faq/pf/queueing.html#example2
1.1 henning 6: #
#
# layout as used throughout this file: fxp0 is the external (Internet)
# interface, dc0 the internal interface, fxp1 the DMZ interface behind which
# the WWW server sits. the first half declares the altq/cbq queues on each
# interface; the second half ("in the filtering section") holds the address
# macros and the filter rules that assign traffic to those queues.
#
7:
8:
9: # enable queueing on the external interface to queue packets going out
10: # to the Internet. use the cbq scheduler so that the bandwidth use of
11: # each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
12:
13: altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
14:
15: # define the parameters for the child queues.
16: # std_ext - the standard queue. also the default queue for
17: # outgoing traffic on fxp0.
18: # www_ext - container queue for WWW server queues. limit to
19: # 500Kbps.
20: # www_ext_http - http traffic from the WWW server
21: # www_ext_misc - all non-http traffic from the WWW server
22: # boss_ext - traffic coming from the boss's computer
23:
24: queue std_ext cbq(default)
25: queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
26: queue www_ext_http priority 3 cbq(red)
27: queue www_ext_misc priority 1
28: queue boss_ext priority 3
29:
30: # enable queueing on the internal interface to control traffic coming
31: # from the Internet or the DMZ. use the cbq scheduler to control the
32: # bandwidth of each queue. bandwidth on this interface is set to the
33: # maximum. traffic coming from the DMZ will be able to use all of this
34: # bandwidth while traffic coming from the Internet will be limited to
35: # 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).
36:
37: altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
38:
39: # define the parameters for the child queues.
40: # net_int - container queue for traffic from the Internet. bandwidth
41: # is 1.0Mbps.
42: # std_int - the standard queue. also the default queue for outgoing
43: # traffic on dc0.
44: # it_int - traffic to the IT Dept network.
45: # boss_int - traffic to the boss's PC.
46: # www_int - traffic from the WWW server in the DMZ.
47:
48: queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
49: queue std_int cbq(default)
50: queue it_int bandwidth 500Kb cbq(borrow)
51: queue boss_int priority 3
52: queue www_int cbq(red)
53:
54: # enable queueing on the DMZ interface to control traffic destined for
55: # the WWW server. cbq will be used on this interface since detailed
56: # control of bandwidth is necessary. bandwidth on this interface is set
57: # to the maximum. traffic from the internal network will be able to use
58: # all of this bandwidth while traffic from the Internet will be limited
59: # to 500Kbps.
60:
61: altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
62:
63: # define the parameters for the child queues.
64: # internal_dmz - traffic from the internal network.
65: # net_dmz - container queue for traffic from the Internet.
66: # net_dmz_http - http traffic.
67: # net_dmz_misc - all non-http traffic. this is also the default queue.
68:
69: queue internal_dmz # no special settings needed
70: queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
71: queue net_dmz_http priority 3 cbq(red)
72: queue net_dmz_misc priority 1 cbq(default)
73:
74:
75: # ... in the filtering section of pf.conf ...
76:
# address macros. $int_nets spells out the same two prefixes as $main_net
# and $it_net, so a rule on $it_net (or on $boss, which lies inside
# $main_net) placed after a rule on $int_nets narrows a subset of the same
# traffic - that ordering matters below because the last matching rule
# wins. $main_net and $dmz_net are declared but not referenced by any rule
# in this file.
77: main_net = "192.168.0.0/24"
78: it_net = "192.168.1.0/24"
79: int_nets = "{ 192.168.0.0/24, 192.168.1.0/24 }"
80: dmz_net = "10.0.0.0/24"
81:
82: boss = "192.168.0.200"
83: wwwserv = "10.0.0.100"
84:
85: # default deny
# everything not explicitly passed below is dropped on all three
# interfaces. none of the pass rules below use "quick", so each is simply
# a later (and therefore winning) match for the traffic it describes.
86: block on { fxp0, fxp1, dc0 } all
87:
88: # filter rules for fxp0 inbound
# Internet -> WWW server: tcp port 21 plus every tcp port above 49151
# (presumably the passive-FTP data range; note that it equally exposes any
# other service listening on those ports on $wwwserv), and tcp port 80.
# the queues named here are fxp0 queues, i.e. they can only shape the
# server's replies leaving fxp0; "keep state" is what ties those replies
# to the rule - confirm the exact queue/state semantics against pf.conf(5)
# of the target release.
89: pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
90: > 49151 } flags S/SA keep state queue www_ext_misc
91: pass in on fxp0 proto tcp from any to $wwwserv port 80 \
92: flags S/SA keep state queue www_ext_http
93:
94: # filter rules for fxp0 outbound
# any protocol from the internal nets may leave for the Internet
# (stateful, so replies return through the state). the second rule
# re-matches the boss's host - it wins as the later match - solely to
# place that traffic in boss_ext.
95: pass out on fxp0 from $int_nets to any keep state
96: pass out on fxp0 from $boss to any keep state queue boss_ext
97:
98: # filter rules for dc0 inbound
# NOTE(review): the $it_net and $boss rules carry no "keep state" and,
# being later than the $int_nets rule, are the winning match for those
# sources. their packets therefore enter dc0 without creating state;
# presumably the replies are admitted by the state created on fxp0
# outbound above. whether the it_int/boss_int queue assignment still
# takes effect for replies leaving dc0 in that case should be confirmed
# against pf.conf(5) before reusing this layout.
99: pass in on dc0 from $int_nets to any keep state
100: pass in on dc0 from $it_net to any queue it_int
101: pass in on dc0 from $boss to any queue boss_int
102: pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
103: > 49151 } flags S/SA keep state queue www_int
104:
105: # filter rules for dc0 outbound
# "from dc0" stands for the address(es) configured on dc0 itself, so this
# stateless rule passes only the firewall's own packets to the internal
# nets; forwarded traffic toward $int_nets is expected to be matched by
# states created on the other interfaces - TODO confirm.
106: pass out on dc0 from dc0 to $int_nets
107:
108: # filter rules for fxp1 inbound
# the only traffic the WWW server may originate: DNS, 53/tcp and 53/udp.
# anything else it tries to send falls to the default block above, which
# bounds what a compromised host in the DMZ can reach.
109: pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
110: keep state
111:
112: # filter rules for fxp1 outbound
# toward the WWW server, split by source: Internet clients land in the
# net_dmz_* queues (the 500Kbps container), internal clients in
# internal_dmz. the last rule re-matches $int_nets for the same ports so
# that, as the later match, it overrides the two "from any" rules for
# internal sources.
113: pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
114: > 49151 } flags S/SA keep state queue net_dmz_misc
115: pass out on fxp1 proto tcp from any to $wwwserv port 80 \
116: flags S/SA keep state queue net_dmz_http
117: pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
118: 21, > 49151 } flags S/SA keep state queue internal_dmz