mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-20 15:26:43 +01:00
42a227f8ba
other syntax changes. Move pf.conf from /etc to examples, too.
90 lines
3.1 KiB
Plaintext
90 lines
3.1 KiB
Plaintext
# $FreeBSD$
|
|
# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
|
|
|
|
#
|
|
# Small, Home Network
|
|
# http://www.openbsd.org/faq/pf/queueing.html#example1
|
|
#
|
|
|
|
|
|
# enable queueing on the external interface to control traffic going to
|
|
# the Internet. use the priq scheduler to control only priorities. set
|
|
# the bandwidth to 610Kbps to get the best performance out of the TCP
|
|
# ACK queue.
|
|
|
|
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
|
|
tcp_ack_out }
|
|
|
|
# define the parameters for the child queues.
|
|
# std_out - the standard queue. any filter rule below that does not
|
|
# explicitly specify a queue will have its traffic added
|
|
# to this queue.
|
|
# ssh_im_out - interactive SSH and various instant message traffic.
|
|
# dns_out - DNS queries.
|
|
# tcp_ack_out - TCP ACK packets with no data payload.
|
|
|
|
queue std_out priq(default)
|
|
queue ssh_im_out priority 4 priq(red)
|
|
queue dns_out priority 5
|
|
queue tcp_ack_out priority 6
|
|
|
|
# enable queueing on the internal interface to control traffic coming in
|
|
# from the Internet. use the cbq scheduler to control bandwidth. max
|
|
# bandwidth is 2Mbps.
|
|
|
|
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
|
|
|
|
# define the parameters for the child queues.
|
|
# std_in - the standard queue. any filter rule below that does not
|
|
# explicitly specify a queue will have its traffic added
|
|
# to this queue.
|
|
# ssh_im_in - interactive SSH and various instant message traffic.
|
|
# dns_in - DNS replies.
|
|
# bob_in - bandwidth reserved for Bob's workstation. allow him to
|
|
# borrow.
|
|
|
|
queue std_in bandwidth 1.6Mb cbq(default)
|
|
queue ssh_im_in bandwidth 200Kb priority 4
|
|
queue dns_in bandwidth 120Kb priority 5
|
|
queue bob_in bandwidth 80Kb cbq(borrow)
|
|
|
|
|
|
# ... in the filtering section of pf.conf ...
|
|
|
|
alice = "192.168.0.2"
|
|
bob = "192.168.0.3"
|
|
charlie = "192.168.0.4"
|
|
local_net = "192.168.0.0/24"
|
|
ssh_ports = "{ 22 2022 }"
|
|
im_ports = "{ 1863 5190 5222 }"
|
|
|
|
# filter rules for fxp0 inbound
|
|
block in on fxp0 all
|
|
|
|
# filter rules for fxp0 outbound
|
|
block out on fxp0 all
|
|
pass out on fxp0 inet proto tcp from (fxp0) to any \
|
|
queue(std_out, tcp_ack_out)
|
|
pass out on fxp0 inet proto { udp icmp } from (fxp0) to any
|
|
pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
|
|
queue dns_out
|
|
pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
|
|
queue(std_out, ssh_im_out)
|
|
pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
|
|
queue(ssh_im_out, tcp_ack_out)
|
|
|
|
# filter rules for dc0 inbound
|
|
block in on dc0 all
|
|
pass in on dc0 from $local_net
|
|
|
|
# filter rules for dc0 outbound
|
|
block out on dc0 all
|
|
pass out on dc0 from any to $local_net
|
|
pass out on dc0 proto { tcp udp } from any port domain to $local_net \
|
|
queue dns_in
|
|
pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
|
|
queue(std_in, ssh_im_in)
|
|
pass out on dc0 proto tcp from any port $im_ports to $local_net \
|
|
queue ssh_im_in
|
|
pass out on dc0 from any to $bob queue bob_in
|