Hello everybody.
I need some help with my pf.conf.
My goal is to have all traffic (inbound and outbound) placed in queues, so that some kinds of traffic get priority and nothing can take up all of the bandwidth.
At the moment all my outbound traffic is queued as it should be, but the inbound traffic is not.
I'm sure I've made some obvious mistakes, since I'm quite new to all of this.
Any help would be greatly appreciated.
Thanks
pf.conf
############ Macros
###### Interfaces
# em0 is the upstream link (NAT happens there), em1 the LAN; the *_bw values
# are the link rates the altq root queues are sized against.
ext_if  = "em0"
int_if  = "em1"
ext_bw  = "4Mb"
int_bw  = "30Mb"
###### Clients
# LAN hosts that receive the per-host torrent redirects.
zoidberg = "192.168.1.3"
fry      = "192.168.1.4"
###### Ports
# One torrent port per host, plus the combined list used by the outbound rules.
torrent_port_zoidberg = "50000"
torrent_port_fry      = "45000"
torrent_port          = "{ 45000, 50000 }"
# Service port groups. dns_port also carries NTP (123) despite its name;
# ftp_port and ssh_port are not referenced by the rules below.
web_port   = "{ 80, 443 }"
mail_port  = "{ 25, 110, 220, 993, 995 }"
ftp_port   = "{ 20, 21 }"
dns_port   = "{ 53, 123 }"
ssh_port   = "22"
icmp_types = "{ echoreq, unreach }"
############ Queues
# hfsc on both interfaces. The root is sized to the link rate from the macros;
# per queue, "bandwidth" is the link-share, "realtime" the guaranteed minimum,
# "upperlimit" a hard cap, and qlimit the queue length in packets.
# NOTE(review): "priority" is only used by the cbq/priq schedulers, not hfsc --
# confirm against pf.conf(5) before relying on these values.
###### Queue on external interface
altq on $ext_if hfsc bandwidth $ext_bw queue { main, ack, web, mail, filetransfer, ssh, dns, bruteforce }
# ack is the second queue in the "queue (x, ack)" pairs below (empty ACKs / lowdelay TOS).
queue ack bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
# ssh is split into two children; their 50% shares are relative to ssh's 30%.
queue ssh bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) {ssh_login, ssh_bulk}
queue ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
# "default": packets not assigned to any other queue on this interface end up here.
queue main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue web bandwidth 5% priority 4 qlimit 500 hfsc (realtime 10%)
queue mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
# Bulk transfers: 1% share, but allowed to use up to 95% of the link when idle.
queue filetransfer bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 95%)
# Penalty queue for hosts in <bruteforce>: hard-capped at 1Kb. Only exists on $ext_if.
queue bruteforce bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 1Kb)
###### Queue on internal interface
# Mirror of the external hierarchy under i_ names (no bruteforce queue here).
altq on $int_if hfsc bandwidth $int_bw queue { i_main, i_ack, i_web, i_mail, i_filetransfer, i_ssh, i_dns }
queue i_ack bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
queue i_dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue i_ssh bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) {i_ssh_login, i_ssh_bulk}
queue i_ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue i_ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
queue i_main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue i_web bandwidth 5% priority 4 qlimit 500 hfsc (realtime 10%)
queue i_mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue i_filetransfer bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 95%)
############ Tables
# Filled at runtime by the "overload <bruteforce>" state option on the ssh rules;
# "persist" keeps the table (and its contents) even when no rule references it.
table <bruteforce> persist
# Static address lists loaded from disk when the ruleset is loaded.
table <rfc1918> persist file "/etc/pftables/rfc1918"
table <clients> persist file "/etc/pftables/clients"
############ Anchors
# ftp-proxy(8) inserts its per-session rules here (see the rdr-to 8021 rule below).
anchor "ftp-proxy/*"
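############ Rules set
###### Misc rules (nat, scrub, skip)
# NOTE(review): "set skip on $int_if" turns filtering off on the internal
# interface entirely, so none of the rules written "on $int_if" below (the
# ftp-proxy rdr-to and the whole "Filter inbound/outbound $int_if" sections)
# are ever evaluated. Queueing on $int_if can then only come from the queue
# tag that a matching $ext_if rule attaches to the state.
set skip on { lo, $int_if }
match out on $ext_if from <clients> nat-to ($ext_if)
# Anti-spoofing: private ranges never belong on the upstream link.
block in quick log on $ext_if from <rfc1918> to any
block out quick log on $ext_if from any to <rfc1918>
# ftp-proxy(8) redirect; dead while $int_if is in "set skip" (see above).
pass in quick log on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
# Hosts that tripped the SSH overload limit are starved into the 1Kb queue.
pass quick log inet proto tcp from <bruteforce> to any queue bruteforce
# Interface-less catch-all for ssh. Last matching rule wins, so on $ext_if it
# is shadowed by the later "pass in on $ext_if ... port ssh" and
# "pass out on $ext_if ... port ssh" rules and can be dropped once those are confirmed.
pass log inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
# Default deny; anything not matched by a later pass rule is dropped.
block all
###### Filter inbound $ext_if
# Fix for "outbound is queued, inbound is not": a state's queue tag applies to
# packets in both directions, and these inbound rules carried no "queue", so
# their replies / forwarded packets fell into the default queues (main, i_main).
# SSH and DNS terminate on the firewall, so replies leave via $ext_if -> ext_if queues.
pass in on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global) queue (ssh_bulk, ssh_login)
# NOTE(review): this exposes port 53/123 on the firewall to the whole internet;
# if the resolver here is recursive it becomes an open resolver -- restrict the
# source (e.g. "from <clients>") unless public service is intended.
pass in on $ext_if inet proto { tcp udp } to port $dns_port queue (dns)
# Torrent redirects are forwarded into the LAN and leave via $int_if -> i_* queues.
# NOTE(review): the client's return packets carry the same tag on $ext_if; if no
# queue of that name exists there they go to the default queue on $ext_if.
# Check with "pfctl -vvs queue" and, if needed, use identical queue names on both interfaces.
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_zoidberg rdr-to $zoidberg queue (i_filetransfer)
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_fry rdr-to $fry queue (i_filetransfer)
###### Filter outbound $ext_if
pass out on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto { tcp udp } to port $dns_port queue (dns)
pass out on $ext_if inet proto { tcp udp } from any to any port $torrent_port queue (filetransfer)
pass out on $ext_if inet proto tcp from any to any port $web_port queue (web, ack)
pass out on $ext_if inet proto tcp from any to any port $mail_port queue (mail, ack)
pass out on $ext_if inet proto icmp icmp-type $icmp_types queue (dns, ack)
###### Filter inbound $int_if
# Never evaluated while $int_if is in "set skip" (see top of this section).
pass in on $int_if inet proto tcp from any to any port ssh flags S/SAFR synproxy state
pass in on $int_if inet proto { tcp udp } from any to any port $dns_port
pass in on $int_if inet proto { tcp udp } from any to any port $torrent_port
pass in on $int_if inet proto tcp from any to any port $web_port
pass in on $int_if inet proto tcp from any to any port $mail_port
# NOTE(review): this rule sits under the $int_if heading but is written on
# $ext_if, so it is the rule that admits echoreq/unreach from the internet to
# the firewall. If that is intended, move it to the "inbound $ext_if" section;
# if it was meant to be $int_if, change it (it would then be dead like the rules above).
pass in on $ext_if inet proto icmp icmp-type $icmp_types
###### Filter outbound $int_if
# Never evaluated while $int_if is in "set skip" (see top of this section).
pass out on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
pass out on $int_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (i_ssh_bulk, i_ssh_login)
pass out on $int_if inet proto { tcp udp } from any to any port $torrent_port queue (i_filetransfer)
pass out on $int_if inet proto tcp from any to any port $web_port queue (i_web, i_ack)
pass out on $int_if inet proto tcp from any to any port $mail_port queue (i_mail, i_ack)
pass out on $int_if inet proto icmp icmp-type $icmp_types queue (i_dns, i_ack)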