In case you don't want to download...

Might be useful for those that don't want to download the conf file...

#	$OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# TODO: a couple of things to look into: make this a default-block policy, make sure VPNs work, double-check and test the outbox.allstream.net address, and determine the correct interface for ftp-proxy (CARP or em).

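# Every directly attached local network, one per internal interface below.
# "const" means the table cannot be modified at runtime with pfctl -t.
# (A comma was missing between 10.9.0.0/24 and 10.10.0.0/24; pf accepts
# whitespace as a separator, but the list is kept uniform for readability.)
table <LocalNetworks> const { 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/23, 10.9.0.0/24, 10.10.0.0/24, 10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24 }

# Internal interfaces: em0 carries 10.1.0.0/24, vlanN carries 10.N.0.0/24
# (see the per-interface pass rules further down). vlan2 was listed twice;
# the duplicate entry is dropped so there is exactly one entry per interface.
IntIFs  = "{ em0, vlan2, vlan3, vlan4, vlan5, vlan6, vlan7, vlan8, vlan9, vlan10, vlan11, vlan12, vlan13, vlan14 }"
# CARP virtual interfaces paired with the physical/vlan interfaces above
# (carp1 goes with em0, carpN with vlanN, as used in the pass out rules).
IntCARPs = "{ carp1, carp2, carp3, carp4, carp5, carp6, carp7, carp8, carp9, carp10, carp11, carp12, carp13, carp14 }"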

# Loopback is never filtered or translated.
set skip on lo

# Normalise every packet arriving on any interface (scrub defaults, see pf.conf(5)).
scrub in all

# Allstream upload = 40Mbit (queue at 97%)
#altq on em1 bandwidth 38Mb hfsc queue { ack, dns }
#queue ack bandwidth 50% priority 7 qlimit 500 hfsc (realtime 50%)
#queue dns bandwidth 5% priority 6 qlimit 500 hfsc (realtime 5%)
#queue dns	bandwidth  7% priority 6 qlimit 500 hfsc (realtime  5%)
#queue https     bandwidth  7% priority 5 qlimit 500 hfsc (realtime  5%)
#queue http      bandwidth  7% priority 4 qlimit 500 hfsc (realtime  5%)
#queue bulk	bandwidth  1% priority 3 qlimit 500 hfsc (realtime 5% default)
#queue bittor	bandwidth  1% priority 2 qlimit 500 hfsc (upperlimit 99%)

# Physical interfaces: em1 faces the Internet, em0 is the main internal
# segment (the vlans ride on top of it, presumably -- not visible here),
# em2 is the separate "dev" segment.
ext_if		= "em1"
int_if		= "em0"
dev_if		= "em2"

# The dev host has a public (non-RFC1918) address, so it is not NATed.
dev1        = "8.82.104.212"

# Root bandwidth of the upload (em1) and download (em0) altq trees.
bw_world_up     = "51Mb"
bw_world_dn     = "51Mb"

# Per-client shares; client1 + client2 + dev1 + rest = 51Mb = bw_world_up.
bw_client1      = "39.5Mb"
bw_client2      = "1.5Mb"

# Everything that is not tagged for a specific client.
bw_rest         = "5Mb"

# Root bandwidth and shares of the dev segment (em2): 5Mb + 95Mb = 100Mb.
bw_dev_dn       = "100Mb"
bw_dev1         = "5Mb"
bw_rest_dev_dn  = "95Mb"

# One CBQ tree per interface. Upload queues live on em1, download queues on
# em0, and the dev segment has its own tree on em2. Child queues are assigned
# by the tag/queue keywords on the pass rules below.
altq on $ext_if cbq bandwidth $bw_world_up queue { client1_up, client2_up, dev1_up, rest_up }
# Note: client1_dn + client2_dn + rest_dn = 46Mb, so 5Mb of bw_world_dn is
# not handed to any child queue here.
altq on $int_if cbq bandwidth $bw_world_dn queue { client1_dn, client2_dn, rest_dn }
altq on $dev_if cbq bandwidth $bw_dev_dn queue { dev1_dn, rest_dev_dn }

queue client1_up bandwidth $bw_client1 cbq
queue client1_dn bandwidth $bw_client1 cbq
queue client2_up bandwidth $bw_client2 cbq
queue client2_dn bandwidth $bw_client2 cbq
queue dev1_up bandwidth $bw_dev1 cbq
queue dev1_dn bandwidth $bw_dev1 cbq
# cbq(default): traffic that no rule assigns to a queue ends up here,
# one default queue per altq interface.
queue rest_up bandwidth $bw_rest cbq(default)
queue rest_dn bandwidth $bw_rest cbq(default)
queue rest_dev_dn bandwidth $bw_rest_dev_dn cbq(default)



# NAT all internal networks on em1 to CARP100 interface (Internet) 
# "(carp100)" is the dynamic-address form: the NAT address is read from the
# carp100 interface at runtime, so it follows a CARP failover.
nat on em1 proto { tcp, udp, icmp, esp, gre } from <LocalNetworks>  -> (carp100) 

# Correct FTP issues on all local interfaces 

# ftp-proxy(8) inserts its per-session nat/rdr/filter rules into these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Please determine which is working the CARP or the Internal IF
#rdr pass on $IntCARPs proto tcp to port ftp -> 127.0.0.1 port 8021
# Outbound FTP control connections from the internal interfaces are handed to
# the local ftp-proxy listener.
rdr pass on $IntIFs proto tcp to port ftp -> 127.0.0.1 port 8021

# Intercept all smtp outgoing e-mail and forward to outbox.allstream.net  
# NOTE(review): the relay address is hard-coded and is still flagged as
# "double check" in the header TODO -- confirm it before relying on it.
rdr pass on $IntIFs proto tcp to port 25 -> 207.245.244.41 port 25

# Redirect external IP address to internal CMPP camera server. 
# NOTE(review): no source restriction, so 10.1.0.5:5400 is reachable from any
# Internet address, and "rdr pass" passes the redirected connection without
# consulting the filter rules below. If the camera server is only needed from
# known addresses, a "from" restriction on this rule would limit exposure.
rdr pass on em1 proto tcp to 8.82.105.158 port 5400 -> 10.1.0.5 port 5400 
#rdr pass on em1 proto tcp to 192.168.42.2 port 5400 -> 10.1.0.5 port 5400

# Filter-rule anchor for ftp-proxy(8); evaluated at this point in the ruleset.
anchor "ftp-proxy/*"

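# IPsec VPN traffic on the external interface: IKE (udp/500) and ESP in both
# directions. Nothing below blocks inbound traffic on em1, so today the
# inbound "quick" rules mainly create state for the VPN flows; presumably
# they are meant to become the VPN allow-list once the default-block TODO in
# the header is done.
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any
pass out on em1 inet proto esp from any to any
# flags S/SA: only a SYN without ACK (a new connection) creates state.
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
# (An exact duplicate of the "pass out ... proto esp" rule above was removed.)
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state

# No IPv6 is used on this firewall: drop it and stop evaluating rules.
block quick inet6 all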

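# Packets sourced from a local network may not leave on an internal
# interface: this is what stops forwarding between the local networks.
# The per-interface "pass out ... from { (ifN), (carpN) }" rules below
# re-allow the firewall's own addresses, which presumably fall inside
# <LocalNetworks> and would otherwise be caught here. Return traffic for
# sessions opened by the "pass in" rules is handled by their state.
# NOTE(review): there is no "block all" default, so anything not matched
# by a rule -- inbound on em1 included -- is passed (see header TODO).
block out on $IntIFs from <LocalNetworks> 

# Tags: CLIENT1U / CLIENT2U / DEV1U mark a session on the way in so the
# matching "pass out quick on $ext_if tagged ..." rule can place it in the
# right upload queue on em1. The "_dn" queue on the pass in rule is used for
# the reply direction. Interfaces without a queue keyword fall into the
# cbq(default) queues.
pass in on em0 from 10.1.0.0/24 to any tag CLIENT2U queue client2_dn 
pass out on em0 from { (em0), (carp1) } queue client2_dn
# This rule covers every interface tagged CLIENT2U (em0, vlan4, vlan9).
# Two identical copies that followed the vlan4 and vlan9 rules were removed:
# being "quick", this first copy always matched before they were reached.
pass out quick on $ext_if tagged CLIENT2U queue client2_up

pass in on vlan2 from 10.2.0.0/24 to any
pass out on vlan2 from { (vlan2), (carp2) }

pass in on vlan3 from 10.3.0.0/24 to any
pass out on vlan3 from { (vlan3), (carp3) }

# vlan4 is billed as client2 (tagged CLIENT2U, see the quick rule above).
pass in on vlan4 from 10.4.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on vlan4 from { (vlan4), (carp4) } queue client2_dn

pass in on vlan5 from 10.5.0.0/24 to any
pass out on vlan5 from { (vlan5), (carp5) }

pass in on vlan6 from 10.6.0.0/24 to any
pass out on vlan6 from { (vlan6), (carp6) }

pass in on vlan7 from 10.7.0.0/24 to any
pass out on vlan7 from { (vlan7), (carp7) }

# vlan8 (a /23) is client1 and gets the large client1 queues.
pass in on vlan8 from 10.8.0.0/23 to any tag CLIENT1U queue client1_dn
pass out on vlan8 from { (vlan8), (carp8) } queue client1_dn
pass out quick on $ext_if tagged CLIENT1U queue client1_up

# dev1
#pass in quick on $dev_if from any to $dev1 queue dev1_dn
#pass in quick on $ext_if from any to $dev1 queue dev1_dn
#pass out quick on $ext_if from $dev1 to any queue dev1_up
#pass out quick on $dev_if from any to $dev1 queue dev1_dn
#pass out quick on $ext_if from $dev1 to any
#pass out quick on $dev_if from any to $dev1 
# NOTE(review): "pass out on $dev_if from $dev1" matches traffic sourced by
# dev1 leaving on the dev segment again, whereas the earlier (commented)
# rules used "to $dev1", which is what a "_dn" queue suggests -- confirm
# which direction is intended.
pass in on $dev_if from $dev1 to any tag DEV1U queue dev1_dn
pass out on $dev_if from $dev1 queue dev1_dn
pass out quick on $ext_if tagged DEV1U queue dev1_up 

# vlan9 is billed as client2 (tagged CLIENT2U, see the quick rule above).
pass in on vlan9 from 10.9.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on vlan9 from { (vlan9), (carp9) } queue client2_dn

pass in on vlan10 from 10.10.0.0/24 to any
pass out on vlan10 from { (vlan10), (carp10) }

pass in on vlan11 from 10.11.0.0/24 to any
pass out on vlan11 from { (vlan11), (carp11) }

pass in on vlan12 from 10.12.0.0/24 to any
pass out on vlan12 from { (vlan12), (carp12) }

pass in on vlan13 from 10.13.0.0/24 to any
pass out on vlan13 from { (vlan13), (carp13) }

pass in on vlan14 from 10.14.0.0/24 to any
pass out on vlan14 from { (vlan14), (carp14) }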
