Quick suggestions:
Use 'modulate state' on outbound TCP connections, use 'synproxy state' on inbound TCP connections destined for your LAN , and use 'keep state' on inbound TCP (to the firewall itself), in/outbound UDP and in/outbound ICMP.
Do not use things like queue(a, b) on non-TCP traffic. UDP and ICMP have no TCP acks, so this might confuse altq or have undesirable side-effects (like filling up the wrong queues).
|