Just a few optimisations and suggestions:
1) 'modulate state' is for outbound tcp only, all others use 'keep state' (ignoring 'synproxy state' for special cases)
2) 'flags S/SA' is for tcp only
3) queueing for TCP acks should only be done on incoming tcp (you will be sending out TCP acks on those, so prioritising takes place there); in other words: rules for incoming tcp are the only ones with 'double queues' like '(q_def, q_pri)' in priq or 'queue(something, acks)' in cbq scheduling - wrong, see below
4) you are encouraged to write your rules in order of preferred processing and use the 'quick' keyword wherever possible; work from specific to general, and start with a general block all rule.
Yes, you can specify a range of ports using a macro. Use pfctl -s rules to see the expanded ruleset after loading them.
Last edited by DutchDaemon; 23rd July 2008 at 02:56 PM.
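For illustration, here is an added pf.conf fragment that applies the four suggestions above together (modulate state on outbound TCP only, flags S/SA on TCP only, a double queue only on inbound TCP, block all first with quick pass rules) and shows a port list and a port range held in macros. It is an added example, not the post author's ruleset or any project's configuration; the interface name em0, the ALTQ bandwidth, the queue names and the port values are assumptions chosen for the example.

```pf
# Added example ruleset, not from the forum post. em0, bandwidth, queue names
# and port numbers are assumptions; adjust to the real interface and services.
ext_if = "em0"

# Macros: a port list and a port range. pfctl -s rules shows them expanded.
web_ports = "{ 80 443 }"
ftp_data  = "49152:49200"

# ALTQ priq on the external interface: q_pri is used only for outgoing TCP ACKs.
altq on $ext_if priq bandwidth 2Mb queue { q_def, q_pri }
queue q_def priority 1 priq(default)
queue q_pri priority 7

set skip on lo0

# 4) Start with a general block-all rule, then specific 'quick' pass rules.
block all

# 3) Inbound TCP: keep state, flags S/SA, and a double queue so that the ACKs
#    we send back on these connections are prioritised.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $web_ports \
    flags S/SA keep state queue (q_def, q_pri)
pass in quick on $ext_if proto tcp from any to ($ext_if) port $ftp_data \
    flags S/SA keep state queue (q_def, q_pri)

# 1) + 2) Outbound TCP: modulate state, flags S/SA, a single queue.
pass out quick on $ext_if proto tcp from ($ext_if) to any \
    flags S/SA modulate state queue q_def

# Everything else outbound (UDP, ICMP): plain keep state, no flags, no ACK queue.
pass out quick on $ext_if proto { udp, icmp } from ($ext_if) to any keep state
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and then run pfctl -s rules to confirm that the macros have been expanded into the individual port entries and the range.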