Old 21st June 2011
s2scott
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

Hi, I've been away from pf for a while, but unless something in pf has changed in the more recent versions, the following should achieve what you're asking for.

Code:
###### Filter inbound $int_if

pass in on $int_if inet proto tcp \
  from ($int_if:network) to any port ssh \
     flags S/SAFR synproxy state \
        queue( i_ssh,i_ack )

#
# in this rule's context, 
# ($int_if:network) is far superior security than "any"
Assigning a QUEUE of that interface's own SCHEDULER on an INBOUND rule causes the RETURNING STATEFUL traffic to abide by the SCHEDULER. Returning packets will, therefore, be queued on their egress on the inside interface.

The reason your pass out on $int_if ... queue(...) isn't working is because the packets already have state and NO FURTHER RULE PROCESSING IS PERFORMED ON THE PACKETS.

Repeat the mods to all your inbound rules in your rule block.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
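An added example, not from the post above, showing where the i_ssh and i_ack queues in that rule would come from and why the queue sits on the inbound rule. It assumes ALTQ-era pf (as in 2011), em1 as $int_if, em0 as $ext_if, and a priq scheduler; the bandwidth and priorities are placeholders.

```pf
int_if = "em1"
ext_if = "em0"

# The ALTQ scheduler is attached to the INSIDE interface: it shapes
# packets leaving on em1, i.e. the replies heading back to LAN hosts.
# (Assumed bandwidth and priorities; adjust to the real link.)
altq on $int_if priq bandwidth 100Mb queue { i_ack, i_ssh, i_default }
queue i_ack     priority 7
queue i_ssh     priority 6
queue i_default priority 1 priq(default)

# Inbound rule on $int_if. The state it creates remembers the queue
# pair, so the returning packets of the same connection are placed in
# i_ssh when they egress on $int_if, with pure ACKs going to i_ack.
# ($int_if:network) limits the rule to hosts actually on the LAN
# segment rather than "any".
pass in on $int_if inet proto tcp \
    from ($int_if:network) to any port ssh \
    flags S/SAFR synproxy state queue (i_ssh, i_ack)

# This rule never sees the SSH replies: they already match the state
# created above, and packets matched by state skip the ruleset, so a
# queue assigned here has no effect on that traffic.
pass out on $int_if inet proto tcp \
    from any to ($int_if:network) \
    queue (i_ssh, i_ack)
```

After loading the ruleset, `pfctl -vvsq` shows the per-queue packet counters, so you can confirm that SSH replies are being counted in i_ssh and i_ack rather than falling into the default queue.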