Old 22nd October 2008
roundkat roundkat is offline

I had the same need as you; this is my pf.conf
(it has been modified over the past few years).

Note: I am not a pf expert.
I did a lot of trial and error to get this to work.

There are some stellar pf folks here and I am surprised that one
of them has not answered.

My goal was the same as yours:
to give VoIP traffic #1 priority over everything else.

Granted, pf changes over time, but this has worked for me for
the past couple of years.

TODO
Update pf :-)

Code:
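# pf.conf - packet filter ruleset for a small gateway, loaded by pfctl(8).
# What it does: NAT for the LAN behind $ext_if, spamd/mail/web redirects to an
# internal host, and an ALTQ priq setup that gives Vonage VoIP traffic top
# priority on the uplink.
# Reminders: pf filter rules are last-match-wins unless marked "quick", and
# pf.conf(5) expects the sections in this order: options, scrub, queueing,
# nat/rdr, filter rules. Macros must be defined before they are used.

# --------------------
# Variable definitions
# --------------------

# interfaces: rl0 faces the Internet, em0 faces the LAN
  ext_if = "rl0"
  int_if = "em0"
# internal mail/web host, and the external host allowed to relay to it.
# "{sanitized}" is the poster's placeholder - put the real address here.
  mail = "192.168.1.110"
  mymailserver = "{sanitized}"
# alternate SMTP port redirected to $mail (see the rdr rules)
  smtp2 = "2500"
  email = "{https, imaps, 465 }"
  torrent = "{ 43804, 35834,6346,57462,10517,36791,16883 }"
  httpmail = "{ 81 }"
  apc = "{ 8001 }"
  misc = "{1024, 9001 }"

# destination ports that outbound TCP from this box / the LAN may use
  client = "{ 43804,16883, 5190, 20, 8880, 81, 2082, 110, 5526, ntp, 53, 8000, \
  8080, ftp, whois, 5525, http, https, ssh, imaps, imap, 2200, \
  smtp, 6346,57462, 10517,36791, 113, 465, 45000 ><65000 }"

# Vonage Adapter. Defined but not referenced by any rule below; adding
# "from $voiphost" to the VONAGE_OUT tagging rule would limit the voip
# queue to that one host instead of any LAN host using these ports.
  voiphost = "{192.168.1.2}"
# Vonage traffic ports (SIP signalling and the RTP media range).
  voipports = "{ 5060, 5061, 10000:20000 }"

# RFC 1918 private space plus other ranges that must never appear as a
# source address on the Internet side (http://rfc.net/rfc1918.html).
  reserved = " {
  0.0.0.0/8,      10.0.0.0/8,     20.20.20.0/24,  127.0.0.0/8,
  169.254.0.0/16, 172.16.0.0/12,  192.0.2.0/24,   192.168.0.0/16,
  224.0.0.0/3  } "

# ---------------------
# Generic configuration
# ---------------------

# log on the external interface only; pf.os feeds the "os" match below
set loginterface $ext_if
set fingerprints "/etc/pf.os"
# Do not filter loopback. pf.conf(5) warns that antispoof rules (below)
# interfere with locally generated packets over loopback, which is the likely
# reason the poster found that commenting this out kills remote ssh access.
# Moved here from between the nat and rdr rules: "set" options belong in the
# options section.
set skip on {lo0 lo1}

# Tables
# cidr: blocklist loaded from a file; scanners: filled by the ssh overload rule
table <cidr> persist file "/etc/tables/cidr"
table <scanners> persist
# spamd whitelist used by the "no rdr" rule below. It was not declared in the
# original listing; declaring it persist keeps it around for spamd to fill.
table <spamd-white> persist

# -----------
# scrub rules
# -----------

# normalise every inbound packet (reassembles fragments)
 scrub in all
#   scrub in on $ext_if all random-id
#  scrub  on $ext_if all reassemble tcp

# -----------
# AltQ rules
# -----------
# priq on the uplink; 1124Kb is the upstream bandwidth being shaped.
# Higher priority is served first: voip (15) > tcpack (10) > std (default).
  altq on $ext_if priq bandwidth 1124Kb queue { std, voip, tcpack }
  queue std priq(red default)
  queue tcpack priority 10 priq(red)
  queue voip priority 15 priq(red)

# -----------------
# Nat and Rdr rules
# -----------------
## nat-anchor "ftp-proxy/*"
## rdr-anchor "ftp-proxy/*"
## rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# masquerade the LAN behind the external address
  nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0)

# Spamd Rule: whitelisted sources are not redirected; every other inbound
# port-25 connection is handed to spamd on loopback
  no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
  rdr pass on $ext_if proto tcp from any to any port smtp \
        -> 127.0.0.1 port spamd

# Redirect Rules for internal Services
  rdr on $ext_if proto tcp from $mymailserver to $ext_if port $smtp2 -> $mail port smtp
  rdr on $ext_if proto tcp from $mymailserver to $ext_if port imap -> $mail port imap
  rdr on $ext_if proto tcp from any to $ext_if port $email -> $mail
  rdr on $ext_if proto tcp from any to $ext_if port $apc -> 192.168.1.10
# BUG in the original: $ssh2 is never defined, and pfctl rejects a ruleset
# that references an undefined macro. Define it (ssh2 = "<PORT>") and
# re-enable the rule, or leave it out.
# rdr on $ext_if proto tcp from $mymailserver to $ext_if port $ssh2 -> $mail port ssh
  rdr on $ext_if proto tcp from any to $ext_if port $httpmail -> $mail

# --------
# pf rules
# --------
## anchor "ftp-proxy/*"

# Default policy: deny everything inbound on the external interface; the
# "pass in" rules further down punch holes in it (last match wins).
# Nothing is denied by default on $int_if or in the outbound direction.
# remove the log-keyword if you ever get ddossed.
  block in log on $ext_if all
# block in on $ext_if all

# ---------------
# SPOOFERS
# ---------------

# Block spoofing: reserved/private addresses never belong on $ext_if.
  block in on $ext_if from $reserved to any
  block out on $ext_if from $reserved to any

# Block the table data
 block in quick on $ext_if from <cidr> to any

 antispoof for { $int_if, $ext_if }

# drop probes whose TCP fingerprint matches SCO or nmap (uses set fingerprints)
 block drop in quick on $ext_if from any os { SCO, NMAP }

# ----
# ICMP
# ----
# echo requests only, in both directions; replies match the state these create
  pass out on $ext_if inet proto icmp all icmp-type 8 code 0
  pass in  on $ext_if inet proto icmp all icmp-type 8 code 0

# -----------------
# Internal network.
# -----------------
# Note that in order for our special Vonage queue to work, we need to
# tag incoming traffic so we can identify it on its way out.
#
 pass in on $int_if from $int_if:network to any
 pass in quick on $int_if proto udp from $int_if:network to any \
 port $voipports tag VONAGE_OUT

# ---
# UDP
# ---
# outgoing UDP: no port restriction
   pass out on $ext_if proto udp all
# bitorrent UDP
  pass in on $ext_if inet proto udp from any to any port $torrent

# ---
# TCP
# ---

# misc ports blocked inbound. The original comment said "outgoing" but the
# rule is "block in"; the rule is kept as the poster had it.
  block in quick on $ext_if inet proto { tcp, udp}  from any to any port $misc

# bitorrent
   pass in on $ext_if inet proto tcp from any to any port $torrent

# ssh and brute force table: more than 2 new connections per 60 seconds from
# one source adds it to <scanners> and flushes that source's states.
   pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port ssh flags S/SA \
   synproxy state (max-src-conn-rate 2/60, overload <scanners> flush)

# Pass rule for Webserver on Mailserver
   pass in on $ext_if inet proto tcp from any to any port $apc
# FIX: this was "from any". The rate-limited rule above is quick only for
# sources NOT in <scanners>, so an address that had been added to the table
# fell through to this rule and was passed anyway, defeating the overload.
# Excluding the table here closes that gap.
   pass in on $ext_if inet proto tcp from !<scanners> to any port ssh
   pass in on $ext_if inet proto tcp from any to any port http
   pass in on $ext_if inet proto tcp from any to any port $httpmail

# Pass rule for Mailserver
   pass in on $ext_if inet proto tcp from any to any port $email
   pass in on $ext_if inet proto tcp from any to any port smtp
   pass in on $ext_if inet proto tcp from $mymailserver to any port smtp
   pass in on $ext_if inet proto tcp from $mymailserver to $mail port imap

# Outgoing TCP

# current pass statement with port restrictions: outbound TCP may only go to
# $client ports. Empty ACKs go to the tcpack queue, everything else to std.
   pass out quick on $ext_if proto tcp to any port $client queue(std, tcpack)

# Outgoing Tagged Vonage Traffic: packets tagged on $int_if land in the
# high-priority voip queue
  pass out quick on $ext_if tagged VONAGE_OUT queue(voip, tcpack)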

Last edited by roundkat; 23rd October 2008 at 07:33 PM.