20th March 2016
Roedy (New User, Join Date: Mar 2016, Posts: 2)
PF Upgrade to 5.8

Hi,

I have upgraded my router from FreeBSD to OpenBSD 5.8 with the new PF. Before, I used priq, which worked quite well. Sadly, I am unable to make the new PF configuration work the same way. I hope someone here can point me in the right direction. Below is my configuration:
Code:
INT="vmx0"
EXT="vmx1"
localnet = $INT:network

nas="192.168.1.3"

table <dummies> persist
table <temporary> persist file "/etc/pf/pf_temporary"
table <blocked> persist file "/etc/pf/pf_blocked"
table <spammers> persist file "/etc/pf/pf_spammers"

# Block everything unless otherwise allowed, and queue any state that
# packet might flow into the slow class unless otherwise requeued.
block in log on $EXT
block in log quick from <dummies>
block in log quick from <spammers>
block in log quick from <blocked>
pass quick on lo0 all

match out on $EXT from $localnet to any nat-to $EXT

#allow in some basic services
pass in on $EXT inet proto icmp icmp-type echoreq set prio (5, 6)

# ssh
pass log quick proto tcp from <temporary> to $EXT port ssh flags S/SA keep state \
         (max-src-conn 20, max-src-conn-rate 5/60, \
                 overload <blocked> flush global) set prio (6, 7)

pass quick proto tcp from any to $EXT port ssh flags S/SA keep state \
         (max-src-conn 20, max-src-conn-rate 5/60, \
                 overload <dummies> flush global) set prio (6, 7)

# Skype
pass in on $EXT proto {tcp udp} to port 25601 rdr-to 192.168.1.7 set prio (6, 7)

#Torrent
pass in on $EXT proto {tcp udp} to port {51413} rdr-to $nas set prio (1, 2)


# Pass out rules
pass out quick on $EXT inet proto icmp set prio (6, 7)
pass out quick on $EXT proto {tcp udp} to port {22} set prio (6, 7)
pass out quick on $EXT proto {tcp udp} to port {53} set prio (6, 7)
pass out quick on $EXT proto {tcp udp} to port {123} set prio (6, 7)
pass out quick on $EXT proto {tcp udp} to port {23, 4500, 706, 1863, 5050, 5190, 5222, 6667, 9987} set prio (5, 6)
pass out quick on $EXT proto {tcp udp} to port {25, 80, 443, 8080, 2401, 10838, 18000} set prio (4, 5)

# DotA
pass out quick on $EXT proto {tcp udp} to port {27015:28999} set prio (4, 5)

#torrent
pass out quick on $EXT proto {tcp udp} from port {51413} set prio (1, 2)

# Pass out everything else
pass out quick on $EXT set prio (3, 4)

Last edited by ocicat; 20th March 2016 at 01:05 PM. Reason: added [code] & [/code] tags to bracket command line output
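Added example, not taken from the post above or from OpenBSD's own documentation: the same priority classes expressed with the 5.8 queue definitions, so that pf itself limits the uplink, which set prio on its own does not do when the router's interface is faster than the upstream connection. The 20 Mbit/s uplink rate, the queue names and the per-queue bandwidths are assumptions; the interface name and port lists are the ones from the post.

```conf
# Assumed uplink of 20 Mbit/s; the root queue sits a little below that so
# that pf, not the modem, is where packets queue up. Queue names, rates and
# the split between classes are assumptions for this example.
EXT="vmx1"

queue outq on $EXT bandwidth 19M max 19M
queue ack      parent outq bandwidth 2M min 1M max 19M   # low-delay packets (ACKs)
queue interact parent outq bandwidth 4M min 2M max 19M   # ssh, dns, ntp, icmp
queue chat     parent outq bandwidth 2M max 19M
queue web      parent outq bandwidth 6M max 19M          # mail, http(s), games
queue std      parent outq bandwidth 3M max 19M default  # everything else
queue bulk     parent outq bandwidth 2M max 6M           # torrent, hard capped

# set queue (main, lowdelay) names the leaf for normal packets and the leaf
# for low-delay packets of the same state; set prio still orders packets
# within the interface transmit queue, so both can be combined.
pass out quick on $EXT inet proto icmp set queue (interact, ack) set prio (6, 7)
pass out quick on $EXT proto {tcp udp} to port {22, 53, 123} set queue (interact, ack) set prio (6, 7)
pass out quick on $EXT proto {tcp udp} to port {23, 4500, 706, 1863, 5050, 5190, 5222, 6667, 9987} set queue (chat, ack) set prio (5, 6)
pass out quick on $EXT proto {tcp udp} to port {25, 80, 443, 8080, 2401, 10838, 18000} set queue (web, ack) set prio (4, 5)
pass out quick on $EXT proto {tcp udp} to port 27015:28999 set queue (web, ack) set prio (4, 5)
pass out quick on $EXT proto {tcp udp} from port 51413 set queue (bulk, bulk) set prio (1, 2)
pass out quick on $EXT set queue (std, ack) set prio (3, 4)

# Checks: parse without loading, then watch the queues fill under load.
#   pfctl -nf /etc/pf.conf
#   pfctl -vs queue
#   systat queues
```

Queues only shape traffic leaving the named interface, so this tree controls uploads; to limit downloads, define a second tree on $INT and add set queue to the rules that pass traffic towards the LAN (the rdr-to rules), since set prio on a pass in rule alone gives no bandwidth control.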