I had the same need as you; this is my pf.conf
(it has been modified over the past few years).
Note: I am not a pf expert;
I did a lot of trial and error to get this to work.
There are some stellar pf folks here, and I am surprised that one
of them has not answered.
My goal was the same as yours:
to give VoIP traffic #1 priority over everything else.
Granted, pf changes over time, but this has worked for me for
the past couple of years.
TODO
Update pf :-)
Code:
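# --------------------
# Variable definitions
# --------------------
# Interfaces: $ext_if faces the Internet, $int_if faces the LAN.
ext_if = "rl0"
int_if = "em0"
# Internal mail host that several rdr rules below forward to.
mail = "192.168.1.110"
# External host allowed to reach the forwarded SMTP/IMAP/SSH ports
# (value sanitized in the original post).
mymailserver = "{sanitized}"
# Alternate external SMTP port forwarded to $mail port smtp.
smtp2 = "2500"
# TODO: $ssh2 is referenced by an rdr rule below but was never defined, so
# pfctl rejects the whole ruleset ("macro 'ssh2' not defined").  Replace the
# placeholder with the external port that should forward to $mail port ssh;
# the placeholder itself is also rejected, deliberately, until it is set.
ssh2 = "{ REPLACE_WITH_EXTERNAL_SSH_PORT }"
email = "{https, imaps, 465 }"
torrent = "{ 43804, 35834,6346,57462,10517,36791,16883 }"
httpmail = "{ 81 }"
apc ="{ 8001 }"
# Ports blocked inbound for both tcp and udp (see the "misc blocked" rule).
misc ="{1024, 9001 }"
# Destination ports allowed for queued outbound TCP.  "45000 >< 65000" is
# pf's exclusive range operator (ports strictly between the two values).
client = "{ 43804,16883, 5190, 20, 8880, 81, 2082, 110, 5526, ntp, 53, 8000, \
8080, ftp, whois, 5525, http, https, ssh, imaps, imap, 2200, \
smtp, 6346,57462, 10517,36791, 113, 465, 45000 ><65000 }"
# Vonage Adapter
# NOTE: defined but not referenced by any rule; the VoIP tagging rule below
# matches on $voipports from the whole LAN, not just this host.
voiphost = "{192.168.1.2}"
# Vonage traffic ports (SIP and RTP).
voipports = "{ 5060, 5061, 10000:20000 }"
# ---------------------
# Generic configuration
# ---------------------
# pfctl requires options to precede normalization, queueing, translation and
# filtering rules, so every "set" statement lives here.
set loginterface $ext_if
set fingerprints "/etc/pf.os"
# Loopback is not filtered at all.  (Moved here from the rdr section, where
# an option statement fails pfctl's "Rules must be in order" check.)
# note (author): if this is commented out, no access to ssh remotely
set skip on {lo0 lo1}
# Source ranges that should never appear on the external interface: the
# RFC 1918 blocks (10/8, 172.16/12, 192.168/16) plus the unspecified,
# loopback, link-local, TEST-NET and multicast/reserved ranges.
# 20.20.20.0/24 is not a reserved range; presumably site-specific.
# http://rfc.net/rfc1918.html
reserved = " {
0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16,
224.0.0.0/3 } "
#Tables
# <cidr>: static blocklist loaded from disk.
# <scanners>: filled dynamically by the ssh overload rule below.
table <cidr> persist file "/etc/tables/cidr"
table <scanners> persist
# -----------
# scrub rules
# -----------
# Normalize/reassemble inbound fragments on every interface.
scrub in all
# scrub in on $ext_if all random-id
# scrub on $ext_if all reassemble tcp
# -----------
# AltQ rules
# -----------
# Priority queueing on the upstream link: voip (15) beats tcpack (10) beats
# std (default).  The bandwidth figure should track the real upstream rate,
# otherwise queueing happens downstream of pf and the priorities have no
# effect.
altq on $ext_if priq bandwidth 1124Kb queue { std, voip, tcpack }
queue std priq(red default)
queue tcpack priority 10 priq(red)
queue voip priority 15 priq(red)
# ---------
# Nat and Rdr rules
# ---------
## nat-anchor "ftp-proxy/*"
## rdr-anchor "ftp-proxy/*"
## rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Masquerade the LAN behind the external address.
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0)
# Spamd Rule
# <spamd-white> is not declared above; presumably pf creates it on first
# reference and spamd fills it.  Whitelisted senders skip the greylisting
# redirect that follows.
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
rdr pass on $ext_if proto tcp from any to any port smtp \
-> 127.0.0.1 port spamd
# Redirect Rules for internal Services
rdr on $ext_if proto tcp from $mymailserver to $ext_if port $smtp2 -> $mail port smtp
rdr on $ext_if proto tcp from $mymailserver to $ext_if port imap -> $mail port imap
rdr on $ext_if proto tcp from any to $ext_if port $email -> $mail
rdr on $ext_if proto tcp from any to $ext_if port $apc -> 192.168.1.10
rdr on $ext_if proto tcp from $mymailserver to $ext_if port $ssh2 -> $mail port ssh
rdr on $ext_if proto tcp from any to $ext_if port $httpmail -> $mail
# --------
# pf rules
# --------
## anchor "ftp-proxy/*"
# Default policy.
# remove the log-keyword if you ever get ddossed.
# Inbound on $ext_if is deny-by-default.  There is no matching "block out",
# so outbound traffic that no pass rule covers is still allowed by pf's
# implicit default.
block in log on $ext_if all
# block in on $ext_if all
# ---------------
# SPOOFERS
# ---------------
# Block spoofing.
block in on $ext_if from $reserved to any
block out on $ext_if from $reserved to any
# Block the table data
block in quick on $ext_if from <cidr> to any
# Hosts that tripped the ssh rate limit are dropped early, so no later pass
# rule can let them back in.
block in quick on $ext_if from <scanners> to any
antispoof for { $int_if, $ext_if }
# Passive OS fingerprint match; heuristic, treat as best effort only.
block drop in quick on $ext_if from any os { SCO, NMAP }
# ----
# ICMP
# ----
# Echo request/reply only.  ICMP errors that reference an existing state
# should still be admitted by pf's state tracking, so this ought not to
# break PMTU discovery for stateful connections.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass in on $ext_if inet proto icmp all icmp-type 8 code 0
# ---
# Internal network.
# ---
# Note that in order for our special Vonage queue to work, we need to
# tag incoming traffic so we can identify it on its way out.
#
pass in on $int_if from $int_if:network to any
# Any LAN host sending UDP to the SIP/RTP ports gets the voip queue; narrow
# "from" to $voiphost if only the adapter should qualify.
pass in quick on $int_if proto udp from $int_if:network to any \
port $voipports tag VONAGE_OUT
# ---
# UDP
# ---
# outgoing UDP
pass out on $ext_if proto udp all
# bitorrent UDP
pass in on $ext_if inet proto udp from any to any port $torrent
# ---
# TCP
# ---
# misc blocked outgoing ports
# (despite the heading above, this rule blocks *inbound* tcp/udp to $misc)
block in quick on $ext_if inet proto { tcp, udp} from any to any port $misc
# bitorrent
pass in on $ext_if inet proto tcp from any to any port $torrent
# ssh and brute force table
# Only new connections (SYN) from sources not already in <scanners> are
# accepted; more than 2 new connections per 60 s adds the source to
# <scanners> and flushes its states.  There is deliberately no other
# "pass in ... port ssh" rule: a later unrestricted one matched traffic
# from <scanners> as well and silently undid this limit.
pass in quick on $ext_if proto tcp from !<scanners> to $ext_if port ssh flags S/SA \
synproxy state (max-src-conn-rate 2/60, overload <scanners> flush)
# Pass rule for Webserver on Mailserver
pass in on $ext_if inet proto tcp from any to any port $apc
# No rdr for http above, so this reaches the firewall host itself.
pass in on $ext_if inet proto tcp from any to any port http
pass in on $ext_if inet proto tcp from any to any port $httpmail
# Pass rule for Mailserver
pass in on $ext_if inet proto tcp from any to any port $email
pass in on $ext_if inet proto tcp from any to any port smtp
pass in on $ext_if inet proto tcp from $mymailserver to any port smtp
pass in on $ext_if inet proto tcp from $mymailserver to $mail port imap
# Outgoing TCP
# current pass statement with port restrictions
# Outbound TCP to $client ports is queued; other destination ports fall
# through to pf's implicit pass (no "block out" default) and go unqueued.
pass out quick on $ext_if proto tcp to any port $client queue(std, tcpack)
# Outgoing Tagged Vonage Traffic
pass out quick on $ext_if tagged VONAGE_OUT queue(voip, tcpack)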