13th April 2011
A_Sorenby
Help with pf.conf

Hello everybody.

I need some help with my pf.conf.
My goal is to have all traffic (inbound and outbound) placed in queues, to speed up some parts and to make sure some things won't take up all the bandwidth.

At the moment all my outbound traffic is queued as it should but not the inbound.

I'm sure I've made some obvious mistakes since I'm quite new at all of this.

Any help would be greatly appreciated.

Thanks

pf.conf
Code:
############ Macros

###### Interfaces
ext_if = "em0"
ext_bw = "4Mb"

int_if = "em1"
int_bw = "30Mb"

###### Clients
zoidberg = "192.168.1.3"
fry = "192.168.1.4"

###### Ports
torrent_port = "{ 45000, 50000 }"
torrent_port_zoidberg = "50000"
torrent_port_fry = "45000"
web_port = "{ 80, 443 }"
mail_port = "{ 25, 110, 220, 993, 995 }"
ftp_port = "{ 20, 21 }"
dns_port = "{ 53, 123 }"
icmp_types = "{ echoreq, unreach }"
ssh_port = "22"

############ Queues

###### Queue on external interface
altq on $ext_if hfsc bandwidth $ext_bw queue { main, ack, web, mail, filetransfer, ssh, dns, bruteforce }
        queue ack               bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
        queue dns               bandwidth 5%  priority 7 qlimit 500 hfsc (realtime 5%)
        queue ssh               bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) {ssh_login, ssh_bulk}
          queue ssh_login       bandwidth 50% priority 6 qlimit 500 hfsc
          queue ssh_bulk        bandwidth 50% priority 5 qlimit 500 hfsc
        queue main              bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
        queue web               bandwidth 5%  priority 4 qlimit 500 hfsc (realtime 10%)
        queue mail              bandwidth 5%  priority 3 qlimit 500 hfsc (realtime 5%)
        queue filetransfer      bandwidth 1%  priority 3 qlimit 500 hfsc (upperlimit 95%)
        queue bruteforce        bandwidth 1%  priority 1 qlimit 500 hfsc (upperlimit 1Kb)

###### Queue on internal interface
altq on $int_if hfsc bandwidth $int_bw queue { i_main, i_ack, i_web, i_mail, i_filetransfer, i_ssh, i_dns }
        queue i_ack             bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
        queue i_dns             bandwidth 5%  priority 7 qlimit 500 hfsc (realtime 5%)
        queue i_ssh             bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) {i_ssh_login, i_ssh_bulk}
          queue i_ssh_login     bandwidth 50% priority 6 qlimit 500 hfsc
          queue i_ssh_bulk      bandwidth 50% priority 5 qlimit 500 hfsc
        queue i_main            bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
        queue i_web             bandwidth 5%  priority 4 qlimit 500 hfsc (realtime 10%)
        queue i_mail            bandwidth 5%  priority 3 qlimit 500 hfsc (realtime 5%)
        queue i_filetransfer    bandwidth 1%  priority 3 qlimit 500 hfsc (upperlimit 95%)

############ Tables
table <rfc1918> persist file "/etc/pftables/rfc1918"
table <clients> persist file "/etc/pftables/clients"
table <bruteforce> persist


############ Anchors
anchor "ftp-proxy/*"

############ Rules set
###### Misc rules (nat, scrub, skip)
set skip on { lo, $int_if }
match out on $ext_if from <clients> nat-to ($ext_if)
block in quick log on $ext_if from <rfc1918> to any
block out quick log on $ext_if from any to <rfc1918>
pass in quick log on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
pass quick log inet proto tcp from <bruteforce> to any queue bruteforce
pass log inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
block all

###### Filter inbound $ext_if
pass in on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
pass in on $ext_if inet proto { tcp udp } to port $dns_port
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_zoidberg rdr-to $zoidberg
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_fry rdr-to $fry

###### Filter outbound $ext_if
pass out on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto { tcp udp } to port $dns_port queue (dns)
pass out on $ext_if inet proto { tcp udp } from any to any port $torrent_port queue (filetransfer)
pass out on $ext_if inet proto tcp from any to any port $web_port queue (web, ack)
pass out on $ext_if inet proto tcp from any to any port $mail_port queue (mail, ack)
pass out on $ext_if inet proto icmp icmp-type $icmp_types queue (dns, ack)

###### Filter inbound $int_if
pass in on $int_if inet proto tcp from any to any port ssh flags S/SAFR synproxy state
pass in on $int_if inet proto { tcp udp } from any to any port $dns_port
pass in on $int_if inet proto { tcp udp } from any to any port $torrent_port
pass in on $int_if inet proto tcp from any to any port $web_port
pass in on $int_if inet proto tcp from any to any port $mail_port
pass in on $ext_if inet proto icmp icmp-type $icmp_types

###### Filter outbound $int_if
pass out on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
pass out on $int_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (i_ssh_bulk, i_ssh_login)
pass out on $int_if inet proto { tcp udp } from any to any port $torrent_port queue (i_filetransfer)
pass out on $int_if inet proto tcp from any to any port $web_port queue (i_web, i_ack)
pass out on $int_if inet proto tcp from any to any port $mail_port queue (i_mail, i_ack)
pass out on $int_if inet proto icmp icmp-type $icmp_types queue (i_dns, i_ack)
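
Added example (not part of the original post): pf does not evaluate any rules for packets on interfaces listed in `set skip on`, so the `queue` assignments on the `$int_if` rules in the posted config are never applied. This Python check flags such rules; the function names are hypothetical, the sample is a constructed excerpt of the config, and interface groups such as `lo` are matched by literal name only.

```python
import re

# Constructed excerpt of the posted pf.conf: macros, the skip list, three rules.
SAMPLE = '''\
ext_if = "em0"
int_if = "em1"
set skip on { lo, $int_if }
pass out on $ext_if inet proto tcp from any to any port 80 queue (web, ack)
pass in on $int_if inet proto tcp from any to any port 80
pass out on $int_if inet proto tcp from any to any port 80 queue (i_web, i_ack)
'''

MACRO = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')
SKIP = re.compile(r'^set\s+skip\s+on\s+(.+)$')
RULE = re.compile(r'^(?:pass|match|block)\b.*?\bon\s+(\{[^}]*\}|\S+)')

def expand(text, macros):
    """Replace $name with its macro value; unknown macros are left as-is."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def if_list(spec):
    """Turn 'em1' or '{ lo, em1 }' into a set of interface names."""
    return set(re.split(r'[\s,]+', spec.strip('{} \t'))) - {''}

def dead_queue_rules(conf):
    """Return (line_no, rule) for queue-assigning rules on skipped interfaces."""
    macros, skipped, rules = {}, set(), []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments
        m = MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = expand(line, macros)
        m = SKIP.match(line)
        if m:
            skipped |= if_list(m.group(1))
            continue
        m = RULE.match(line)
        if m and re.search(r'\bqueue\b', line):
            rules.append((no, line, if_list(m.group(1))))
    # Compare after the whole file is read, so rule/skip order does not matter.
    return [(no, line) for no, line, ifs in rules if ifs & skipped]

if __name__ == "__main__":
    for no, rule in dead_queue_rules(SAMPLE):
        print(f"line {no}: queue never applied (interface is skipped): {rule}")
```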