Help with pf.conf
Hello everybody.
I need some help with my pf.conf. My goal is to have all traffic (inbound and outbound) placed in queues, to speed up some parts and to make sure some things won't take up all the bandwidth. At the moment all my outbound traffic is queued as it should be, but not the inbound. I'm sure I've made some obvious mistakes since I'm quite new at all of this. Any help would be greatly appreciated. Thanks

pf.conf
Code:
############ Macros
###### Interfaces
ext_if = "em0"
ext_bw = "4Mb"
int_if = "em1"
int_bw = "30Mb"

###### Clients
zoidberg = "192.168.1.3"
fry = "192.168.1.4"

###### Ports
torrent_port = "{ 45000, 50000 }"
torrent_port_zoidberg = "50000"
torrent_port_fry = "45000"
web_port = "{ 80, 443 }"
mail_port = "{ 25, 110, 220, 993, 995 }"
ftp_port = "{ 20, 21 }"
dns_port = "{ 53, 123 }"
icmp_types = "{ echoreq, unreach }"
ssh_port = "22"

############ Queues
###### Queue on external interface
altq on $ext_if hfsc bandwidth $ext_bw queue { main, ack, web, mail, filetransfer, ssh, dns, bruteforce }
queue ack bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
queue main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue web bandwidth 5% priority 4 qlimit 500 hfsc (realtime 10%)
queue mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue filetransfer bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 95%)
queue bruteforce bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 1Kb)

###### Queue on internal interface
altq on $int_if hfsc bandwidth $int_bw queue { i_main, i_ack, i_web, i_mail, i_filetransfer, i_ssh, i_dns }
queue i_ack bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
queue i_dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue i_ssh bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) { i_ssh_login, i_ssh_bulk }
queue i_ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue i_ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
queue i_main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue i_web bandwidth 5% priority 4 qlimit 500 hfsc (realtime 10%)
queue i_mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue i_filetransfer bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 95%)

############ Tables
table <rfc1918> persist file "/etc/pftables/rfc1918"
table <clients> persist file "/etc/pftables/clients"
table <bruteforce> persist

############ Anchors
anchor "ftp-proxy/*"

############ Rules set
###### Misc rules (nat, scrub, skip)
set skip on { lo, $int_if }
match out on $ext_if from <clients> nat-to ($ext_if)
block in quick log on $ext_if from <rfc1918> to any
block out quick log on $ext_if from any to <rfc1918>
pass in quick log on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
pass quick log inet proto tcp from <bruteforce> to any queue bruteforce
pass log inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
block all

###### Filter inbound $ext_if
pass in on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
pass in on $ext_if inet proto { tcp udp } to port $dns_port
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_zoidberg rdr-to $zoidberg
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_fry rdr-to $fry

###### Filter outbound $ext_if
pass out on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto { tcp udp } to port $dns_port queue (dns)
pass out on $ext_if inet proto { tcp udp } from any to any port $torrent_port queue (filetransfer)
pass out on $ext_if inet proto tcp from any to any port $web_port queue (web, ack)
pass out on $ext_if inet proto tcp from any to any port $mail_port queue (mail, ack)
pass out on $ext_if inet proto icmp icmp-type $icmp_types queue (dns, ack)

###### Filter inbound $int_if
pass in on $int_if inet proto tcp from any to any port ssh flags S/SAFR synproxy state
pass in on $int_if inet proto { tcp udp } from any to any port $dns_port
pass in on $int_if inet proto { tcp udp } from any to any port $torrent_port
pass in on $int_if inet proto tcp from any to any port $web_port
pass in on $int_if inet proto tcp from any to any port $mail_port
pass in on $ext_if inet proto icmp icmp-type $icmp_types

###### Filter outbound $int_if
pass out on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
pass out on $int_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (i_ssh_bulk, i_ssh_login)
pass out on $int_if inet proto { tcp udp } from any to any port $torrent_port queue (i_filetransfer)
pass out on $int_if inet proto tcp from any to any port $web_port queue (i_web, i_ack)
pass out on $int_if inet proto tcp from any to any port $mail_port queue (i_mail, i_ack)
pass out on $int_if inet proto icmp icmp-type $icmp_types queue (i_dns, i_ack)
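An added example, not code from the post, showing one way the existing i_* queues can take effect on traffic leaving $int_if. It assumes three points of pf/ALTQ behaviour: a queue named in a rule is only used on the interface where that queue is defined (elsewhere the packet falls into that interface's default queue), `set skip` stops all rule evaluation on $int_if so nothing there can ever assign an i_* queue, and with the default floating states the $int_if rules are never consulted for a session already tracked on $ext_if. Macro, table and queue names are the ones from the post.

```pf
# Added example, not the poster's configuration. Assumes the macros,
# tables and queue definitions from the post are loaded above this point.

# pf never evaluates rules on a skipped interface, so keep only lo here;
# otherwise nothing can ever assign an i_* queue on $int_if.
set skip on lo

# Each interface keeps its own state. The queue used when a packet
# leaves $int_if is then the queue of the rule that created the $int_if
# state, not the queue of the state created on $ext_if.
set state-policy if-bound

# LAN-initiated sessions create their $int_if state on the inbound rule,
# so the reply traffic leaving $int_if is shaped by the queue named here.
pass in on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
pass in on $int_if inet proto tcp to port ssh flags S/SAFR synproxy state \
    queue (i_ssh_bulk, i_ssh_login)
pass in on $int_if inet proto tcp to port $web_port queue (i_web, i_ack)
pass in on $int_if inet proto tcp to port $mail_port queue (i_mail, i_ack)
pass in on $int_if inet proto { tcp udp } to port $torrent_port \
    queue (i_filetransfer)

# Internet-initiated torrent connections are redirected to the clients;
# their $int_if state comes from the outbound rule, which already carries
# the queue, so it stays as in the post.
pass out on $int_if inet proto { tcp udp } to port $torrent_port \
    queue (i_filetransfer)

# The $ext_if side is unchanged: LAN-initiated sessions get their $ext_if
# queue from the pass out on $ext_if rules the post already has.

# Verify with live per-queue counters while generating traffic:
#   pfctl -vvsq
# i_web / i_mail / i_dns should now count packets instead of only i_main.
```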