/share/examples/pf/faq-example3

https://bitbucket.org/freebsd/freebsd-head/ · #! · 117 lines · 92 code · 25 blank · 0 comment · 0 complexity · 487b4f9000a07fc7b1cf3048b499d280 MD5 · raw file 

    

  1. # $FreeBSD$
    2. 

  2. # $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $
    3. 

  3. 

  4. #
    5. 

  5. # Company Network
    6. 

  6. # http://www.openbsd.org/faq/pf/queueing.html#example2
    7. 

  7. #
    8. 

  8. 

  9. 

  10. # enable queueing on the external interface to queue packets going out
    11. 

  11. # to the Internet. use the cbq scheduler so that the bandwidth use of
    12. 

  12. # each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
    13. 

  13. 

  14. altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
    15. 

  15. 

  16. # define the parameters for the child queues.
    17. 

  17. # std_ext        - the standard queue. also the default queue for
    18. 

  18. #                  outgoing traffic on fxp0.
    19. 

  19. # www_ext        - container queue for WWW server queues. limit to
    20. 

  20. #                  500Kbps.
    21. 

  21. #   www_ext_http - http traffic from the WWW server; higher priority.
    22. 

  22. #   www_ext_misc - all non-http traffic from the WWW server.
    23. 

  23. # boss_ext       - traffic coming from the boss's computer.
    24. 

    25. 

  25. queue std_ext        bandwidth 500Kb cbq(default borrow)
    26. 

  26. queue www_ext        bandwidth 500Kb { www_ext_http, www_ext_misc }
    27. 

  27.   queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
    28. 

  28.   queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
    29. 

  29. queue boss_ext       bandwidth 500Kb priority 3 cbq(borrow)
    30. 

  30. 

  31. # enable queueing on the internal interface to control traffic coming
    32. 

  32. # from the Internet or the DMZ. use the cbq scheduler to control the
    33. 

  33. # bandwidth of each queue. bandwidth on this interface is set to the
    34. 

  34. # maximum. traffic coming from the DMZ will be able to use all of this
    35. 

  35. # bandwidth while traffic coming from the Internet will be limited to
    36. 

  36. # 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).
    37. 

  37. 

  38. altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
    39. 

  39. 

  40. # define the parameters for the child queues.
    41. 

  41. # net_int    - container queue for traffic from the Internet. bandwidth
    42. 

  42. #              is 1.0Mbps.
    43. 

  43. #   std_int  - the standard queue. also the default queue for outgoing
    44. 

  44. #              traffic on dc0.
    45. 

  45. #   it_int   - traffic to the IT Dept network; reserve them 500Kbps.
    46. 

  46. #   boss_int - traffic to the boss's PC; assign a higher priority.
    47. 

  47. # www_int    - traffic from the WWW server in the DMZ; full speed.
    48. 

  48. 

  49. queue net_int    bandwidth 1.0Mb { std_int, it_int, boss_int }
    50. 

  50.   queue std_int  bandwidth 250Kb cbq(default borrow)
    51. 

  51.   queue it_int   bandwidth 500Kb cbq(borrow)
    52. 

  52.   queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
    53. 

  53. queue www_int    bandwidth 99Mb cbq(red borrow)
    54. 

  54. 

  55. # enable queueing on the DMZ interface to control traffic destined for
    56. 

  56. # the WWW server. cbq will be used on this interface since detailed
    57. 

  57. # control of bandwidth is necessary. bandwidth on this interface is set
    58. 

  58. # to the maximum. traffic from the internal network will be able to use
    59. 

  59. # all of this bandwidth while traffic from the Internet will be limited
    60. 

  60. # to 500Kbps.
    61. 

  61. 

  62. altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
    63. 

  63. 

  64. # define the parameters for the child queues.
    65. 

  65. # internal_dmz   - traffic from the internal network.
    66. 

  66. # net_dmz        - container queue for traffic from the Internet.
    67. 

  67. #   net_dmz_http - http traffic; higher priority.
    68. 

  68. #   net_dmz_misc - all non-http traffic. this is also the default queue.
    69. 

  69. 

  70. queue internal_dmz   bandwidth 99Mb cbq(borrow)
    71. 

  71. queue net_dmz        bandwidth 500Kb { net_dmz_http, net_dmz_misc }
    72. 

  72.   queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
    73. 

  73.   queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)
    74. 

  74. 

  75. 

  76. # ... in the filtering section of pf.conf ...
    77. 

  77. 

  78. main_net  = "192.168.0.0/24"
    79. 

  79. it_net    = "192.168.1.0/24"
    80. 

  80. int_nets  = "{ 192.168.0.0/24, 192.168.1.0/24 }"
    81. 

  81. dmz_net   = "10.0.0.0/24"
    82. 

  82. 

  83. boss      = "192.168.0.200"
    84. 

  84. wwwserv   = "10.0.0.100"
    85. 

  85. 

  86. # default deny
    87. 

  87. block on { fxp0, fxp1, dc0 } all
    88. 

  88. 

  89. # filter rules for fxp0 inbound
    90. 

  90. pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
    91. 

  91.         > 49151 } queue www_ext_misc
    92. 

  92. pass in on fxp0 proto tcp from any to $wwwserv port 80 \
    93. 

  93.         queue www_ext_http
    94. 

  94. 

  95. # filter rules for fxp0 outbound
    96. 

  96. pass out on fxp0 from $int_nets to any
    97. 

  97. pass out on fxp0 from $boss to any queue boss_ext
    98. 

  98. 

  99. # filter rules for dc0 inbound
    100. 

  100. pass in on dc0 from $int_nets to any
    101. 

  101. pass in on dc0 from $it_net to any queue it_int
    102. 

  102. pass in on dc0 from $boss to any queue boss_int
    103. 

  103. pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
    104. 

  104.         > 49151 } queue www_int
    105. 

  105. 

  106. # filter rules for dc0 outbound
    107. 

  107. pass out on dc0 from dc0 to $int_nets
    108. 

  108. 

  109. # filter rules for fxp1 inbound
    110. 

  110. pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53
    111. 

  111. 

  112. # filter rules for fxp1 outbound
    113. 

  113. pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
    114. 

  114.         > 49151 } queue net_dmz_misc
    115. 

  115. pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http
    116. 

  116. pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
    117. 

  117.         21, > 49151 } queue internal_dmz
    118.