
/share/examples/pf/faq-example3

# $FreeBSD$
# $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $

#
# Company Network
# http://www.openbsd.org/faq/pf/queueing.html#example2
#
# Three-interface firewall: fxp0 faces the Internet (1.5Mbps uplink),
# dc0 faces the internal LANs (192.168.0.0/24 and 192.168.1.0/24) and
# fxp1 faces a DMZ (10.0.0.0/24) holding the WWW server 10.0.0.100.
# The first half defines ALTQ queues on each interface; the second half
# is the filter ruleset that assigns traffic to those queues.
#
# NOTE(review): this is an excerpt, not a complete pf.conf. It has no
# nat/rdr for the RFC 1918 internal and DMZ addresses, no scrub, no
# antispoof and no "log" on the block rule; all of those must come from
# the ruleset this is pasted into. The "altq ... cbq(...)" syntax is the
# classic ALTQ queueing; presumably it needs a kernel built with ALTQ /
# ALTQ_CBQ and it is not accepted by current OpenBSD, so run "pfctl -nf"
# on the target system before deploying.
#

# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
# ALTQ shapes outbound traffic only: these queues are applied to packets
# leaving fxp0, never to packets arriving on it.

altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }

# define the parameters for the child queues (3 x 500Kbps = 1.5Mbps).
# "borrow" lets a queue exceed its share while the parent has spare
# bandwidth; "red" drops early under congestion instead of tail-dropping.
# std_ext        - the standard queue. also the default queue for
#                  outgoing traffic on fxp0 (anything not assigned
#                  a queue by a filter rule lands here).
# www_ext        - container queue for WWW server queues. limit to
#                  500Kbps.
#   www_ext_http - http traffic from the WWW server; higher priority.
#   www_ext_misc - all non-http traffic from the WWW server.
# boss_ext       - traffic coming from the boss's computer.

queue std_ext        bandwidth 500Kb cbq(default borrow)
queue www_ext        bandwidth 500Kb { www_ext_http, www_ext_misc }
  queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
  queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
queue boss_ext       bandwidth 500Kb priority 3 cbq(borrow)

# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
# bandwidth of each queue. bandwidth on this interface is set to the
# maximum. traffic coming from the DMZ will be able to use all of this
# bandwidth while traffic coming from the Internet will be limited to
# 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).

altq on dc0 cbq bandwidth 100% queue { net_int, www_int }

# define the parameters for the child queues (1.0Mb + 99Mb = 100Mb,
# i.e. the whole interface; adjust if dc0 is not a 100Mbps link).
# net_int    - container queue for traffic from the Internet. bandwidth
#              is 1.0Mbps.
#   std_int  - the standard queue. also the default queue for outgoing
#              traffic on dc0.
#   it_int   - traffic to the IT Dept network; reserve them 500Kbps.
#   boss_int - traffic to the boss's PC; assign a higher priority.
# www_int    - traffic from the WWW server in the DMZ; full speed.

queue net_int    bandwidth 1.0Mb { std_int, it_int, boss_int }
  queue std_int  bandwidth 250Kb cbq(default borrow)
  queue it_int   bandwidth 500Kb cbq(borrow)
  queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
queue www_int    bandwidth 99Mb cbq(red borrow)

# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
# control of bandwidth is necessary. bandwidth on this interface is set
# to the maximum. traffic from the internal network will be able to use
# all of this bandwidth while traffic from the Internet will be limited
# to 500Kbps.

altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }

# define the parameters for the child queues.
# internal_dmz   - traffic from the internal network.
# net_dmz        - container queue for traffic from the Internet.
#   net_dmz_http - http traffic; higher priority.
#   net_dmz_misc - all non-http traffic. this is also the default queue.

queue internal_dmz   bandwidth 99Mb cbq(borrow)
queue net_dmz        bandwidth 500Kb { net_dmz_http, net_dmz_misc }
  queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
  queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)


# ... in the filtering section of pf.conf ...
#
# pf evaluates these rules last-match-wins (none of them uses "quick"),
# so a packet that matches several "pass" rules gets the queue named by
# the last one; that is why the queue-assigning rules for specific hosts
# follow the general "pass" for the same traffic. on pf since OpenBSD 4.1
# (FreeBSD 7) pass rules keep state by default, so each rule below
# creates state on the first packet of a connection.

main_net  = "192.168.0.0/24"
it_net    = "192.168.1.0/24"
int_nets  = "{ 192.168.0.0/24, 192.168.1.0/24 }"
dmz_net   = "10.0.0.0/24"

boss      = "192.168.0.200"
wwwserv   = "10.0.0.100"

# default deny, both directions, on all three interfaces. main_net and
# dmz_net are defined above but not referenced by any rule in this
# excerpt. consider "block log" so that dropped packets are visible on
# pflog0.
block on { fxp0, fxp1, dc0 } all

# filter rules for fxp0 inbound
# only the WWW server is reachable from the Internet: FTP (port 21 plus
# the passive-mode data ports above 49151) and HTTP (80). a queue named
# on a "pass in" rule is applied to the packets of that state that leave
# fxp0, i.e. the server's replies, which is why inbound rules on fxp0
# reference fxp0 queues.
# NOTE(review): port 21 is cleartext FTP, and "> 49151" statically opens
# every port above it on the server to anyone. if FTP must stay,
# ftp-proxy(8) can open the data ports per session instead of this
# permanent range.
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
        > 49151 } queue www_ext_misc
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
        queue www_ext_http

# filter rules for fxp0 outbound
# every internal host may go out. the boss's traffic matches both rules
# and the later one wins, so it is shaped by boss_ext; everything else
# from the internal nets falls into the default queue std_ext.
pass out on fxp0 from $int_nets to any
pass out on fxp0 from $boss to any queue boss_ext

# filter rules for dc0 inbound
# internal hosts may initiate anything; the three rules after the first
# only select a queue (it_int, boss_int, www_int) for traffic the first
# rule already passes, and those queues shape the replies leaving dc0.
# NOTE(review): because the first rule passes $int_nets to any, the port
# list in the last rule narrows only the queue, not the access. whether
# internal hosts can reach $wwwserv on ports other than 21/80/>49151
# presumably depends on the state policy (floating states created here
# would carry the packet out on fxp1; if-bound states would require a
# matching "pass out on fxp1"). tighten the first rule if the DMZ should
# be reachable on the listed ports only.
pass in on dc0 from $int_nets to any
pass in on dc0 from $it_net to any queue it_int
pass in on dc0 from $boss to any queue boss_int
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
        > 49151 } queue www_int

# filter rules for dc0 outbound
# "from dc0" expands to the firewall's own address(es) on dc0, so this
# lets the firewall itself talk to the internal nets. replies to
# connections initiated from the internal nets are passed by the states
# those connections created, not by this rule.
pass out on dc0 from dc0 to $int_nets

# filter rules for fxp1 inbound
# the only traffic the WWW server may initiate is DNS (tcp and udp 53).
# everything else originating in the DMZ, including anything aimed at
# the internal nets, hits the default deny; this is what limits the
# blast radius of a compromised web server, so keep it tight.
# NOTE(review): there is no "pass out on fxp0 from $wwwserv", so this
# rule relies on the state created here being honoured when the query
# leaves fxp0 (floating state policy). with "set state-policy if-bound"
# add a matching pass out on fxp0 for port 53 — TODO confirm on target.
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53

# filter rules for fxp1 outbound
# traffic into the DMZ. the first two rules put Internet-originated FTP
# and HTTP under net_dmz (500Kbps); the last rule, matching later, moves
# the same ports from the internal nets into internal_dmz (full speed).
# NOTE(review): these rules are only reached if the packet is not already
# matched by a state made on fxp0/dc0 (state policy again); verify with
# "pfctl -vsq" that net_dmz_* and internal_dmz actually see packets
# before relying on the 500Kbps cap.
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
        > 49151 } queue net_dmz_misc
pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
        21, > 49151 } queue internal_dmz