I am adding queueing to my pf based nat for my home network. Since there
isn't a complete example involving nat and queuing I am not entirely sure
where to put things. I've read the manual and I think I put things before
the rdr-to rules. I also have a transparent ftp and http proxy. I am not
entirely sure if I put it before or after the divert-to rules. I just need
someone to show me where in the pf.conf I've already done I should put
things.
I need to add the lines like these...
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out,
tcp_ack_out)
(And so on, including for incoming traffic on $int_if)
My current pf.conf...
# grep -v '^#' /etc/pf.conf
int_if="fxp0"
ext_if="pppoe0"
murphy="10.0.0.2"
fekete="10.0.0.3"
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, 2222 }"
tcp_services="{ 22 }"
icmp_types="echoreq"
set skip on lo
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
port 3128
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1
port 8021
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to
$murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to
$fekete
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
--
www.johntate.org
