Well, the ruleset loads. Can anyone do a quick check of this in case I've
done something stupid? I've never used match rules before, and I'm not really
sure how to test queueing to see if it works.

#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if="fxp0"
ext_if="pppoe0"

#networks
local_net="10.0.0.0/8"

#hosts
murphy="10.0.0.2"
fekete="10.0.0.3"

#host port forwarding
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, 2222 }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, 2222 }"
im_ports = "{ 1863, 5190, 5222 }"

#queues
altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out           priq(default)
queue ssh_im_out        priority 4 priq(red)
queue dns_out           priority 5
queue tcp_ack_out       priority 6

altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in, fekete_in }
queue std_in            bandwidth 175Kb cbq(default)
queue ssh_im_in         bandwidth 75Kb  priority 4
queue dns_in            bandwidth 50Kb  priority 5
queue fekete_in         bandwidth 50Kb  cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match out on $ext_if inet proto tcp from ($ext_if) queue(std_out, tcp_ack_out)
match out on $ext_if inet proto { tcp udp } from ($ext_if) to port domain \
        queue dns_out
match out on $ext_if inet proto tcp from ($ext_if) to port $ssh_ports \
        queue(std_out, ssh_im_out)
match out on $ext_if inet proto tcp from ($ext_if) to port $im_ports \
        queue(ssh_im_out, tcp_ack_out)

match out on $int_if proto { tcp udp } from port domain to $local_net queue dns_in
match out on $int_if proto tcp from port $ssh_ports to $local_net \
        queue(std_in, ssh_im_in)
match out on $int_if proto tcp from port $im_ports to $local_net \
        queue ssh_im_in
match out on $int_if to $fekete queue fekete_in

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

#FTP (the second rule passes inbound TCP to every port above 49151 on $ext_if, not only an FTP server's passive range)
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_i


On Wed, Apr 17, 2013 at 5:17 PM, John Tate <j...@johntate.org> wrote:

> Found it in the manpage pretty quickly, silly me, apparently it is the same.
>
>
> On Wed, Apr 17, 2013 at 5:16 PM, John Tate <j...@johntate.org> wrote:
>
>> I can't find any description of the match rules here:
>> http://openbsd.org/faq/pf/filter.html
>>
>> Are they the same syntax as block and pass rules?
>>
>>
>> On Wed, Apr 17, 2013 at 4:56 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
>>
>>> John Tate <j...@johntate.org> writes:
>>>
>>> > I think I understand, can someone give me a look at a pf.conf with
>>> queueing
>>> > and nat rules.
>>>
>>> With an existing rule set in place, it's probably easier to do the queue
>>> assignment with a block of match rules.  That way at least you don't
>>> affect the pass or block decision.
>>>
>>> - P
>>>
>>> --
>>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>>> "Remember to set the evil bit on all malicious network traffic"
>>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>>
>>
>>
>>
>> --
>> www.johntate.org
>>
>
>
>
> --
> www.johntate.org
>



-- 
www.johntate.org
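As an added example that is not part of the thread, here is a small Python checker for the altq/queue section of a pf.conf like the one posted (OpenBSD 5.x altq syntax): it joins wrapped lines, verifies that every queue named in an altq list or in a match/pass queue clause is actually defined, that each root has exactly one default queue, and that cbq child bandwidths fit inside their root. The embedded SAMPLE is a constructed excerpt in the shape of the posted ruleset, not the poster's file, and pfctl -nf /etc/pf.conf remains the authoritative syntax check.

```python
# Added example (not the poster's file): offline sanity check of the altq/queue section of an OpenBSD 5.x pf.conf; pfctl -nf stays the real test.
import re

def bits(bw):   # '7500Kb' -> 7500000; relative values such as '50%' -> None
    m = re.fullmatch(r"(\d+)([KMG]?b)", bw, re.I)
    return int(m[1]) * {"b": 1, "kb": 10**3, "mb": 10**6, "gb": 10**9}[m[2].lower()] if m else None

def logical_lines(conf):
    """Join '\\' continuations and lines wrapped inside a { } list; drop comments."""
    out, buf = [], ""
    for line in re.sub(r"\\\n\s*", " ", conf).splitlines():
        buf = (buf + " " + line.strip()).strip()
        if buf.count("{") <= buf.count("}"):   # no open list: statement complete
            out, buf = out + [buf], ""
    return [l for l in out if l and not l.startswith("#")]

def check_queues(conf):
    """Return a list of problems in queue definitions and queue assignments."""
    roots, queues, used, problems = {}, {}, set(), []
    for line in logical_lines(conf):
        if m := re.match(r"altq on (\S+) (priq|cbq|hfsc) bandwidth (\S+) queue \{([^}]*)\}", line):
            roots[m[1]] = (m[2], bits(m[3]), re.split(r"[\s,]+", m[4].strip()))
        elif m := re.match(r"queue (\S+)(.*)", line):   # child queue -> (bandwidth, is default)
            bw = re.search(r"bandwidth (\S+)", m[2])
            queues[m[1]] = (bits(bw[1]) if bw else None, "default" in m[2])
        elif line.split()[0] in ("match", "pass") and \
                (q := re.search(r"\bqueue\s*(?:\(([^)]*)\)|(\w+))", line)):
            used.update(re.split(r"[\s,]+", (q[1] or q[2]).strip()))
    for root, (sched, bw, kids) in roots.items():
        if any(k not in queues for k in kids):
            problems.append(f"{root}: altq lists a queue that is never defined")
        if sum(queues[k][1] for k in kids if k in queues) != 1:
            problems.append(f"{root}: needs exactly one default queue")
        if sched == "cbq" and bw:   # cbq children must fit inside the root bandwidth
            total = sum(queues[k][0] or 0 for k in kids if k in queues)
            if total > bw:
                problems.append(f"{root}: child bandwidth {total} > root {bw}")
    return problems + [f"rule assigns to undefined queue {n}" for n in sorted(used - set(queues))]

# Constructed excerpt shaped like the posted ruleset, including a wrapped { } list.
SAMPLE = """\
altq on $ext_if priq bandwidth 7500Kb queue { std_out,
tcp_ack_out }
queue std_out     priq(default)
queue tcp_ack_out priority 6
altq on $int_if cbq bandwidth 350Kb queue { std_in, dns_in, fekete_in }
queue std_in      bandwidth 175Kb cbq(default)
queue dns_in      bandwidth 50Kb  priority 5
queue fekete_in   bandwidth 50Kb  cbq(borrow)
match out on $ext_if inet proto tcp from ($ext_if) queue(std_out, tcp_ack_out)
match out on $int_if to $fekete queue fekete_in
"""
```

Run check_queues() over the full pf.conf text to get an empty list on a clean queue section; mistyping a queue name or oversubscribing a cbq root produces one message per problem.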
