Sat down today and re-read documentation along with a tutorial over at
http://calomel.org. Since I've not really touched my PF rules in a while I
appear to have needed a major overhaul. I rebuilt the ruleset with what I
hope is a better flow. However, pfctl is telling me I still am only passing
traffic through the one queue. Any advice or pointers would be appreciated.

## Macros ##
## Interfaces ##
ext_if = "fxp0"
wire_if = "fxp1"
## wlan_if is referenced by the nat, antispoof and block rules below, but its
## definition is not in the post; pfctl refuses to load the file until it is
## defined, e.g.:
## wlan_if = "<wireless interface>"
## Global Variables ##
ext_ip = "64.119.37.74"
wire_network = "192.168.1.0/24"
wire_gw = "192.168.1.1/32"
## Tables ##
## SSH Hackers - blocked IPs
table <ssh-bruteforce> persist
## Options ##
set block-policy return
set loginterface $ext_if
set state-policy if-bound
set skip on lo0
set skip on enc0
set optimization normal
## Traffic Normalization ##
scrub on $ext_if all random-id reassemble tcp fragment reassemble
## Queueing ##
## priq serves the highest priority number first; tcp_ack (5) sits below the
## data queues it is paired with, so empty ACKs wait behind voip/stream/web/email
altq on $ext_if priq bandwidth 768Kb queue { voip, stream, web, email, general, tcp_ack }
queue voip priority 14 priq(red)
queue stream priority 12 priq(red)
queue web priority 10 priq(red)
queue email priority 8 priq(red)
queue tcp_ack priority 5 priq(red)
queue general priority 1 priq(default)
## Translation (NAT/RDR) ##
## With the 'pass' modifier, packets matching this translation rule are passed
## without inspecting the filter rules (pf.conf(5)), so translated LAN traffic
## never reaches the 'pass out ... queue' rules below and is sent to the
## default queue; only traffic originating from the firewall itself gets a
## queue assignment from those rules.
nat pass on $ext_if inet from { $wire_if:network, $wlan_if:network } to any -> $ext_if
## Packet Filtering ##
## Deny Spoofed Packets ##
antispoof log quick for $ext_if
antispoof log quick for $wire_if
antispoof log quick for $wlan_if
## Block traffic to or from specific ports, protocols and sources ##
block drop quick inet6
block drop in log quick from no-route to any
block drop in quick on $ext_if from <ssh-bruteforce> to any
block in quick on $ext_if from any to 255.255.255.255
block return in quick on { $wire_if, $wlan_if } from any to 224.0.0.1
## Block all in/out traffic on all interfaces by default ##
block on $ext_if
block return on $wire_if
## Inbound traffic from WAN to the External Interface
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA synproxy state (max 10, source-track rule, max-src-conn 10, max-src-nodes 5, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
## Inbound traffic on the Internal Interface
pass in on $wire_if inet from $wire_if:network to any flags S/SA modulate state
## Outbound traffic on the External Interface from the LAN/Server
## Last matching rule wins (no 'quick'), so the port-specific rules below
## override the catch-all general/tcp_ack assignment for their ports
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state queue (general, tcp_ack)
pass out on $ext_if inet proto tcp from $ext_if to any port 25 synproxy state queue (email, tcp_ack)
pass out on $ext_if inet proto tcp from $ext_if to any port 80 synproxy state queue (web, tcp_ack)
pass out on $ext_if inet proto tcp from $ext_if to any port 110 synproxy state queue (email, tcp_ack)
pass out on $ext_if inet proto tcp from $ext_if to any port 443 synproxy state queue (web, tcp_ack)
pass out on $ext_if inet proto tcp from $ext_if to any port 8008 synproxy state queue (stream, tcp_ack)
pass out on $ext_if inet proto udp from $ext_if to any keep state queue general
pass out on $ext_if inet proto udp from $ext_if to any port 5060 keep state queue voip
pass out on $ext_if inet proto icmp from $ext_if to any keep state queue general
## Outbound traffic on the Internal Interface
pass out on $wire_if inet from $wire_if:network to any flags S/SA modulate state
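A quick way to check which of the queues above actually carry packets is to run the per-queue counters from `pfctl -vsq` through a small awk summary. The script below is an added example and is not part of the post; the embedded sample output is constructed to mimic the layout of `pfctl -vsq` for this priq setup (a `queue <name>` line followed by a `[ pkts: ... ]` counter line), with made-up counters that put every packet in the default queue, as the post describes. The parser relies only on that two-line layout, so compare it against the real output on the box before trusting the numbers.

```shell
#!/bin/sh
# Added example (not from the post): summarise per-queue counters from
# `pfctl -vsq` to see which altq queues really carry traffic.
# SAMPLE is constructed output in the layout of `pfctl -vsq` for the
# priq queues in the post; the counters are made up.
SAMPLE='queue root_fxp0 on fxp0 bandwidth 768Kb priority 0 {voip, stream, web, email, general, tcp_ack}
  [ pkts:       4210  bytes:    2975200  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  voip on fxp0 priority 14 priq( red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  stream on fxp0 priority 12 priq( red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  web on fxp0 priority 10 priq( red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  email on fxp0 priority 8 priq( red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  tcp_ack on fxp0 priority 5 priq( red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  general on fxp0 priority 1 priq( default )
  [ pkts:       4210  bytes:    2975200  dropped pkts:     12 bytes:  18000 ]
  [ qlength:   0/ 50 ]'

# queue_summary: read `pfctl -vsq` output on stdin and print one line per
# child queue (the root_* aggregate is skipped) with packets, drops and the
# share of all packets, then a verdict line: "OK" when traffic is spread
# over several queues, "SINGLE <queue>" when every packet landed in one
# queue, "EMPTY" when no queue has seen traffic yet.
queue_summary() {
    awk '
        /^queue / { name = $2; next }
        /^[ \t]*\[ pkts:/ {
            if (name ~ /^root_/) next
            sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\][ \t]*$/, "")
            # fields now: pkts: N bytes: N dropped pkts: N bytes: N
            pkts[name] = $2; drop[name] = $7
            total += $2
            order[++n] = name
        }
        END {
            active = 0
            for (i = 1; i <= n; i++) {
                q = order[i]
                share = (total > 0) ? 100 * pkts[q] / total : 0
                if (pkts[q] > 0) { active++; last = q }
                printf "%-8s pkts=%-8d dropped=%-6d share=%5.1f%%\n", q, pkts[q], drop[q], share
            }
            if (active == 1) print "SINGLE " last
            else if (active == 0) print "EMPTY"
            else print "OK"
        }'
}

# On the firewall:  pfctl -vsq | queue_summary
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | queue_summary
```

A `SINGLE general` verdict on a live box means the queue-assigning rules are not being hit; since only the default queue fills, the next thing to check is which rule is actually passing the traffic (`pfctl -vvsr` shows per-rule counters), not the queue definitions themselves.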