author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-10-07 04:48:02 +0000 |
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-10-07 04:48:02 +0000 |
commit | 99cc46f0827328b5fa9f0ff45f39a501dbc95de4 (patch) | |
tree | 4c3a42fe7713e61c7f5148afb07427f1eebf01d4 | |
parent | 420c5a889411aef65233bd6bc35b88dda4abb5a7 (diff) |
remove 'flags S/SA' and 'keep state'
ok nick@
-rw-r--r-- | share/pf/ackpri | 8 | ||||
-rw-r--r-- | share/pf/faq-example1 | 13 | ||||
-rw-r--r-- | share/pf/faq-example2 | 14 | ||||
-rw-r--r-- | share/pf/faq-example3 | 24 | ||||
-rw-r--r-- | share/pf/queue1 | 14 | ||||
-rw-r--r-- | share/pf/queue2 | 10 | ||||
-rw-r--r-- | share/pf/queue3 | 8 |
7 files changed, 42 insertions, 49 deletions
diff --git a/share/pf/ackpri b/share/pf/ackpri
index e33657647e2..2dd42b9bb3b 100644
--- a/share/pf/ackpri
+++ b/share/pf/ackpri
@@ -1,4 +1,4 @@
-# $OpenBSD: ackpri,v 1.2 2003/03/10 14:24:33 henning Exp $
+# $OpenBSD: ackpri,v 1.3 2006/10/07 04:48:01 mcbride Exp $
 # Use a simple priority queue to prioritize empty (no payload) TCP ACKs,
 # which dramatically improves throughput on (asymmetric) links when the
@@ -24,9 +24,7 @@ altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
 queue q_pri priority 7
 queue q_def priority 1 priq(default)
-pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
- keep state queue (q_def, q_pri)
+pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
-pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
- keep state queue (q_def, q_pri)
+pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)
diff --git a/share/pf/faq-example1 b/share/pf/faq-example1
index a105fdb9623..ee69e15ae2e 100644
--- a/share/pf/faq-example1
+++ b/share/pf/faq-example1
@@ -1,4 +1,4 @@
-# $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
+# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $
 #
 # Firewall for Home or Small Office
@@ -35,17 +35,16 @@ rdr on $ext_if proto tcp from any to any port 80 -> $comp3
 # filter rules
 block in
-pass out keep state
+pass out
 anchor "ftp-proxy/*"
 antispoof quick for { lo $int_if }
-pass in on $ext_if inet proto tcp from any to ($ext_if) \
- port $tcp_services flags S/SA keep state
+pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
 pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
- flags S/SA synproxy state
+ synproxy state
-pass in inet proto icmp all icmp-type $icmp_types keep state
+pass in inet proto icmp all icmp-type $icmp_types
-pass quick on $int_if
+pass quick on $int_if no state
diff --git a/share/pf/faq-example2 b/share/pf/faq-example2
index ef97bf10031..e3dea440e83 100644
--- a/share/pf/faq-example2
+++ b/share/pf/faq-example2
@@ -1,4 +1,4 @@
-# $OpenBSD: faq-example2,v 1.3 2005/07/02 16:16:39 joel Exp $
+# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
 #
 # Small, Home Network
@@ -62,15 +62,15 @@ block in on fxp0 all
 # filter rules for fxp0 outbound
 block out on fxp0 all
-pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
- keep state queue(std_out, tcp_ack_out)
-pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
+pass out on fxp0 inet proto tcp from (fxp0) to any \
+ queue(std_out, tcp_ack_out)
+pass out on fxp0 inet proto { udp icmp } from (fxp0) to any
 pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
- keep state queue dns_out
+ queue dns_out
 pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
- flags S/SA keep state queue(std_out, ssh_im_out)
+ queue(std_out, ssh_im_out)
 pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
- flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
+ queue(ssh_im_out, tcp_ack_out)
 # filter rules for dc0 inbound
 block in on dc0 all
diff --git a/share/pf/faq-example3 b/share/pf/faq-example3
index 391a0eee232..b4793110842 100644
--- a/share/pf/faq-example3
+++ b/share/pf/faq-example3
@@ -1,4 +1,4 @@
-# $OpenBSD: faq-example3,v 1.3 2005/07/02 16:16:39 joel Exp $
+# $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $
 #
 # Company Network
@@ -87,32 +87,30 @@ block on { fxp0, fxp1, dc0 } all
 # filter rules for fxp0 inbound
 pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
- > 49151 } flags S/SA keep state queue www_ext_misc
+ > 49151 } queue www_ext_misc
 pass in on fxp0 proto tcp from any to $wwwserv port 80 \
- flags S/SA keep state queue www_ext_http
+ queue www_ext_http
 # filter rules for fxp0 outbound
-pass out on fxp0 from $int_nets to any keep state
-pass out on fxp0 from $boss to any keep state queue boss_ext
+pass out on fxp0 from $int_nets to any
+pass out on fxp0 from $boss to any queue boss_ext
 # filter rules for dc0 inbound
-pass in on dc0 from $int_nets to any keep state
+pass in on dc0 from $int_nets to any
 pass in on dc0 from $it_net to any queue it_int
 pass in on dc0 from $boss to any queue boss_int
 pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
- > 49151 } flags S/SA keep state queue www_int
+ > 49151 } queue www_int
 # filter rules for dc0 outbound
 pass out on dc0 from dc0 to $int_nets
 # filter rules for fxp1 inbound
-pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
- keep state
+pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53
 # filter rules for fxp1 outbound
 pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
- > 49151 } flags S/SA keep state queue net_dmz_misc
-pass out on fxp1 proto tcp from any to $wwwserv port 80 \
- flags S/SA keep state queue net_dmz_http
+ > 49151 } queue net_dmz_misc
+pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http
 pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
- 21, > 49151 } flags S/SA keep state queue internal_dmz
+ 21, > 49151 } queue internal_dmz
diff --git a/share/pf/queue1 b/share/pf/queue1
index 631d8a1e3d2..38824f38ee3 100644
--- a/share/pf/queue1
+++ b/share/pf/queue1
@@ -1,4 +1,4 @@
-# $OpenBSD: queue1,v 1.3 2003/01/20 16:14:23 henning Exp $
+# $OpenBSD: queue1,v 1.4 2006/10/07 04:48:01 mcbride Exp $
 ext_if = "dc0"
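Review bot: In the dc0 section the untouched context lines `pass in on dc0 from $it_net to any queue it_int`, `pass in on dc0 from $boss to any queue boss_int` and `pass out on dc0 from dc0 to $int_nets` carried no `keep state` before this change, so if state tracking is now the default (as the commit title and the `no state` added to `pass quick on $int_if` in faq-example1 suggest) these rules silently become stateful, a behaviour change the commit does not address for this file. If they were meant to stay stateless they need the same `no state` suffix that faq-example1 receives; if making them stateful is the intent, which looks plausible since they are the last-matching rules for $it_net and $boss traffic, a header comment such as `# pass rules rely on the default keep state / flags S/SA` would tell readers of the example why nothing is stated explicitly. Whether pf's default changed in the same release is not visible on this page, so this is a question rather than a confirmed defect.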
@@ -13,10 +13,8 @@ queue ssh bandwidth 100Kb priority 7 cbq(borrow)
 queue rsets bandwidth 7500b priority 0 cbq(red)
 block return in on $ext_if inet all queue rsets
-pass in on $ext_if inet proto tcp from any to any port 80 keep state queue http
-pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
-pass in on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
-pass out on $ext_if inet proto tcp from any to any port 25 keep state queue mail
-pass out on $ext_if inet all keep state
-
-
+pass in on $ext_if inet proto tcp from any to any port 80 queue http
+pass out on $ext_if inet proto tcp from any to any port 22 queue ssh
+pass in on $ext_if inet proto tcp from any to any port 22 queue ssh
+pass out on $ext_if inet proto tcp from any to any port 25 queue mail
+pass out on $ext_if inet all
diff --git a/share/pf/queue2 b/share/pf/queue2
index 3aaf101a05d..1968d8f3e8a 100644
--- a/share/pf/queue2
+++ b/share/pf/queue2
@@ -1,4 +1,4 @@
-# $OpenBSD: queue2,v 1.3 2005/07/02 16:21:00 joel Exp $
+# $OpenBSD: queue2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
 # advanced queue example.
 # give interactive ssh traffic priority over ssh bulk transfers (scp, sftp)
@@ -19,10 +19,10 @@ queue ssh_bulk bandwidth 75% priority 0
 block return out on $ext_if inet all queue std
 pass out on $ext_if inet proto tcp from $developerhosts to any port 80 \
- keep state queue developers
+ queue developers
 pass out on $ext_if inet proto tcp from $employeehosts to any port 80 \
- keep state queue employees
+ queue employees
 pass out on $ext_if inet proto tcp from any to any port 22 \
- keep state queue(ssh_bulk, ssh_interactive)
+ queue(ssh_bulk, ssh_interactive)
 pass out on $ext_if inet proto tcp from any to any port 25 \
- keep state queue mail
+ queue mail
diff --git a/share/pf/queue3 b/share/pf/queue3
index 4fb35a1c08a..b33e7b8f204 100644
--- a/share/pf/queue3
+++ b/share/pf/queue3
@@ -1,4 +1,4 @@
-# $OpenBSD: queue3,v 1.2 2003/01/20 16:14:23 henning Exp $
+# $OpenBSD: queue3,v 1.3 2006/10/07 04:48:01 mcbride Exp $
 # simple PRIQ example
 ext_if="lo0"
@@ -8,8 +8,8 @@ queue pri-low priority 0
 queue pri-med priority 1 priq(default)
 queue pri-high priority 2
-pass out on $ext_if proto tcp from any to any port 22 keep state \
+pass out on $ext_if proto tcp from any to any port 22 \
 queue(pri-med, pri-high)
-pass out on $ext_if proto tcp from any to any port 80 keep state queue pri-med
-pass in on $ext_if proto tcp from any to any port 80 keep state queue pri-low
+pass out on $ext_if proto tcp from any to any port 80 queue pri-med
+pass in on $ext_if proto tcp from any to any port 80 queue pri-low
|