author | David Krause <david@cvs.openbsd.org> | 2003-02-28 00:34:14 +0000 |
---|---|---|
committer | David Krause <david@cvs.openbsd.org> | 2003-02-28 00:34:14 +0000 |
commit | 6a974ee5dabb0d810f39e0085f932969281e8af2 (patch) | |
tree | 7991d22d53ce4f7e5493ddf6389878d397e278ff | |
parent | d066b26a9e687516ec0da626e2b641f368e98477 (diff) |
much-needed update to include examples for all seven types of statements
queueing and table examples are from the fosdem2k3 presentation
spamd rdr simplification from henning@
ok dhartmei@ henning@
-rw-r--r-- | etc/pf.conf | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/etc/pf.conf b/etc/pf.conf
index 58b75ef87b3..2f1626ea186 100644
--- a/etc/pf.conf
+++ b/etc/pf.conf
@@ -1,13 +1,17 @@
-# $OpenBSD: pf.conf,v 1.16 2003/02/14 00:34:14 jason Exp $
+# $OpenBSD: pf.conf,v 1.17 2003/02/28 00:34:13 david Exp $
 #
 # See pf.conf(5) and /usr/share/pf for syntax and examples.
-# General order: options, scrub rules, translation rules, and filter rules.
+# Required order: options, normalization, queueing, translation, filtering.
+# Macros and tables may be defined and used anywhere.
 # Note that translation rules are first match while filter rules are last match.
 #
 # Macros: define common values, so they can be referenced and changed easily.
-ext_if="ext0" # replace with actual external interface name i.e., dc0
-internal_net="10.1.1.1/8"
-external_addr="192.168.1.1"
+#ext_if="ext0" # replace with actual external interface name i.e., dc0
+#internal_net="10.1.1.1/8"
+#external_addr="192.168.1.1"
+
+# Tables: similar to macros, but more flexible for many addresses.
+#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
 
 # Options: tune the behavior of pf, default values are given.
 #set timeout { interval 30, frag 10 }
@@ -22,9 +26,16 @@ external_addr="192.168.1.1"
 #set block-policy drop
 #set require-order yes
 
-# Normalize: reassemble fragments and resolve or reduce traffic ambiguities.
+# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
 #scrub in all
 
+# Queueing: rule-based bandwidth control.
+#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
+#queue dflt bandwidth 5% cbq(default)
+#queue developers bandwidth 80%
+#queue marketing bandwidth 15%
+
+# Translation: specify how addresses are to be mapped or redirected.
 # nat: packets going out through $ext_if with source address $internal_net will
 # get translated as coming from the address of $ext_if, a state is created for
 # such packets, and incoming packets will be redirected to the internal address.
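Review bot: The new comment `# Macros and tables may be defined and used anywhere.` in the first hunk overstates the freedom for macros: as far as I recall pf.conf(5), a macro must be defined before the line that references it, so only the section placement is free, not the order within the file. Since this file is what most administrators copy from, I would reword it as `# Macros and tables may be defined and used in any section, but a macro must be defined before it is referenced.` The examples are commented out, so nothing breaks either way; this is a documentation point only.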
@@ -35,12 +46,12 @@ external_addr="192.168.1.1"
 # outgoing packets will be translated as coming from the external address.
 #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
 
-# spamd-setup puts addresses to be redirected into table <spamd>
+# spamd-setup puts addresses to be redirected into table <spamd>.
 #table <spamd> persist
 #no rdr on { lo0, lo1 } from any to any
-#rdr inet proto tcp from { <spamd> } to any port smtp -> 127.0.0.1 port 8025
+#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
 
-# filter rules: the implicit first two rules are
+# Filtering: the implicit first two rules are
 #pass in all
 #pass out all
 
@@ -49,3 +60,10 @@ external_addr="192.168.1.1"
 #block in log all
 #pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
 #pass out on $ext_if proto { tcp, udp } all keep state
+
+# pass incoming packets destined to the addresses given in table <foo>.
+#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
+
+# assign packets to a queue.
+#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
+#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
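Review bot: The spamd redirect example in the first hunk of this line depends on a filter rule that is not shown: the rdr rewrites the destination to 127.0.0.1 port 8025 before filtering, so under the `#block in log all` policy given further down, the redirected SMTP connections would be blocked unless a matching pass rule exists. Since administrators copy these examples, I would add a comment after the rdr line such as `# filter rules see the translated destination; with a default block you also need a pass rule for 127.0.0.1 port 8025.` The simplification of `{ <spamd> }` to `<spamd>` itself is fine.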
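Review bot: The new example `#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state` in the last hunk opens UDP port 80 as well as TCP, which a reader copying "port 80" from the snippet would not expect and which is wider than the comment above it describes. I would narrow it to `#pass in on $ext_if proto tcp from any to <foo> port 80 keep state`, or, if the braces are there to demonstrate list syntax, say so in the comment. The queue assignments reference `developers` and `marketing`, which match the queue definitions added in the earlier hunk, so those are consistent.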