authorHenning Brauer <henning@cvs.openbsd.org>2003-08-02 18:25:50 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2003-08-02 18:25:50 +0000
commitc8867648ec49f4558a75ba1eff8fb06bc25634aa (patch)
tree4e03edbc0af297a6f6b06e7d243f00ff7a17d874 /share/pf/faq-example2
parentffc99684c0709952d045000608c9d9b644baba91 (diff)
example rulesets from the pf FAQ; provided by Joel Knight
Diffstat (limited to 'share/pf/faq-example2')
-rw-r--r--share/pf/faq-example287
1 files changed, 87 insertions, 0 deletions
diff --git a/share/pf/faq-example2 b/share/pf/faq-example2
new file mode 100644
index 00000000000..dc6737ca92c
--- /dev/null
+++ b/share/pf/faq-example2
@@ -0,0 +1,87 @@
+# $OpenBSD: faq-example2,v 1.1 2003/08/02 18:25:49 henning Exp $
+
+#
+# Small, Home Network
+#
+
+
+# enable queueing on the external interface to control traffic going to
+# the Internet. use the priq scheduler to control only priorities. set
+# the bandwidth to 610Kbps to get the best performance out of the TCP
+# ACK queue.
+
+altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
+ tcp_ack_out }
+
+# define the parameters for the child queues.
+# std_out - the standard queue. any filter rule below that does not
+# explicitly specify a queue will have its traffic added
+# to this queue.
+# ssh_im_out - interactive SSH and various instant message traffic.
+# dns_out - DNS queries.
+# tcp_ack_out - TCP ACK packets with no data payload.
+
+queue std_out priq(default)
+queue ssh_im_out priority 4 priq(red)
+queue dns_out priority 5
+queue tcp_ack_out priority 6
+
+# enable queueing on the internal interface to control traffic coming in
+# from the Internet. use the cbq scheduler to control bandwidth. max
+# bandwidth is 2Mbps.
+
+altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
+
+# define the parameters for the child queues.
+# std_in - the standard queue. any filter rule below that does not
+# explicitly specify a queue will have its traffic added
+# to this queue.
+# ssh_im_in - interactive SSH and various instant message traffic.
+# dns_in - DNS replies.
+# bob_in - bandwidth reserved for Bob's workstation. allow him to
+# borrow.
+
+queue std_in cbq(default)
+queue ssh_im_in priority 4
+queue dns_in priority 5
+queue bob_in bandwidth 80Kb cbq(borrow)
+
+
+# ... in the filtering section of pf.conf ...
+
+alice = "192.168.0.2"
+bob = "192.168.0.3"
+charlie = "192.168.0.4"
+local_net = "192.168.0.0/24"
+ssh_ports = "{ 22 2022 }"
+im_ports = "{ 1863 5190 5222 }"
+
+# filter rules for fxp0 inbound
+block in on fxp0 all
+
+# filter rules for fxp0 outbound
+block out on fxp0 all
+pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
+ keep state queue(std_out, tcp_ack_out)
+pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
+pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
+ keep state queue dns_out
+pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
+ flags S/SA keep state queue(std_out, ssh_im_out)
+pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
+ flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
+
+# filter rules for dc0 inbound
+block in on dc0 all
+pass in on dc0 from $local_net
+
+# filter rules for dc0 outbound
+block out on dc0 all
+pass out on dc0 from any to $local_net
+pass out on dc0 proto { tcp udp } from any port domain to $local_net \
+ queue dns_in
+pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
+ queue(std_in, ssh_im_in)
+pass out on dc0 proto tcp from any port $im_ports to $local_net \
+ queue ssh_im_in
+pass out on dc0 from any to $bob queue bob_in
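Review bot: The final rule `pass out on dc0 from any to $bob queue bob_in` overrides the queue assignment of every earlier dc0 outbound rule for Bob's host, because without `quick` the last matching rule wins, so Bob's DNS replies and SSH traffic land in bob_in instead of dns_in or ssh_im_in. If capping all of Bob's inbound traffic to the 80Kb queue is the intent, a comment such as `# last match wins: all of Bob's traffic goes to bob_in, including DNS and SSH` above that line would make it explicit; otherwise the rule belongs before the dns_in and ssh_im_in rules. The two catch-all block rules on fxp0 could also carry `log` (`block in log on fxp0 all`, `block out log on fxp0 all`) so that traffic dropped on the external interface is recorded via pflog rather than silently discarded.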