diff options
author | Joel Knight <joel@cvs.openbsd.org> | 2005-07-02 16:16:40 +0000 |
---|---|---|
committer | Joel Knight <joel@cvs.openbsd.org> | 2005-07-02 16:16:40 +0000 |
commit | 0c9f5e9aee697099f8ca3213ace803130ec91c77 (patch) | |
tree | d2c8c8588e9e23b511e27704535130772738246f /share/pf | |
parent | b145b611dcb0e533d1afdc054c59ea7d8ff5d16c (diff) |
Sync with the faq
Diffstat (limited to 'share/pf')
-rw-r--r-- | share/pf/faq-example1 | 13 | ||||
-rw-r--r-- | share/pf/faq-example2 | 8 | ||||
-rw-r--r-- | share/pf/faq-example3 | 38 |
3 files changed, 34 insertions, 25 deletions
diff --git a/share/pf/faq-example1 b/share/pf/faq-example1 index a93cb42ed9a..25e80a65fa8 100644 --- a/share/pf/faq-example1 +++ b/share/pf/faq-example1 @@ -1,4 +1,4 @@ -# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $ +# $OpenBSD: faq-example1,v 1.3 2005/07/02 16:16:39 joel Exp $ # # Firewall for Home or Small Office @@ -14,7 +14,9 @@ tcp_services = "{ 22, 113 }" icmp_types = "echoreq" priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" - + +comp3 = "192.168.0.3" + # options set block-policy return set loginterface $ext_if @@ -26,6 +28,7 @@ scrub in all nat on $ext_if from $int_if:network to any -> ($ext_if) rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \ port 8021 +rdr on $ext_if proto tcp from any to any port 80 -> $comp3 # filter rules block all @@ -38,6 +41,12 @@ block drop out quick on $ext_if from any to $priv_nets pass in on $ext_if inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state +pass in on $ext_if proto tcp from any to $comp3 port 80 \ + flags S/SA synproxy state + +pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \ + user proxy flags S/SA keep state + pass in inet proto icmp all icmp-type $icmp_types keep state pass in on $int_if from $int_if:network to any keep state diff --git a/share/pf/faq-example2 b/share/pf/faq-example2 index f46626353cc..ef97bf10031 100644 --- a/share/pf/faq-example2 +++ b/share/pf/faq-example2 @@ -1,4 +1,4 @@ -# $OpenBSD: faq-example2,v 1.2 2003/08/06 16:04:45 henning Exp $ +# $OpenBSD: faq-example2,v 1.3 2005/07/02 16:16:39 joel Exp $ # # Small, Home Network @@ -42,9 +42,9 @@ altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in } # bob_in - bandwidth reserved for Bob's workstation. allow him to # borrow. -queue std_in cbq(default) -queue ssh_im_in priority 4 -queue dns_in priority 5 +queue std_in bandwidth 1.6Mb cbq(default) +queue ssh_im_in bandwidth 200Kb priority 4 +queue dns_in bandwidth 120Kb priority 5 queue bob_in bandwidth 80Kb cbq(borrow) diff --git a/share/pf/faq-example3 b/share/pf/faq-example3 index 2dff688e8ba..391a0eee232 100644 --- a/share/pf/faq-example3 +++ b/share/pf/faq-example3 @@ -1,11 +1,11 @@ -# $OpenBSD: faq-example3,v 1.2 2003/08/06 16:04:45 henning Exp $ +# $OpenBSD: faq-example3,v 1.3 2005/07/02 16:16:39 joel Exp $ # # Company Network # http://www.openbsd.org/faq/pf/queueing.html#example2 # - + # enable queueing on the external interface to queue packets going out # to the Internet. use the cbq scheduler so that the bandwidth use of # each queue can be controlled. the max outgoing bandwidth is 1.5Mbps. @@ -17,15 +17,15 @@ altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext } # outgoing traffic on fxp0. # www_ext - container queue for WWW server queues. limit to # 500Kbps. -# www_ext_http - http traffic from the WWW server -# www_ext_misc - all non-http traffic from the WWW server -# boss_ext - traffic coming from the boss's computer +# www_ext_http - http traffic from the WWW server; higher priority. +# www_ext_misc - all non-http traffic from the WWW server. +# boss_ext - traffic coming from the boss's computer. -queue std_ext cbq(default) +queue std_ext bandwidth 500Kb cbq(default borrow) queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc } - queue www_ext_http priority 3 cbq(red) - queue www_ext_misc priority 1 -queue boss_ext priority 3 + queue www_ext_http bandwidth 50% priority 3 cbq(red borrow) + queue www_ext_misc bandwidth 50% priority 1 cbq(borrow) +queue boss_ext bandwidth 500Kb priority 3 cbq(borrow) # enable queueing on the internal interface to control traffic coming # from the Internet or the DMZ. use the cbq scheduler to control the @@ -41,15 +41,15 @@ altq on dc0 cbq bandwidth 100% queue { net_int, www_int } # is 1.0Mbps. # std_int - the standard queue. also the default queue for outgoing # traffic on dc0. -# it_int - traffic to the IT Dept network. -# boss_int - traffic to the boss's PC. -# www_int - traffic from the WWW server in the DMZ. +# it_int - traffic to the IT Dept network; reserve them 500Kbps. +# boss_int - traffic to the boss's PC; assign a higher priority. +# www_int - traffic from the WWW server in the DMZ; full speed. queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int } - queue std_int cbq(default) + queue std_int bandwidth 250Kb cbq(default borrow) queue it_int bandwidth 500Kb cbq(borrow) - queue boss_int priority 3 -queue www_int cbq(red) + queue boss_int bandwidth 250Kb priority 3 cbq(borrow) +queue www_int bandwidth 99Mb cbq(red borrow) # enable queueing on the DMZ interface to control traffic destined for # the WWW server. cbq will be used on this interface since detailed @@ -63,13 +63,13 @@ altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz } # define the parameters for the child queues. # internal_dmz - traffic from the internal network. # net_dmz - container queue for traffic from the Internet. -# net_dmz_http - http traffic. +# net_dmz_http - http traffic; higher priority. # net_dmz_misc - all non-http traffic. this is also the default queue. -queue internal_dmz # no special settings needed +queue internal_dmz bandwidth 99Mb cbq(borrow) queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc } - queue net_dmz_http priority 3 cbq(red) - queue net_dmz_misc priority 1 cbq(default) + queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow) + queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow) # ... in the filtering section of pf.conf ... |