authorJoel Knight <joel@cvs.openbsd.org>2005-07-02 16:16:40 +0000
committerJoel Knight <joel@cvs.openbsd.org>2005-07-02 16:16:40 +0000
commit0c9f5e9aee697099f8ca3213ace803130ec91c77 (patch)
treed2c8c8588e9e23b511e27704535130772738246f /share/pf
parentb145b611dcb0e533d1afdc054c59ea7d8ff5d16c (diff)
Sync with the faq
Diffstat (limited to 'share/pf')
-rw-r--r--share/pf/faq-example113
-rw-r--r--share/pf/faq-example28
-rw-r--r--share/pf/faq-example338
3 files changed, 34 insertions, 25 deletions
diff --git a/share/pf/faq-example1 b/share/pf/faq-example1
index a93cb42ed9a..25e80a65fa8 100644
--- a/share/pf/faq-example1
+++ b/share/pf/faq-example1
@@ -1,4 +1,4 @@
-# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
+# $OpenBSD: faq-example1,v 1.3 2005/07/02 16:16:39 joel Exp $
#
# Firewall for Home or Small Office
@@ -14,7 +14,9 @@ tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
-
+
+comp3 = "192.168.0.3"
+
# options
set block-policy return
set loginterface $ext_if
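Review bot: The new `comp3` macro at the top of this hunk is introduced without any comment, while the surrounding file labels each block (`# options` directly below it). A bare address does not tell a reader what the host is or why the ruleset cares about it, and the rdr and pass rules that use it only appear later in the commit. A one-line comment such as `# comp3 - internal host that receives redirected inbound HTTP (port 80)` above the macro would tie the pieces together; presumably this is the LAN web server from the FAQ, but that is not visible here.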
@@ -26,6 +28,7 @@ scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
+rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
block all
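Review bot: The new rdr rule matches `to any port 80`, whereas the existing inbound pass rule further down in this file restricts the destination to the firewall's own address with `to ($ext_if)`. As written, every TCP/80 packet arriving on $ext_if is redirected to $comp3 regardless of its destination address; `rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $comp3` limits the redirect to traffic actually addressed to the firewall and keeps the two rules consistent. The redirect also carries no comment, unlike the ftp rdr context above it in the FAQ; a short `# redirect inbound web traffic to comp3` line would document the intent.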
@@ -38,6 +41,12 @@ block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
+pass in on $ext_if proto tcp from any to $comp3 port 80 \
+ flags S/SA synproxy state
+
+pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
+ user proxy flags S/SA keep state
+
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
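Review bot: The second new pass rule admits inbound connections from source port 20 to the firewall and is only acceptable because of the `user proxy` clause — the source port is chosen by the remote peer and cannot be trusted, so the socket-owner check is what actually confines this rule to the proxy's data connections (presumably ftp-proxy, given the rdr to 127.0.0.1 port 8021 earlier in the file). That reasoning is worth recording above the rule: `# active-mode FTP data connections from remote servers; only to sockets owned by the ftp proxy (user proxy)`. Separately, the first new rule omits the `inet` keyword that the existing pass rule directly above it uses (`pass in on $ext_if inet proto tcp from any to $comp3 port 80 \`); the address family is implied by $comp3 here, so this is a style point, but aligning it keeps the rule set uniform.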
diff --git a/share/pf/faq-example2 b/share/pf/faq-example2
index f46626353cc..ef97bf10031 100644
--- a/share/pf/faq-example2
+++ b/share/pf/faq-example2
@@ -1,4 +1,4 @@
-# $OpenBSD: faq-example2,v 1.2 2003/08/06 16:04:45 henning Exp $
+# $OpenBSD: faq-example2,v 1.3 2005/07/02 16:16:39 joel Exp $
#
# Small, Home Network
@@ -42,9 +42,9 @@ altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
# bob_in - bandwidth reserved for Bob's workstation. allow him to
# borrow.
-queue std_in cbq(default)
-queue ssh_im_in priority 4
-queue dns_in priority 5
+queue std_in bandwidth 1.6Mb cbq(default)
+queue ssh_im_in bandwidth 200Kb priority 4
+queue dns_in bandwidth 120Kb priority 5
queue bob_in bandwidth 80Kb cbq(borrow)
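Review bot: The three queues now carry explicit bandwidth values which, together with bob_in's 80Kb, sum exactly to the parent's 2Mb (1.6Mb + 200Kb + 120Kb + 80Kb), but nothing in the hunk records that constraint. The comment block above only explains bob_in's borrow setting, so a later edit that raises one queue will overcommit the parent without any hint in the file. A comment above the queue definitions such as `# child bandwidths must not exceed the 2Mb assigned to dc0 above; they currently sum to exactly 2Mb` would make the relationship explicit.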
diff --git a/share/pf/faq-example3 b/share/pf/faq-example3
index 2dff688e8ba..391a0eee232 100644
--- a/share/pf/faq-example3
+++ b/share/pf/faq-example3
@@ -1,11 +1,11 @@
-# $OpenBSD: faq-example3,v 1.2 2003/08/06 16:04:45 henning Exp $
+# $OpenBSD: faq-example3,v 1.3 2005/07/02 16:16:39 joel Exp $
#
# Company Network
# http://www.openbsd.org/faq/pf/queueing.html#example2
#
-
+
# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
@@ -17,15 +17,15 @@ altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
# outgoing traffic on fxp0.
# www_ext - container queue for WWW server queues. limit to
# 500Kbps.
-# www_ext_http - http traffic from the WWW server
-# www_ext_misc - all non-http traffic from the WWW server
-# boss_ext - traffic coming from the boss's computer
+# www_ext_http - http traffic from the WWW server; higher priority.
+# www_ext_misc - all non-http traffic from the WWW server.
+# boss_ext - traffic coming from the boss's computer.
-queue std_ext cbq(default)
+queue std_ext bandwidth 500Kb cbq(default borrow)
queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
- queue www_ext_http priority 3 cbq(red)
- queue www_ext_misc priority 1
-queue boss_ext priority 3
+ queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
+ queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
+queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
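Review bot: The child queues www_ext_http and www_ext_misc are given `bandwidth 50%` while every other queue in the hunk uses an absolute value; a percentage here is relative to the enclosing www_ext queue (500Kb), not to the interface, and a reader scanning the file may assume otherwise. A one-line comment above the two child queues, `# 50% of www_ext's 500Kb each`, would remove the ambiguity. It is also worth noting in the comment block that the three top-level queues now sum exactly to the 1.5Mb assigned to fxp0, since the updated per-queue comments describe priority but not the bandwidth budget.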
@@ -41,15 +41,15 @@ altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
# is 1.0Mbps.
# std_int - the standard queue. also the default queue for outgoing
# traffic on dc0.
-# it_int - traffic to the IT Dept network.
-# boss_int - traffic to the boss's PC.
-# www_int - traffic from the WWW server in the DMZ.
+# it_int - traffic to the IT Dept network; reserve them 500Kbps.
+# boss_int - traffic to the boss's PC; assign a higher priority.
+# www_int - traffic from the WWW server in the DMZ; full speed.
queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
- queue std_int cbq(default)
+ queue std_int bandwidth 250Kb cbq(default borrow)
queue it_int bandwidth 500Kb cbq(borrow)
- queue boss_int priority 3
-queue www_int cbq(red)
+ queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
+queue www_int bandwidth 99Mb cbq(red borrow)
# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
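Review bot: `queue www_int bandwidth 99Mb cbq(red borrow)` hard-codes the interface speed: together with net_int's 1.0Mb it fills the parent `altq on dc0 cbq bandwidth 100%` only if dc0 is a 100Mbps link, and the updated comment on the www_int line says just "full speed". On a faster link the queue is silently short of full speed and on a slower one the children exceed the parent, so the assumption should be stated, e.g. `# www_int - traffic from the WWW server in the DMZ; 99Mb assumes dc0 is 100Mbps (100% minus net_int's 1.0Mb).` The same point applies to `queue internal_dmz bandwidth 99Mb cbq(borrow)` on fxp1 in the next hunk.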
@@ -63,13 +63,13 @@ altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
# define the parameters for the child queues.
# internal_dmz - traffic from the internal network.
# net_dmz - container queue for traffic from the Internet.
-# net_dmz_http - http traffic.
+# net_dmz_http - http traffic; higher priority.
# net_dmz_misc - all non-http traffic. this is also the default queue.
-queue internal_dmz # no special settings needed
+queue internal_dmz bandwidth 99Mb cbq(borrow)
queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
- queue net_dmz_http priority 3 cbq(red)
- queue net_dmz_misc priority 1 cbq(default)
+ queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
+ queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)
# ... in the filtering section of pf.conf ...