# $FreeBSD$
# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $

#
# Small, Home Network
# http://www.openbsd.org/faq/pf/queueing.html#example1
#
# example pf.conf fragments for a gateway with one external interface
# (fxp0, towards the Internet) and one internal interface (dc0, the LAN).
# the first half belongs in the queueing section of pf.conf, the second
# half (after "... in the filtering section ...") in the filtering section.
# pf uses last-match semantics (no "quick" here), so within each interface
# the more specific rules further down override the generic ones above.
#


# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 610Kbps to get the best performance out of the TCP
# ACK queue.

altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }

# define the parameters for the child queues.
# std_out      - the standard queue. any filter rule below that does not
#                explicitly specify a queue will have its traffic added
#                to this queue.
# ssh_im_out   - interactive SSH and various instant message traffic.
# dns_out      - DNS queries.
# tcp_ack_out  - TCP ACK packets with no data payload.
#
# priq: a higher "priority" number is served first. std_out has no
# explicit priority and so gets the lowest; tcp_ack_out (6) is served
# before everything else. priq(red) enables RED early-drop on the
# ssh_im_out queue.

queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

# define the parameters for the child queues.
# std_in      - the standard queue. any filter rule below that does not
#               explicitly specify a queue will have its traffic added
#               to this queue.
# ssh_im_in   - interactive SSH and various instant message traffic.
# dns_in      - DNS replies.
# bob_in      - bandwidth reserved for Bob's workstation. allow him to
#               borrow.
#
# the child bandwidths (1.6Mb + 200Kb + 120Kb + 80Kb) add up to exactly
# the 2Mb of the parent. cbq(borrow) lets bob_in exceed its 80Kb share
# when the parent has spare capacity; the other queues are capped.

queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)


# ... in the filtering section of pf.conf ...

# macros. alice and charlie are defined for illustration only; no rule in
# this fragment references them. ssh_ports covers the standard port and a
# second alternate port, im_ports the usual instant-messaging ports.

alice         = "192.168.0.2"
bob           = "192.168.0.3"
charlie       = "192.168.0.4"
local_net     = "192.168.0.0/24"
ssh_ports     = "{ 22 2022 }"
im_ports      = "{ 1863 5190 5222 }"

# filter rules for fxp0 inbound
# nothing unsolicited is accepted from the Internet: there is no "pass in"
# rule on fxp0 at all. NOTE(review): return traffic for the outbound
# connections below is admitted by the state entries the "pass out" rules
# create (pf keeps state on pass rules by default), not by a pass in rule.
block in on fxp0 all

# filter rules for fxp0 outbound
# "(fxp0)" means the address(es) currently assigned to fxp0, looked up at
# runtime, so the rules survive an address change (e.g. DHCP renewal).
# with the two-queue form "queue(a, b)" the second queue receives TCP
# ACKs with no payload and packets marked with the lowdelay ToS; all
# other matching packets go to the first queue.
block out on fxp0 all
pass  out on fxp0 inet proto tcp from (fxp0) to any \
        queue(std_out, tcp_ack_out)
# udp/icmp gets no explicit queue and therefore lands in std_out (default).
pass  out on fxp0 inet proto { udp icmp } from (fxp0) to any
# DNS (tcp and udp port 53) overrides the two generic rules above.
pass  out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
        queue dns_out
# SSH: bulk data stays in std_out, lowdelay-marked (interactive) packets
# go to ssh_im_out.
pass  out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
        queue(std_out, ssh_im_out)
# IM: payload in ssh_im_out, empty ACKs in tcp_ack_out.
pass  out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
        queue(ssh_im_out, tcp_ack_out)

# filter rules for dc0 inbound
# anything sourced from the LAN prefix is allowed in, any protocol, any
# destination; no per-host or per-port restriction is applied here.
block in on dc0 all
pass  in on dc0 from $local_net

# filter rules for dc0 outbound
# these rules only assign queues to traffic delivered to the LAN; the
# matching port is the *source* port, i.e. the remote service replying.
block out on dc0 all
pass  out on dc0 from any to $local_net
pass  out on dc0 proto { tcp udp } from any port domain to $local_net \
        queue dns_in
pass  out on dc0 proto tcp from any port $ssh_ports to $local_net \
        queue(std_in, ssh_im_in)
pass  out on dc0 proto tcp from any port $im_ports to $local_net \
        queue ssh_im_in
# last rule wins: everything destined for Bob, including the DNS/SSH/IM
# traffic matched above, ends up in bob_in.
pass  out on dc0 from any to $bob queue bob_in
