# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $

#
# Small, Home Network
# http://www.openbsd.org/faq/pf/queueing.html#example1
#

# NOTE(review): this listing uses the ALTQ syntax ("altq on ..." followed by
# "queue ..." definitions). Later OpenBSD releases replaced ALTQ with a
# different queueing syntax, so check pf.conf(5) on the target system before
# reusing these lines.

# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 610Kbps to get the best performance out of the TCP
# ACK queue.
# NOTE(review): the real uplink rate is not shown in this listing; the value
# presumably sits just below it so that packets queue on this host and not in
# the modem -- confirm against the actual link.

altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }

# define the parameters for the child queues.
# std_out      - the standard queue. any filter rule below that does not
#                explicitly specify a queue will have its traffic added
#                to this queue.
# ssh_im_out   - interactive SSH and various instant message traffic.
# dns_out      - DNS queries.
# tcp_ack_out  - TCP ACK packets with no data payload.
#
# with priq a higher priority number is served first, so the order here is
# tcp_ack_out (6), dns_out (5), ssh_im_out (4), then std_out, which gives no
# priority and therefore takes the scheduler's default. priq(red) turns on
# Random Early Detection for ssh_im_out.

queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.

altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }

# define the parameters for the child queues.
# std_in       - the standard queue. any filter rule below that does not
#                explicitly specify a queue will have its traffic added
#                to this queue.
# ssh_im_in    - interactive SSH and various instant message traffic.
# dns_in       - DNS replies.
# bob_in       - bandwidth reserved for Bob's workstation. allow him to
#                borrow.
#
# the four child allocations (1.6Mb + 200Kb + 120Kb + 80Kb) add up to the
# 2Mb given to the parent. only bob_in carries cbq(borrow), so it is the
# only queue allowed to exceed its own allocation.

queue std_in    bandwidth 1.6Mb cbq(default)
queue ssh_im_in bandwidth 200Kb priority 4
queue dns_in    bandwidth 120Kb priority 5
queue bob_in    bandwidth 80Kb cbq(borrow)


# ... in the filtering section of pf.conf ...

# macros for the LAN hosts and the classified ports. alice and charlie are
# defined here but are not referenced by any rule in this listing.
alice         = "192.168.0.2"
bob           = "192.168.0.3"
charlie       = "192.168.0.4"
local_net     = "192.168.0.0/24"
ssh_ports     = "{ 22 2022 }"
im_ports      = "{ 1863 5190 5222 }"

# none of the rules below uses "quick", so the LAST matching rule decides
# both the pass/block action and the queue. the order (block first, broad
# pass next, specific queue assignments last) is therefore significant and
# must be kept when editing.

# filter rules for fxp0 inbound
# default deny for everything arriving from the Internet. replies to
# outbound connections are only accepted through state entries.
# NOTE(review): no rule here says "keep state" explicitly; on a pf version
# where pass rules do not create state by default, replies would be dropped
# by this block rule -- confirm the default on the target system.
block in on fxp0 all

# filter rules for fxp0 outbound
# "from (fxp0)" matches the interface's current address (the parentheses make
# pf follow address changes). LAN hosts use private addresses, so these rules
# presumably rely on a nat rule that is not part of this listing -- verify.
# queue(a, b): packets go to queue a, except low-delay ToS packets and TCP
# ACKs without payload, which go to queue b.
block out on fxp0 all
pass  out on fxp0 inet proto tcp from (fxp0) to any \
        queue(std_out, tcp_ack_out)
pass  out on fxp0 inet proto { udp icmp } from (fxp0) to any
pass  out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
        queue dns_out
pass  out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
        queue(std_out, ssh_im_out)
pass  out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
        queue(ssh_im_out, tcp_ack_out)

# filter rules for dc0 inbound
# only packets sourced from the LAN prefix are accepted on the internal
# interface.
# NOTE(review): the pass rule has no destination or port restriction, so LAN
# hosts can reach any destination, including services on the firewall itself;
# restrict management ports separately if that is not intended.
block in on dc0 all
pass  in on dc0 from $local_net

# filter rules for dc0 outbound
# traffic is classified by SOURCE port because these are replies coming back
# from remote servers. the final rule matches everything addressed to bob, so
# it overrides the dns/ssh/im queue choices for his workstation and puts all
# of his inbound traffic in bob_in.
# NOTE(review): packets that match an existing state entry are not evaluated
# against the ruleset again; check the per-queue counters from
# "pfctl -v -s queue" to confirm the *_in queues actually receive traffic.
block out on dc0 all
pass  out on dc0 from any to $local_net
pass  out on dc0 proto { tcp udp } from any port domain to $local_net \
        queue dns_in
pass  out on dc0 proto tcp from any port $ssh_ports to $local_net \
        queue(std_in, ssh_im_in)
pass  out on dc0 proto tcp from any port $im_ports to $local_net \
        queue ssh_im_in
pass  out on dc0 from any to $bob queue bob_in