#
# Nugget pf.conf (redacted)
#
# $Id: pf.conf,v 1.5 2005/03/10 20:29:09 nugget Exp $
#
# Purpose: ALTQ traffic shaping between the external ($ext_if) and internal
# ($int_if) interfaces, plus minimal anti-spoof filtering on the inside.
# Rule evaluation is pf's usual last-match-wins unless a rule says "quick",
# so the broad "pass ... all" rules are refined by the more specific queue
# assignments that follow them.

# Normalize and reassemble every inbound packet before the rules below see it.
scrub in all

# Interfaces
ext_if="xl0"
int_if="fxp0"

# Inside hosts (one macro per machine); only $suburbia and $colo are
# referenced by rules below, the rest are kept for readability/future use.
riva="68.93.27.57"
grid="68.93.27.58"
suburbia="68.93.27.59"
dazed="68.93.27.60"
natpool="68.93.27.61"
colo="69.41.170.136"

# Networks treated as "inside" by the $int_if rules. The commented-out
# 0.0.0.0/0 variant would let any source address pass in on $int_if, i.e.
# it disables the anti-spoof check further down.
local_net = "{ 68.93.27.56/29 69.155.245.192/28 }"
#local_net = "0.0.0.0/0"

# Port groups: bulk = mail/web, pri = privileged ports plus 6667,
# game = 27015.
bulk_ports = "{ 25 80 443 }"
pri_ports = "{ 1:1023 6667 }"
game_ports = "{ 27015 }"

# Enable ALTQ traffic shaping
# Outbound-to-the-world shaping at 400Kb on $ext_if. Every queue except
# bulk_out is allowed 95% of the link, so ordering is decided by priority
# rather than by share. std_out is the default queue; ssh_out uses RED.
altq on $ext_if cbq bandwidth 400Kb queue { std_out, pri_out, bulk_out, ssh_out, voip_out, glue_out }
queue bulk_out priority 0
queue std_out bandwidth 95% priority 1 cbq(default)
queue pri_out bandwidth 95% priority 2
queue ssh_out bandwidth 95% priority 3 cbq(red)
queue voip_out bandwidth 95% priority 4
queue glue_out bandwidth 95% priority 5

# "Inbound" shaping is done by queueing on $int_if, because ALTQ only shapes
# packets leaving an interface. Same priority scheme as the _out queues.
altq on $int_if cbq bandwidth 6Mb queue { std_in, pri_in, bulk_in, ssh_in, voip_in, glue_in }
queue bulk_in priority 0
queue std_in bandwidth 95% priority 1 cbq(default)
queue pri_in bandwidth 95% priority 2
queue ssh_in bandwidth 95% priority 3 cbq(red)
queue voip_in bandwidth 95% priority 4
queue glue_in bandwidth 95% priority 5

# localhost needs to be high performance! :)
pass quick on lo0 all

# Safety for traffic to and from dazed
# "quick": matched here and never subject to the block rules on $int_if below.
pass quick on $int_if from 172.16.92.0/24 to 172.16.92.0/24

# External inbound traffic
# NOTE(review): no inbound filtering on the external interface at all; every
# packet from outside is admitted and only shaped afterwards. If this box is
# the perimeter, inbound policy must live elsewhere (or be added here) -- the
# "redacted" header suggests filter rules may have been stripped from this
# copy, so confirm before reusing.
pass in on $ext_if all

# External outbound traffic
# Catch-all first; later rules reassign specific traffic to other queues.
# In a queue(a, b) pair, pf sends ACKs / low-delay packets to the second queue.
pass out on $ext_if all queue(std_out, pri_out)
pass out on $ext_if proto tcp from any to any flags S/SA keep state queue(std_out, glue_out)
pass out on $ext_if proto {tcp udp} from any port $pri_ports to any queue pri_out
pass out on $ext_if proto {tcp udp} from any port $game_ports to any queue pri_out
pass out on $ext_if proto udp from $suburbia to any keep state queue voip_out
pass out on $ext_if proto udp from any to $colo keep state queue voip_out
pass out on $ext_if proto {tcp udp} to any port domain keep state queue glue_out
pass out on $ext_if proto tcp to any port 22 keep state queue(bulk_out, ssh_out)
pass out on $ext_if proto tcp from any port 22 keep state queue(bulk_out, ssh_out)
pass out on $ext_if proto tcp from any port $bulk_ports keep state queue bulk_out
# TOS 0x08 (throughput) marked streams are demoted to the bulk queue.
pass out on $ext_if proto tcp tos 0x08 keep state queue bulk_out

# Internal inbound traffic
# Anti-spoof: only packets sourced from $local_net may enter from the inside.
block in on $int_if all
pass in on $int_if from $local_net

# Internal outbound traffic
# Only traffic destined for $local_net leaves toward the inside; the rest of
# the rules pick the queue for it, mirroring the $ext_if section above.
block out on $int_if all
pass out on $int_if from any to $local_net queue(std_in, pri_in)
pass out on $int_if proto tcp from any to $local_net flags S/SA keep state queue(std_in, glue_in)
pass out on $int_if proto {tcp udp} from any to $local_net port $pri_ports queue pri_in
pass out on $int_if proto {tcp udp} from any port $game_ports to $local_net queue pri_in
pass out on $int_if proto {tcp udp} from any port domain to $local_net queue glue_in
pass out on $int_if proto udp from any to $suburbia keep state queue voip_in
pass out on $int_if proto udp from $colo to any keep state queue voip_in
pass out on $int_if proto tcp from any port 22 to $local_net queue(bulk_in, ssh_in)
pass out on $int_if proto tcp from any to $local_net port 22 queue(bulk_in, ssh_in)
pass out on $int_if proto tcp from any to $local_net port $bulk_ports keep state queue bulk_in
pass out on $int_if proto tcp tos 0x08 keep state queue bulk_in