
Re: what's wrong with my pf.conf and altq



Ok, now ...

int_if="sis0"
ext_if="sis2"
services_out_tcp="{ 22, 53, 80, 443 }"
services_out_udp="{ 53, 67, 68 }"
icmp_types="echoreq"
ignore_virus="{ 135, 137, 139, 445 }"

# options
set block-policy return
set loginterface $ext_if

#scrub 
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id

# queueing
altq on $ext_if cbq bandwidth 40Kb queue { high_priority, low_priority }
queue high_priority bandwidth 60% priority 7 cbq(red, borrow )
queue low_priority bandwidth 40% priority 1 cbq(default)

#nat and ftp-proxy redirection
nat on $ext_if from !($ext_if) -> ($ext_if)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

#default block sisX and allow loopback
block log-all quick inet6 all
pass quick on lo0 all
#block log-all on $int_if all
#block in quick on $ext_if inet proto { tcp, udp } from any to any port $ignore_virus label virus
block log-all on $ext_if all
block out log-all quick on $ext_if from $int_if:network to any

# EXTERNAL INTERFACE
pass out quick on $ext_if proto udp from any port = bootpc to any port = bootps queue high_priority
pass in quick on $ext_if proto udp from any port = bootps to $ext_if port = bootpc
pass out on $ext_if inet proto tcp from $ext_if to any port $services_out_tcp modulate state queue high_priority
pass out on $ext_if inet proto udp from $ext_if to any port $services_out_udp keep state queue high_priority
pass out on $ext_if inet proto tcp from $ext_if to any port { 21, 119 } keep state queue low_priority
pass in on $ext_if inet proto tcp from any port 20 to $ext_if port 55000 >< 57000 user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from $ext_if to any port 20 flags S/AUPRFS modulate state queue low_priority
pass out on $ext_if inet proto tcp from $ext_if to any port > 1024 flags S/AUPRFS modulate state queue low_priority

antispoof log-all quick for lo0
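As an added cross-check (my own example, not code from the post or from pf), the script below takes the altq/queue lines of the config above, re-joined onto single lines, and verifies that every queue a pass rule names is defined, that the child bandwidths do not exceed 100%, and that exactly one default queue exists. pfctl -nf remains the authoritative parser; this only makes the queue cross-references visible.

```python
"""Cross-reference check for the altq/queue section of an OpenBSD pf.conf.
Added example, not from the list post or from pf. PF_CONF is the poster's
queue-related lines, re-joined onto single lines (constructed sample)."""
import re

PF_CONF = """\
ext_if="sis2"
altq on $ext_if cbq bandwidth 40Kb queue { high_priority, low_priority }
queue high_priority bandwidth 60% priority 7 cbq(red, borrow )
queue low_priority bandwidth 40% priority 1 cbq(default)
pass out quick on $ext_if proto udp from any port = bootpc to any port = bootps queue high_priority
pass out on $ext_if inet proto tcp from $ext_if to any port { 21, 119 } keep state queue low_priority
pass out on $ext_if inet proto tcp from $ext_if to any port > 1024 flags S/AUPRFS modulate state queue low_priority
"""

def check_altq(conf):
    """Return a list of findings; empty means queues and rules are consistent."""
    declared, defined, defaults, referenced = set(), {}, [], set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, as pfctl does
        if not line:
            continue
        m = re.match(r"altq\s+on\s+\S+.*\bqueue\s*\{([^}]*)\}", line)
        if m:                                 # root: altq on IF ... queue { a, b }
            declared.update(n.strip() for n in m.group(1).split(","))
            continue
        m = re.match(r"queue\s+(\w+)\s+bandwidth\s+(\d+)%", line)
        if m:                                 # child: queue NAME bandwidth N% ...
            defined[m.group(1)] = int(m.group(2))
            if "default" in line:
                defaults.append(m.group(1))
            continue
        m = re.search(r"\bqueue\s+(\w+)\s*$", line)
        if m and line.startswith("pass"):     # rule assigning traffic to a queue
            referenced.add(m.group(1))
    findings = []
    for q in sorted(declared - set(defined)):
        findings.append(f"queue {q} listed on altq line but never defined")
    for q in sorted(set(defined) - declared):
        findings.append(f"queue {q} defined but not attached to an altq line")
    for q in sorted(referenced - set(defined)):
        findings.append(f"pass rule references undefined queue {q}")
    if len(defaults) != 1:
        findings.append(f"expected exactly one default queue, found {len(defaults)}")
    total = sum(defined.values())
    if total > 100:
        findings.append(f"child queue bandwidths sum to {total}% (> 100%)")
    return findings

if __name__ == "__main__":
    print(check_altq(PF_CONF) or "no findings")
```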


