# $OpenBSD: faq-example3,v 1.3 2005/07/02 16:16:39 joel Exp $
# $DragonFly: src/share/examples/pf/faq-example3,v 1.1 2005/12/13 01:58:27 corecode Exp $

#
# Company Network
# http://www.openbsd.org/faq/pf/queueing.html#example2
#
# Interfaces used by this example (see the per-interface comments below):
#   fxp0 - external interface (Internet)
#   dc0  - internal interface (office networks)
#   fxp1 - DMZ interface (WWW server)
#
# The first part of the file defines ALTQ cbq queues for each interface;
# the second part, after the "filtering section" marker, holds the
# block/pass rules that assign traffic to those queues.
#


# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.

altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }

# define the parameters for the child queues. the three top-level queues
# add up to the full 1.5Mb of the root (3 x 500Kb).
# std_ext - the standard queue. also the default queue for
#           outgoing traffic on fxp0 (cbq "default" keyword).
# www_ext - container queue for WWW server queues. limit to
#           500Kbps.
# www_ext_http - http traffic from the WWW server; higher priority.
# www_ext_misc - all non-http traffic from the WWW server.
# boss_ext - traffic coming from the boss's computer.
# "borrow" lets a queue exceed its share when the parent has spare
# bandwidth; "red" enables random early detection on that queue.

queue std_ext bandwidth 500Kb cbq(default borrow)
queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
    queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
    queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)

# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
# bandwidth of each queue. bandwidth on this interface is set to the
# maximum. traffic coming from the DMZ will be able to use all of this
# bandwidth while traffic coming from the Internet will be limited to
# 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).

altq on dc0 cbq bandwidth 100% queue { net_int, www_int }

# define the parameters for the child queues.
# net_int - container queue for traffic from the Internet. bandwidth
#           is 1.0Mbps.
# std_int - the standard queue. also the default queue for outgoing
#           traffic on dc0.
# it_int - traffic to the IT Dept network; reserve them 500Kbps.
# boss_int - traffic to the boss's PC; assign a higher priority.
# www_int - traffic from the WWW server in the DMZ; full speed.
# (net_int 1.0Mb + www_int 99Mb assumes a 100Mb link on dc0 — confirm
# the interface speed if this file is reused.)

queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
    queue std_int bandwidth 250Kb cbq(default borrow)
    queue it_int bandwidth 500Kb cbq(borrow)
    queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
queue www_int bandwidth 99Mb cbq(red borrow)

# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
# control of bandwidth is necessary. bandwidth on this interface is set
# to the maximum. traffic from the internal network will be able to use
# all of this bandwidth while traffic from the Internet will be limited
# to 500Kbps.

altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }

# define the parameters for the child queues.
# internal_dmz - traffic from the internal network.
# net_dmz - container queue for traffic from the Internet.
# net_dmz_http - http traffic; higher priority.
# net_dmz_misc - all non-http traffic. this is also the default queue.

queue internal_dmz bandwidth 99Mb cbq(borrow)
queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
    queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
    queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)


# ... in the filtering section of pf.conf ...

# address macros. main_net and dmz_net are defined but not referenced
# by any rule in this file; int_nets is the list form of both internal
# networks and is what the rules use.
main_net = "192.168.0.0/24"
it_net = "192.168.1.0/24"
int_nets = "{ 192.168.0.0/24, 192.168.1.0/24 }"
dmz_net = "10.0.0.0/24"

boss = "192.168.0.200"
wwwserv = "10.0.0.100"

# default deny: anything not matched by a later pass rule is dropped on
# all three interfaces, in both directions. pf applies the last matching
# rule, so the pass rules below override this one only for what they
# name explicitly.
block on { fxp0, fxp1, dc0 } all

# filter rules for fxp0 inbound
# only the WWW server is reachable from the Internet: FTP control (21),
# the passive-FTP data ports (> 49151) and HTTP (80). "flags S/SA keep
# state" creates state only on the initial SYN, so later packets of a
# connection are matched by the state table rather than these rules.
# NOTE(review): "> 49151" opens every TCP port above 49151 on $wwwserv to
# any source, not just the ports the FTP daemon actually hands out; if
# the daemon's passive range is configured, narrow this list to it.
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
    > 49151 } flags S/SA keep state queue www_ext_misc
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
    flags S/SA keep state queue www_ext_http

# filter rules for fxp0 outbound
# internal hosts may reach the Internet; the more specific boss rule
# matches last and only changes the queue for the boss's traffic.
pass out on fxp0 from $int_nets to any keep state
pass out on fxp0 from $boss to any keep state queue boss_ext

# filter rules for dc0 inbound
# the first rule creates state for all internal traffic. the it_int and
# boss_int rules are more specific matches that pick a queue for the IT
# network and the boss's PC.
# NOTE(review): the it_int and boss_int rules have no "keep state",
# unlike the rule above them. on pf releases where pass rules do not
# keep state implicitly (before OpenBSD 4.1, as far as I know) they are
# stateless, and the queue they assign presumably does not carry over
# to the reply traffic leaving dc0 — confirm against the pf version in
# use, and add "keep state" if that is the case.
pass in on dc0 from $int_nets to any keep state
pass in on dc0 from $it_net to any queue it_int
pass in on dc0 from $boss to any queue boss_int
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
    > 49151 } flags S/SA keep state queue www_int

# filter rules for dc0 outbound
# an interface name used as an address stands for that interface's own
# address(es), so this passes the firewall's own packets from dc0 to the
# internal networks. this rule is stateless (no "keep state").
pass out on dc0 from dc0 to $int_nets

# filter rules for fxp1 inbound
# the only connections the DMZ host may initiate are DNS lookups (tcp
# and udp port 53); everything else originating in the DMZ hits the
# default deny above.
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
    keep state

# filter rules for fxp1 outbound
# mirrors the fxp0 inbound rules on the DMZ side: traffic from anywhere
# to the WWW server lands in the 500Kb net_dmz queues, while the last,
# more specific rule moves traffic from the internal networks into the
# unthrottled internal_dmz queue. the same NOTE about "> 49151" applies
# here.
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
    > 49151 } flags S/SA keep state queue net_dmz_misc
pass out on fxp1 proto tcp from any to $wwwserv port 80 \
    flags S/SA keep state queue net_dmz_http
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
    21, > 49151 } flags S/SA keep state queue internal_dmz