# $OpenBSD: faq-example3,v 1.3 2005/07/02 16:16:39 joel Exp $
# $DragonFly: src/share/examples/pf/faq-example3,v 1.1 2005/12/13 01:58:27 corecode Exp $

#
# Company Network
# http://www.openbsd.org/faq/pf/queueing.html#example2
#
# Three interfaces are used throughout this example:
#   fxp0 - external (Internet) interface
#   dc0  - internal network interface
#   fxp1 - DMZ interface, where the WWW server lives
# The first part defines ALTQ queues per interface; the second part
# ("filtering section") is the rule set that assigns traffic to them.
#


# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
# (queueing in pf acts on packets leaving an interface; the 1.5Mb figure
# is the upstream capacity and should match the real link.)

altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }

# define the parameters for the child queues.
# std_ext        - the standard queue. also the default queue for
#                  outgoing traffic on fxp0.
# www_ext        - container queue for WWW server queues. limit to
#                  500Kbps.
#   www_ext_http - http traffic from the WWW server; higher priority.
#   www_ext_misc - all non-http traffic from the WWW server.
# boss_ext       - traffic coming from the boss's computer.
#
# cbq(default) marks the queue that takes packets not assigned to any
# other queue by a rule; "borrow" lets a queue take unused bandwidth
# from its parent; "red" enables random early detection on that queue.
# The three 500Kb children add up to the parent's 1.5Mb.

queue std_ext        bandwidth 500Kb cbq(default borrow)
queue www_ext        bandwidth 500Kb { www_ext_http, www_ext_misc }
  queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
  queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
queue boss_ext       bandwidth 500Kb priority 3 cbq(borrow)

# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
# bandwidth of each queue. bandwidth on this interface is set to the
# maximum. traffic coming from the DMZ will be able to use all of this
# bandwidth while traffic coming from the Internet will be limited to
# 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).

altq on dc0 cbq bandwidth 100% queue { net_int, www_int }

# define the parameters for the child queues.
# net_int    - container queue for traffic from the Internet. bandwidth
#              is 1.0Mbps.
#   std_int  - the standard queue. also the default queue for outgoing
#              traffic on dc0.
#   it_int   - traffic to the IT Dept network; reserve them 500Kbps.
#   boss_int - traffic to the boss's PC; assign a higher priority.
# www_int    - traffic from the WWW server in the DMZ; full speed.
#
# NOTE(review): the child bandwidths (250Kb + 500Kb + 250Kb) fill the
# 1.0Mb parent exactly; the 99Mb www_int figure presumes a 100Mbps
# interface -- adjust if dc0 is a different speed.

queue net_int    bandwidth 1.0Mb { std_int, it_int, boss_int }
  queue std_int  bandwidth 250Kb cbq(default borrow)
  queue it_int   bandwidth 500Kb cbq(borrow)
  queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
queue www_int    bandwidth 99Mb cbq(red borrow)

# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
# control of bandwidth is necessary. bandwidth on this interface is set
# to the maximum. traffic from the internal network will be able to use
# all of this bandwidth while traffic from the Internet will be limited
# to 500Kbps.

altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }

# define the parameters for the child queues.
# internal_dmz   - traffic from the internal network.
# net_dmz        - container queue for traffic from the Internet.
#   net_dmz_http - http traffic; higher priority.
#   net_dmz_misc - all non-http traffic. this is also the default queue.
#
# The net_dmz layout mirrors www_ext on fxp0 (same 50/50 split and the
# same priorities), so requests arriving from the Internet and the
# replies leaving for it are shaped symmetrically.

queue internal_dmz   bandwidth 99Mb cbq(borrow)
queue net_dmz        bandwidth 500Kb { net_dmz_http, net_dmz_misc }
  queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
  queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)


# ... in the filtering section of pf.conf ...

# macros. main_net and dmz_net are defined but not referenced by any
# rule below; int_nets repeats main_net and it_net as a single list so
# that one rule can match both internal networks.

main_net  = "192.168.0.0/24"
it_net    = "192.168.1.0/24"
int_nets  = "{ 192.168.0.0/24, 192.168.1.0/24 }"
dmz_net   = "10.0.0.0/24"

boss      = "192.168.0.200"
wwwserv   = "10.0.0.100"

# default deny
# Blocks both directions on all three interfaces; every pass rule below
# is an exception to this. No rule uses "quick", so pf's last-matching
# rule decides: a later, more specific pass overrides an earlier one.
block on { fxp0, fxp1, dc0 } all

# filter rules for fxp0 inbound
# The only traffic accepted from the Internet is TCP to the WWW server:
# FTP control (21) plus the passive-FTP data range (> 49151) into the
# low-priority queue, and HTTP (80) into the higher-priority queue.
# "flags S/SA" matches only the initial SYN (SYN set, ACK clear), so
# state is created from a proper connection start. The queue named on
# a stateful rule is also applied to the reply packets leaving on fxp0,
# which is how the www_ext_* queues shape the server's outgoing data.
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
        > 49151 } flags S/SA keep state queue www_ext_misc
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
        flags S/SA keep state queue www_ext_http

# filter rules for fxp0 outbound
# Internal hosts may reach anything; the boss's traffic is listed last
# so it wins under last-match and lands in boss_ext. Everything else
# from $int_nets falls into the std_ext default queue.
pass out on fxp0 from $int_nets to any keep state
pass out on fxp0 from $boss to any keep state queue boss_ext

# filter rules for dc0 inbound
# NOTE(review): the $it_net and $boss rules carry no "keep state",
# unlike the $int_nets rule above them; being later and more specific
# they are the ones that apply to those sources, so that traffic is
# passed statelessly here (the corresponding state is still created on
# fxp0 by the outbound rules above). Confirm this is intended.
pass in on dc0 from $int_nets to any keep state
pass in on dc0 from $it_net to any queue it_int
pass in on dc0 from $boss to any queue boss_int
# internal hosts to the DMZ web server; replies leave dc0 via www_int.
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
        > 49151 } flags S/SA keep state queue www_int

# filter rules for dc0 outbound
# "from dc0" expands to the interface's own addresses, so this is a
# stateless pass for traffic the firewall itself sends to the internal
# networks (e.g. replies for the stateless rules above).
pass out on dc0 from dc0 to $int_nets

# filter rules for fxp1 inbound
# The WWW server is allowed to originate only DNS lookups; anything
# else it initiates is caught by the default block.
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
        keep state

# filter rules for fxp1 outbound
# Traffic to the WWW server entering the DMZ. The two "from any" rules
# mirror the fxp0 inbound rules (misc vs. http queues); the last rule,
# from the internal networks, is more specific and wins under
# last-match, so internal requests use the unthrottled internal_dmz.
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
        > 49151 } flags S/SA keep state queue net_dmz_misc
pass out on fxp1 proto tcp from any to $wwwserv port 80 \
        flags S/SA keep state queue net_dmz_http
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
        21, > 49151 } flags S/SA keep state queue internal_dmz