Diffstat (limited to 'share/examples/pf')
| -rw-r--r-- | share/examples/pf/Makefile | 9 | ||||
| -rw-r--r-- | share/examples/pf/Makefile.depend | 10 | ||||
| -rw-r--r-- | share/examples/pf/ackpri | 30 | ||||
| -rw-r--r-- | share/examples/pf/faq-example1 | 50 | ||||
| -rw-r--r-- | share/examples/pf/faq-example2 | 88 | ||||
| -rw-r--r-- | share/examples/pf/faq-example3 | 116 | ||||
| -rw-r--r-- | share/examples/pf/pf.conf | 34 | ||||
| -rw-r--r-- | share/examples/pf/queue1 | 20 | ||||
| -rw-r--r-- | share/examples/pf/queue2 | 28 | ||||
| -rw-r--r-- | share/examples/pf/queue3 | 15 | ||||
| -rw-r--r-- | share/examples/pf/queue4 | 19 | ||||
| -rw-r--r-- | share/examples/pf/spamd | 7 |
12 files changed, 426 insertions, 0 deletions
diff --git a/share/examples/pf/Makefile b/share/examples/pf/Makefile
new file mode 100644
index 000000000000..3107fa346c65
--- /dev/null
+++ b/share/examples/pf/Makefile
@@ -0,0 +1,9 @@
+PACKAGE=examples
+FILES= faq-example1 faq-example2 faq-example3 \
+ ackpri queue1 queue2 queue3 queue4 \
+ pf.conf \
+ spamd
+
+FILESDIR= ${SHAREDIR}/examples/pf
+
+.include <bsd.prog.mk>
diff --git a/share/examples/pf/Makefile.depend b/share/examples/pf/Makefile.depend
new file mode 100644
index 000000000000..11aba52f82cf
--- /dev/null
+++ b/share/examples/pf/Makefile.depend
@@ -0,0 +1,10 @@
+# Autogenerated - do NOT edit!
+
+DIRDEPS = \
+
+
+.include <dirdeps.mk>
+
+.if ${DEP_RELDIR} == ${_DEP_RELDIR}
+# local dependencies - needed for -jN in clean tree
+.endif
diff --git a/share/examples/pf/ackpri b/share/examples/pf/ackpri
new file mode 100644
index 000000000000..2dd42b9bb3b1
--- /dev/null
+++ b/share/examples/pf/ackpri
@@ -0,0 +1,30 @@
+# $OpenBSD: ackpri,v 1.3 2006/10/07 04:48:01 mcbride Exp $
+
+# Use a simple priority queue to prioritize empty (no payload) TCP ACKs,
+# which dramatically improves throughput on (asymmetric) links when the
+# reverse direction is saturated. The empty ACKs use an insignificant
+# part of the bandwidth, but if they get delayed, downloads suffer
+# badly, so prioritize them.
+
+# Example: 512/128 kbps ADSL. Download is 50 kB/s. When a concurrent
+# upload saturates the uplink, download drops to 7 kB/s. With the
+# priority queue below, download drops only to 48 kB/s.
+
+# Replace lo0 with your real external interface
+
+ext_if="lo0"
+
+# For a 512/128 kbps ADSL with PPPoE link, using "bandwidth 100Kb"
+# is optimal. Some experimentation might be needed to find the best
+# value. If it's set too high, the priority queue is not effective, and
+# if it's set too low, the available bandwidth is not fully used.
+# A good starting point would be real_uplink_bandwidth * 90 / 100.
+
+altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
+queue q_pri priority 7
+queue q_def priority 1 priq(default)
+
+pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
+
+pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)
+
diff --git a/share/examples/pf/faq-example1 b/share/examples/pf/faq-example1
new file mode 100644
index 000000000000..9045cd86bc59
--- /dev/null
+++ b/share/examples/pf/faq-example1
@@ -0,0 +1,50 @@
+# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $
+
+#
+# Firewall for Home or Small Office
+# http://www.openbsd.org/faq/pf/example1.html
+#
+
+
+# macros
+ext_if="fxp0"
+int_if="xl0"
+
+tcp_services="{ 22, 113 }"
+icmp_types="echoreq"
+
+comp3="192.168.0.3"
+
+# options
+set block-policy return
+set loginterface $ext_if
+
+set skip on lo
+
+# scrub
+scrub in
+
+# nat/rdr
+nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
+nat-anchor "ftp-proxy/*"
+rdr-anchor "ftp-proxy/*"
+
+rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
+rdr on $ext_if proto tcp from any to any port 80 -> $comp3
+
+# filter rules
+block in
+
+pass out
+
+anchor "ftp-proxy/*"
+antispoof quick for { lo $int_if }
+
+pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
+
+pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
+ synproxy state
+
+pass in inet proto icmp all icmp-type $icmp_types
+
+pass quick on $int_if no state
diff --git a/share/examples/pf/faq-example2 b/share/examples/pf/faq-example2
new file mode 100644
index 000000000000..e3dea440e83a
--- /dev/null
+++ b/share/examples/pf/faq-example2
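Review bot: `set block-policy return` is the one option in this file that changes what the firewall shows to an outside sender, and the hunk gives no reason for it: with `block in` as the default, a packet blocked on `$ext_if` is answered with a TCP RST or ICMP unreachable instead of being silently dropped, so a scan can tell the host is there. The FAQ-derived example presumably chose it so that LAN clients fail fast rather than time out, but the file does not say so. A comment next to that line would record the trade-off, e.g. `# answer blocked packets with RST/unreachable (LAN clients fail fast); set to "drop" to keep $ext_if silent`. The same wording would help readers who copy this file into /etc/pf.conf, as the header invites them to.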
@@ -0,0 +1,88 @@
+# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
+
+#
+# Small, Home Network
+# http://www.openbsd.org/faq/pf/queueing.html#example1
+#
+
+
+# enable queueing on the external interface to control traffic going to
+# the Internet. use the priq scheduler to control only priorities. set
+# the bandwidth to 610Kbps to get the best performance out of the TCP
+# ACK queue.
+
+altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
+ tcp_ack_out }
+
+# define the parameters for the child queues.
+# std_out - the standard queue. any filter rule below that does not
+# explicitly specify a queue will have its traffic added
+# to this queue.
+# ssh_im_out - interactive SSH and various instant message traffic.
+# dns_out - DNS queries.
+# tcp_ack_out - TCP ACK packets with no data payload.
+
+queue std_out priq(default)
+queue ssh_im_out priority 4 priq(red)
+queue dns_out priority 5
+queue tcp_ack_out priority 6
+
+# enable queueing on the internal interface to control traffic coming in
+# from the Internet. use the cbq scheduler to control bandwidth. max
+# bandwidth is 2Mbps.
+
+altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
+
+# define the parameters for the child queues.
+# std_in - the standard queue. any filter rule below that does not
+# explicitly specify a queue will have its traffic added
+# to this queue.
+# ssh_im_in - interactive SSH and various instant message traffic.
+# dns_in - DNS replies.
+# bob_in - bandwidth reserved for Bob's workstation. allow him to
+# borrow.
+
+queue std_in bandwidth 1.6Mb cbq(default)
+queue ssh_im_in bandwidth 200Kb priority 4
+queue dns_in bandwidth 120Kb priority 5
+queue bob_in bandwidth 80Kb cbq(borrow)
+
+
+# ... in the filtering section of pf.conf ...
+
+alice = "192.168.0.2"
+bob = "192.168.0.3"
+charlie = "192.168.0.4"
+local_net = "192.168.0.0/24"
+ssh_ports = "{ 22 2022 }"
+im_ports = "{ 1863 5190 5222 }"
+
+# filter rules for fxp0 inbound
+block in on fxp0 all
+
+# filter rules for fxp0 outbound
+block out on fxp0 all
+pass out on fxp0 inet proto tcp from (fxp0) to any \
+ queue(std_out, tcp_ack_out)
+pass out on fxp0 inet proto { udp icmp } from (fxp0) to any
+pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
+ queue dns_out
+pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
+ queue(std_out, ssh_im_out)
+pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
+ queue(ssh_im_out, tcp_ack_out)
+
+# filter rules for dc0 inbound
+block in on dc0 all
+pass in on dc0 from $local_net
+
+# filter rules for dc0 outbound
+block out on dc0 all
+pass out on dc0 from any to $local_net
+pass out on dc0 proto { tcp udp } from any port domain to $local_net \
+ queue dns_in
+pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
+ queue(std_in, ssh_im_in)
+pass out on dc0 proto tcp from any port $im_ports to $local_net \
+ queue ssh_im_in
+pass out on dc0 from any to $bob queue bob_in
diff --git a/share/examples/pf/faq-example3 b/share/examples/pf/faq-example3
new file mode 100644
index 000000000000..b4793110842d
--- /dev/null
+++ b/share/examples/pf/faq-example3
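Review bot: The interface names `fxp0` and `dc0` are hard-coded in every `altq` and filter rule of this file, while ackpri, faq-example1, queue1, queue2 and queue3 in the same commit put the interface in an `ext_if`/`int_if` macro, so a reader adapting this example has to edit roughly twenty lines instead of two; faq-example3 (the hunk ending on L23) has the same pattern with `fxp0`, `fxp1` and `dc0`. Adding `ext_if="fxp0"` and `int_if="dc0"` to the macro block next to `alice`/`bob` and using `$ext_if`/`$int_if` in the rules would bring the two FAQ files in line with the others. Since these files appear to be verbatim copies of the OpenBSD FAQ, the maintainers may prefer to keep them identical to upstream, in which case a one-line comment above the first `altq` saying the names are placeholders for the real external and internal interfaces would be enough.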
@@ -0,0 +1,116 @@
+# $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $
+
+#
+# Company Network
+# http://www.openbsd.org/faq/pf/queueing.html#example2
+#
+
+
+# enable queueing on the external interface to queue packets going out
+# to the Internet. use the cbq scheduler so that the bandwidth use of
+# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
+
+altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
+
+# define the parameters for the child queues.
+# std_ext - the standard queue. also the default queue for
+# outgoing traffic on fxp0.
+# www_ext - container queue for WWW server queues. limit to
+# 500Kbps.
+# www_ext_http - http traffic from the WWW server; higher priority.
+# www_ext_misc - all non-http traffic from the WWW server.
+# boss_ext - traffic coming from the boss's computer.
+
+queue std_ext bandwidth 500Kb cbq(default borrow)
+queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
+ queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
+ queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
+queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
+
+# enable queueing on the internal interface to control traffic coming
+# from the Internet or the DMZ. use the cbq scheduler to control the
+# bandwidth of each queue. bandwidth on this interface is set to the
+# maximum. traffic coming from the DMZ will be able to use all of this
+# bandwidth while traffic coming from the Internet will be limited to
+# 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).
+
+altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
+
+# define the parameters for the child queues.
+# net_int - container queue for traffic from the Internet. bandwidth
+# is 1.0Mbps.
+# std_int - the standard queue. also the default queue for outgoing
+# traffic on dc0.
+# it_int - traffic to the IT Dept network; reserve them 500Kbps.
+# boss_int - traffic to the boss's PC; assign a higher priority.
+# www_int - traffic from the WWW server in the DMZ; full speed.
+
+queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
+ queue std_int bandwidth 250Kb cbq(default borrow)
+ queue it_int bandwidth 500Kb cbq(borrow)
+ queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
+queue www_int bandwidth 99Mb cbq(red borrow)
+
+# enable queueing on the DMZ interface to control traffic destined for
+# the WWW server. cbq will be used on this interface since detailed
+# control of bandwidth is necessary. bandwidth on this interface is set
+# to the maximum. traffic from the internal network will be able to use
+# all of this bandwidth while traffic from the Internet will be limited
+# to 500Kbps.
+
+altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
+
+# define the parameters for the child queues.
+# internal_dmz - traffic from the internal network.
+# net_dmz - container queue for traffic from the Internet.
+# net_dmz_http - http traffic; higher priority.
+# net_dmz_misc - all non-http traffic. this is also the default queue.
+
+queue internal_dmz bandwidth 99Mb cbq(borrow)
+queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
+ queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
+ queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)
+
+
+# ... in the filtering section of pf.conf ...
+
+main_net = "192.168.0.0/24"
+it_net = "192.168.1.0/24"
+int_nets = "{ 192.168.0.0/24, 192.168.1.0/24 }"
+dmz_net = "10.0.0.0/24"
+
+boss = "192.168.0.200"
+wwwserv = "10.0.0.100"
+
+# default deny
+block on { fxp0, fxp1, dc0 } all
+
+# filter rules for fxp0 inbound
+pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
+ > 49151 } queue www_ext_misc
+pass in on fxp0 proto tcp from any to $wwwserv port 80 \
+ queue www_ext_http
+
+# filter rules for fxp0 outbound
+pass out on fxp0 from $int_nets to any
+pass out on fxp0 from $boss to any queue boss_ext
+
+# filter rules for dc0 inbound
+pass in on dc0 from $int_nets to any
+pass in on dc0 from $it_net to any queue it_int
+pass in on dc0 from $boss to any queue boss_int
+pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
+ > 49151 } queue www_int
+
+# filter rules for dc0 outbound
+pass out on dc0 from dc0 to $int_nets
+
+# filter rules for fxp1 inbound
+pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53
+
+# filter rules for fxp1 outbound
+pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
+ > 49151 } queue net_dmz_misc
+pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http
+pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
+ 21, > 49151 } queue internal_dmz
diff --git a/share/examples/pf/pf.conf b/share/examples/pf/pf.conf
new file mode 100644
index 000000000000..24b92fd9411c
--- /dev/null
+++ b/share/examples/pf/pf.conf
@@ -0,0 +1,34 @@
+# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
+#
+# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
+# Remember to set gateway_enable="YES" and/or ipv6_gateway_enable="YES"
+# in /etc/rc.conf if packets are to be forwarded between interfaces.
+
+#ext_if="ext0"
+#int_if="int0"
+
+#table <spamd-white> persist
+
+#set skip on lo
+
+#scrub in
+
+#nat-anchor "ftp-proxy/*"
+#rdr-anchor "ftp-proxy/*"
+#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
+#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
+#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
+#rdr pass on $ext_if proto tcp from any to any port smtp \
+# -> 127.0.0.1 port spamd
+
+#anchor "ftp-proxy/*"
+#block in
+#pass out
+
+#pass quick on $int_if no state
+#antispoof quick for { lo $int_if }
+
+#pass in on $ext_if proto tcp to ($ext_if) port ssh
+#pass in log on $ext_if proto tcp to ($ext_if) port smtp
+#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
+#pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
diff --git a/share/examples/pf/queue1 b/share/examples/pf/queue1
new file mode 100644
index 000000000000..38824f38ee33
--- /dev/null
+++ b/share/examples/pf/queue1
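Review bot: The redirect `-> 127.0.0.1 port spamd` names the port symbolically, and pf resolves such names through /etc/services at load time; on a system whose services file has no `spamd` entry, pfctl refuses the whole ruleset with an unknown-port error rather than skipping the line. Here the rule is commented out, so it only bites once a reader uncomments it, but the `spamd` example file in this commit (the hunk ending on L27) carries the same `port spamd` uncommented, so loading that file as-is presumably fails unless the spamd package has added the entry. A comment above the rule such as `# "port spamd" requires a spamd entry in /etc/services; use the port spamd(8) listens on if it is missing` would save readers the puzzle, and the same note fits the spamd example. Whether the stock FreeBSD services file already has the entry is not visible in this diff, so the comment should be phrased as a precondition rather than a statement about the base system.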
@@ -0,0 +1,20 @@
+# $OpenBSD: queue1,v 1.4 2006/10/07 04:48:01 mcbride Exp $
+
+ext_if = "dc0"
+
+altq on $ext_if cbq bandwidth 10Mb \
+ queue { deflt, http, ssh, mail, rsets }
+queue deflt bandwidth 10% priority 0 cbq(default ecn)
+queue http bandwidth 1.5Mb priority 3 { http_vhosts, http_cust1 }
+queue http_vhosts bandwidth 40% cbq(borrow red)
+queue http_cust1 bandwidth 0.5Mb
+queue mail bandwidth 10% priority 1
+queue ssh bandwidth 100Kb priority 7 cbq(borrow)
+queue rsets bandwidth 7500b priority 0 cbq(red)
+
+block return in on $ext_if inet all queue rsets
+pass in on $ext_if inet proto tcp from any to any port 80 queue http
+pass out on $ext_if inet proto tcp from any to any port 22 queue ssh
+pass in on $ext_if inet proto tcp from any to any port 22 queue ssh
+pass out on $ext_if inet proto tcp from any to any port 25 queue mail
+pass out on $ext_if inet all
diff --git a/share/examples/pf/queue2 b/share/examples/pf/queue2
new file mode 100644
index 000000000000..1968d8f3e8a3
--- /dev/null
+++ b/share/examples/pf/queue2
@@ -0,0 +1,28 @@
+# $OpenBSD: queue2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
+# advanced queue example.
+# give interactive ssh traffic priority over ssh bulk transfers (scp, sftp)
+
+ext_if="dc0"
+developerhosts="192.168.2.0/24"
+employeehosts="192.168.0.0/23"
+
+altq on $ext_if cbq bandwidth 5Mb queue { std, http, mail, ssh }
+
+queue std bandwidth 10% cbq(default)
+queue http bandwidth 60% priority 2 cbq(borrow red) { employees, developers }
+queue developers bandwidth 75% cbq(borrow)
+queue employees bandwidth 15%
+queue mail bandwidth 10% priority 0 cbq(borrow ecn)
+queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
+queue ssh_interactive bandwidth 25% priority 7
+queue ssh_bulk bandwidth 75% priority 0
+
+block return out on $ext_if inet all queue std
+pass out on $ext_if inet proto tcp from $developerhosts to any port 80 \
+ queue developers
+pass out on $ext_if inet proto tcp from $employeehosts to any port 80 \
+ queue employees
+pass out on $ext_if inet proto tcp from any to any port 22 \
+ queue(ssh_bulk, ssh_interactive)
+pass out on $ext_if inet proto tcp from any to any port 25 \
+ queue mail
diff --git a/share/examples/pf/queue3 b/share/examples/pf/queue3
new file mode 100644
index 000000000000..b33e7b8f2047
--- /dev/null
+++ b/share/examples/pf/queue3
@@ -0,0 +1,15 @@
+# $OpenBSD: queue3,v 1.3 2006/10/07 04:48:01 mcbride Exp $
+# simple PRIQ example
+
+ext_if="lo0"
+
+altq on $ext_if priq bandwidth 10Mb queue { pri-low pri-med pri-high }
+queue pri-low priority 0
+queue pri-med priority 1 priq(default)
+queue pri-high priority 2
+
+pass out on $ext_if proto tcp from any to any port 22 \
+ queue(pri-med, pri-high)
+pass out on $ext_if proto tcp from any to any port 80 queue pri-med
+pass in on $ext_if proto tcp from any to any port 80 queue pri-low
+
diff --git a/share/examples/pf/queue4 b/share/examples/pf/queue4
new file mode 100644
index 000000000000..e42299cff37e
--- /dev/null
+++ b/share/examples/pf/queue4
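Review bot: In the queue3 hunk, `ext_if="lo0"` binds the whole example to the loopback interface without saying that the value is a placeholder, whereas ackpri in the same commit precedes its identical `ext_if="lo0"` with `# Replace lo0 with your real external interface`. A reader who loads queue3 unchanged gets a ruleset that queues nothing useful and quietly does not touch the real uplink. Copying the same one-line comment above `ext_if="lo0"` in queue3 would make the two PRIQ examples consistent.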
@@ -0,0 +1,19 @@
+# $OpenBSD: queue4,v 1.2 2003/08/22 21:50:34 david Exp $
+#
+# Hierarchical queueing for a university.
+# Three faculties; engineering, law and art are defined.
+# Departments under the engineering faculty are defined as child queues.
+# The total bandwidth for engineering faculty is shared between three
+# departments. CS department gets the half of the bandwidth, EE and IE
+# departments get the thirty percent and twenty percent of bandwidth
+# respectively. These sibling departments can use more than their linkshare
+# whenever there is no backlogged sibling queue but when a queue gets
+# backlogged, it is guaranteed that the queue gets its linkshare.
+
+altq on dc0 bandwidth 16Mb hfsc queue { eng law art }
+queue eng bandwidth 10Mb { cs ee ie }
+queue cs hfsc( default linkshare 50% )
+queue ee hfsc( linkshare 30% )
+queue ie hfsc( linkshare 20% )
+queue law bandwidth 3Mb
+queue art bandwidth 3Mb
diff --git a/share/examples/pf/spamd b/share/examples/pf/spamd
new file mode 100644
index 000000000000..31b24adc3f55
--- /dev/null
+++ b/share/examples/pf/spamd
@@ -0,0 +1,7 @@
+# $OpenBSD: spamd,v 1.2 2005/08/06 19:52:37 jmc Exp $
+
+# spamd-setup puts addresses to be redirected into table <spamd>.
+
+table <spamd> persist
+no rdr on { lo0, lo1 } from any to any
+rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
