Untitled

ip_gate =    "9.9.9.9"
ext_if =     "xl0"
flag1 =""
flag = "flags S/SA keep state (source-track global, max-src-states 100, if-bound)"
int_if =     "xl1"
ports="{1><24,26><444,446><65535}"


prv_hosts =  "192.168.0.0/24"
unfiltered = "{lo0}"
icmp_types = "{ 0, 8, 15, 30 }"

dl =            "8192Kb"
ul =            "740Kb"
noc_download = "1"
noc_upload   = "1"

set loginterface $ext_if
set loginterface $int_if

set optimization aggressive
set block-policy drop
set require-order yes
set limit frags 300000
scrub in all fragment reassemble
scrub out all fragment reassemble

#antispoof for $int_if
#antispoof for $ext_if

altq on $int_if hfsc bandwidth $dl queue { def \
_2 \
_3 \
_4 \
_5 \
_6 \
_7 \
_8 \
_9 \
_10 \
}
altq on $ext_if hfsc bandwidth $ul queue { defu \
_2u \
_3u \
_4u \
_5u \
_6u \
_7u \
_8u \
_9u \
_10u \
}
queue def bandwidth 1% hfsc(default upperlimit 8192Kb)
queue defu bandwidth 1% hfsc(default upperlimit 630Kb)
 queue _2               bandwidth 1%  hfsc( upperlimit 850Kb )
 queue _2u              bandwidth 1%  hfsc( upperlimit 80Kb )
 queue _3               bandwidth 1%  hfsc( upperlimit 900Kb )
 queue _3u              bandwidth 1%  hfsc( upperlimit 85Kb )
 queue _4               bandwidth 1%  hfsc( upperlimit 800Kb )
 queue _4u              bandwidth 1%  hfsc( upperlimit 85Kb )
 queue _5               bandwidth 1%  hfsc( upperlimit 800Kb )
 queue _5u              bandwidth 1%  hfsc( upperlimit 85Kb )
 queue _6               bandwidth 1%  hfsc( upperlimit 800Kb )
 queue _6u              bandwidth 1%  hfsc( upperlimit 85Kb )
 queue _7               bandwidth 1%  hfsc( upperlimit 500Kb )
 queue _7u              bandwidth 1%  hfsc( upperlimit 360Kb )
 queue _8               bandwidth 1%  hfsc( upperlimit 800Kb )
 queue _8u              bandwidth 1%  hfsc( upperlimit 95Kb )
 queue _9               bandwidth 1%  hfsc( upperlimit 500Kb )
 queue _9u              bandwidth 1%  hfsc( upperlimit 85Kb )
 queue _10              bandwidth 1%  hfsc( upperlimit 800Kb )
 queue _10u             bandwidth 1%  hfsc( upperlimit 85Kb )

nat on $ext_if from $prv_hosts -> $ip_gate


pass out quick on $ext_if inet from {$int_if} to any flags S/SA keep state
pass in quick on $int_if inet proto tcp from any to 192.168.0.1 port 8080
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080
#pass in quick on $ext_if inet proto udp from any port 53 to any label "DNS-in"
pass in quick on $int_if inet proto tcp from $prv_hosts to $int_if port 22 label "ssh-int"
pass in quick on $ext_if inet proto tcp from 0.0.0.0/0 to $ext_if port 22 label "ssh-ext"
pass in quick on $ext_if inet proto { tcp, udp } from 0.0.0.0/0 to $ext_if port 161 label "snmp"
pass in quick on $ext_if inet proto tcp from 0.0.0.0/0 to $ext_if port 80 label "ipfm-www"
pass in quick inet proto icmp all icmp-type echoreq label "passed-icmp" modulate state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state icmp-type $icmp_types label "snmp"
block in quick on $ext_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-ext"
block in quick on $ext_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds-ext"
block in quick on $int_if inet proto tcp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds"
block in quick on $int_if inet proto udp from any to any port {1080,3128,4588,6588,445,3306,134 >< 140} label "ms-ds"

pass quick on $unfiltered label "loopback"
block in quick on $ext_if inet from any to 255.255.255.255 label "broadcast"
block in all label "blocked"


pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.2 to any port $ports $flag queue _2 tag host2
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _2u tagged host2

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.3 to any port $ports $flag queue _3 tag host3
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _3u tagged host3


pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.4 to any port $ports $flag queue _4 tag host4
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _4u tagged host4

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.5 to any port $ports $flag queue _5 tag host5
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _5u tagged host5

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.6 to any port $ports $flag queue _6 tag host6
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _6u tagged host6

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.7 to any port $ports $flag queue _7 tag host7
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _7u tagged host7

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.8 to any port $ports $flag queue _8 tag host8
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _8u tagged host8

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.9 to any port $ports $flag queue _9 tag host9
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _9u tagged host9

pass in quick on $int_if inet proto {tcp,udp} from 192.168.0.10 to any port $ports $flag queue _10 tag host10
pass out quick on $ext_if inet proto {tcp,udp} from $ext_if to any port $ports $flag queue _10u tagged host10

#pass in log on $ext_if inet proto tcp from any to $int_if port 1:65535 keep state

#block in quick on $int_if  from any to any
pass in quick on $int_if from any to any label default
pass out quick on $int_if from any to any label default-upload
pass out on $ext_if from ($ext_if) to any keep state

antispoof for $int_if
antispoof for $ext_if