Untitled
a guest
Oct 21st, 2017
# OpenBSD pf.conf: router with an internal LAN, a DMZ and an IPv6 tunnel,
# shaping outbound traffic on the upstream link with ALTQ/hfsc.
# The ALTQ syntax below is the pre-5.6 form (OpenBSD 5.6 removed ALTQ in
# favour of the newer queue syntax); rdr-to/nat-to/match are 4.7+ syntax.
int_if="em0"
ext_if="dc0"
dmz_if="sk0"
tun_if="gif0"

set skip on lo
set block-policy return
#set loginterface $ext_if

# hfsc queue tree on the upstream link. Sibling shares are percentages of the
# parent and add up to 100% (30+14+5+20+5+20+5+1 at the root, 50+50 under ssh).
altq on $ext_if bandwidth 1700Kb hfsc queue { ack, dns, ssh, web, games, mail, bulk, bittor }
queue ack bandwidth 30% priority 9 qlimit 500 hfsc (realtime 20%)
queue games bandwidth 14% priority 8 qlimit 500 hfsc (realtime 5% ecn)
# dns is defined but no rule below assigns traffic to it (the UDP domain rule queues to mail)
queue dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 20% priority 6 qlimit 500 hfsc (realtime 15%) {ssh_login, ssh_bulk}
queue ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc (ecn)
# realtime (m1, d, m2): 10% for the first 10000 ms of a backlog, then 5%
queue web bandwidth 5% priority 5 qlimit 500 hfsc (realtime (10%, 10000, 5%))
# bulk is the default queue for traffic no rule assigns elsewhere
queue bulk bandwidth 20% priority 4 qlimit 500 hfsc (realtime 20% default, ecn)
queue mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue bittor bandwidth 1% priority 2 qlimit 500 hfsc (upperlimit 95%)

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#match in all scrub (no-df)
# NAT everything leaving the egress interface that does not already carry its address
match out on egress inet from !(egress) to any nat-to (egress:0)

# default deny; ICMP and ICMPv6 are allowed so PMTUD and diagnostics work
block all
pass proto icmp
pass proto icmp6
# drop packets whose source address fails the reverse-path check (anti-spoofing)
block in quick from urpf-failed

pass out on $tun_if

# internal LAN: unrestricted both ways
pass out on $int_if to $int_if:network
pass in on $int_if from $int_if:network

# DMZ hosts may reach anything except the internal LAN
pass out on $dmz_if to $dmz_if:network
pass in on $dmz_if from $dmz_if:network to !($int_if:network)

# everything else outbound on the uplink lands in bulk, with ACKs in the ack queue
pass out on $ext_if queue (bulk, ack)

#queue specific stuff
# second queue in (a, b) receives low-delay packets (TOS lowdelay / empty ACKs)
pass out on $ext_if inet proto tcp to any port ssh modulate state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto tcp to any port {http, https} modulate state queue (web)
pass out on $ext_if inet proto tcp to any port {smtp, smtps} modulate state queue (mail)
pass out on $ext_if inet proto udp to any port domain modulate state queue (mail)
pass out on $ext_if inet proto udp to any port 27960 modulate state queue (games)
pass out on $ext_if inet proto icmp to any queue (ack)

# accepts DNS queries from any source on the uplink: appropriate only for an
# authoritative server, otherwise this is an open resolver usable for amplification
pass in quick on $ext_if proto udp from any to port domain

#redirects
# inbound port forwards to LAN/DMZ hosts; all are open to any source address
pass in quick on $ext_if inet proto tcp from any to any port 8026 rdr-to 192.168.3.101 port ssh queue (ssh_bulk, ssh_login)
pass in quick on $ext_if inet proto tcp from any to any port ssh rdr-to 192.168.3.108 port ssh queue (ssh_bulk, ssh_login)
pass in quick on $ext_if inet proto tcp from any to any port http rdr-to 192.168.3.80 port http
pass in quick on $ext_if inet proto tcp from any to any port 9418 rdr-to 192.168.3.101 port 9418
pass in quick on $ext_if inet proto udp from any to any port 7777:7780 rdr-to 192.168.2.130 queue (games)
pass in quick on $ext_if inet proto udp from any to any port 27960 rdr-to 192.168.3.102 queue (games)
pass in quick on $ext_if inet proto tcp from any to any port 8027 rdr-to 192.168.3.103 queue (bittor)

#ipv6 passthrough
pass in quick on {$tun_if,$ext_if} inet6 proto tcp from any to 2001:470:e2de:3:5054:ff:fee9:a0bb port ssh
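An added check, not part of the paste: a small Python linter that reads the ALTQ queue tree and the queue-tagging rules and reports the things pfctl's syntax check does not flag: child shares that exceed 100% of their parent, rules naming a queue that was never defined, leaf queues that no rule ever selects, and how many queues carry the default flag. The sample it runs on is constructed from the queue section and the queue (...) rules above, so on this ruleset it reports dns as an unused queue, since the UDP domain rule queues to mail.

```python
import re
from collections import defaultdict

# Constructed sample: the ALTQ/hfsc queue tree and the rules that tag traffic
# into queues, copied from the paste above (not a complete pf.conf).
SAMPLE_PF_CONF = """
altq on $ext_if bandwidth 1700Kb hfsc queue { ack, dns, ssh, web, games, mail, bulk, bittor}
queue ack bandwidth 30% priority 9 qlimit 500 hfsc (realtime 20%)
queue games bandwidth 14% priority 8 qlimit 500 hfsc (realtime 5% ecn)
queue dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 20% priority 6 qlimit 500 hfsc (realtime 15%) {ssh_login, ssh_bulk}
queue ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc (ecn)
queue web bandwidth 5% priority 5 qlimit 500 hfsc (realtime (10%, 10000, 5%))
queue bulk bandwidth 20% priority 4 qlimit 500 hfsc (realtime 20% default, ecn)
queue mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue bittor bandwidth 1% priority 2 qlimit 500 hfsc (upperlimit 95%)
pass out on $ext_if queue (bulk, ack)
pass out on $ext_if inet proto tcp to any port ssh modulate state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto tcp to any port {http, https} modulate state queue (web)
pass out on $ext_if inet proto tcp to any port {smtp, smtps} modulate state queue (mail)
pass out on $ext_if inet proto udp to any port domain modulate state queue (mail)
pass out on $ext_if inet proto udp to any port 27960 modulate state queue (games)
pass out on $ext_if inet proto icmp to any queue (ack)
pass in quick on $ext_if inet proto tcp from any to any port 8027 rdr-to 192.168.3.103 queue (bittor)
"""

ROOT = "<altq root>"
ALTQ_RE = re.compile(r"^altq\s+on\s+\S+.*?\bqueue\s*\{([^}]*)\}")
QDEF_RE = re.compile(r"^queue\s+(\w+)\s+bandwidth\s+(\d+(?:\.\d+)?)%.*?(?:\{([^}]*)\})?\s*$")
USE_RE = re.compile(r"\bqueue\s*\(([^)]*)\)")


def _names(csv):
    """Split 'a, b, c' into ['a', 'b', 'c'], ignoring blanks."""
    return [n.strip() for n in csv.split(",") if n.strip()]


def lint_queues(conf):
    """Cross-check ALTQ queue definitions against the rules that tag traffic."""
    children = defaultdict(list)  # parent queue -> child queue names
    share = {}                    # queue name -> bandwidth % of its parent
    defaults = []                 # queues carrying the 'default' flag
    used = set()                  # queues referenced by 'queue (...)' on a rule
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALTQ_RE.match(line)
        if m:
            children[ROOT].extend(_names(m.group(1)))
            continue
        m = QDEF_RE.match(line)
        if m:
            name, pct, kids = m.group(1), float(m.group(2)), m.group(3)
            share[name] = pct
            if kids:
                children[name].extend(_names(kids))
            if re.search(r"\bdefault\b", line):
                defaults.append(name)
            continue
        for m in USE_RE.finditer(line):
            used.update(_names(m.group(1)))
    # hfsc child shares are percentages of the parent; over 100% is a misconfiguration
    totals = {p: sum(share.get(c, 0.0) for c in kids) for p, kids in children.items()}
    leaves = {q for q in share if q not in children}
    return {
        "oversubscribed": {p: t for p, t in totals.items() if t > 100},
        "undefined": sorted(used - set(share)),            # rule names a queue that does not exist
        "unused": sorted(leaves - used - set(defaults)),   # leaf queue no rule ever selects
        "defaults": defaults,                              # should be exactly one
    }


if __name__ == "__main__":
    for key, value in lint_queues(SAMPLE_PF_CONF).items():
        print(f"{key}: {value}")
```

Run it against a full pf.conf after `pfctl -nf` has accepted the syntax; the two checks are complementary, since pfctl validates grammar while this script validates the intent behind the queue tree.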