'Multiple Queus'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Multiple Queus
From:       Carl Libra <crllbr () yahoo ! com>
Date:       2004-11-17 8:53:46
Message-ID: 20041117085346.7529.qmail () web61103 ! mail ! yahoo ! com
[Download RAW message or body]

Trying to get some queuing inplace for ACK's, DNS and
HTTP(S) and would 
like some feedback on what I've done is really going
to work. 

Thanks for any feedback. 

# Define interfaces 
int_if = "rtk0" 
ext_if = "tun0" 

# Opening the following ports from the outside http,
https and pop3-ssl 
tcp_services = "{ 80, 443, 995 }" 
icmp_types = "echoreq" 

# RFC1918 
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16 
}" 

# options 
set block-policy return 
set loginterface $ext_if 

# Scrubbing 
scrub in all 

# Queueing 
# TCP/ACK frames go first, then DNS lookups, web
surfing, and the 
unwashed masses. 
altq on $ext_if priq bandwidth 735Kb queue { std_out,
http_out, 
dns_out, tcp_ack_out } 
queue std_out priority 1 priq(default) 
queue http_out priority 3 
queue dns_out priority 4 
queue tcp_ack_out priority 5 

# NAT/RDR directives 
nat on $ext_if from $int_if:network to any ->
($ext_if) 
rdr on $int_if proto tcp from any to any port 21 ->
127.0.0.1 port 8021 

# Filter rules 
block drop all 

# Local machine stuff 
pass quick on lo0 all 

# Clean invalid SRC/DST packets 
block drop in quick on $ext_if from $priv_nets to any 
block drop out quick on $ext_if from any to $priv_nets


# Pass in allowed servers 
pass in on $ext_if proto tcp from any to ($ext_if)
port $tcp_services 
flags S/SA keep state 
pass in inet proto icmp all icmp-type $icmp_types keep
state 

# Internal network(s) 
pass in on $int_if from $int_if:network to any keep
state 
pass out on $int_if from any to $int_if:network keep
state 

# Out to the 'net 
pass out on $ext_if proto tcp from ($ext_if) to any
flags S/SA modulate 
state queue(std_out, tcp_ack_out) 
pass out on $ext_if proto tcp from ($ext_if) to any
port { 80 443 } 
modulate state queue http_out 
pass out on $ext_if proto { tcp udp } from ($ext_if)
to any port domain 
keep state queue dns_out 
pass out on $ext_if proto { udp icmp } from ($ext_if)
to any keep state 
queue std_out 




		
__________________________________ 
Do you Yahoo!? 
Meet the all-new My Yahoo! - Try it today! 
http://my.yahoo.com 
 
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic