Simple configuration

Brian John brianjohn at fusemail.com
Mon Apr 25 18:33:22 PDT 2005


Hello,
I just want to set up a simple configuration.  I am using my FreeBSD 
desktop for 3 things:
- p2p downloading
- Browsing and Mail
- ssh

Right now ssh always times out on me when I try to connect to this box 
remotely, I think it is probably because I am downloading too much.  I 
want to make my p2p programs be able to use my full bandwidth, but when 
a client is trying to ssh in or I want to browse or check mail I want those 
to take priority over downloading (or at least not timeout).  I have a 
DSL modem which averages about 2 Mb.  I've been working on my pf.conf 
for several hours now and so far it just doesn't seem to be working.  I 
spent a lot of time reading the manual and looking up stuff on Google 
but it seems everyone else's uses are much more complex than mine.

Attached is my pf.conf.  Can anyone help me out?

Thanks!

/Brian
-------------- attachment: pf.conf --------------
#	$FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#ext_if="ext0"	# replace with actual external interface name i.e., dc0
#int_if="int0"	# replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"

ext_if="vr0"	# the interface facing the DSL modem; everything below queues on it

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Shape the uplink. ALTQ only queues packets *leaving* $ext_if, so the figure
# here has to be the DSL upstream rate (set slightly below what the modem can
# really send), not the downstream rate. If this ceiling is wider than the
# real uplink the modem's own buffer stays the bottleneck and the priorities
# below never take effect. 2Mb is kept from the original; measure and replace.
altq on $ext_if cbq bandwidth 2Mb queue { web, p2p, ssh }
queue web bandwidth 40% priority 6 cbq(borrow)
queue ssh bandwidth 40% priority 6 cbq(borrow)
queue p2p bandwidth 20% cbq(borrow default)	# priority 1: all unmatched traffic lands here

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass  out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

# Filtering. Last matching rule wins, and the implicit "pass all" means any
# traffic not matched below (the p2p clients) is still passed and goes to the
# default queue. A queue on a "pass in ... keep state" rule is applied to the
# reply packets leaving $ext_if for that state. "flags S/SA" creates state
# only on the initial SYN instead of on whatever packet happens to match.
#pass in on $ext_if proto tcp all
pass in  on $ext_if proto tcp from any to any port 22 flags S/SA keep state queue ssh
pass in  on $ext_if proto tcp from any to any port 80 flags S/SA keep state queue web

#pass out on $ext_if all
pass out on $ext_if proto tcp from any to any port 22 flags S/SA keep state queue ssh
pass out on $ext_if proto tcp from any to any port 80 flags S/SA keep state queue web
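One way to get what the message asks for, written here as an added example and not code from the original post or from the FreeBSD tree: shape the upstream side with the priq scheduler, put ssh and interactive web/mail above the p2p default, and send empty TCP ACKs to a top-priority queue so the downloads keep flowing while ssh stays responsive. Only the interface name vr0 comes from the post; the uplink figure (a 384Kb DSL uplink shaped at 360Kb), the queue names and the port list are assumptions to be adjusted.

```pf
# /etc/pf.conf (added example, not the posting's own file)
ext_if = "vr0"                  # from the original post
up_bw  = "360Kb"                # ASSUMPTION: ~5% below a 384Kb DSL uplink; measure yours

# ALTQ shapes packets leaving $ext_if only. Queueing just below the real
# uplink rate moves the bottleneck from the modem's buffer into pf, which is
# what makes the priorities below mean anything.
altq on $ext_if priq bandwidth $up_bw queue { q_ack, q_ssh, q_web, q_p2p }
queue q_ack priority 7                  # empty TCP ACKs: keeps downloads flowing
queue q_ssh priority 6
queue q_web priority 5                  # http/https and mail
queue q_p2p priority 1 priq(default)    # everything unmatched ends up here

# Last matching rule wins, so the catch-all comes first: anything not matched
# below (the p2p clients) goes to q_p2p, its data-less ACKs to q_ack. With two
# queues given, pf puts TOS lowdelay packets and empty TCP ACKs in the second.
pass out on $ext_if proto { tcp, udp } from any to any keep state queue (q_p2p, q_ack)

# Inbound ssh: the queue on a "pass in ... keep state" rule applies to the
# replies leaving $ext_if for that state.
pass in  on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state queue (q_ssh, q_ack)
pass out on $ext_if proto tcp from any to any port 22 flags S/SA keep state queue (q_ssh, q_ack)

# Browsing and mail from this box (port list is an assumption)
pass out on $ext_if proto tcp from any to any port { 80, 443, 25, 110, 143, 993, 995 } flags S/SA keep state queue (q_web, q_ack)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -vsq` during an ssh session to confirm that its bytes are counted against q_ssh rather than q_p2p. On FreeBSD of that era ALTQ is not in the GENERIC kernel: the kernel needs `options ALTQ` plus the scheduler option in use (`ALTQ_PRIQ` here, `ALTQ_CBQ` for the cbq variant above), or pfctl will reject the altq lines.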


More information about the freebsd-pf mailing list