pf
Angel Todorov
atodorov at acm.org
Fri Jul 18 08:19:00 PDT 2003
Hey, I have a pf conf here, but it plays a lot of tricks: as soon as it is started, first of all it drops packets, times out on the servers, etc., and the speed is very slow. See if anyone can spot a general error and reply :) even though it isn't FreeBSD-specific :P I didn't write it and I'm not all that familiar with pf, so if anyone can help, they're welcome :) BTW it might also be something in those options like set timeout and optimization :]
# Macros: define common values, so they can be referenced and changed easily.
extif="fxp1" # replace with the actual external interface name, e.g. dc0
intif="fxp0" # replace with the actual internal interface name, e.g. dc1
internal_net="172.16.0.0/16"
external_addr="192.168.173.34"
loif="lo0"
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 10000, frags 5000 }
set optimization normal
#set block-policy drop
#set require-order yes
############ SHAPING goes here ###############################
# Download shaping: the queues live on the internal interface. Replies to a
# stateful connection inherit the queue of the inbound rule that created the
# state, so they are shaped on their way out through $intif.
altq on $intif cbq bandwidth 100Mb queue { etherdown, downstream }
queue etherdown bandwidth 96% cbq(default)
queue downstream bandwidth 4% cbq
# Upload shaping: the queues live on the external interface.
altq on $extif cbq bandwidth 100Mb queue { etherup, upstream }
queue etherup bandwidth 99Mb cbq(default)
queue upstream bandwidth 386Kb cbq
# LAN-to-LAN traffic goes at full speed and needs no state.
pass in quick on $intif from $internal_net to $internal_net queue etherdown
pass out quick on $intif from $internal_net to $internal_net queue etherup
# LAN to the outside: every rule keeps state, otherwise the replies never
# get tagged with the downstream queue.
pass in on $intif proto tcp from $internal_net to any port 80 keep state queue downstream
pass in on $intif proto tcp from $internal_net to any port 53 keep state queue downstream
pass in on $intif proto tcp from $internal_net to any port 8080 keep state queue downstream
pass in on $intif proto tcp from $internal_net to any port 5190 keep state queue downstream
pass in on $intif proto tcp from $internal_net to any port 443 keep state queue downstream
pass in on $intif proto tcp from $internal_net to any port 4000 keep state queue downstream
pass in on $intif proto tcp from $internal_net to any port 25 keep state queue downstream
pass in on $intif proto icmp from $internal_net to any keep state queue downstream
pass in on $intif proto udp from $internal_net to any port 80 keep state queue downstream
pass in on $intif proto udp from $internal_net to any port 53 keep state queue downstream
### manage upstream here
# Traffic to the neighbouring private networks is not shaped.
pass out quick on $extif from $internal_net to 172.17.0.0/16 queue etherup
pass out quick on $extif from $internal_net to 172.20.0.0/16 queue etherup
# Everything else leaving through $extif is put in the upstream queue.
pass out on $extif proto tcp from $internal_net to any port 80 keep state queue upstream
pass out on $extif proto tcp from $internal_net to any port 53 keep state queue upstream
pass out on $extif proto tcp from $internal_net to any port 8080 keep state queue upstream
pass out on $extif proto tcp from $internal_net to any port 443 keep state queue upstream
pass out on $extif proto tcp from $internal_net to any port 4000 keep state queue upstream
pass out on $extif proto tcp from $internal_net to any port 25 keep state queue upstream
pass out on $extif proto udp from $internal_net to any port 53 keep state queue upstream
pass out on $extif proto udp from $internal_net to any port 80 keep state queue upstream
pass out on $extif proto icmp from $internal_net to any keep state queue upstream
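Two things worth checking before loading a config like the one above are whether the child queues of each altq declaration over-allocate their parent and whether any rule assigns a queue without keeping state (the downstream queue only ever sees reply packets, and replies can only inherit a queue through a state entry). The following lint script is an added example written for this post, not part of the original mail or of pf; it parses a constructed pf.conf fragment that mirrors the posted rules, with an extra deliberately over-allocated altq on a made-up interface `dc0`, and reports both problems. It handles only the subset of pf.conf syntax used here (macros, `altq on`, `queue`, `pass` rules) and assumes pf's bandwidth suffixes are `b`, `Kb`, `Mb`, `Gb` with 1000-based multipliers.

```python
import re

# Constructed sample in the style of the posted config. The altq on dc0 and
# its two queues are made up to show an over-allocation; rule 13 is the
# stateless-but-queued pattern from the original rules.
SAMPLE_CONF = """\
extif="fxp1"
intif="fxp0"
altq on $intif cbq bandwidth 100Mb queue { etherdown, downstream }
queue etherdown bandwidth 96% cbq(default)
queue downstream bandwidth 4% cbq
altq on $extif cbq bandwidth 100Mb queue { etherup, upstream }
queue etherup bandwidth 99Mb cbq(default)
queue upstream bandwidth 386Kb cbq
altq on dc0 cbq bandwidth 10Mb queue { bulk, prio }
queue bulk bandwidth 60% cbq(default)
queue prio bandwidth 50% cbq
pass in on $intif proto tcp from 172.16.0.0/16 to any port 80 keep state queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 443 queue downstream
"""

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def parse_bandwidth(spec, parent_bps=None):
    """Convert '100Mb', '386Kb' or '96%' into bits per second.
    A percentage is relative to the parent queue, so it needs parent_bps."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(%|Gb|Mb|Kb|b)", spec)
    if not m:
        raise ValueError(f"unparseable bandwidth: {spec!r}")
    value, unit = float(m.group(1)), m.group(2)
    if unit == "%":
        if parent_bps is None:
            raise ValueError("percentage bandwidth without a parent queue")
        return parent_bps * value / 100.0
    return value * UNITS[unit]


def lint_pf_conf(text):
    """Return (line_number, message) findings for over-allocated queues
    (line 0) and for pass rules that queue without keeping state."""
    findings = []
    macros = {}        # macro name -> value
    altq_bw = {}       # interface -> parent bandwidth in bps
    queue_iface = {}   # queue name -> interface it is declared on
    child_sum = {}     # interface -> summed child bandwidth in bps
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"?([^"]*)"?', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # expand $macro references so interface names compare equal
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        m = re.match(r"altq on (\S+) \w+ bandwidth (\S+) queue \{([^}]*)\}", line)
        if m:
            iface = m.group(1)
            altq_bw[iface] = parse_bandwidth(m.group(2))
            for q in m.group(3).replace(",", " ").split():
                queue_iface[q] = iface
            continue
        m = re.match(r"queue (\S+) bandwidth (\S+)", line)
        if m:
            q, spec = m.group(1), m.group(2)
            iface = queue_iface.get(q)
            if iface is None:
                findings.append((lineno, f"queue {q} is not attached to any altq"))
                continue
            child_sum[iface] = child_sum.get(iface, 0.0) + parse_bandwidth(spec, altq_bw[iface])
            continue
        if (line.startswith("pass") and " queue " in line
                and "keep state" not in line and "modulate state" not in line):
            findings.append((lineno, "stateless rule assigns a queue; without a state "
                                     "entry the reply packets cannot inherit it"))
    for iface, total in child_sum.items():
        if total > altq_bw[iface]:
            findings.append((0, f"queues on {iface} allocate {total:.0f} bps "
                                f"of a {altq_bw[iface]:.0f} bps parent"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_pf_conf(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Run against the constructed sample it reports the stateless rule on line 13 and the 11 Mb of children hanging off the 10 Mb altq on `dc0`; the queues copied from the posted config (96% + 4%, and 99Mb + 386Kb under 100Mb) pass. The script is a pre-flight check only; `pfctl -nf pf.conf` remains the authoritative syntax check on the box itself.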
More information about the freebsd-stable mailing list