OpenBSD PF ALTQ firewall setup



This firewall (the config is based on OpenBSD 4.3) is set up redundantly with pfsync and CARP, and also functions as a traffic shaper using ALTQ bandwidth queueing.
It consists of two machines with four network cards each, connecting the outside, inside, wireless and DMZ networks. A VPN will be integrated later as well using the OpenVPN package, but I haven't gotten around to configuring that one yet.
I post this here in case someone can use this to set up their own firewall. The examples I found so far on the net were not quite as clear as I hoped.
This one's not completely cleaned up yet as I'm still experimenting with some rules so some parts might seem out of place.
(The notes set in bold in the original post are not part of the pf.conf file; if you copy the config, drop them or turn them into # comments, otherwise pfctl will refuse to load the file.)
After learning a bit more about tagging I've been replacing most rules with policy rules based on tagging specific traffic.

20091122: changed hfsc to cbq to accommodate scheduler option changes from version 4.3 to later versions, and added the borrow option to just about all child queues (a child with borrow may exceed its own bandwidth figure whenever its parent has spare capacity).

For a nice overview of how your queues are doing, install the pftop package (pfctl -vvs queue shows the same counters without it).


# macros
#
# Physical interfaces.  The CARP interfaces (carp9/carp0/carp1/carp2, see
# the queueing section) ride on top of these; filter rules match on the
# physical interface and on the CARP address ($wan, $lan, ...).
if_wan=         "xl0"    # Outside network
if_lan=         "rl0"    # Inside network
if_dmz=         "rl1"    # Demilitarized zone
if_wlan=        "rl2"   # Wireless network
if_vpn=         "tap0"   # To be used for the VPN network (not referenced by any rule yet)

# Addresses assigned to the carp interfaces:
wan=            "88.159.80.221/32"
lan=            "172.16.128.254/32"
dmz=            "172.16.64.254/32"
wlan=           "172.16.192.254/32"

# Default gateway (not referenced by any rule in this file) and the
# networks behind each interface.  $net_vpn and $net_grasso are the
# (future) VPN side -- the "remote stations" below live in $net_grasso --
# and are listed here so <net_all> already covers them.
defgw=          "88.159.81.254/32"
net_lan=        "172.16.128.0/24"
net_dmz=        "172.16.64.0/24"
net_wlan=       "172.16.192.0/24"
net_vpn=        "172.16.32.0/24"
net_grasso=     "10.205.0.0/20"

# servers (via01/02/05 are on the LAN, via03/04 in the DMZ)
via01=          "172.16.128.1/32"
via02=          "172.16.128.2/32"
via03=          "172.16.64.3/32"
via04=          "172.16.64.4/32"
via05=          "172.16.128.5/32"

# VMware servers (LAN)
vm01=           "172.16.128.50/32"
vm02=           "172.16.128.54/32"
vm03=           "172.16.128.55/32"

# jails: dns, tiny, mail, web and proxy live in the DMZ;
# dnscache, tinydns and packager on the LAN
dns=            "172.16.64.21/32"
tiny=           "172.16.64.22/32"
mail=           "172.16.64.11/32"
web=            "172.16.64.31/32"
proxy=          "172.16.64.35/32"
dnscache=       "172.16.128.11/32"
tinydns=        "172.16.128.12/32"
packager=       "172.16.128.26/32"

# local stations: each workstation has a wireless (..w, in $net_wlan) and
# a wired (..x, in $net_lan) address; the client tables list both.
dell01w=        "172.16.192.11/32"
dell01x=        "172.16.128.111/32"
dell02w=        "172.16.192.12/32"
dell02x=        "172.16.128.112/32"

# remote stations   To be connected to through VPN
gcmsrvr=        "10.205.0.5/32"
nb7011=         "10.205.15.16/32"

# port ranges (none of these three macros is referenced by a rule yet)
torrent_6=      "6666"
torrent_7=      "7777"
ftp_ports=      "50000:60000"    # To be used for an FTP server



# tables
#
# <local>: the firewall's own CARP addresses.  <if_me>: the physical
# interface names (not referenced by any rule in this file).  A name in a
# table is resolved to the interface's addresses once, when the ruleset is
# loaded -- unlike "($if_lan)" in a rule it does not follow later address
# changes.
table <local>           {$wan, $lan, $dmz, $wlan}
table <if_me>           {$if_wan, $if_lan, $if_dmz, $if_wlan}
# Addresses the two firewalls use to reach each other (see the ssh
# section).  Note they lie outside every $net_* macro above.
table <if_sync>         {172.16.0.241/32, 172.16.0.242/32}

# Client tables: which hosts may use which service.  The firewall's own
# addresses show up in several of them (<ssh_clients>, <dns_clients>,
# <ntp_clients>), so the firewalls may use those services themselves.
table <mail_clients>    {$dell02w, $dell02x}
table <nfs_clients>     {$dell02w, $dell02x, $via05}
table <smb_clients>     {$dell01w, $dell01x}
table <vmware_clients>  {$dell01w, $dell01x}
table <proxy_clients>   {$dell01w, $dell01x, $dell02w, $dell02x, $via02, $via03, $via05,\
                         $packager}
table <ssh_clients>     {$dell01w, $dell01x, $dell02w, $dell02x, $wan, $lan, $dmz, $wlan}
table <http_clients>    {$dell02w, $dell02x}
table <vpn_att_clients> {$dell01w, $dell01x, $dell02w, $dell02x}
table <dns_clients>     {$dell01w, $dell01x, $dell02w, $dell02x, \
                        $via01, $via02, $via03, $via04, $via05,\
                         $dmz}
table <ntp_clients>     {$dell01w, $dell01x, $dell02w, $dell02x, \
                        $via01, $via02, $via03, $via04, $via05, \
                        $wan, $if_lan}
table <cvs_clients>     {$dell02w, $via02}

# Server tables.  <ssh_servers> and <ntp_servers> include the firewall's
# own CARP addresses, i.e. ssh/ntp to the firewall itself is allowed from
# the respective client tables.
table <mail_servers>    {$mail}
table <smb_servers>     {$via01, $via02, $via03, $via04, $via05}
table <nfs_servers>     {$via01, $via02, $via03, $via04, $via05}
table <vm_servers>      {$vm01, $vm02, $vm03}
table <proxy_servers>   {$proxy}
table <ssh_servers>     {$via01, $via02, $via03, $via04, $via05,\
                         $vm01, $vm02, $vm03,\
                         $mail, $proxy, $web, $dns, $tiny, $packager,\
                         $dell02w, $dell02x, $wan, $lan, $dmz, $wlan}
table <torrent_servers> {$via03, $via05}
table <dns_servers>     {$dns, $dnscache}
table <web_servers>     {$web}
table <ntp_servers>     {$if_lan, $lan, $dmz, $wlan}
table <cvs_servers>     {62.250.3.15, 212.61.39.128}    # FreeBSD CVS update servers

# Not referenced by any rule in this file.
table <winrouters>      {172.16.128.60/32, 172.16.128.61/32, 172.16.128.62/32, \
                        172.16.128.63/32, 172.16.128.64/32}

# PLACEHOLDER: the text between the braces is not valid pf syntax, so
# pfctl will not load this file until real addresses are filled in (or
# make it "table <ip_att> persist" and load it with pfctl -t ip_att -T).
table <ip_att>          {ip addresses used for AT&T VPN at the office}
# Public hosts that <http_clients> may reach directly, bypassing the proxy.
table <http_servers>    {145.58.30.41, 145.58.30.134}

# Everything that counts as "ours": no NAT between these, and nothing
# with one of these source addresses should ever arrive on the outside.
# (172.16.128.60 is listed both here and in <winrouters>.)
table <net_vm>          {10.16.0.0/24, 10.128.0.0/24, 10.64.0.0/24, 10.32.0.0/24, 10.20.0.0/24, \
                        10.8.0.0/24,10.1.0.0/24, 172.16.128.60/32}
table <net_all>         {$net_lan, $net_dmz, $net_vpn, $net_wlan, $net_grasso}

# spamd greylisting: conventionally <spamd> is filled by spamd-setup(8)
# from the blacklists and <spamd-white> by spamd(8) once a greylisted
# sender retries; the two file-backed tables are the manual allow/deny
# lists.  "persist" keeps the tables around even while no rule uses them.
table <spamd>           persist
table <spamd-allowed>   persist file "/usr/local/etc/spamd-allowed"
table <spamd-denied>    persist file "/usr/local/etc/spamd-denied"
table <spamd-white>     persist

# Not referenced by any rule; the "!" entry excludes $proxy from the set.
table <rdr_ftp>         {$net_lan, !$proxy}



# rules

# pre   See the OpenBSD FAQ on PF
# Loopback is not filtered at all; the spamd redirect to 127.0.0.1 below
# is therefore not inspected a second time on lo0.
set skip on lo0
# States are bound to the interface they were created on: a state made
# on rl0 never matches a packet that shows up on rl1.  Every flow that
# crosses the box needs a rule on both interfaces (hence the "tagged"
# pass rules throughout the filter section).
set state-policy if-bound
# Normalisation: reassemble fragments, clear the DF bit so fragmented
# packets can be handled, randomise the IP ID field (hides host
# counters), and normalise TCP streams (reassemble tcp).
scrub all no-df random-id reassemble tcp


# queueing    This is where the fun of traffic shaping starts

# wan carp9/xl0
#
# Queue layout used on every interface: q*_def is the default class, the
# parents q*_1..q*_6 and q*_sys group child queues per service, and a
# higher priority number is served first (cbq: 0 lowest, 7 highest).
# Filter rules assign "queue (q*_svc, q*_ack)": the second queue takes
# empty TCP ACKs and lowdelay-TOS packets so bulk flows do not starve
# their own ACKs.  "borrow" lets a child exceed its own figure while the
# parent has spare capacity; "red" enables random early drop.
#
# Child sums: 10240 + 20480 + 6 x 10240 = 92160Kb, exactly the parent.
altq on $if_wan cbq bandwidth 92160Kb queue {q9_def, q9_1, q9_2, q9_3, q9_4, q9_5, q9_6, q9_sys}   # Yes, 100 Mb fiber :-)
        queue q9_def on $if_wan bandwidth 10240Kb priority 0 cbq \
        (red, default)
# No "borrow" on the torrent queue: hard cap at 5120Kb, whatever is idle.
queue q9_1 on $if_wan bandwidth 20480Kb priority 1 cbq {q9_torrent}
        queue q9_torrent on $if_wan bandwidth 5120Kb priority 1 cbq \
        (red)
# Bulk transfers.
queue q9_2 on $if_wan bandwidth 10240Kb priority 2 cbq {q9_http, q9_ftp, q9_cvs, q9_proxy}
        queue q9_http on $if_wan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q9_ftp on $if_wan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q9_cvs on $if_wan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q9_proxy on $if_wan bandwidth 1024Kb priority 2 cbq (borrow red)
queue q9_3 on $if_wan bandwidth 10240Kb priority 3 cbq {q9_mail}
        queue q9_mail on $if_wan bandwidth 1024Kb priority 3 cbq (borrow red)
queue q9_4 on $if_wan bandwidth 10240Kb priority 4 cbq {q9_vpn}
        queue q9_vpn on $if_wan bandwidth 1024Kb priority 4 cbq (borrow red)
# Interactive sessions.
queue q9_5 on $if_wan bandwidth 10240Kb priority 5 cbq {q9_rdp, q9_vnc}
        queue q9_rdp on $if_wan bandwidth 1024Kb priority 5 cbq (borrow red)
        queue q9_vnc on $if_wan bandwidth 1024Kb priority 5 cbq (borrow red)
queue q9_6 on $if_wan bandwidth 10240Kb priority 6 cbq {q9_ssh, q9_dns, q9_icmp}
        queue q9_ssh on $if_wan bandwidth 1024Kb priority 6 cbq (borrow red)
        queue q9_dns on $if_wan bandwidth 1024Kb priority 6 cbq (borrow red)
        queue q9_icmp on $if_wan bandwidth 1024Kb priority 6 cbq (borrow red)
# Infrastructure traffic (CARP, NTP, ACKs) gets the highest priority.
queue q9_sys on $if_wan bandwidth 10240Kb priority 7 cbq {q9_carp, q9_ntp, q9_ack}
        queue q9_carp on $if_wan bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q9_ntp on $if_wan bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q9_ack on $if_wan bandwidth 1024Kb priority 7 cbq (borrow red)

# lan carp0/rl0
# Same layout as the outside interface.  The parent is 91260Kb here
# against 92160Kb on xl0 -- possibly a transposed digit, harmless either
# way since the children only add up to 76800Kb.
altq on $if_lan cbq bandwidth 91260Kb queue {q0_def, q0_1, q0_2, q0_3, q0_4, q0_5, q0_6, q0_sys}
        queue q0_def on $if_lan bandwidth 5120Kb priority 0 cbq \
        (red, default)
# Torrent traffic towards the LAN: hard cap at 4096Kb (no borrow).
queue q0_1 on $if_lan bandwidth 10240Kb priority 1 cbq {q0_torrent}
        queue q0_torrent on $if_lan bandwidth 4096Kb priority 1 cbq \
        (red)
# Bulk file traffic.
queue q0_2 on $if_lan bandwidth 10240Kb priority 2 cbq \
 {q0_smb, q0_nfs, q0_rsync, q0_cvs, q0_proxy}
        queue q0_smb on $if_lan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q0_nfs on $if_lan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q0_rsync on $if_lan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q0_cvs on $if_lan bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q0_proxy on $if_lan bandwidth 1024Kb priority 2 cbq (borrow red)
queue q0_3 on $if_lan bandwidth 10240Kb priority 3 cbq {q0_distcc, q0_mail}
        queue q0_distcc on $if_lan bandwidth 1024Kb priority 3 cbq (borrow red)
        queue q0_mail on $if_lan bandwidth 1024Kb priority 3 cbq (borrow red)
# No children on the LAN side yet (the VPN slot on the other interfaces).
queue q0_4 on $if_lan bandwidth 10240Kb priority 4 cbq (borrow red)
# Interactive sessions.
queue q0_5 on $if_lan bandwidth 10240Kb priority 5 cbq {q0_rdp, q0_vnc, q0_vmware}
        queue q0_rdp on $if_lan bandwidth 1024Kb priority 5 cbq (borrow red)
        queue q0_vnc on $if_lan bandwidth 1024Kb priority 5 cbq (borrow red)
        queue q0_vmware on $if_lan bandwidth 1024Kb priority 5 cbq (borrow red)
queue q0_6 on $if_lan bandwidth 10240Kb priority 6 cbq {q0_ssh,q0_dns, q0_icmp}
        queue q0_ssh on $if_lan bandwidth 1024Kb priority 6 cbq (borrow red)
        queue q0_dns on $if_lan bandwidth 1024Kb priority 6 cbq (borrow red)
        queue q0_icmp on $if_lan bandwidth 1024Kb priority 6 cbq (borrow red)
# Infrastructure: this is the only interface carrying pfsync.
queue q0_sys on $if_lan bandwidth 10240Kb priority 7 cbq {q0_carp, q0_pfsync, q0_ntp, q0_ack}
        queue q0_carp on $if_lan bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q0_pfsync on $if_lan bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q0_ntp on $if_lan bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q0_ack on $if_lan bandwidth 1024Kb priority 7 cbq (borrow red)

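# dmz carp1/rl1
# The parent bandwidth was written as "91260Mb" -- a typo for Kb: 91 Gbit/s
# on a 100 Mbit/s card makes the CBQ rate accounting meaningless (pfctl
# may refuse it outright).  Same figure as the LAN side now.
altq on $if_dmz cbq bandwidth 91260Kb queue {q1_def, q1_1, q1_2, q1_3, q1_4, q1_5, q1_6, q1_sys}
        queue q1_def on $if_dmz bandwidth 5120Kb priority 0 cbq \
        (red, default)
# Torrent traffic towards the DMZ: hard cap at 5120Kb (no borrow).
queue q1_1 on $if_dmz bandwidth 20480Kb priority 1 cbq {q1_torrent}
        queue q1_torrent on $if_dmz bandwidth 5120Kb priority 1 cbq \
        (red)
# Bulk file traffic.  q1_http is added because the http section assigns
# "queue (q1_http, q1_ack)" to the redirected web traffic leaving on
# $if_dmz; a queue name must exist on the interface it is used on.
# Children add up to 6144Kb, within the 10240Kb parent.
queue q1_2 on $if_dmz bandwidth 10240Kb priority 2 cbq \
 {q1_smb, q1_nfs, q1_rsync, q1_cvs, q1_proxy, q1_http}
        queue q1_smb on $if_dmz bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q1_nfs on $if_dmz bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q1_rsync on $if_dmz bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q1_cvs on $if_dmz bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q1_proxy on $if_dmz bandwidth 1024Kb priority 2 cbq (borrow red)
        queue q1_http on $if_dmz bandwidth 1024Kb priority 2 cbq (borrow red)
queue q1_3 on $if_dmz bandwidth 10240Kb priority 3 cbq {q1_distcc, q1_mail}
        queue q1_distcc on $if_dmz bandwidth 1024Kb priority 3 cbq (borrow red)
        queue q1_mail on $if_dmz bandwidth 1024Kb priority 3 cbq (borrow red)
# Empty slots (VPN / interactive on the other interfaces).
queue q1_4 on $if_dmz bandwidth 10240Kb priority 4 cbq
queue q1_5 on $if_dmz bandwidth 10240Kb priority 5 cbq
queue q1_6 on $if_dmz bandwidth 10240Kb priority 6 cbq {q1_ssh, q1_dns, q1_icmp}
        queue q1_ssh on $if_dmz bandwidth 1024Kb priority 6 cbq (borrow red)
        queue q1_dns on $if_dmz bandwidth 1024Kb priority 6 cbq (borrow red)
        queue q1_icmp on $if_dmz bandwidth 1024Kb priority 6 cbq (borrow red)
# Infrastructure traffic, highest priority.
queue q1_sys on $if_dmz bandwidth 10240Kb priority 7 cbq {q1_carp, q1_ntp, q1_ack}
        queue q1_carp on $if_dmz bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q1_ntp on $if_dmz bandwidth 1024Kb priority 7 cbq (borrow red)
        queue q1_ack on $if_dmz bandwidth 1024Kb priority 7 cbq (borrow red)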

# wlan carp2/rl2
# The wireless side is shaped to 10Mb; children add up to 7680Kb.
altq on $if_wlan cbq bandwidth 10240Kb queue {q2_def, q2_1, q2_2, q2_3, q2_4, q2_5, q2_6, q2_sys}
        queue q2_def on $if_wlan bandwidth 512Kb priority 0 cbq (red, default)
# No torrent child on wireless.
queue q2_1 on $if_wlan bandwidth 1024Kb priority 1 cbq
# Bulk file traffic; this is the only interface with a direct-http child
# (see <http_clients>/<http_servers>).
queue q2_2 on $if_wlan bandwidth 1024Kb priority 2 cbq \
 {q2_smb, q2_nfs, q2_rsync, q2_cvs, q2_http, q2_proxy}
        queue q2_smb on $if_wlan bandwidth 128Kb priority 2 cbq (borrow red)
        queue q2_nfs on $if_wlan bandwidth 256Kb priority 2 cbq (borrow red)
        queue q2_rsync on $if_wlan bandwidth 128Kb priority 2 cbq (borrow red)
        queue q2_cvs on $if_wlan bandwidth 128Kb priority 2 cbq (borrow red)
        queue q2_http on $if_wlan bandwidth 128Kb priority 2 cbq (borrow red)
        queue q2_proxy on $if_wlan bandwidth 128Kb priority 2 cbq (borrow red)
queue q2_3 on $if_wlan bandwidth 1024Kb priority 3 cbq {q2_distcc, q2_mail}
        queue q2_distcc on $if_wlan bandwidth 128Kb priority 3 cbq (borrow red)
        queue q2_mail on $if_wlan bandwidth 128Kb priority 3 cbq (borrow red)
# Client side of the AT&T IPsec VPN (see "vpn att" in the filter section).
queue q2_4 on $if_wlan bandwidth 1024Kb priority 4 cbq {q2_vpn}
        queue q2_vpn on $if_wlan bandwidth 128Kb priority 4 cbq (borrow red)
# Interactive sessions.
queue q2_5 on $if_wlan bandwidth 1024Kb priority 5 cbq {q2_rdp, q2_vnc, q2_vmware}
        queue q2_rdp on $if_wlan bandwidth 128Kb priority 5 cbq (borrow red)
        queue q2_vnc on $if_wlan bandwidth 128Kb priority 5 cbq (borrow red)
        queue q2_vmware on $if_wlan bandwidth 128Kb priority 5 cbq (borrow red)
queue q2_6 on $if_wlan bandwidth 1024Kb priority 6 cbq {q2_ssh, q2_dns, q2_icmp}
        queue q2_ssh on $if_wlan bandwidth 128Kb priority 6 cbq (borrow red)
        queue q2_dns on $if_wlan bandwidth 128Kb priority 6 cbq (borrow red)
        queue q2_icmp on $if_wlan bandwidth 128Kb priority 6 cbq (borrow red)
# Infrastructure traffic, highest priority.
queue q2_sys on $if_wlan bandwidth 1024Kb priority 7 cbq {q2_carp, q2_ntp, q2_ack}
        queue q2_carp on $if_wlan bandwidth 128Kb priority 7 cbq (borrow red)
        queue q2_ntp on $if_wlan bandwidth 128Kb priority 7 cbq (borrow red)
        queue q2_ack on $if_wlan bandwidth 128Kb priority 7 cbq (borrow red)


# nat
# Traffic between our own networks is never translated (first match wins
# in the translation section, so this must come first).
no nat on $if_wan from {<net_all>, <net_vm>} to {<net_all>, <net_vm>}
# Outbound translation is driven by the tags set in the filter section:
# only flows that some "pass in ... tag X" rule tagged get the public
# address.  A flow that is passed on $if_wan without one of these tags
# would leave with its private source address, so every new service
# needs both a tagged pass rule and a nat rule here.
nat on $if_wan tagged http_client -> $wan
nat on $if_wan tagged proxy_server -> $wan
nat on $if_wan tagged dns_server -> $wan
nat on $if_wan tagged vpn_att_client -> $wan
nat on $if_wan tagged torrent_server -> $wan
nat on $if_wan tagged mail_server -> $wan
nat on $if_wan tagged cvs_client -> $wan


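# redirects
# NOTE: "rdr pass" passes the redirected connection *without* consulting
# the filter rules on the interface it arrives on.  The filter section
# therefore cannot log, queue or block these inbound flows -- e.g. the
# "block quick ... from <spamd-denied>" rule in the mail section never
# sees SMTP arriving on $if_wan and cannot keep a denied host away from
# spamd.  Only the outbound leg on the DMZ/LAN interface is filtered,
# which is what the mail_rdr / web_rdr tags are for.  Drop "pass" and add
# explicit pass rules if that control is wanted.
# mail
# First matching rdr wins: known spammers (<spamd>) and anyone not yet
# whitelisted are handed to spamd for greylisting/tarpitting; whitelisted
# sources go straight to the mail server.
rdr pass on $if_wan proto tcp from <spamd> to $wan\
 port smtp tag mail_rdr -> 127.0.0.1 port spamd
rdr pass on $if_wan proto tcp\
 from {<spamd-white>, <spamd-allowed>} to $wan\
 port smtp tag mail_rdr -> $mail
# Everything in <spamd-allowed> was already matched above, so this is
# effectively "everyone else".
rdr pass on $if_wan proto tcp from !<spamd-allowed> to $wan\
 port smtp tag mail_rdr -> 127.0.0.1 port spamd
# port smtp tag mail_rdr -> $mail

# Web server: hairpin internal clients that use the public address.
# The proxy rules used "<proxy>", a table declared nowhere in this file;
# pf silently creates an undeclared table as an empty one, so those two
# rules matched nothing.  <proxy_servers> (which holds $proxy) is what
# was meant.
rdr pass on $if_lan proto tcp from <proxy_servers> to $wan port http tag web_rdr -> $web
rdr pass on $if_wan proto tcp from any to $wan port http tag web_rdr -> $web
rdr pass on $if_lan proto tcp from any to $wan port http tag web_rdr -> $web
rdr pass on $if_dmz proto tcp from <proxy_servers> to $wan port http tag web_rdr -> $web
rdr pass on $if_wlan proto tcp from any to $wan port http tag web_rdr -> $web
# Inbound torrent peers.  As written these only match on $if_dmz, where a
# packet from outside <net_all> should never arrive; peers on the Internet
# come in on $if_wan.  Changing "on $if_dmz" to "on $if_wan" exposes
# $via03's ports 6001-6999 to the world, so do that deliberately.
rdr pass on $if_dmz proto tcp from !<net_all> to $wan port 6001:6999 tag torrent_client -> $via03
rdr pass on $if_dmz proto udp from !<net_all> to $wan port 6001:6999 tag torrent_client -> $via03
#rdr pass on $if_wan proto tcp from any to $wan port 1414 tag ext_proxy_rdr -> $proxy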



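# default
# Default deny, logged.  Everything that is allowed is passed explicitly
# (almost always with "quick") further down.
block log all
# IGMP noise on the outside interface is dropped without logging.
block in quick on $if_wan proto igmp all
# Unsolicited TCP/UDP from the outside to the public address is dropped
# silently (no "log"): this rule is not "quick", so it only overrides the
# logging of "block log all"; later pass rules still win.
block in on $if_wan proto {tcp, udp} from !<net_all> to $wan

# antispoof on all interfaces
# Packets arriving on the outside interface with one of our own network
# ranges as source are spoofed -- nothing internal legitimately shows up
# on xl0 (the future VPN arrives encapsulated, with public source
# addresses).  The per-interface rules below only cover the firewall's
# *own* addresses, so without this rule a spoofed packet could still
# match e.g. the "pass in quick on $if_wan ... port 22" or icmp rules.
block in quick log on $if_wan from {<net_all>, <net_vm>} to any
# Nobody but the firewall itself may use the firewall's addresses as
# source.  Each pair is redundant (the second rule, with no "on",
# already covers the first); kept as posted.
block in quick log on !$if_wan from {($if_wan), $wan} to any
block in quick log from {($if_wan), $wan} to any
block in quick log on !$if_lan from {($if_lan), $lan} to any
block in quick log from {($if_lan), $lan} to any
block in quick log on !$if_dmz from {($if_dmz), $dmz} to any
block in quick log from {($if_dmz), $dmz} to any
block in quick log on !$if_wlan from {($if_wlan), $wlan} to any
block in quick log from {($if_wlan), $wlan} to any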


# interconnect in
# pfsync in
# pfsync(4) is neither authenticated nor encrypted: any host on the
# segment it runs on can inject or alter firewall state.  It is carried
# on the LAN here rather than on a dedicated link between the two
# firewalls, so every LAN host is effectively trusted with that.  A
# crossover cable between the pair is the usual advice; failing that,
# "from <if_sync>" would at least pin the accepted sources, if those are
# indeed the sync addresses (the ssh section suggests so).
pass quick on $if_lan proto pfsync queue q0_pfsync
# carp in
# CARP advertisements in and out on every interface.  carp(4)
# authenticates them with the per-vhid password, but anything on the
# segment can still flood them.
pass quick on $if_lan proto carp queue q0_carp
pass quick on $if_wan proto carp queue q9_carp
pass quick on $if_dmz proto carp queue q1_carp
pass quick on $if_wlan proto carp queue q2_carp


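# ssh in
# Administrative ssh from the Internet.  It is open to every source, so
# new connections per source address are rate-limited: more than 5 new
# connections within 30 seconds from one address are dropped (plain
# max-src-conn-rate; add "overload <table> flush" plus a block rule if
# offenders should be banned outright).  Narrowing "from any" to known
# addresses remains the stronger option.  flags S/SA makes only SYNs
# create state, which is what the counter should see.
pass in quick on $if_wan proto tcp from any to $wan port 22\
 flags S/SA keep state (max-src-conn-rate 5/30)\
 queue (q9_ssh, q9_ack)
# The two firewalls may ssh into each other's physical LAN address.
pass in quick on $if_lan proto tcp from <if_sync> to ($if_lan) port 22\
 queue (q0_ssh, q0_ack)
# Internal clients to internal servers; the tag lets the flow out on
# whichever interface the server is behind (rules at the bottom).
pass in quick on $if_lan proto tcp from <ssh_clients> to <ssh_servers> port 22\
 tag ssh_client queue (q0_ssh, q0_ack)
pass in quick on $if_wlan proto tcp from <ssh_clients> to <ssh_servers> port 22\
 tag ssh_client queue (q2_ssh, q2_ack)

# The firewall itself (its own addresses, <local>) going out to the pair
# and to the internal ssh servers.
pass out quick on $if_lan proto tcp from ($if_lan) to <if_sync> port 22\
 queue (q0_ssh, q0_ack)
pass out quick on $if_lan proto tcp from <local> to <ssh_servers> port 22\
 queue (q0_ssh, q0_ack)
pass out quick on $if_dmz proto tcp from <local> to <ssh_servers> port 22\
 queue (q1_ssh, q1_ack)
pass out quick on $if_wlan proto tcp from <local> to <ssh_servers> port 22\
 queue (q2_ssh, q2_ack)

# Second leg of tagged client flows, in either direction.
pass quick on $if_lan tagged ssh_client queue (q0_ssh, q0_ack)
pass quick on $if_dmz tagged ssh_client queue (q1_ssh, q1_ack)
pass quick on $if_wlan tagged ssh_client queue (q2_ssh, q2_ack)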


# vpn att
# IPsec IKE / NAT-T (500, 4500) from the listed workstations to anywhere;
# the tag carries the flow out on $if_wan and selects the nat rule.  Only
# the wireless interface is covered, so the wired addresses in
# <vpn_att_clients> cannot match this rule.
pass in quick on $if_wlan proto {tcp, udp}\
 from <vpn_att_clients> to any port {500, 4500}\
 tag vpn_att_client queue (q2_vpn, q2_ack)

pass quick on $if_wan tagged vpn_att_client queue (q9_vpn, q9_ack)


# vpn private
# Inbound from the office VPN addresses; disabled while <ip_att> is
# still a placeholder.
#pass in quick on $if_wan proto tcp from <ip_att> to $wan


# nfs
# NFS from the wired clients: portmapper (sunrpc = 111) and nfsd (2049)
# over UDP -- the numeric 111/2049 repeat the named ports -- plus 112,
# and nfsd over TCP.  Only these fixed ports are allowed; mountd/lockd
# normally pick a dynamic port from the portmapper, so mounts through the
# firewall will presumably fail unless those are pinned on the servers.
pass in quick on $if_lan proto udp\
 from <nfs_clients> to <nfs_servers>\
 port {nfsd, sunrpc, 112, 111, 2049}\
 tag nfs_client queue (q0_nfs, q0_ack)
pass in quick on $if_lan proto tcp\
 from <nfs_clients> to <nfs_servers>\
 port {2049}\
 tag nfs_client queue (q0_nfs, q0_ack)
# Wireless clients: UDP only, no TCP 2049.
pass in quick on $if_wlan proto udp\
 from <nfs_clients> to <nfs_servers>\
 port {nfsd, sunrpc, 112}\
 tag nfs_client queue (q2_nfs, q2_ack)

# Second leg towards the LAN and DMZ servers.
pass quick on $if_lan tagged nfs_client queue (q0_nfs, q0_ack)
pass quick on $if_dmz tagged nfs_client queue (q1_nfs, q1_ack)


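# dns
# LAN and wireless clients may query the resolvers over UDP only; TCP 53
# (used for answers that do not fit in 512 bytes / truncated replies) is
# not allowed from clients -- switch to "proto {tcp, udp}" if that bites.
pass in quick on $if_lan proto udp\
 from $net_lan to <dns_servers> port 53\
 tag dns_client queue (q0_dns, q0_ack)
# The DMZ resolver may recurse to the outside (TCP and UDP); the tag
# carries it out on $if_wan and selects the nat rule.
pass in quick on $if_dmz proto {tcp, udp}\
 from <dns_servers> to any port 53\
 tag dns_server queue (q1_dns, q1_ack)
pass in quick on $if_wlan proto udp\
 from $net_wlan to <dns_servers> port 53\
 tag dns_client queue (q2_dns, q2_ack)

pass out quick on $if_dmz proto {tcp, udp}\
 from <dns_clients> to <dns_servers> port 53\
 queue (q1_dns, q1_ack)

# Second leg of client queries.  This rule used "queue (q9_dns, q9_ack)",
# which are the queues of the $if_wan altq set: a queue that does not
# exist on the interface a packet leaves on falls back to that
# interface's default queue, so LAN DNS traffic landed in q0_def instead
# of the queue meant for it.
pass quick on $if_lan tagged dns_client queue (q0_dns, q0_ack)
pass quick on $if_dmz tagged dns_client queue (q1_dns, q1_ack)
pass quick on $if_wan tagged dns_server queue (q9_dns, q9_ack)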


# ntp
# Internal clients to the internal time servers (the firewall's own
# addresses are in <ntp_servers>, so this includes ntpd on the firewall).
pass in quick on $if_wlan proto udp\
 from <ntp_clients> to <ntp_servers> port 123\
 queue q2_ntp
pass in quick on $if_lan proto udp\
 from <ntp_clients> to <ntp_servers> port 123\
 queue q0_ntp
pass in quick on $if_dmz proto udp\
 from <ntp_clients> to <ntp_servers> port 123\
 queue q1_ntp

# The firewall's own ntpd syncing to external servers, logged.  NTP is
# UDP; the tcp half of the list is harmless but unused.
pass out log quick on $if_wan proto {tcp, udp}\
 from $wan to !<net_all> port 123\
 queue q9_ntp


# igmp, icmp
# Inbound to the public address from anywhere: destination unreachable
# (type 3, needed for path-MTU discovery) and echo request (type 8).
# State from the echo rule covers the replies we send back.
pass in quick on $if_wan proto icmp\
 from any to $wan icmp-type 3 queue q9_icmp
pass in quick on $if_wan proto icmp\
 from any to $wan icmp-type 8 queue q9_icmp

# Our own pings out.  The explicit echo-reply (type 0) rule to <ip_att>
# only matters for replies that no state covers.  Type 3 towards $via03
# on the DMZ lets unreachable/PMTU messages reach the torrent host.
pass out quick on $if_wan proto icmp\
 from $wan to any icmp-type 8 queue q9_icmp
pass out quick on $if_wan proto icmp\
 from $wan to <ip_att> icmp-type 0 queue q9_icmp
pass out quick on $if_dmz proto icmp\
 from any to $via03 icmp-type 3 queue q1_icmp


# samba
# Unlogged, non-quick block: NetBIOS/SMB broadcasts and probes would be
# dropped by "block log all" anyway -- this rule just keeps them out of
# the log.  The quick pass rules below still override it.
block in proto {udp, tcp} from any to any port {137, 138, 139, 445}
pass in quick on $if_lan proto {udp, tcp}\
 from <smb_clients> to <smb_servers>\
 port {137, 138, 139, 445}\
 tag smb_client queue (q0_smb, q0_ack)
pass in quick on $if_wlan proto {udp, tcp}\
 from <smb_clients> to <smb_servers>\
 port {137, 138, 139, 445}\
 tag smb_client queue (q2_smb, q2_ack)

# Second leg towards the LAN and DMZ servers.
pass quick on $if_lan tagged smb_client queue (q0_smb, q0_ack)
pass quick on $if_dmz tagged smb_client queue (q1_smb, q1_ack)


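# Squid proxy
# Clients to the proxy port.
pass in quick on $if_wlan proto tcp\
 from <proxy_clients> to <proxy_servers> port 3128\
 tag proxy_client queue (q2_proxy, q2_ack)
# The proxy fetching from the outside.  The destination used to be
# "{any, !<net_all>}"; a list expands to one rule per element and the
# "any" rule matched everything, so on this inbound leg the proxy could
# open TCP to any port of the firewall itself (and to any internal host
# that had a matching out rule).  Only non-local destinations are passed
# now; add a separate rule if the proxy must reach an internal site.
pass in quick on $if_dmz proto tcp\
 from <proxy_servers> to !<net_all>\
 tag proxy_server queue (q1_proxy, q1_ack)
pass in quick on $if_lan proto tcp\
 from <proxy_clients> to <proxy_servers> port 3128\
 tag proxy_client queue (q0_proxy, q0_ack)

# Second legs.  ext_proxy_rdr is set by a redirect that is currently
# commented out, so that rule matches nothing.
pass quick on $if_dmz tagged proxy_client queue (q1_proxy, q1_ack)
pass quick on $if_dmz tagged ext_proxy_rdr queue (q1_proxy, q1_ack)
pass quick on $if_wan tagged proxy_server queue (q9_proxy, q9_ack)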


# mail
# Manual deny list.  Beware: SMTP arriving on $if_wan is handled by the
# "rdr pass" rules, which bypass the filter section entirely, so this
# rule cannot keep a <spamd-denied> host away from spamd.  It only bites
# on the DMZ-out leg of flows redirected straight to $mail (and on any
# internal client in the list).
block quick proto tcp from <spamd-denied> to any port smtp

# Internal clients submitting / reading mail.
pass in quick on $if_lan proto tcp\
 from <mail_clients> to <mail_servers> port {smtp, imap}\
 tag mail_client queue (q0_mail, q0_ack)
pass in quick on $if_wlan proto tcp\
 from <mail_clients> to <mail_servers> port {smtp, imap}\
 tag mail_client queue (q2_mail, q2_ack)
# The mail server delivering outbound and doing ident (auth = 113)
# lookups, logged.  <mail_servers> only holds a DMZ address, so the
# $if_lan variant cannot match as the tables stand.
pass in quick log on $if_lan proto tcp\
 from <mail_servers> to any port {smtp, auth}\
 tag mail_server queue (q0_mail, q0_ack)
pass in quick log on $if_dmz proto tcp\
 from <mail_servers> to any port {smtp, auth}\
 tag mail_server queue (q1_mail, q1_ack)

pass quick on $if_lan tagged mail_client queue (q0_mail, q0_ack)
pass quick on $if_dmz tagged mail_client queue (q1_mail, q1_ack)

# DMZ-out leg of the SMTP redirect from the outside (tag set by rdr).
pass out quick log on $if_lan proto tcp\
 from any to <mail_servers> port smtp\
 tagged mail_rdr queue (q0_mail, q0_ack)
pass out quick log on $if_dmz proto tcp\
 from any to <mail_servers> port smtp\
 tagged mail_rdr queue (q1_mail, q1_ack)
# ident lookups from the mail server back to wireless clients.
pass out quick on $if_wlan proto tcp\
 from <mail_servers> to <mail_clients> port 113 queue (q2_mail, q2_ack)

pass quick on $if_wan tagged mail_server queue (q9_mail, q9_ack)


# vnc
# Any wireless host to VNC anywhere -- but the only second-leg rule is
# on $if_lan (and there is no vnc nat rule), so in practice this reaches
# LAN hosts only.
pass in quick on $if_wlan proto tcp\
 from $net_wlan to any port 5900\
 tag vnc queue (q2_vnc, q2_ack)

pass quick on $if_lan tagged vnc queue (q0_vnc, q0_ack)


# http
# Direct (proxy-bypassing) HTTP from the listed wireless clients to the
# two public hosts in <http_servers>; tag selects the nat rule.
pass in quick on $if_wlan proto tcp\
 from <http_clients> to <http_servers> port http\
 tag http_client queue (q2_http, q2_ack)

# DMZ-out leg of the web-server redirect.  This needs a q1_http queue in
# the $if_dmz altq set; make sure one is defined there.
pass quick on $if_dmz\
 tagged web_rdr queue (q1_http, q1_ack)

pass quick on $if_wan tagged http_client queue (q9_http, q9_ack)


# VMware console
# Console port 902 from the listed wireless clients to the VMware hosts
# on the LAN.  The wired client addresses share the LAN segment with the
# servers and never cross the firewall.
pass in quick on $if_wlan proto tcp\
 from <vmware_clients> to <vm_servers> port 902\
 tag vmware_client queue (q2_vmware, q2_ack)

pass quick on $if_lan tagged vmware_client queue (q0_vmware, q0_ack)


# bittorrent
# Torrent hosts may talk to anything outside our networks; tag selects
# the nat rule.  Note the tos 0x08 block below comes *after* this quick
# pass, so it is shadowed and never fires; put it first if TOS 0x08
# packets are meant to be dropped.
pass in quick on $if_dmz proto {tcp, udp}\
 from <torrent_servers> to !<net_all>\
 tag torrent_server queue (q1_torrent, q1_ack)
block quick on $if_dmz proto tcp\
 from <torrent_servers> to !<net_all> tos 0x08

pass quick on $if_wan tagged torrent_server queue (q9_torrent, q9_ack)


# cvs
# cvsup (port 5999) from the listed clients to the FreeBSD CVS servers;
# tag selects the nat rule.
pass in quick on $if_lan proto tcp\
 from <cvs_clients> to <cvs_servers> port 5999\
 tag cvs_client queue (q0_cvs, q0_ack)
pass in quick on $if_wlan proto tcp\
 from <cvs_clients> to <cvs_servers> port 5999\
 tag cvs_client queue (q2_cvs, q2_ack)

pass quick on $if_wan tagged cvs_client queue (q9_cvs, q9_ack)


# temp
# Experiments, both disabled.  The first would let anything from the
# public address out unconditionally -- keep it commented out.
#pass out on $if_wan from $wan to any queue (q9_def, q9_ack)
#pass in log on $if_wlan from $dell02w to any