Created
July 7, 2017 16:48
-
-
Save tonykwon/10d18de61708636a834532775cad6947 to your computer and use it in GitHub Desktop.
OpenBSD PF Queue Example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # based on https://www.openbsd.org/faq/pf/example1.html | |
| # | |
| int_if="{ msk0 }" | |
| ext_if="{ axe0 }" | |
| table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \ | |
| 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \ | |
| 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \ | |
| 203.0.113.0/24 } | |
| set block-policy drop | |
| set loginterface egress | |
| set skip on lo0 | |
| # 5M is the max upload bandwidth | |
| # | |
| queue root on $ext_if bandwidth 5M max 5M burst 6250K for 3200ms | |
| queue dns parent root bandwidth 250K | |
| queue ack parent root bandwidth 2M | |
| queue bulk parent root bandwidth 2750K default | |
| match in all scrub (no-df random-id max-mss 1440) | |
| match out on egress inet from !(egress:network) to any nat-to (egress:0) | |
| match on egress proto tcp to port {21,80,443,5223} set queue (bulk,ack) set prio (3, 6) | |
| match out on egress proto udp set prio 4 | |
| match out on egress proto {tcp,udp} from any to any port 53 set queue dns set prio 7 | |
| block in quick on egress from <martians> to any | |
| block return out quick on egress from any to <martians> | |
| block all | |
| pass out quick inet | |
| pass in on $int_if inet | |
| pass in on egress inet proto tcp from any to (egress) port 22 set prio (3, 6) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment