Update pf examples from OpenBSD to catch up with new stateful defaults and
other syntax changes. Move pf.conf from /etc to examples, too.
parent
dffc4d533f
commit
42a227f8ba
@ -14,7 +14,7 @@ BIN1= amd.map apmd.conf auth.conf \
|
||||
hosts hosts.allow hosts.equiv hosts.lpd \
|
||||
inetd.conf libalias.conf login.access login.conf mac.conf motd \
|
||||
netconfig network.subr networks newsyslog.conf nsswitch.conf \
|
||||
portsnap.conf pf.conf pf.os phones profile protocols \
|
||||
portsnap.conf pf.os phones profile protocols \
|
||||
rc rc.bsdextended rc.firewall rc.firewall6 rc.initdiskless \
|
||||
rc.sendmail rc.shutdown \
|
||||
rc.subr remote rpc services shells \
|
||||
|
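Review bot: Dropping `pf.conf` from `BIN1` means a fresh install no longer ships any `/etc/pf.conf`, while the deleted `etc/pf.conf` and the new example both still point readers at `/usr/share/examples/pf`. If the pf rc script's default rules path is still `/etc/pf.conf` (not visible in this commit), a host with pf enabled and no locally created ruleset will fail to load rules at boot rather than start with the previous commented-out defaults; that deserves a mention in UPDATING or the rc script's documentation. The `BIN1` assignment starts before this hunk.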
83
etc/pf.conf
83
etc/pf.conf
@ -1,83 +0,0 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
|
||||
#
|
||||
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
|
||||
# Required order: options, normalization, queueing, translation, filtering.
|
||||
# Macros and tables may be defined and used anywhere.
|
||||
# Note that translation rules are first match while filter rules are last match.
|
||||
|
||||
# Macros: define common values, so they can be referenced and changed easily.
|
||||
#ext_if="ext0" # replace with actual external interface name i.e., dc0
|
||||
#int_if="int0" # replace with actual internal interface name i.e., dc1
|
||||
#internal_net="10.1.1.1/8"
|
||||
#external_addr="192.168.1.1"
|
||||
|
||||
# Tables: similar to macros, but more flexible for many addresses.
|
||||
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
|
||||
|
||||
# Options: tune the behavior of pf, default values are given.
|
||||
#set timeout { interval 10, frag 30 }
|
||||
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
|
||||
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
|
||||
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
|
||||
#set timeout { icmp.first 20, icmp.error 10 }
|
||||
#set timeout { other.first 60, other.single 30, other.multiple 60 }
|
||||
#set timeout { adaptive.start 0, adaptive.end 0 }
|
||||
#set limit { states 10000, frags 5000 }
|
||||
#set loginterface none
|
||||
#set optimization normal
|
||||
#set block-policy drop
|
||||
#set require-order yes
|
||||
#set fingerprints "/etc/pf.os"
|
||||
|
||||
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
|
||||
#scrub in all
|
||||
|
||||
# Queueing: rule-based bandwidth control.
|
||||
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
|
||||
#queue dflt bandwidth 5% cbq(default)
|
||||
#queue developers bandwidth 80%
|
||||
#queue marketing bandwidth 15%
|
||||
|
||||
# Translation: specify how addresses are to be mapped or redirected.
|
||||
# nat: packets going out through $ext_if with source address $internal_net will
|
||||
# get translated as coming from the address of $ext_if, a state is created for
|
||||
# such packets, and incoming packets will be redirected to the internal address.
|
||||
#nat on $ext_if from $internal_net to any -> ($ext_if)
|
||||
|
||||
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
|
||||
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
|
||||
# outgoing packets will be translated as coming from the external address.
|
||||
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
|
||||
|
||||
# rdr outgoing FTP requests to the ftp-proxy
|
||||
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
|
||||
|
||||
# spamd-setup puts addresses to be redirected into table <spamd>.
|
||||
#table <spamd> persist
|
||||
#no rdr on { lo0, lo1 } from any to any
|
||||
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
|
||||
|
||||
# Filtering: the implicit first two rules are
|
||||
#pass in all
|
||||
#pass out all
|
||||
|
||||
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
|
||||
# connections and keep state, logging blocked packets.
|
||||
#block in log all
|
||||
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
|
||||
#pass out on $ext_if proto { tcp, udp } all keep state
|
||||
|
||||
# pass incoming packets destined to the addresses given in table <foo>.
|
||||
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
|
||||
|
||||
# pass incoming ports for ftp-proxy
|
||||
#pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
|
||||
|
||||
# Alternate rule to pass incoming ports for ftp-proxy
|
||||
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
|
||||
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
|
||||
|
||||
# assign packets to a queue.
|
||||
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
|
||||
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
|
@ -4,6 +4,7 @@ NO_OBJ=
|
||||
|
||||
FILES= faq-example1 faq-example2 faq-example3 \
|
||||
ackpri queue1 queue2 queue3 queue4 \
|
||||
pf.conf \
|
||||
spamd
|
||||
|
||||
FILESDIR= ${SHAREDIR}/examples/pf
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: ackpri,v 1.2 2003/03/10 14:24:33 henning Exp $
|
||||
# $OpenBSD: ackpri,v 1.3 2006/10/07 04:48:01 mcbride Exp $
|
||||
|
||||
# Use a simple priority queue to prioritize empty (no payload) TCP ACKs,
|
||||
# which dramatically improves throughput on (asymmetric) links when the
|
||||
@ -25,9 +25,7 @@ altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
|
||||
queue q_pri priority 7
|
||||
queue q_def priority 1 priq(default)
|
||||
|
||||
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
|
||||
keep state queue (q_def, q_pri)
|
||||
pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
|
||||
|
||||
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
|
||||
keep state queue (q_def, q_pri)
|
||||
pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)
|
||||
|
||||
|
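Review bot: The rewritten `pass` rules drop `flags S/SA keep state` and rely on the implicit stateful TCP default that the commit message refers to, but nothing in the example says so, and on a pf that predates that default the same rules become stateless passes. A one-line header comment would make the dependency explicit, e.g. `# These rules rely on pf's implicit "flags S/SA keep state" for TCP; older pf needs it spelled out.` The same applies to the faq-example1, faq-example2, faq-example3, queue1, queue2 and queue3 hunks in this commit.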
@ -1,5 +1,5 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
|
||||
# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $
|
||||
|
||||
#
|
||||
# Firewall for Home or Small Office
|
||||
@ -8,41 +8,44 @@
|
||||
|
||||
|
||||
# macros
|
||||
int_if = "fxp0"
|
||||
ext_if = "ep0"
|
||||
ext_if="fxp0"
|
||||
int_if="xl0"
|
||||
|
||||
tcp_services = "{ 22, 113 }"
|
||||
icmp_types = "echoreq"
|
||||
tcp_services="{ 22, 113 }"
|
||||
icmp_types="echoreq"
|
||||
|
||||
comp3="192.168.0.3"
|
||||
|
||||
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
|
||||
|
||||
# options
|
||||
set block-policy return
|
||||
set loginterface $ext_if
|
||||
|
||||
set skip on lo
|
||||
|
||||
# scrub
|
||||
scrub in all
|
||||
scrub in
|
||||
|
||||
# nat/rdr
|
||||
nat on $ext_if from $int_if:network to any -> ($ext_if)
|
||||
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
|
||||
port 8021
|
||||
nat on $ext_if from !($ext_if) -> ($ext_if:0)
|
||||
nat-anchor "ftp-proxy/*"
|
||||
rdr-anchor "ftp-proxy/*"
|
||||
|
||||
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
|
||||
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
|
||||
|
||||
# filter rules
|
||||
block all
|
||||
block in
|
||||
|
||||
pass quick on lo0 all
|
||||
pass out
|
||||
|
||||
block drop in quick on $ext_if from $priv_nets to any
|
||||
block drop out quick on $ext_if from any to $priv_nets
|
||||
anchor "ftp-proxy/*"
|
||||
antispoof quick for { lo $int_if }
|
||||
|
||||
pass in on $ext_if inet proto tcp from any to ($ext_if) \
|
||||
port $tcp_services flags S/SA keep state
|
||||
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
|
||||
|
||||
pass in inet proto icmp all icmp-type $icmp_types keep state
|
||||
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
|
||||
synproxy state
|
||||
|
||||
pass in on $int_if from $int_if:network to any keep state
|
||||
pass out on $int_if from any to $int_if:network keep state
|
||||
pass in inet proto icmp all icmp-type $icmp_types
|
||||
|
||||
pass out on $ext_if proto tcp all modulate state flags S/SA
|
||||
pass out on $ext_if proto { udp, icmp } all keep state
|
||||
pass quick on $int_if no state
|
||||
|
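Review bot: The `priv_nets` macro and the two `block drop ... quick on $ext_if` rules that rejected RFC1918 sources and destinations on the external interface are removed without an equivalent; `antispoof quick for { lo $int_if }` only covers the networks configured on lo and $int_if, so an inbound packet on $ext_if with a private source address now falls through to `pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services`. If the intent is to track the upstream FAQ example exactly, a short comment noting that bogon filtering was dropped and how to add it back would keep readers from assuming the new ruleset is a strict superset of the old one. `pass quick on $int_if no state` also bypasses state tracking for everything on the internal interface; a comment on why that is acceptable here (trusted LAN, performance) would help, since the file is meant to be copied.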
@ -1,5 +1,5 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: faq-example2,v 1.2 2003/08/06 16:04:45 henning Exp $
|
||||
# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
|
||||
|
||||
#
|
||||
# Small, Home Network
|
||||
@ -43,9 +43,9 @@ altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
|
||||
# bob_in - bandwidth reserved for Bob's workstation. allow him to
|
||||
# borrow.
|
||||
|
||||
queue std_in cbq(default)
|
||||
queue ssh_im_in priority 4
|
||||
queue dns_in priority 5
|
||||
queue std_in bandwidth 1.6Mb cbq(default)
|
||||
queue ssh_im_in bandwidth 200Kb priority 4
|
||||
queue dns_in bandwidth 120Kb priority 5
|
||||
queue bob_in bandwidth 80Kb cbq(borrow)
|
||||
|
||||
|
||||
@ -63,15 +63,15 @@ block in on fxp0 all
|
||||
|
||||
# filter rules for fxp0 outbound
|
||||
block out on fxp0 all
|
||||
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
|
||||
keep state queue(std_out, tcp_ack_out)
|
||||
pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
|
||||
pass out on fxp0 inet proto tcp from (fxp0) to any \
|
||||
queue(std_out, tcp_ack_out)
|
||||
pass out on fxp0 inet proto { udp icmp } from (fxp0) to any
|
||||
pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
|
||||
keep state queue dns_out
|
||||
queue dns_out
|
||||
pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
|
||||
flags S/SA keep state queue(std_out, ssh_im_out)
|
||||
queue(std_out, ssh_im_out)
|
||||
pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
|
||||
flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
|
||||
queue(ssh_im_out, tcp_ack_out)
|
||||
|
||||
# filter rules for dc0 inbound
|
||||
block in on dc0 all
|
||||
|
@ -1,12 +1,12 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: faq-example3,v 1.2 2003/08/06 16:04:45 henning Exp $
|
||||
# $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $
|
||||
|
||||
#
|
||||
# Company Network
|
||||
# http://www.openbsd.org/faq/pf/queueing.html#example2
|
||||
#
|
||||
|
||||
|
||||
|
||||
# enable queueing on the external interface to queue packets going out
|
||||
# to the Internet. use the cbq scheduler so that the bandwidth use of
|
||||
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
|
||||
@ -18,15 +18,15 @@ altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
|
||||
# outgoing traffic on fxp0.
|
||||
# www_ext - container queue for WWW server queues. limit to
|
||||
# 500Kbps.
|
||||
# www_ext_http - http traffic from the WWW server
|
||||
# www_ext_misc - all non-http traffic from the WWW server
|
||||
# boss_ext - traffic coming from the boss's computer
|
||||
# www_ext_http - http traffic from the WWW server; higher priority.
|
||||
# www_ext_misc - all non-http traffic from the WWW server.
|
||||
# boss_ext - traffic coming from the boss's computer.
|
||||
|
||||
queue std_ext cbq(default)
|
||||
queue std_ext bandwidth 500Kb cbq(default borrow)
|
||||
queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
|
||||
queue www_ext_http priority 3 cbq(red)
|
||||
queue www_ext_misc priority 1
|
||||
queue boss_ext priority 3
|
||||
queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
|
||||
queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
|
||||
queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
|
||||
|
||||
# enable queueing on the internal interface to control traffic coming
|
||||
# from the Internet or the DMZ. use the cbq scheduler to control the
|
||||
@ -42,15 +42,15 @@ altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
|
||||
# is 1.0Mbps.
|
||||
# std_int - the standard queue. also the default queue for outgoing
|
||||
# traffic on dc0.
|
||||
# it_int - traffic to the IT Dept network.
|
||||
# boss_int - traffic to the boss's PC.
|
||||
# www_int - traffic from the WWW server in the DMZ.
|
||||
# it_int - traffic to the IT Dept network; reserve them 500Kbps.
|
||||
# boss_int - traffic to the boss's PC; assign a higher priority.
|
||||
# www_int - traffic from the WWW server in the DMZ; full speed.
|
||||
|
||||
queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
|
||||
queue std_int cbq(default)
|
||||
queue std_int bandwidth 250Kb cbq(default borrow)
|
||||
queue it_int bandwidth 500Kb cbq(borrow)
|
||||
queue boss_int priority 3
|
||||
queue www_int cbq(red)
|
||||
queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
|
||||
queue www_int bandwidth 99Mb cbq(red borrow)
|
||||
|
||||
# enable queueing on the DMZ interface to control traffic destined for
|
||||
# the WWW server. cbq will be used on this interface since detailed
|
||||
@ -64,13 +64,13 @@ altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
|
||||
# define the parameters for the child queues.
|
||||
# internal_dmz - traffic from the internal network.
|
||||
# net_dmz - container queue for traffic from the Internet.
|
||||
# net_dmz_http - http traffic.
|
||||
# net_dmz_http - http traffic; higher priority.
|
||||
# net_dmz_misc - all non-http traffic. this is also the default queue.
|
||||
|
||||
queue internal_dmz # no special settings needed
|
||||
queue internal_dmz bandwidth 99Mb cbq(borrow)
|
||||
queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
|
||||
queue net_dmz_http priority 3 cbq(red)
|
||||
queue net_dmz_misc priority 1 cbq(default)
|
||||
queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
|
||||
queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)
|
||||
|
||||
|
||||
# ... in the filtering section of pf.conf ...
|
||||
@ -88,32 +88,30 @@ block on { fxp0, fxp1, dc0 } all
|
||||
|
||||
# filter rules for fxp0 inbound
|
||||
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
|
||||
> 49151 } flags S/SA keep state queue www_ext_misc
|
||||
> 49151 } queue www_ext_misc
|
||||
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
|
||||
flags S/SA keep state queue www_ext_http
|
||||
queue www_ext_http
|
||||
|
||||
# filter rules for fxp0 outbound
|
||||
pass out on fxp0 from $int_nets to any keep state
|
||||
pass out on fxp0 from $boss to any keep state queue boss_ext
|
||||
pass out on fxp0 from $int_nets to any
|
||||
pass out on fxp0 from $boss to any queue boss_ext
|
||||
|
||||
# filter rules for dc0 inbound
|
||||
pass in on dc0 from $int_nets to any keep state
|
||||
pass in on dc0 from $int_nets to any
|
||||
pass in on dc0 from $it_net to any queue it_int
|
||||
pass in on dc0 from $boss to any queue boss_int
|
||||
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
|
||||
> 49151 } flags S/SA keep state queue www_int
|
||||
> 49151 } queue www_int
|
||||
|
||||
# filter rules for dc0 outbound
|
||||
pass out on dc0 from dc0 to $int_nets
|
||||
|
||||
# filter rules for fxp1 inbound
|
||||
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
|
||||
keep state
|
||||
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53
|
||||
|
||||
# filter rules for fxp1 outbound
|
||||
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
|
||||
> 49151 } flags S/SA keep state queue net_dmz_misc
|
||||
pass out on fxp1 proto tcp from any to $wwwserv port 80 \
|
||||
flags S/SA keep state queue net_dmz_http
|
||||
> 49151 } queue net_dmz_misc
|
||||
pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http
|
||||
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
|
||||
21, > 49151 } flags S/SA keep state queue internal_dmz
|
||||
21, > 49151 } queue internal_dmz
|
||||
|
34
share/examples/pf/pf.conf
Normal file
34
share/examples/pf/pf.conf
Normal file
@ -0,0 +1,34 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
|
||||
#
|
||||
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
|
||||
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
|
||||
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
|
||||
|
||||
#ext_if="ext0"
|
||||
#int_if="int0"
|
||||
|
||||
#table <spamd-white> persist
|
||||
|
||||
#set skip on lo
|
||||
|
||||
#scrub in
|
||||
|
||||
#nat-anchor "ftp-proxy/*"
|
||||
#rdr-anchor "ftp-proxy/*"
|
||||
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
|
||||
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
|
||||
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
|
||||
#rdr pass on $ext_if proto tcp from any to any port smtp \
|
||||
# -> 127.0.0.1 port spamd
|
||||
|
||||
#anchor "ftp-proxy/*"
|
||||
#block in
|
||||
#pass out
|
||||
|
||||
#pass quick on $int_if no state
|
||||
#antispoof quick for { lo $int_if }
|
||||
|
||||
#pass in on $ext_if proto tcp to ($ext_if) port ssh
|
||||
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
|
||||
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
|
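Review bot: `-> 127.0.0.1 port spamd` uses a service name where the old example used the numeric `8025`, so the rule now depends on a `spamd` entry in `/etc/services`; if the FreeBSD services file does not carry one, `pfctl` will reject the ruleset when a user uncomments these lines. Either confirm the entry exists or keep the number with a comment, e.g. `# -> 127.0.0.1 port 8025  # spamd`. The same substitution is made in the spamd example hunk later in this commit. Note also that the continuation line `# -> 127.0.0.1 port spamd` carries its own `#`, so a reader must uncomment both lines of that `rdr pass` rule.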
@ -1,5 +1,5 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: queue1,v 1.3 2003/01/20 16:14:23 henning Exp $
|
||||
# $OpenBSD: queue1,v 1.4 2006/10/07 04:48:01 mcbride Exp $
|
||||
|
||||
ext_if = "dc0"
|
||||
|
||||
@ -14,10 +14,8 @@ queue ssh bandwidth 100Kb priority 7 cbq(borrow)
|
||||
queue rsets bandwidth 7500b priority 0 cbq(red)
|
||||
|
||||
block return in on $ext_if inet all queue rsets
|
||||
pass in on $ext_if inet proto tcp from any to any port 80 keep state queue http
|
||||
pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
|
||||
pass in on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
|
||||
pass out on $ext_if inet proto tcp from any to any port 25 keep state queue mail
|
||||
pass out on $ext_if inet all keep state
|
||||
|
||||
|
||||
pass in on $ext_if inet proto tcp from any to any port 80 queue http
|
||||
pass out on $ext_if inet proto tcp from any to any port 22 queue ssh
|
||||
pass in on $ext_if inet proto tcp from any to any port 22 queue ssh
|
||||
pass out on $ext_if inet proto tcp from any to any port 25 queue mail
|
||||
pass out on $ext_if inet all
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: queue2,v 1.2 2003/01/20 16:14:23 henning Exp $
|
||||
# $OpenBSD: queue2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
|
||||
# advanced queue example.
|
||||
# give interactive ssh traffic priority over ssh bulk transfers (scp, sftp)
|
||||
|
||||
@ -15,15 +15,15 @@ queue developers bandwidth 75% cbq(borrow)
|
||||
queue employees bandwidth 15%
|
||||
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
|
||||
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
|
||||
queue ssh_interactive priority 7
|
||||
queue ssh_bulk priority 0
|
||||
queue ssh_interactive bandwidth 25% priority 7
|
||||
queue ssh_bulk bandwidth 75% priority 0
|
||||
|
||||
block return out on $ext_if inet all queue std
|
||||
pass out on $ext_if inet proto tcp from $developerhosts to any port 80 \
|
||||
keep state queue developers
|
||||
queue developers
|
||||
pass out on $ext_if inet proto tcp from $employeehosts to any port 80 \
|
||||
keep state queue employees
|
||||
queue employees
|
||||
pass out on $ext_if inet proto tcp from any to any port 22 \
|
||||
keep state queue(ssh_bulk, ssh_interactive)
|
||||
queue(ssh_bulk, ssh_interactive)
|
||||
pass out on $ext_if inet proto tcp from any to any port 25 \
|
||||
keep state queue mail
|
||||
queue mail
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: queue3,v 1.2 2003/01/20 16:14:23 henning Exp $
|
||||
# $OpenBSD: queue3,v 1.3 2006/10/07 04:48:01 mcbride Exp $
|
||||
# simple PRIQ example
|
||||
|
||||
ext_if="lo0"
|
||||
@ -9,8 +9,8 @@ queue pri-low priority 0
|
||||
queue pri-med priority 1 priq(default)
|
||||
queue pri-high priority 2
|
||||
|
||||
pass out on $ext_if proto tcp from any to any port 22 keep state \
|
||||
pass out on $ext_if proto tcp from any to any port 22 \
|
||||
queue(pri-med, pri-high)
|
||||
pass out on $ext_if proto tcp from any to any port 80 keep state queue pri-med
|
||||
pass in on $ext_if proto tcp from any to any port 80 keep state queue pri-low
|
||||
pass out on $ext_if proto tcp from any to any port 80 queue pri-med
|
||||
pass in on $ext_if proto tcp from any to any port 80 queue pri-low
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
# $FreeBSD$
|
||||
# $OpenBSD: spamd,v 1.1 2003/08/22 15:25:01 henning Exp $
|
||||
# $OpenBSD: spamd,v 1.2 2005/08/06 19:52:37 jmc Exp $
|
||||
|
||||
# spamd-setup puts addresses to be redirected into table <spamd>.
|
||||
|
||||
table <spamd> persist
|
||||
no rdr on { lo0, lo1 } from any to any
|
||||
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
|
||||
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
|
||||
|