Wangster
March 31st, 2004, 20:03
Hi, I'm new to OpenBSD and PF, but I've been trying to find a simple pf.conf that doesn't filter any ports, but does help me optimize my 1.5M/1M DSL line. Can anyone point me in the right direction? I just want a transparent bridge that does this, no NATing, no filtering. I think it's called queueing but I don't know. lol

ealwen
April 1st, 2004, 04:25
The PF FAQ on the openbsd.org site has an example (http://www.openbsd.org/faq/pf/index.html) listing at the end of it; just take out the "nat on" and the "rdr on" lines and you're good.

elmore
April 1st, 2004, 09:47
Filtering is important. That being said, I think I have a transparent ruleset floating around the forum someplace. My current ruleset uses queueing; I'll post that as well, though it also does packet filtering. You'll just need to remove the filtering part.

The queueing below is optimized for an asynchronous DSL/Cable line.
[code]

# Macros: define common values, so they can be referenced and changed easily.

ext_if="dc0" # replace with the actual external interface name, e.g. dc0
int_if="dc1" # replace with the actual internal interface name, e.g. dc1
internal_net="10.xxx.xxx.0/24"
ssh_ports="{ 22 2022 }"
sshhost="any"
im_ports="{ 1863 5190 5222 }"
NoRouteIP="{ 127.0.0.1/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

scrub in on $ext_if all fragment reassemble

## Enable a 200Kb upstream queue on the external interface

altq on $ext_if priq bandwidth 200Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }
altq on $int_if cbq bandwidth 3Mb queue { std_in, ssh_im_in, dns_in }

# define the parameters for the child queues.
# std_out - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_out - interactive SSH and various instant message traffic.
# dns_out - DNS queries.
# tcp_ack_out - TCP ACK packets with no data payload.

queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6

# queueing on the internal interface (declared in the altq line above)
# controls traffic coming in from the Internet. the cbq scheduler is used
# to control bandwidth. max bandwidth is 3Mbps.

# define the parameters for the child queues.
# std_in - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_in - interactive SSH and various instant message traffic.
# dns_in - DNS replies.
#
# cbq child queues need an explicit bandwidth share; an unspecified share
# defaults to 100% of the parent, and the shares must not add up to more
# than the parent's 3Mb or pfctl refuses the ruleset. the split below is
# one reasonable division of the 3Mb.

queue std_in bandwidth 2.6Mb cbq(default)
queue ssh_im_in bandwidth 250Kb priority 4
queue dns_in bandwidth 150Kb priority 5

#NAT to the internal network
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port 6881 -> xxx.xxx.xxx.xxx
rdr on $ext_if proto udp from any to $ext_if port 6881 -> xxx.xxx.xxx.xxx

#Don't allow anyone to spoof unroutable addresses

block in quick on $ext_if from $NoRouteIP to any
block out quick on $ext_if from any to $NoRouteIP

# Block bogus TCP flag combinations (used by NMAP-style scans) and log them

block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU

#Block in Everything by default
block in on $ext_if all

#Allow Bit-Torrent
pass in quick on $ext_if inet proto tcp from any to any port = 6881
pass in quick on $ext_if inet proto udp from any to any port = 6881

# Allow isakmp
pass in quick on $ext_if inet proto udp from any to any port = 500
pass in quick on $ext_if inet proto esp from any to any

#Let outgoing traffic out and assign it to a queue
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state \
queue (std_out, tcp_ack_out)
pass out on $ext_if inet proto udp from any to any port = 500
pass out on $ext_if inet proto esp from any to any
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
pass out on $ext_if inet proto { tcp udp } from $ext_if to any port domain \
keep state queue dns_out
pass out on $ext_if inet proto tcp from $ext_if to any port $ssh_ports \
flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from $ext_if to any port $im_ports \
flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

# filter rules for $int_if inbound: only accept traffic from the internal network
block in on $int_if all
pass in on $int_if from $internal_net

# filter rules for $int_if outbound
block out on $int_if all
pass out on $int_if from any to $internal_net
pass out on $int_if proto { tcp udp } from any port domain to $internal_net \
queue dns_in
pass out on $int_if proto tcp from any port $ssh_ports to $internal_net \
queue(std_in, ssh_im_in)
pass out on $int_if proto tcp from any port $im_ports to $internal_net \
queue ssh_im_in
[/code]
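As an added example for the original question (not from the PF FAQ and not elmore's ruleset above), here is a queue-only pf.conf for a transparent bridge on a 1.5M down / 1M up DSL line: no nat, no rdr, no block rules, just pass rules that sort traffic into queues. Interface names, the bridge layout and the queue bandwidths are assumptions: dc0 is taken to face the DSL modem, dc1 the LAN, both as members of one bridge configured outside pf.conf. The altq bandwidths are set a little below the real line rates so that pf, rather than the modem, is the bottleneck and therefore the one controlling the queue.

```pf
# Added example, not code from this thread. Queue-only ruleset for a
# transparent bridge on a 1.5M down / 1M up DSL line.
# Assumed: dc0 = bridge member towards the DSL modem, dc1 = bridge member
# towards the LAN. Rates are set ~5% under the line rate on purpose.
ext_if="dc0"   # assumed: interface towards the DSL modem
int_if="dc1"   # assumed: interface towards the LAN

# Upstream (1M up): priority queueing, 950Kb so the queue fills before the modem does.
altq on $ext_if priq bandwidth 950Kb queue { std_out, ssh_out, dns_out, ack_out }
queue std_out priq(default)
queue ssh_out priority 4 priq(red)
queue dns_out priority 5
queue ack_out priority 6

# Downstream (1.5M down): cbq; child shares must not exceed the parent's 1400Kb.
altq on $int_if cbq bandwidth 1400Kb queue { std_in, ssh_in, dns_in }
queue std_in bandwidth 1100Kb cbq(default)
queue ssh_in bandwidth 200Kb priority 4 cbq(borrow)
queue dns_in bandwidth 100Kb priority 5 cbq(borrow)

# Nothing is blocked. pf applies the LAST matching rule, so the catch-all
# rules come first and the more specific classification rules after them.
pass in all
pass out on $ext_if all keep state queue std_out
# TCP: empty ACKs go to the second queue of the pair so a saturated upload
# does not throttle downloads (the asymmetric-link problem).
pass out on $ext_if inet proto tcp all flags S/SA keep state queue (std_out, ack_out)
pass out on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state queue (ssh_out, ack_out)
pass out on $ext_if inet proto { tcp udp } from any to any port domain keep state queue dns_out

# Downstream classification happens on the way out of the LAN-side member.
pass out on $int_if all queue std_in
pass out on $int_if proto tcp from any port 22 to any queue ssh_in
pass out on $int_if proto { tcp udp } from any port domain to any queue dns_in
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and enable pf with `pfctl -e`. `pfctl -vvsq` shows per-queue packet and byte counters, which is the quickest way to confirm that SSH, DNS and empty ACKs are actually landing in their own queues and not all falling into the default queue. If pfctl complains about child bandwidth, the cbq shares add up to more than the parent altq bandwidth; the priq queues on the upstream side take no bandwidth value at all.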