action [direction] [log] [quick] [on interface] [af] [proto protocol] \
[from src_addr [port src_port]] [to dst_addr [port dst_port]] \
[flags tcp_flags] [state]
/etc/pf.conf (continued)
#######################################################
#
# Packet Queuing Rules
#
# NOTE(review): the macros used below ($ext_if, $int_if, $prv_ad, $prv_ads,
# $ext_ad, $ext_ads, $int_webproxy, $int_nameserver, $nat_proto and the
# *ports lists) are defined in an earlier part of the file not shown here.
#
# HFSC scheduler on the external interface; the percentages in the queue
# definitions are relative to this 256Kb link bandwidth.  Every queue named
# here must be defined below, and exactly one must be the default.
altq on $ext_if hfsc bandwidth 256Kb queue{ highqueue, lowqueue, bitqueue, other }
# Each HFSC service curve is written (m1 d m2): bandwidth m1 for the first
# d milliseconds of a backlog, then m2.  linkshare is the guaranteed share,
# upperlimit the hard cap.
queue highqueue hfsc(linkshare (50% 10000 65%) upperlimit (60% 5000 75%))
queue lowqueue hfsc(linkshare (35% 5000 20%) upperlimit (35% 5000 20%))
queue bitqueue hfsc(linkshare (5% 1000 3%) upperlimit (5% 1000 5%))
# Catch-all queue for traffic no pass rule assigns explicitly.
queue other hfsc(default)
#######################################################
#
# Packet Redirection rules
# Do Masquerading (NAT)
# ($ext_if) in parentheses means "the interface's current address", so the
# rule keeps working when the external address changes (e.g. DHCP/PPP).
nat on $ext_if inet proto $nat_proto from $prv_ad to any -> ($ext_if)
# Send all outgoing traffic on port 80 to my web proxy (Squid)
# The "no rdr" exemption keeps the proxy's own outbound port-80 traffic
# from being redirected back to itself (redirect loop).
no rdr on $int_if inet proto tcp from $int_webproxy to any port 80
rdr on $int_if proto tcp from $prv_ad to any port 80 -> $int_webproxy port 3128
# Redirected connections are additionally NATed to the firewall's internal
# address, so the proxy sends its replies back through the firewall.
# Presumably the proxy is a separate host on the LAN -- verify, as this is
# not needed when Squid runs on the firewall itself.
no nat on $int_if proto tcp from $int_if to $prv_ad
nat on $int_if proto tcp from $prv_ad to $int_webproxy port 3128 -> $int_if
#######################################################
#
# Packet Filtering Rules
# generally block all incoming packets on the external interface
# pf uses last-matching-rule-wins, so the more specific "pass" rules that
# follow override these defaults for the traffic they match.  Adding "log"
# here (block in log on $ext_if all) makes dropped traffic visible in pflog.
block in on $ext_if all
block out on $ext_if all
# pass all to loopback interface
pass quick on lo0 all
# pass all connections from our LAN
# Unrestricted any-to-any on the internal interface, which includes traffic
# addressed to the firewall itself.  No state keyword is given: whether
# "keep state" is implied depends on the pf version -- verify.  pf applies
# "flags" only to TCP, so check on your version how non-TCP LAN traffic is
# handled by these two rules.
pass in quick on $int_if from any to any flags S/SA
pass out quick on $int_if from any to any flags S/SA
# pass all for the name server (if installed)
# TCP/53 is protected by synproxy (pf completes the handshake before the
# server sees the connection); UDP/53 is tracked with keep state.
pass in on $ext_if inet proto tcp from any to $int_nameserver port 53 flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $int_nameserver port 53 keep state
# return destination-unreachable to auth requests
# Answering ident (port "auth", 113) with an ICMP error instead of silently
# dropping it avoids long timeouts at remote mail/IRC servers.
# NOTE(review): $ext_ads here vs $ext_ad in the ssh rule below -- confirm
# both macros exist; one may be a typo.
block return-icmp in quick on $ext_if proto tcp from any to $ext_ads port auth
# block spoofed packets
# Packets arriving on the external interface claiming a private source
# address; logged so spoofing attempts can be detected.
# NOTE(review): $prv_ads here vs $prv_ad in the NAT rules above -- confirm
# both macros are defined.
block in quick log on $ext_if from $prv_ads
# antispoof expands to block rules for each interface's own network/address.
# Because the "pass in quick on $int_if" rule above matches first, these
# generated blocks may never see traffic that arrives on $int_if; pf.conf(5)
# recommends placing antispoof before the pass rules -- review the order.
antispoof for $ext_if
antispoof for $int_if
# allow the ping (echo 8)
# No "on <interface>" qualifier: echo requests from any source are accepted
# on every interface.  Restricting it to the intended interface/destination
# is worth considering.
pass in quick inet proto icmp icmp-type 8 code 0 keep state
# allow ssh
# ssh is reachable from any source.  If remote access from the whole
# Internet is not required, limit the source addresses; otherwise state
# options such as "keep state (max-src-conn-rate 5/30)" bound brute-force
# connection rates.
pass in quick inet proto tcp from any to $ext_ad port 22 flags S/SA keep state
# Assign Traffic to queues
# The following rules are each written on two lines.  pf.conf requires a
# trailing "\" on a continued line (as in the syntax summary above); the
# backslashes appear to have been lost in this listing -- verify the file.
# NOTE(review): "synproxy state" on outbound (client-originated) TCP is
# unusual; synproxy is meant to shield inbound servers.  "keep state" or
# "modulate state", as used for the firewall's own traffic below, is the
# usual choice -- confirm this is intended.
# highqueue
pass out quick on $ext_if inet proto udp from any to any
port $highqueueports keep state queue highqueue
pass out quick on $ext_if inet proto tcp from any to any
port $highqueueports synproxy state queue highqueue
# lowqueue
pass out quick on $ext_if inet proto udp from any to any
port $lowqueueports keep state queue lowqueue
pass out quick on $ext_if inet proto tcp from any to any
port $lowqueueports synproxy state queue lowqueue
# bitqueue
pass out quick on $ext_if inet proto tcp from any to any
port $torrentports synproxy state queue bitqueue
# pass all connections originating from the firewall
# "modulate state" additionally randomises TCP initial sequence numbers for
# the firewall's own connections.  Everything here lands in the default
# "other" queue.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any
modulate state queue other
pass out quick on $ext_if inet proto udp from ($ext_if) to any
keep state queue other
# No state keyword and no queue on outbound ICMP; replies rely on the
# pf version's default state handling -- verify.
pass out quick on $ext_if inet proto icmp from ($ext_if) to any