• Rule syntax
  • action [direction] [log] [quick] [on interface] [af] [proto protocol] \
    [from src_addr [port src_port]] [to dst_addr [port dst_port]] \
    [flags tcp_flags] [state]
    
  • /etc/pf.conf (continued)
  • #######################################################
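    #
    # Packet Queuing Rules
    #
    # HFSC queue tree on the external link ($ext_if), 256Kb in total.  The
    # pass-out rules further down pick a queue with "queue <name>"; "other"
    # is the default queue for traffic that no rule assigns explicitly.
    
    altq on $ext_if hfsc bandwidth 256Kb queue{ highqueue, lowqueue, bitqueue, other }
    
    	queue highqueue hfsc(linkshare (50% 10000 65%) upperlimit (60% 5000 75%))
    	queue lowqueue hfsc(linkshare (35% 5000 20%) upperlimit (35% 5000 20%))
    	queue bitqueue hfsc(linkshare (5% 1000 3%) upperlimit (5% 1000 5%))
    	queue other hfsc(default)
    
    #######################################################
    #
    # Packet Redirection rules
    #
    # Translation (nat/rdr) is applied before the filter rules below, so
    # the filter rules see the translated addresses and ports.
    
    # Do Masquerading (NAT).  "($ext_if)" in parentheses is re-read at
    # runtime, so a changing external address needs no ruleset reload.
    nat on $ext_if inet proto $nat_proto from $prv_ad to any -> ($ext_if)
    
    # Send all outgoing traffic on port 80 to my web proxy (Squid).
    # The "no rdr" line exempts the proxy's own port-80 connections so
    # they are not redirected back to itself.
    no rdr on $int_if inet proto tcp from $int_webproxy to any port 80
    rdr on $int_if proto tcp from $prv_ad to any port 80 -> $int_webproxy port 3128
    
    # Source-NAT the redirected connections to $int_if so the proxy's
    # replies come back via the firewall (presumably the proxy lives on
    # the LAN side, reachable through $int_if).
    no nat on $int_if proto tcp from $int_if to $prv_ad
    nat on $int_if proto tcp from $prv_ad to $int_webproxy port 3128 -> $int_if
    
    #######################################################
    #
    # Packet Filtering Rules
    
    # generally block all incoming packets on the external interface.
    # These two rules are not "quick", so a later matching pass rule
    # overrides them (last match wins); anything else on $ext_if is
    # dropped silently.
    block in on $ext_if all
    block out on $ext_if all
    
    # pass all to loopback interface
    pass quick on lo0 all
    
    # block spoofed packets.  antispoof expands into block rules, so it
    # has to sit AFTER the lo0 rule (it would otherwise interfere with
    # local loopback traffic) but BEFORE the "quick" LAN rules below,
    # which end evaluation before any later spoof check is reached.
    # NOTE(review): $prv_ads here vs $prv_ad in the NAT rules -- confirm
    # both macros are defined (outside this excerpt) and are meant to differ.
    block in quick log on $ext_if from $prv_ads
    antispoof for $ext_if
    antispoof for $int_if
    
    # pass all connections from our LAN
    # NOTE(review): no "keep state" on these two rules; on pf releases
    # where state is not kept by default only the initial SYN matches
    # here and later packets fall through to the implicit default pass --
    # confirm this is intended.
    pass in quick on $int_if from any to any flags S/SA
    pass out quick on $int_if from any to any flags S/SA
    
    # pass all for the name server (if installed).
    # TCP uses synproxy so the firewall completes the handshake before the
    # server sees the connection; UDP just keeps state.
    pass in on $ext_if inet proto tcp from any to $int_nameserver port 53 flags S/SA synproxy state
    pass in on $ext_if inet proto udp from any to $int_nameserver port 53 keep state
    
    # return destination-unreachable to auth (ident, port 113) requests
    # instead of dropping them, so remote mail/irc servers do not wait
    # for a timeout before continuing
    block return-icmp in quick on $ext_if proto tcp from any to $ext_ads port auth
    
    # allow the ping (echo 8).  No "on" clause: this applies on every
    # interface, not only $ext_if.
    pass in quick inet proto icmp icmp-type 8 code 0 keep state
    
    # allow ssh from anywhere to the external address.
    # NOTE(review): this exposes sshd to the whole Internet; consider
    # restricting the source or adding a max-src-conn-rate limit so
    # password guessing is throttled and visible in the logs.
    pass in quick inet proto tcp from any to $ext_ad port 22 flags S/SA keep state
    
    # Assign Traffic to queues.  Each rule is continued on the next line
    # with a trailing backslash; without it pf would read two rules.
    # highqueue
    pass out quick on $ext_if inet proto udp from any to any \
    	port $highqueueports keep state queue highqueue
    pass out quick on $ext_if inet proto tcp from any to any \
    	port $highqueueports synproxy state queue highqueue
    
    # lowqueue
    pass out quick on $ext_if inet proto udp from any to any \
    	port $lowqueueports keep state queue lowqueue
    pass out quick on $ext_if inet proto tcp from any to any \
    	port $lowqueueports synproxy state queue lowqueue
    
    # bitqueue
    pass out quick on $ext_if inet proto tcp from any to any \
    	port $torrentports synproxy state queue bitqueue
    
    # pass all connections originating from the firewall.  Because
    # translation runs first, LAN traffic already masqueraded to ($ext_if)
    # matches here as well and lands in the default "other" queue.
    pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    	modulate state queue other
    pass out quick on $ext_if inet proto udp from ($ext_if) to any \
    	keep state queue other
    # keep state so replies (e.g. echo-reply to our own pings) are let
    # back in past the "block in on $ext_if all" default above
    pass out quick on $ext_if inet proto icmp from ($ext_if) to any keep state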