[FUG-BR] RES: Para os gurus do PF+ALTQ

duany em feesc.org.br duany em feesc.org.br
Sexta Outubro 20 16:27:30 BRST 2006


vou te mandar um modelo que vou começar a usar aqui

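# pf.conf — PF ruleset with ALTQ/CBQ traffic shaping for a small network with
# VoIP phones, read by pfctl(8).
# Rule classes are kept in the order pf.conf(5) requires (enforced below by
# `set require-order yes`): macros, options, normalization, queueing,
# translation, filtering. The pasted listing had the filter block duplicated
# and the `queue ssh` / `nat` lines after the filter rules, which pfctl rejects.
# Filter rules are last-match-wins unless marked `quick`.

# Macros
ext_if = "xl0"
int_if = "xl1"
int_net = "192.168.10.0/24"
voip_addr = "{ 192.168.10.1, 192.168.10.2, 192.168.10.3 }"

# Options: state timeouts (seconds) for the tcp, udp, icmp and other stacks.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# Both thresholds at 0 disable adaptive timeout scaling as the state table fills.
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
#set loginterface $int_if
set optimization normal
# Blocked packets are silently dropped rather than answered with RST/ICMP.
set block-policy drop
# Reject the ruleset at load time if rule classes are out of order.
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and normalize TCP.
scrub all reassemble tcp

# Queueing: ALTQ with CBQ (not PRIQ) on the 1000Kb external link. Bandwidth
# shares sum to 100%; queues marked `borrow` may use idle parent bandwidth.
# CBQ priorities run 0-7 and higher is better: the voice queue was at 1, the
# lowest of the four, so it is raised to 7 so that voice outranks bulk traffic.
altq on $ext_if cbq bandwidth 1000Kb queue { voip, http, std, ssh }
queue voip bandwidth 30% priority 7 cbq
queue http bandwidth 50% priority 6 cbq(borrow)
queue std bandwidth 10% priority 2 cbq(default borrow)
queue ssh bandwidth 10% priority 5 cbq(borrow)

# Translation (applied before filtering; filter rules see translated addresses).
# Source NAT for the IP phones / ATAs; static-port keeps the UDP source port,
# which SIP/RTP endpoints depend on.
nat on $ext_if proto udp from $voip_addr to any -> ($ext_if) static-port
# General NAT for the internal network.
nat on $ext_if from $int_net to any -> ($ext_if)
# Redirect (port forward) to Squid.
# NOTE(review): this matches HTTP arriving from the Internet at $ext_if and
# hands it to Squid on 3128, i.e. it publishes the proxy externally. Redirected
# packets still have to pass the filter rules; with the default-deny inbound
# rule below they are dropped unless an explicit `pass in` is added. A
# transparent proxy for LAN clients would instead be
# `rdr on $int_if proto tcp from $int_net to any port 80 -> 192.168.10.254 port 3128`
# — confirm which was intended.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.10.254 port 3128

# Filtering
# Default-deny inbound on the external interface. The earlier rule matched only
# packets addressed to $ext_if itself; pf passes anything no rule matches, so
# forwarded traffic bound for $int_net was not blocked at all.
block drop in on $ext_if all
# NOTE: the later `pass in on $int_if from any to any` matches last and is not
# `quick`, so this block has no effect as the ruleset stands.
block drop in on $int_if from any to $int_if

# Anti-spoofing for the external interface's networks.
antispoof for { $ext_if } inet

# Drop inbound packets whose TCP fingerprint matches the NMAP entry in /etc/pf.os.
block drop in quick on { $ext_if } from any os { NMAP }

# ICMP echo request (ping) in and out, logged; replies are matched by state.
pass out log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# SIP signalling (5060) in, RTP media out; tos 0xb8 is DSCP EF, the usual
# marking for voice. Both go to the voip queue.
# NOTE(review): `from any to any port 5060` with `quick` accepts SIP from any
# Internet host to any destination, not only the firewall address or the
# phones; restrict it (e.g. `to ($ext_if)` and/or the SIP provider as source)
# if that is not intended.
pass in quick on $ext_if proto udp from any to any port 5060 keep state queue voip
pass out quick on $ext_if proto udp from $ext_if to any port 16384:32768 tos 0xb8 keep state queue voip

# Internal interface: everything allowed in both directions.
pass in on $int_if from any to any
pass out on $int_if from any to any

# Outbound on the external interface. The catch-all comes first on purpose:
# with last-match-wins it used to follow the HTTP rule and override its queue
# assignment, so HTTP/HTTPS never reached the http queue. The port-specific
# rules below now match last and set the queue.
pass out on $ext_if proto { tcp, udp } all keep state

# HTTP and HTTPS (source is the external address after NAT) -> http queue.
pass on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } flags S/SA keep state queue http

# SSH to the external interface on port 22 -> ssh queue.
# NOTE(review): the original comment said "from the internal network", but
# `in on $ext_if from any` admits SSH from the Internet; restrict the source
# if external SSH access is not intended.
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state queue ssh

# Other permitted outbound ports (FTP, SMTP, DNS, POP3, IMAP) -> std queue.
pass on $ext_if proto tcp from ($ext_if) to any port { 21, 25, 53, 110, 143 } flags S/SA keep state queue std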

