Date: Fri, 18 Jul 2003 17:19:01 +0200
From: Angel Todorov
To: stable@freebsd.org
Message-Id: <20030718171901.21b88ba6.atodorov@acm.org>
Subject: pf

Hey, I have a pf conf here, but it is acting up a lot: once it is started, the first thing is that it drops packets, connections to the servers time out, and so on, and the speed is very slow. Have a look, and if anyone can spot a general mistake, please reply :) even though it is not FreeBSD-specific :P I did not write it myself and I am not very familiar with pf, so if anyone can help, they are welcome :) btw, it could also be something in those options like set timeout and optimization :]

# Macros: define common values, so they can be referenced and changed easily.
extif="fxp1" # replace with actual external interface name i.e., dc0
intif="fxp0" # replace with actual internal interface name i.e., dc1
internal_net="172.16.0.0/16"
external_addr="192.168.173.34"
loif="lo0"

set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 10000, frags 5000 }
set optimization normal
#set block-policy drop
#set require-order yes

############ SHAPING goes here ###############################
altq on $intif cbq bandwidth 100Mb queue {etherdown, downstream}
queue etherdown bandwidth 96% cbq(default)
queue downstream bandwidth 4% cbq
altq on $extif cbq bandwidth 100Mb queue { etherup, upstream}
queue etherup bandwidth 99Mb cbq(default)
queue upstream bandwidth 386Kb cbq

pass in quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherdown
pass out quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherup
pass in on $intif proto tcp from 172.16.0.0/16 to any port 80 keep state queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 53 keep state queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 5190 queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 443 queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 4000 queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 25 queue downstream
pass in on $intif proto icmp from 172.16.0.0/16 to any queue downstream
pass in on $intif proto udp from 172.16.0.0/16 to any port 80 queue downstream
pass in on $intif proto udp from 172.16.0.0/16 to any port 53 queue downstream

### manage upstream here
pass out quick on $extif from 172.16.0.0/16 to 172.17.0.0/16 queue etherup
pass out quick on $extif from 172.16.0.0/16 to 172.20.0.0/16 queue etherup
pass out on $extif proto tcp from 172.16.0.0/16 to any port 80 keep state queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 53 keep state queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 443 queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 4000 queue upstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 25 queue upstream
pass out on $extif proto udp from 172.16.0.0/16 to any port 53 queue upstream
pass out on $extif proto udp from 172.16.0.0/16 to any port 80 queue upstream
pass out on $extif proto icmp from 172.16.0.0/16 to any queue upstream