authormlaier <mlaier@FreeBSD.org>2007-11-11 01:16:51 +0000
committermlaier <mlaier@FreeBSD.org>2007-11-11 01:16:51 +0000
commit439399edf83695101aa71cf53c06c52d7ffa7eb9 (patch)
tree107db76477a50666618c07f3792898601748b344 /share/examples
parent10e9042adf470ef6aa9ff73f8e0fa5a48d2139b3 (diff)
Update pf examples from OpenBSD to catch up with new stateful defaults and
other syntax changes. Move pf.conf from /etc to examples, too.
Diffstat (limited to 'share/examples')
-rw-r--r--share/examples/pf/Makefile1
-rw-r--r--share/examples/pf/ackpri8
-rw-r--r--share/examples/pf/faq-example147
-rw-r--r--share/examples/pf/faq-example220
-rw-r--r--share/examples/pf/faq-example360
-rw-r--r--share/examples/pf/pf.conf34
-rw-r--r--share/examples/pf/queue114
-rw-r--r--share/examples/pf/queue214
-rw-r--r--share/examples/pf/queue38
-rw-r--r--share/examples/pf/spamd4
10 files changed, 121 insertions, 89 deletions
diff --git a/share/examples/pf/Makefile b/share/examples/pf/Makefile
index 9eabea1..a6c4470 100644
--- a/share/examples/pf/Makefile
+++ b/share/examples/pf/Makefile
@@ -4,6 +4,7 @@ NO_OBJ=
FILES= faq-example1 faq-example2 faq-example3 \
ackpri queue1 queue2 queue3 queue4 \
+ pf.conf \
spamd
FILESDIR= ${SHAREDIR}/examples/pf
diff --git a/share/examples/pf/ackpri b/share/examples/pf/ackpri
index 18f008d..060b761 100644
--- a/share/examples/pf/ackpri
+++ b/share/examples/pf/ackpri
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $OpenBSD: ackpri,v 1.2 2003/03/10 14:24:33 henning Exp $
+# $OpenBSD: ackpri,v 1.3 2006/10/07 04:48:01 mcbride Exp $
# Use a simple priority queue to prioritize empty (no payload) TCP ACKs,
# which dramatically improves throughput on (asymmetric) links when the
@@ -25,9 +25,7 @@ altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
-pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
- keep state queue (q_def, q_pri)
+pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
-pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
- keep state queue (q_def, q_pri)
+pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)
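Review bot: The two rewritten pass rules drop the explicit `flags S/SA keep state` and now rely on the implicit stateful default the commit message refers to, but nothing in the file says so; a reader applying this example to a pf release without that default gets stateless rules with the same text. A one-line comment above the first rule, `# pass rules keep state and match flags S/SA by default`, records the assumption where it matters. The same remark applies to the filter-rule hunks in faq-example2, faq-example3, queue1, queue2 and queue3, which make the identical removal.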
diff --git a/share/examples/pf/faq-example1 b/share/examples/pf/faq-example1
index 2981203..91942f6 100644
--- a/share/examples/pf/faq-example1
+++ b/share/examples/pf/faq-example1
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
+# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $
#
# Firewall for Home or Small Office
@@ -8,41 +8,44 @@
# macros
-int_if = "fxp0"
-ext_if = "ep0"
+ext_if="fxp0"
+int_if="xl0"
-tcp_services = "{ 22, 113 }"
-icmp_types = "echoreq"
+tcp_services="{ 22, 113 }"
+icmp_types="echoreq"
+
+comp3="192.168.0.3"
-priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
-
# options
set block-policy return
set loginterface $ext_if
+set skip on lo
+
# scrub
-scrub in all
+scrub in
# nat/rdr
-nat on $ext_if from $int_if:network to any -> ($ext_if)
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
- port 8021
+nat on $ext_if from !($ext_if) -> ($ext_if:0)
+nat-anchor "ftp-proxy/*"
+rdr-anchor "ftp-proxy/*"
+
+rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
+rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
-block all
+block in
-pass quick on lo0 all
+pass out
-block drop in quick on $ext_if from $priv_nets to any
-block drop out quick on $ext_if from any to $priv_nets
+anchor "ftp-proxy/*"
+antispoof quick for { lo $int_if }
-pass in on $ext_if inet proto tcp from any to ($ext_if) \
- port $tcp_services flags S/SA keep state
+pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
-pass in inet proto icmp all icmp-type $icmp_types keep state
+pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
+ synproxy state
-pass in on $int_if from $int_if:network to any keep state
-pass out on $int_if from any to $int_if:network keep state
+pass in inet proto icmp all icmp-type $icmp_types
-pass out on $ext_if proto tcp all modulate state flags S/SA
-pass out on $ext_if proto { udp, icmp } all keep state
+pass quick on $int_if no state
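Review bot: The removed `block drop in quick on $ext_if from $priv_nets to any` / `block drop out quick on $ext_if from any to $priv_nets` pair has no replacement; `antispoof quick for { lo $int_if }` only rejects spoofed addresses belonging to loopback and the networks configured on $int_if, so the other private ranges the old `priv_nets` macro listed are no longer filtered on $ext_if and can still reach the `pass in on $ext_if ... port $tcp_services` and `port 80 synproxy state` rules. If that narrowing is intended, say so above the antispoof line, e.g. `# antispoof covers lo and $int_if's own networks only; other private ranges are not filtered here`; otherwise the macro could return as a table-backed block rule so the example keeps its spoof filtering. The new `pass quick on $int_if no state` rule passes all traffic on the inside interface in both directions and is also worth a one-line comment, since it reads very differently from the per-direction rules it replaces.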
diff --git a/share/examples/pf/faq-example2 b/share/examples/pf/faq-example2
index 66e2f25..eded1e8 100644
--- a/share/examples/pf/faq-example2
+++ b/share/examples/pf/faq-example2
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $OpenBSD: faq-example2,v 1.2 2003/08/06 16:04:45 henning Exp $
+# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
#
# Small, Home Network
@@ -43,9 +43,9 @@ altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
# bob_in - bandwidth reserved for Bob's workstation. allow him to
# borrow.
-queue std_in cbq(default)
-queue ssh_im_in priority 4
-queue dns_in priority 5
+queue std_in bandwidth 1.6Mb cbq(default)
+queue ssh_im_in bandwidth 200Kb priority 4
+queue dns_in bandwidth 120Kb priority 5
queue bob_in bandwidth 80Kb cbq(borrow)
@@ -63,15 +63,15 @@ block in on fxp0 all
# filter rules for fxp0 outbound
block out on fxp0 all
-pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
- keep state queue(std_out, tcp_ack_out)
-pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
+pass out on fxp0 inet proto tcp from (fxp0) to any \
+ queue(std_out, tcp_ack_out)
+pass out on fxp0 inet proto { udp icmp } from (fxp0) to any
pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
- keep state queue dns_out
+ queue dns_out
pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
- flags S/SA keep state queue(std_out, ssh_im_out)
+ queue(std_out, ssh_im_out)
pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
- flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
+ queue(ssh_im_out, tcp_ack_out)
# filter rules for dc0 inbound
block in on dc0 all
diff --git a/share/examples/pf/faq-example3 b/share/examples/pf/faq-example3
index c6b7355..61e2c93 100644
--- a/share/examples/pf/faq-example3
+++ b/share/examples/pf/faq-example3
@@ -1,12 +1,12 @@
# $FreeBSD$
-# $OpenBSD: faq-example3,v 1.2 2003/08/06 16:04:45 henning Exp $
+# $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $
#
# Company Network
# http://www.openbsd.org/faq/pf/queueing.html#example2
#
-
+
# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
@@ -18,15 +18,15 @@ altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
# outgoing traffic on fxp0.
# www_ext - container queue for WWW server queues. limit to
# 500Kbps.
-# www_ext_http - http traffic from the WWW server
-# www_ext_misc - all non-http traffic from the WWW server
-# boss_ext - traffic coming from the boss's computer
+# www_ext_http - http traffic from the WWW server; higher priority.
+# www_ext_misc - all non-http traffic from the WWW server.
+# boss_ext - traffic coming from the boss's computer.
-queue std_ext cbq(default)
+queue std_ext bandwidth 500Kb cbq(default borrow)
queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
- queue www_ext_http priority 3 cbq(red)
- queue www_ext_misc priority 1
-queue boss_ext priority 3
+ queue www_ext_http bandwidth 50% priority 3 cbq(red borrow)
+ queue www_ext_misc bandwidth 50% priority 1 cbq(borrow)
+queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
@@ -42,15 +42,15 @@ altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
# is 1.0Mbps.
# std_int - the standard queue. also the default queue for outgoing
# traffic on dc0.
-# it_int - traffic to the IT Dept network.
-# boss_int - traffic to the boss's PC.
-# www_int - traffic from the WWW server in the DMZ.
+# it_int - traffic to the IT Dept network; reserve them 500Kbps.
+# boss_int - traffic to the boss's PC; assign a higher priority.
+# www_int - traffic from the WWW server in the DMZ; full speed.
queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
- queue std_int cbq(default)
+ queue std_int bandwidth 250Kb cbq(default borrow)
queue it_int bandwidth 500Kb cbq(borrow)
- queue boss_int priority 3
-queue www_int cbq(red)
+ queue boss_int bandwidth 250Kb priority 3 cbq(borrow)
+queue www_int bandwidth 99Mb cbq(red borrow)
# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
@@ -64,13 +64,13 @@ altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
# define the parameters for the child queues.
# internal_dmz - traffic from the internal network.
# net_dmz - container queue for traffic from the Internet.
-# net_dmz_http - http traffic.
+# net_dmz_http - http traffic; higher priority.
# net_dmz_misc - all non-http traffic. this is also the default queue.
-queue internal_dmz # no special settings needed
+queue internal_dmz bandwidth 99Mb cbq(borrow)
queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
- queue net_dmz_http priority 3 cbq(red)
- queue net_dmz_misc priority 1 cbq(default)
+ queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow)
+ queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow)
# ... in the filtering section of pf.conf ...
@@ -88,32 +88,30 @@ block on { fxp0, fxp1, dc0 } all
# filter rules for fxp0 inbound
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
- > 49151 } flags S/SA keep state queue www_ext_misc
+ > 49151 } queue www_ext_misc
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
- flags S/SA keep state queue www_ext_http
+ queue www_ext_http
# filter rules for fxp0 outbound
-pass out on fxp0 from $int_nets to any keep state
-pass out on fxp0 from $boss to any keep state queue boss_ext
+pass out on fxp0 from $int_nets to any
+pass out on fxp0 from $boss to any queue boss_ext
# filter rules for dc0 inbound
-pass in on dc0 from $int_nets to any keep state
+pass in on dc0 from $int_nets to any
pass in on dc0 from $it_net to any queue it_int
pass in on dc0 from $boss to any queue boss_int
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
- > 49151 } flags S/SA keep state queue www_int
+ > 49151 } queue www_int
# filter rules for dc0 outbound
pass out on dc0 from dc0 to $int_nets
# filter rules for fxp1 inbound
-pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
- keep state
+pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53
# filter rules for fxp1 outbound
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
- > 49151 } flags S/SA keep state queue net_dmz_misc
-pass out on fxp1 proto tcp from any to $wwwserv port 80 \
- flags S/SA keep state queue net_dmz_http
+ > 49151 } queue net_dmz_misc
+pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
- 21, > 49151 } flags S/SA keep state queue internal_dmz
+ 21, > 49151 } queue internal_dmz
diff --git a/share/examples/pf/pf.conf b/share/examples/pf/pf.conf
new file mode 100644
index 0000000..bd3091b
--- /dev/null
+++ b/share/examples/pf/pf.conf
@@ -0,0 +1,34 @@
+# $FreeBSD$
+# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
+#
+# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
+# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
+# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
+
+#ext_if="ext0"
+#int_if="int0"
+
+#table <spamd-white> persist
+
+#set skip on lo
+
+#scrub in
+
+#nat-anchor "ftp-proxy/*"
+#rdr-anchor "ftp-proxy/*"
+#nat on $ext_if from !($ext_if) -> ($ext_if:0)
+#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
+#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
+#rdr pass on $ext_if proto tcp from any to any port smtp \
+# -> 127.0.0.1 port spamd
+
+#anchor "ftp-proxy/*"
+#block in
+#pass out
+
+#pass quick on $int_if no state
+#antispoof quick for { lo $int_if }
+
+#pass in on $ext_if proto tcp to ($ext_if) port ssh
+#pass in log on $ext_if proto tcp to ($ext_if) port smtp
+#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
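Review bot: Every rule in the new template is commented out, and pf passes all traffic when the loaded ruleset is empty, so enabling pf with this file unmodified gives no filtering at all; the header comments do not tell the reader that. A line in the header such as `# With no active rules pf passes everything; at least uncomment "block in" and "pass out" below.` makes the template's default posture explicit. The `#rdr pass ... port spamd` line in the template presumes an spamd entry in services(5), which a short comment next to it could also mention.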
diff --git a/share/examples/pf/queue1 b/share/examples/pf/queue1
index 73c3839..5aad7c9 100644
--- a/share/examples/pf/queue1
+++ b/share/examples/pf/queue1
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $OpenBSD: queue1,v 1.3 2003/01/20 16:14:23 henning Exp $
+# $OpenBSD: queue1,v 1.4 2006/10/07 04:48:01 mcbride Exp $
ext_if = "dc0"
@@ -14,10 +14,8 @@ queue ssh bandwidth 100Kb priority 7 cbq(borrow)
queue rsets bandwidth 7500b priority 0 cbq(red)
block return in on $ext_if inet all queue rsets
-pass in on $ext_if inet proto tcp from any to any port 80 keep state queue http
-pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
-pass in on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
-pass out on $ext_if inet proto tcp from any to any port 25 keep state queue mail
-pass out on $ext_if inet all keep state
-
-
+pass in on $ext_if inet proto tcp from any to any port 80 queue http
+pass out on $ext_if inet proto tcp from any to any port 22 queue ssh
+pass in on $ext_if inet proto tcp from any to any port 22 queue ssh
+pass out on $ext_if inet proto tcp from any to any port 25 queue mail
+pass out on $ext_if inet all
diff --git a/share/examples/pf/queue2 b/share/examples/pf/queue2
index 20684e9..c60d1c3 100644
--- a/share/examples/pf/queue2
+++ b/share/examples/pf/queue2
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $OpenBSD: queue2,v 1.2 2003/01/20 16:14:23 henning Exp $
+# $OpenBSD: queue2,v 1.4 2006/10/07 04:48:01 mcbride Exp $
# advanced queue example.
# give interactive ssh traffic priority over ssh bulk transfers (scp, sftp)
@@ -15,15 +15,15 @@ queue developers bandwidth 75% cbq(borrow)
queue employees bandwidth 15%
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
-queue ssh_interactive priority 7
-queue ssh_bulk priority 0
+queue ssh_interactive bandwidth 25% priority 7
+queue ssh_bulk bandwidth 75% priority 0
block return out on $ext_if inet all queue std
pass out on $ext_if inet proto tcp from $developerhosts to any port 80 \
- keep state queue developers
+ queue developers
pass out on $ext_if inet proto tcp from $employeehosts to any port 80 \
- keep state queue employees
+ queue employees
pass out on $ext_if inet proto tcp from any to any port 22 \
- keep state queue(ssh_bulk, ssh_interactive)
+ queue(ssh_bulk, ssh_interactive)
pass out on $ext_if inet proto tcp from any to any port 25 \
- keep state queue mail
+ queue mail
diff --git a/share/examples/pf/queue3 b/share/examples/pf/queue3
index 855e74f..6db5eb4 100644
--- a/share/examples/pf/queue3
+++ b/share/examples/pf/queue3
@@ -1,5 +1,5 @@
# $FreeBSD$
-# $OpenBSD: queue3,v 1.2 2003/01/20 16:14:23 henning Exp $
+# $OpenBSD: queue3,v 1.3 2006/10/07 04:48:01 mcbride Exp $
# simple PRIQ example
ext_if="lo0"
@@ -9,8 +9,8 @@ queue pri-low priority 0
queue pri-med priority 1 priq(default)
queue pri-high priority 2
-pass out on $ext_if proto tcp from any to any port 22 keep state \
+pass out on $ext_if proto tcp from any to any port 22 \
queue(pri-med, pri-high)
-pass out on $ext_if proto tcp from any to any port 80 keep state queue pri-med
-pass in on $ext_if proto tcp from any to any port 80 keep state queue pri-low
+pass out on $ext_if proto tcp from any to any port 80 queue pri-med
+pass in on $ext_if proto tcp from any to any port 80 queue pri-low
diff --git a/share/examples/pf/spamd b/share/examples/pf/spamd
index 780e879..ad12268 100644
--- a/share/examples/pf/spamd
+++ b/share/examples/pf/spamd
@@ -1,8 +1,8 @@
# $FreeBSD$
-# $OpenBSD: spamd,v 1.1 2003/08/22 15:25:01 henning Exp $
+# $OpenBSD: spamd,v 1.2 2005/08/06 19:52:37 jmc Exp $
# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on { lo0, lo1 } from any to any
-rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
+rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd
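Review bot: Replacing the literal `port 8025` with `port spamd` makes the rule load only if the host's services(5) database has an spamd entry; on a system without one pfctl rejects the line with an unknown-port error, and the example stops working with no hint why. A comment recording the expected value, `# "spamd" must resolve via services(5) (8025/tcp in the previous version of this example)`, keeps the example usable when the lookup fails. The new pf.conf template uses the same symbolic name.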