I spent the evening reworking my pf.conf file in order to get AltQ working.
I successfully have that working, but somewhere along the line I broke PPTP
and can no longer connect back to the office. I have compared my old and new
pf.conf files but have not quite found the problem. I also ran a tcpdump on
the connection but am honestly not sure what I'm looking for. Could I
trouble someone to look over this pf.conf file and see if they can tell me
why PPTP will not work?
################ Macros ###################################
### Interfaces ###
ext_if ="fxp0"
wire_if="fxp1"
### Global Variables ###
ext_ip ="a.b.c.d"
wire_network ="192.168.1.0/24"
wire_gw ="192.168.1.1/32"
ftp_server ="192.168.1.5"
workstation ="192.168.1.100"
################ Tables ####################################
table <blacklist> persist file "/etc/tables/blacklist"
table <ftp-auth> persist file "/etc/tables/ftp-auth"
table <sinokorea> const file "/etc/tables/sinokorea"
table <ssh-bruteforce> persist
table <voipservers> const file "/etc/tables/voipservers"
################ Options ##################################
# Misc Options
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
################ Normalization #############################
scrub on $ext_if all random-id reassemble tcp fragment reassemble
################ Queueing ##################################
altq on $ext_if hfsc bandwidth 768Kb queue { ack, voip, stream, web, email, p2p, general }
queue ack bandwidth 60% priority 7 qlimit 500 hfsc (realtime 50%)
queue voip bandwidth 10% priority 6 qlimit 500 hfsc (realtime 10%)
queue stream bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
queue web bandwidth 10% priority 4 qlimit 500 hfsc
queue email bandwidth 4% priority 3 qlimit 500 hfsc
queue p2p bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 99%)
queue general bandwidth 5% priority 2 qlimit 500 hfsc (realtime 5% default)
################ Translation ###############################
no rdr on lo0 from any to any
nat on egress from (self) to any tag EGRESS -> ($ext_if:0)
nat on egress from $wire_if:network to any tag EGRESS -> ($ext_if:0)
# DENY rogue redirections
no rdr
################ Filtering #################################
# Deny spoofed packets
antispoof log quick for { lo0 $wire_if ($ext_if) }
# Block to/from illegal sources/destinations
block drop quick inet6
block in log quick from no-route to any
block in quick on $ext_if from <blacklist> to any
block in quick on $ext_if from <sinokorea> to any
block in quick on $ext_if from <ssh-bruteforce> to any
block in quick on $ext_if from any to 255.255.255.255
block return in quick on $wire_if from any to <blacklist>
block return in quick on $wire_if from any to 224.0.0.1
# BLOCK all in/out on all interfaces by default
block log on $ext_if
block return log on $wire_if
# $ext_if inbound
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 flags S/SA keep state queue (general) tagged FTPPROXY
pass in quick log on $ext_if inet proto tcp from any to $ext_if port ssh flags S/SA synproxy state (max 10, source-track rule, max-src-conn 10, max-src-nodes 5, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
# $wire_if outbound
pass out on $wire_if inet proto tcp from $wire_if to $wire_if:network flags S/SAFR modulate state
pass out on $wire_if inet proto tcp to $ftp_server port 21 user proxy flags S/SA keep state
pass out on $wire_if inet proto udp from $wire_if to $wire_if:network keep state
pass out on $wire_if inet proto icmp from $wire_if to $wire_if:network icmp-type 8 code 0 keep state
# $wire_if inbound
pass in on $wire_if inet proto tcp from $wire_if:network to $wire_if flags S/SAFR modulate state
pass in on $wire_if inet proto tcp from $wire_if:network to !$wire_if flags S/SAFR modulate state
pass in on $wire_if inet proto udp from $wire_if:network to $wire_if keep state
pass in on $wire_if inet proto udp from $wire_if:network to !$wire_if keep state
pass in on $wire_if inet proto icmp from $wire_if:network to $wire_if icmp-type 8 code 0 keep state
# $ext_if outbound
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SAFR modulate state queue (general, ack) tagged EGRESS
pass out on $ext_if inet proto tcp from ($ext_if) to any port 25 flags S/SAFR modulate state queue (email) tagged EGRESS
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 flags S/SAFR modulate state queue (web) tagged EGRESS
pass out on $ext_if inet proto tcp from ($ext_if) to any port 110 flags S/SAFR modulate state queue (email) tagged EGRESS
pass out on $ext_if inet proto tcp from ($ext_if) to any port 443 flags S/SAFR modulate state queue (web) tagged EGRESS
pass out on $ext_if inet proto tcp from ($ext_if) to any port 8008 flags S/SAFR modulate state queue (stream) tagged EGRESS
pass out on $ext_if inet proto udp from ($ext_if) to any queue (general) keep state tagged EGRESS
pass out quick on $ext_if inet proto udp from ($ext_if) to <voipservers> tos 0xb8 queue (voip) keep state tagged EGRESS
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state queue (general) tagged EGRESS
################ END #######################################
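The ruleset above passes only tcp, udp and icmp on both interfaces, and PPTP also needs a GRE (IP protocol 47) tunnel alongside its TCP port 1723 control connection, so the GRE packets fall through to the default block rules on $wire_if and $ext_if. The fragment below is an added example, not part of the post, showing the GRE rules that fit this ruleset's macros and EGRESS tag; $pptp_server is a hypothetical placeholder for the office VPN endpoint, which the post does not give.

```pf
# Hypothetical macro: the office PPTP server (placeholder address, not from the post).
pptp_server = "203.0.113.10"

# The TCP 1723 control channel is already covered by the existing
# "pass in on $wire_if inet proto tcp ... to !$wire_if" and
# "pass out on $ext_if inet proto tcp from ($ext_if) to any" rules.
# GRE carries the actual tunnel and currently has no pass rule at all.

# $wire_if inbound: accept GRE from the LAN client to the VPN server.
# With "set state-policy if-bound" this state lives on $wire_if only.
pass in on $wire_if inet proto gre from $workstation to $pptp_server keep state

# $ext_if outbound: the "nat on egress from $wire_if:network" rule has
# already rewritten the source and tagged the packet EGRESS, so the
# source is ($ext_if) and "tagged EGRESS" matches, as in the other
# outbound rules. Queue it with general traffic.
pass out on $ext_if inet proto gre from ($ext_if) to $pptp_server keep state queue (general) tagged EGRESS

# To confirm the diagnosis before changing anything: because the default
# rules carry "log", dropped GRE shows up on pflog0, e.g.
#   tcpdump -n -e -ttt -i pflog0 proto gre
# and a syntax check of the edited file is
#   pfctl -nf /etc/pf.conf
```

GRE has no port numbers, so pf keys these states on addresses alone; only one LAN client at a time can hold a tunnel to the same PPTP server through this NAT.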