Archive for October, 2005

QoS and traffic shaping with FreeBSD: a short write-up of working with pf in FreeBSD 5.4

I was looking at firewall solutions and found that pf (ported from OpenBSD) in FreeBSD could give me this:

references:
http://www.benzedrine.cx/pf.html
http://www.freebsd.org/doc/handbook/firewalls-pf.html
http://www.kuro5hin.org/story/2002/11/23/14927/477

Good to know: FreeBSD 5.x already ships pf, but ALTQ has to be enabled in the kernel (which means recompiling the kernel) to get bandwidth limiting.

the situation is:

Internet --- Prolink ADSL with Speedy Telkom --- (rl0) pf FreeBSD router (vr0) --- LAN

bandwidth from my ISP:
download: 384kbps
upload: 64kbps

the goal is:
1. limit bandwidth, give each group a bandwidth quota, and prioritize some networks such as the marketing and management nets
2. combine this with a transparent proxy using Squid

here is my pf.conf:
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"    # replace with actual external interface name, e.g. dc0
int_if="vr0"    # replace with actual internal interface name, e.g. dc1
internal_net="10.0.0.0/24"
external_addr="10.0.10.1"

# add by ichtus
priv_nets       = "{ 10.0.0.0/24 }"
iec_nets        = "{ x.x.x.x    y.y.y.y }"
highlander_nets = "{ x.x.x.x    y.y.y.y }"
logts_nets      = "{ x.x.x.x    y.y.y.y }"
accnt_nets      = "{ x.x.x.x    y.y.y.y }"
mrkt_nets       = "{ x.x.x.x    y.y.y.y }"
mngmt_nets      = "{ x.x.x.x    y.y.y.y }"

# port and ICMP-type macros used by the filter rules
icmp_types    = "echoreq"
tcp_services  = "{ 21, 22, 80 }"
ssh_ports     = "{ 22, 8022 }"
http_ports    = "{ 21, 80, 443 }"
mail_ports    = "{ 25, 110, 995 }"
im_vnc_ports  = "{ 1863, 5190, 5222, 5900, 5901, 5902 }"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
# enable queueing on the external interface to control traffic going to
# the Internet. (about 90% of the 64kbps upload link, so the router's queue
# and not the modem is the bottleneck)
altq on $ext_if bandwidth 58Kb hfsc queue { std_out, http_out, ssh_out, mail_out, vnc_out, rsets, tcp_ack_out }
queue   std_out   bandwidth 10Kb priority 2 hfsc(default realtime 16Kb)
queue   ssh_out   bandwidth 8Kb priority 5
queue   http_out  bandwidth 10Kb priority 3 hfsc(realtime 14Kb)
queue   mail_out  bandwidth 16Kb priority 4 hfsc(realtime 16Kb)
queue   vnc_out   bandwidth 8Kb priority 5
queue   rsets     bandwidth 6Kb priority 0 hfsc(realtime 7500b)
queue   tcp_ack_out     priority 6

# enable queueing on the internal interface to control traffic coming in
# from the Internet. (about 90% of the 384kbps download link)
altq on $int_if bandwidth 345Kb hfsc queue { std_in, ssh_im_in, mail_in, http_in, dns_in, highlander_in }
queue std_in         bandwidth 24Kb hfsc(realtime 16Kb default)
queue ssh_im_in      bandwidth 24Kb priority 4 hfsc(realtime 24Kb)
queue mail_in        bandwidth 144Kb priority 5 hfsc(realtime 120Kb) { mail_in_mrkt, mail_in_mngmt, mail_in_iec, mail_in_logts, mail_in_accnt }
   queue mail_in_logts       priority 3 hfsc(realtime 20Kb linkshare 15%)
   queue mail_in_accnt       priority 3 hfsc(realtime 16Kb linkshare 15%)
   queue mail_in_iec         priority 6 hfsc(realtime 24Kb linkshare 25%)
   queue mail_in_mngmt       priority 5 hfsc(realtime 28Kb linkshare 20%)
   queue mail_in_mrkt        priority 6 hfsc(realtime 28Kb linkshare 25%)
queue http_in        bandwidth 96Kb priority 4 hfsc(realtime 80Kb) { http_in_mngmt, http_in_iec, http_in_nets }
   queue http_in_nets        priority 3 hfsc(linkshare 20%)
   queue http_in_mngmt       priority 3 hfsc(linkshare 40%)
   queue http_in_iec         priority 3 hfsc(linkshare 35%)
queue highlander_in  bandwidth 56Kb priority 3
queue dns_in         priority 7

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination port 443 will be
# redirected to the HTTPS server in the DMZ (fill in its address). A state is
# created for such packets, and the replies will be translated as coming from
# the external address.
rdr on $ext_if proto tcp from any to any port 443 -> [dmz serverip address] port 443

# rdr outgoing HTTP, HTTPS, FTP requests to the squid-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 3128
rdr on $int_if proto tcp from any to any port http -> 127.0.0.1 port 3128
rdr on $int_if proto tcp from any to any port https -> 127.0.0.1 port 3128

# forward to central mail server for sending mail
rdr on $int_if proto tcp from any to any port smtp -> 127.0.0.1 port 25

# add by ichtus, filter rules
block all
block in log all
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block return in on $ext_if inet all queue rsets

# anti spoof for external network
antispoof for $ext_if inet
block drop in on ! $ext_if inet from 10.0.10.0/24 to any
block drop in inet from 10.0.10.1 to any

# anti spoof for internal network
antispoof for $int_if inet
block drop in on ! $int_if inet from 10.0.0.1/24 to any
block drop in inet from 10.0.0.1 to any
pass quick on lo0 all

# limit bandwidth of packets leaving the external interface from the internal networks
# (the second queue in queue(a, b) takes empty TCP ACKs and lowdelay packets)
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state queue(std_out, tcp_ack_out)
pass out on $ext_if proto { udp, icmp } all keep state
# tcp_ack_out only exists on $ext_if; DNS replies towards the LAN use dns_in on $int_if
pass out on $int_if proto { tcp, udp } from any port domain to $priv_nets queue(dns_in)
pass out on $ext_if inet proto tcp from $ext_if to any port $mail_ports flags S/SA keep state queue(mail_out)
pass out on $ext_if inet proto tcp from $ext_if to any port $http_ports flags S/SA keep state queue(http_out)
pass out on $ext_if inet proto tcp from $ext_if to any port $ssh_ports flags S/SA keep state queue(ssh_out, tcp_ack_out)
pass out on $ext_if inet proto tcp from $ext_if to any port $im_vnc_ports flags S/SA keep state queue(vnc_out, tcp_ack_out)

# allow echo-request icmp
pass in inet proto icmp all icmp-type $icmp_types keep state

# limit bandwidth of packets from the Internet to the HTTPS server (DNAT'd above);
# the queue on a "pass in" rule shapes the replies going back out $ext_if
pass in on $ext_if proto tcp from any to any port 443 keep state queue(http_out)

# allow packets from the Internet to service ports on the router
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow packets from the internal network into the router
#pass in on $int_if from $priv_nets
pass in on $int_if from $int_if:network to any keep state

# limit bandwidth of packets coming in from the Internet to the internal network
pass out on $int_if from any to $priv_nets queue(std_in)
pass out on $int_if proto { tcp udp } from any port domain to $priv_nets queue(dns_in)
pass out on $int_if proto tcp from any port $mail_ports to $mrkt_nets  queue(mail_in_mrkt)
pass out on $int_if proto tcp from any port $mail_ports to $mngmt_nets queue(mail_in_mngmt)
pass out on $int_if proto tcp from any port $mail_ports to $logts_nets queue(mail_in_logts)
pass out on $int_if proto tcp from any port $mail_ports to $accnt_nets queue(mail_in_accnt)
pass out on $int_if proto tcp from any port $mail_ports to $iec_nets   queue(mail_in_iec)
pass out on $int_if proto tcp from any port $http_ports to $priv_nets  queue(http_in_nets)
pass out on $int_if proto tcp from any port $http_ports to $mngmt_nets queue(http_in_mngmt)
pass out on $int_if proto tcp from any port $http_ports to $iec_nets   queue(http_in_iec)
pass out on $int_if proto tcp from any port $ssh_ports to $priv_nets   queue(ssh_im_in, dns_in)
pass out on $int_if proto tcp from any port $im_vnc_ports to $priv_nets queue(ssh_im_in, dns_in)

# limit to highlander network
pass out on $int_if proto tcp from 10.0.0.1 port { 22 80 3000 1241 } to $highlander_nets
pass out on $int_if proto tcp from any port { 80 443 21 5901 5902 22 8022 110 } to $highlander_nets queue(highlander_in)
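
Two queue-assignment mistakes are easy to make in a config this size: a typo in a queue name, which pfctl rejects when the rules are loaded, and a rule on one interface naming a queue that only exists on the other, which loads fine but makes pf quietly put those packets in that interface's default queue so the shaping never happens. The checker below is an added example, not part of the post or of pfctl; it parses the altq/queue declarations and the queue(...) clauses of the filter rules and reports every queue a rule uses that is not defined on the rule's interface, run here against a constructed, abridged config modelled on the one above (the regexes assume the one-declaration-per-line layout used in this post).

```python
import re
# Constructed, abridged sample modelled on the post's pf.conf (macros, altq
# roots, one nested queue, filter rules); it is not the original file.
SAMPLE_CONF = """
ext_if="rl0"
int_if="vr0"
altq on $ext_if bandwidth 58Kb hfsc queue { std_out, rsets, tcp_ack_out }
queue std_out bandwidth 10Kb hfsc(default realtime 16Kb)
queue rsets bandwidth 6Kb hfsc(realtime 7500b)
queue tcp_ack_out priority 6
altq on $int_if bandwidth 345Kb hfsc queue { std_in, mail_in, dns_in }
queue mail_in bandwidth 144Kb hfsc(realtime 120Kb) { mail_in_mrkt, mail_in_mngmt }
queue dns_in priority 7
block return in on $ext_if inet all queue rsets
pass out on $ext_if inet proto tcp from $ext_if to any keep state queue(std_out, tcp_act_out)
pass out on $int_if proto { tcp, udp } from any port domain to 10.0.0.0/24 queue(tcp_ack_out)
pass out on $int_if proto tcp from any port 25 to 10.0.0.0/24 queue(mail_in_mrkt)
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.M)
ALTQ_RE = re.compile(r'^altq on (\S+).*?queue \{([^}]*)\}', re.M)
CHILD_RE = re.compile(r'^\s*queue\s+(\w+)[^{\n]*\{([^}]*)\}', re.M)  # parent { children }
RULE_RE = re.compile(r'^(?:pass|block)\b(?:.*?\bon\s+(\S+))?.*?\bqueue\s*\(?([\w, ]+?)\)?\s*$', re.M)
def _expand(macros, text):
    """Substitute $macro references with the values defined in the file."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def queues_by_interface(conf, macros):
    """Map each altq interface to every queue (root or nested child) defined on it."""
    by_if = {}
    for ifname, roots in ALTQ_RE.findall(conf):
        by_if.setdefault(_expand(macros, ifname), set()).update(roots.replace(',', ' ').split())
    for parent, children in CHILD_RE.findall(conf):  # pf.conf declares parents before children
        for qs in by_if.values():
            if parent in qs:
                qs.update(children.replace(',', ' ').split())
    return by_if

def check_queue_assignments(conf):
    """Return (queue, interface, rule) for each queue(...) not defined on the rule's interface."""
    macros = dict(MACRO_RE.findall(conf))
    by_if = queues_by_interface(conf, macros)
    problems = []
    for m in RULE_RE.finditer(conf):
        ifname = _expand(macros, m.group(1)) if m.group(1) else None  # None: rule has no 'on'
        defined = by_if.get(ifname, set()) if ifname else set().union(*by_if.values())
        for q in m.group(2).replace(',', ' ').split():
            if q not in defined:
                problems.append((q, ifname, m.group(0).strip()))
    return problems
```

On the sample it flags `tcp_act_out` (typo, defined nowhere) on rl0 and `tcp_ack_out` on vr0 (only defined on rl0), the same two slips that were in the first draft of the rules above.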

Any comments or questions? Feel free to contact me at
ichtus81-linux at yahoo.com


SE T630 and Motorola E680i: a good combination :)

One of them runs Linux, the other can control a Linux computer using Bluetooth…
(you decide which one)
Good decision to sell my N6230, much happier now than before..
That's good advice. What do you think? …ehm, good life :P

http://www.lirc.org/
- Linux remote control (tried it before on FC1, using a Panasonic remote control via IrDA)
      LIRC is a package that allows you to decode and send
      infra-red signals of many (but not all) commonly used
      remote controls.

http://www.geocities.com/saravkrish/progs/bluemote/index.html
- bluemote, use your bluetooth enabled T610 (or compatible Sony Ericsson phones) as a remote for your Linux PC.

MultiSync

MultiSync is a free modular program to synchronize calendars, addressbooks and
other PIM data between programs on your computer and other computers, mobile
devices, PDAs or cell phones. MultiSync works on any Gnome platform, such as
Linux. It supports IrMC Mobile Client synchronization (supported by e.g.
SonyEricsson T39/T68i, Siemens S45i/S55 phones etc.) via Bluetooth or IrDA on
Linux or cable connection.

bluexmms

bluexmms allows remote control of XMMS using a bluetooth-enabled
Ericsson mobile phone, assuming you also have a bluetooth-capable
laptop/computer.
