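# pf.conf: NAT gateway (em0 = WAN, em1 = LAN) with CBQ bandwidth shaping
# per LAN subnet.  Reading guide for the rules below:
#   - pf evaluates filter rules top to bottom and the LAST matching rule
#     wins, unless a rule says "quick", which ends evaluation at once.
#   - In the pf versions that accept this "nat on" syntax, translation is
#     applied before filtering, so "pass out on $wan_if" rules see the
#     already-translated source address.
#   - There is no default-deny in this ruleset (the catch-all "block"
#     lines below are commented out), so pf's built-in default of "pass"
#     applies to anything that no explicit block rule matches.
#   - Every altq/queue definition appears exactly once: pfctl refuses a
#     ruleset that defines the same queue twice on an interface, so the
#     ruleset must not be pasted in more than once.
#
# Addresses are redacted as X.X in this copy.
wan_ip="61.183.X.X"            # NOTE(review): defined but not referenced by any rule
lan_ip="X.X.0.0/16"            # whole LAN, used for NAT
lan_5_ip="X.X.5.0/24"
lan_6_ip="X.X.6.0/24"
lan_7_ip="X.X.7.0/24"
lan_8_ip="X.X.8.0/24"
lan_9_ip="X.X.9.0/24"
lan_10_ip="X.X.10.0/24"
lan_11_ip="X.X.11.0/24"
lan_15_ip="X.X.15.0/24"        # NOTE(review): no queue or rule uses this; see lan_6 below
#ip_deny="{X.X.6.56,X.X.7.119}"
ip_deny="{X.X.7.119}"          # LAN hosts whose inbound TCP is blocked (logged on $lan_if)
wan_if="em0"
lan_if="em1"
# Normalization:
# reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Queueing: rule-based bandwidth control.
# Outgoing bandwidth limit
# The WAN root is 20Mb but its only child, std_out, is the 10Mb default
# queue; every packet leaving $wan_if lands in it (see the note on the
# std_out pass rule below), so the effective upstream cap is 10Mb.
altq on $wan_if cbq bandwidth 20Mb queue { std_out }
queue std_out bandwidth 10Mb cbq(default)
# LAN side: one queue per /24, selected by destination subnet in the
# "pass out quick on $lan_if" rules further down.  Child bandwidths sum to
# 94Mb of the 100Mb root.  lan_6 is the default queue, so traffic toward any
# subnet without a rule of its own (e.g. $lan_15_ip) shares lan_6.
altq on $lan_if bandwidth 100Mb cbq queue {lan_5,lan_6,lan_7,lan_8,lan_9,lan_10,lan_11}
queue lan_5 bandwidth 2Mb
queue lan_6 bandwidth 80Mb cbq(default)
queue lan_7 bandwidth 2Mb
queue lan_8 bandwidth 2Mb
queue lan_9 bandwidth 2Mb
queue lan_10 bandwidth 2Mb
queue lan_11 bandwidth 4Mb
#------------NAT---------------------
# Masquerade the whole LAN /16 behind whatever address $wan_if currently has.
nat on $wan_if from $lan_ip to any -> ($wan_if)
#------Filter Rules------------------
# NOTE(review): with both catch-all blocks commented out, pf's default
# action is pass, so any inbound connection on $wan_if that is not on the
# port list below is accepted by the gateway itself (and by any LAN address
# that happens to be routable from outside).  The usual fix is a WAN-side
# default deny -- "block in on $wan_if" followed by explicit "pass in on
# $wan_if" rules for the services that must be reachable, plus
# "antispoof for { $wan_if $lan_if }".  It is not applied here because the
# set of required inbound services is not known from this file.
#block in quick proto icmp from any to $wan_if
#block in from any to any
#block out from any to any
# Deny-listed LAN hosts.  The first rule applies on every interface but has
# no "quick", so a later pass rule could override it; the second is the
# effective rule on $lan_if: it logs and stops evaluation before the
# "pass in on $lan_if" rule below gets a chance to match.
block in proto tcp from $ip_deny to any
block in log quick on $lan_if inet proto tcp from $ip_deny to any
# MS-RPC / NetBIOS / SMB / MS-SQL ports are dropped on entry to either
# interface, which covers both WAN->LAN and LAN->WAN for these services.
block drop in quick proto {tcp,udp} from any to any port {135,139,445,1433,1434}
#block drop in quick proto {tcp,udp} from X.X.5.164 to any port {3128}
#block drop in quick proto {tcp,udp} from any to X.X.5.164 port {3128}
# Outbound TCP on the WAN: only SYNs create state; "modulate state" also
# randomizes initial sequence numbers for the connection.
pass out on $wan_if proto tcp from any to any flags S/SA modulate state
# Inbound TCP from the LAN: per-source tracking, at most 120 concurrent
# states per source host.
pass in on $lan_if proto tcp from any to any flags S/SA keep state (source-track, max-src-states 120)
# NOTE(review): because nat runs first, packets leaving $wan_if already carry
# the ($wan_if) address, so "from $lan_ip" does not match translated
# traffic and this rule is effectively dead; std_out is the default queue
# anyway, so shaping is unaffected.  Should it ever match (an untranslated
# LAN source), it would be the last matching rule and replace the
# "modulate state" rule above for that traffic; it carries no explicit
# state option, so whether state is created then depends on the pf
# version's default.
pass out on $wan_if proto tcp from $lan_ip to any queue std_out
# Per-subnet queue assignment toward the LAN (any protocol, "quick" so no
# later rule can re-queue the packet).
pass out quick on $lan_if from any to $lan_5_ip queue lan_5
pass out quick on $lan_if from any to $lan_6_ip queue lan_6
pass out quick on $lan_if from any to $lan_7_ip queue lan_7
pass out quick on $lan_if from any to $lan_8_ip queue lan_8
pass out quick on $lan_if from any to $lan_9_ip queue lan_9
pass out quick on $lan_if from any to $lan_10_ip queue lan_10
pass out quick on $lan_if from any to $lan_11_ip queue lan_11
# Outbound UDP/ICMP on the WAN with state.  (The original listed this rule
# twice; the duplicate was a no-op and is dropped.)
pass out on $wan_if proto { udp, icmp } from any to any keep state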