alternative to smoothwall

Discussion in 'Linux & BSD' started by canadian_divx, Apr 9, 2007.

  1. canadian_divx

    canadian_divx Canadian_divx

    Does anyone know of any other applications/OSes like Smoothwall, or like IPCop?

    If so, can you post links to them here?
     
  2. ClarkConnect.
     
  3. canadian_divx

    canadian_divx Canadian_divx

    Hmmm, interesting. Checking it out, thanks.


    Any others?
     
  4. LordOfLA

    LordOfLA Godlike!

    m0n0wall
     
  5. X-Istence

    X-Istence * Political User

    pfSense.
     
  6. canadian_divx

    canadian_divx Canadian_divx

    Hmmm, I've done some research on them, but does anyone have any personal information on speed performance with torrents? I've noticed my Smoothwall killing my speed.

    Any info?
     
  7. X-Istence

    X-Istence * Political User

    You need to open the ports inwards. pfSense is FreeBSD with PF running on top of it, and I have not had a problem with torrenting. On my home connection I have a 1.2 GHz machine with 896 MB of RAM and a 20 GB hard drive with around 5000 states open, with 7 guys doing packet filtering and queueing with no slowdowns.
     
  8. canadian_divx

    canadian_divx Canadian_divx

    I have all the ports needed right now on Smoothwall with packet filtering, but it's been getting slow lately and it's not the line.

    The system is a P3 1 GHz with 512 MB SDRAM and a 40 GB HDD.
     
  9. j79zlr

    j79zlr Glaanies script monkey Political User

    896MB of RAM?
     
  10. X-Istence

    X-Istence * Political User

    512 + 256 + 128! Only three RAM slots, all are filled. It is still old SDRAM, and I don't have any bigger sticks to replace the 128 or 256.

    Code:
    Breached# pfctl -sa
    TRANSLATION RULES:
    nat on vr0 inet from 10.10.10.0/24 to any -> (vr0) round-robin
    rdr on vr0 inet proto tcp from any to any port = 9090 -> 10.10.10.22 port 9090
    rdr on vr0 inet proto udp from any to any port = 9090 -> 10.10.10.22 port 9090
    
    FILTER RULES:
    scrub in on vr0 all fragment reassemble
    scrub in on xl0 all fragment reassemble
    scrub out all random-id fragment reassemble
    block drop in quick on ! lo inet6 from ::1 to any
    block drop in quick on ! lo inet from 127.0.0.0/8 to any
    block drop in quick on ! lo inet from 127.0.0.2 to any
    block drop in quick on ! lo inet from 127.0.0.3 to any
    block drop in quick on ! lo inet from 127.0.0.4 to any
    block drop in quick on lo0 inet6 from fe80::1 to any
    block drop in quick inet6 from ::1 to any
    block drop in quick inet from 127.0.0.1 to any
    block drop in quick inet from 127.0.0.2 to any
    block drop in quick inet from 127.0.0.3 to any
    block drop in quick inet from 127.0.0.4 to any
    block drop in quick on ! xl0 inet from 10.10.10.0/24 to any
    block drop in quick on ! xl0 inet from 10.10.10.12 to any
    block drop in quick on ! xl0 inet from 10.10.10.13 to any
    block drop in quick on ! xl0 inet from 10.10.10.14 to any
    block drop in quick on ! xl0 inet from 10.10.10.15 to any
    block drop in quick on ! xl0 inet from 10.10.10.16 to any
    block drop in quick on ! xl0 inet from 10.10.10.17 to any
    block drop in quick on ! xl0 inet from 10.10.10.18 to any
    block drop in quick on ! xl0 inet from 10.10.10.19 to any
    block drop in quick on ! xl0 inet from 10.10.10.20 to any
    block drop in quick inet from 10.10.10.11 to any
    block drop in quick inet from 10.10.10.12 to any
    block drop in quick inet from 10.10.10.13 to any
    block drop in quick inet from 10.10.10.14 to any
    block drop in quick inet from 10.10.10.15 to any
    block drop in quick inet from 10.10.10.16 to any
    block drop in quick inet from 10.10.10.17 to any
    block drop in quick inet from 10.10.10.18 to any
    block drop in quick inet from 10.10.10.19 to any
    block drop in quick inet from 10.10.10.20 to any
    block drop in all
    block drop out quick on vr0 proto tcp from any to any port = smtp
    block return in quick on vr0 proto tcp from any to any port = auth
    block return out quick on vr0 from any to <blocked>
    pass in quick on vr0 proto tcp from any to any port = 9090 keep state queue in_std
    pass in quick on vr0 proto udp from any to any port = 9090 keep state queue in_std
    pass out quick on xl0 proto tcp from any to any port = 9090 keep state queue in_std
    pass out quick on xl0 proto udp from any to any port = 9090 keep state queue in_std
    pass in log quick proto tcp from any to any port = ssh keep state label "ssh" queue in_lcl
    pass in log quick proto esp all keep state label "vpn" queue in_highpri
    pass in quick on xl0 proto tcp from any to <int_ips> port = ftp flags S/SA keep state queue in_lcl
    pass in quick on xl0 proto tcp from any to <int_ips> port = domain flags S/SA keep state queue in_lcl
    pass in quick on xl0 proto tcp from any to <int_ips> port = http flags S/SA keep state queue in_lcl
    pass in quick on xl0 proto tcp from any to <int_ips> port 55535:65535 flags S/SA keep state queue in_lcl
    pass in quick on xl0 proto udp from any to <int_ips> port = domain keep state queue in_lcl
    pass in quick on xl0 proto udp from any to <int_ips> port = bootps keep state queue in_lcl
    pass in quick on xl0 proto udp from any to <int_ips> port = bootpc keep state queue in_lcl
    pass in quick on xl0 proto udp from any to <int_ips> port = ntp keep state queue in_lcl
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = http flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = pop3 flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = imap flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = https flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = isakmp flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = submission flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = pptp flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 1863 flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = aol flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = jabber-client flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 33333 flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 5223 flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 10000 flags S/SA keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = http keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = pop3 keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = imap keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = https keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = isakmp keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = submission keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 1723 keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 1863 keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = aol keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = jabber-client keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 33333 keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 5223 keep state queue in_highpri
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 10000 keep state queue in_highpri
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port 27000:27040 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 27910 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 27960 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port 7777:7788 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 27900 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port 20100:20120 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto tcp from 10.10.10.0/24 to ! 10.10.10.11 port = 3724 flags S/SA keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port 27000:27040 keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 27910 keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 27960 keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port 7777:7788 keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 27900 keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port 20100:20120 keep state queue in_games
    pass in quick on xl0 inet proto udp from 10.10.10.0/24 to ! 10.10.10.11 port = 3724 keep state queue in_games
    pass in quick on xl0 inet from 10.10.10.0/24 to ! 10.10.10.11 flags S/SA keep state
    block drop out on xl0 all
    pass out quick on xl0 inet proto udp from <int_ips> to 10.10.10.0/24 keep state queue in_lcl
    pass out quick on xl0 inet proto tcp from <int_ips> to 10.10.10.0/24 keep state queue in_lcl
    pass out quick on xl0 inet proto icmp from <int_ips> to 10.10.10.0/24 keep state queue in_lcl
    block drop out on vr0 all
    pass out quick on vr0 proto udp from (vr0) to any port = domain keep state queue out_dns
    pass out quick on vr0 proto tcp from (vr0) to any port = domain keep state queue out_dns
    pass out quick on vr0 proto udp from (vr0) to any port = http keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = pop3 keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = imap keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = https keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = isakmp keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = submission keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 1723 keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 1863 keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = aol keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = jabber-client keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 33333 keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 5223 keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 10000 keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = http flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = pop3 flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = imap flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = https flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = isakmp flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = submission flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = pptp flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 1863 flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = aol flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = jabber-client flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 33333 flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 5223 flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 10000 flags S/SA keep state queue(out_highpri, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port 27000:27040 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 27910 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 27960 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port 7777:7788 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 27900 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port 20100:20120 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = 3724 flags S/SA keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port 27000:27040 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 27910 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 27960 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port 7777:7788 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 27900 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port 20100:20120 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any port = 3724 keep state queue(out_games, out_ack)
    pass out quick on vr0 proto tcp from (vr0) to any port = ssh flags S/SA keep state queue(out_std, out_highpri)
    pass out quick on vr0 proto tcp from (vr0) to any flags S/SA keep state queue(out_std, out_ack)
    pass out quick on vr0 proto udp from (vr0) to any keep state
    pass inet proto icmp all icmp-type echoreq keep state
    pass inet proto icmp all icmp-type unreach keep state
    
    ALTQ:
    queue root_vr0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {out_std, out_games, out_highpri, out_dns, out_ack}
    queue  out_std bandwidth 600Kb qlimit 100 cbq( red borrow default ) 
    queue  out_games bandwidth 200Kb qlimit 100 cbq( borrow ) 
    queue  out_highpri bandwidth 100Kb priority 4 qlimit 100 cbq( borrow ) 
    queue  out_dns bandwidth 50Kb priority 4 qlimit 100 cbq( borrow ) 
    queue  out_ack bandwidth 40Kb priority 7 qlimit 100 cbq( borrow ) 
    queue root_xl0 bandwidth 100Mb priority 0 qlimit 100 cbq( wrr root ) {in_lcl, in_net}
    queue  in_lcl bandwidth 88Mb qlimit 100 cbq( red borrow ) 
    queue  in_net bandwidth 12Mb {in_std, in_games, in_highpri}
    queue   in_std bandwidth 1.20Mb qlimit 300 cbq( red ecn rio borrow default ) 
    queue   in_games bandwidth 1.80Mb qlimit 100 cbq( red borrow ) 
    queue   in_highpri bandwidth 9Mb priority 4 qlimit 100 cbq( red ecn rio borrow ) 
    
    STATES:
    1270 currently.
    
    INFO:
    Status: Enabled for 54 days 23:24:58          Debug: Urgent
    
    Hostid: 0x3cc98a5b
    
    Interface Stats for vr0               IPv4             IPv6
      Bytes In                    376342375358                0
      Bytes Out                   142109393208                0
      Packets In
        Passed                       398441186                0
        Blocked                        4809576                0
      Packets Out
        Passed                       355949573                0
        Blocked                         165975                0
    
    State Table                          Total             Rate
      current entries                     1316               
      searches                      1551360596          326.6/s
      inserts                         18293775            3.9/s
      removals                        18292459            3.9/s
    Counters
      match                           47940116           10.1/s
      bad-offset                             0            0.0/s
      fragment                           10536            0.0/s
      short                                 80            0.0/s
      normalize                       13384093            2.8/s
      memory                            254777            0.1/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                           9923            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                    206801            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
    
    LABEL COUNTERS:
    ssh 1580341 2995 590810
    vpn 984153 0 0
    
    TIMEOUTS:
    tcp.first                    30s
    tcp.opening                   5s
    tcp.established           18000s
    tcp.closing                  60s
    tcp.finwait                  30s
    tcp.closed                   30s
    tcp.tsdiff                   10s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start                0 states
    adaptive.end                  0 states
    src.track                     0s
    
    LIMITS:
    states     hard limit  10000
    src-nodes  hard limit  10000
    frags      hard limit   5000
    
    TABLES:
    blocked
    int_ips
    
    OS FINGERPRINTS:
    348 fingerprints loaded
    That is my pfctl -sa output; the rules are expanded from the original rules that exist. Now for my rules:

    see next post!
     
    Last edited: Apr 10, 2007
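The practical question behind "states take up RAM" is whether the state table is approaching its hard limit or whether pf is already dropping packets for resource reasons. The following check is an added example, not code from the thread or from pfSense: it parses the State Table, Counters and LIMITS sections of the pfctl -sa output posted above (the sample text below is an excerpt of that post) and reports utilisation plus any non-zero resource-related drop counters. The 80% warning threshold is an assumed value.

```python
import re

# Excerpt of the pfctl -sa output posted in this thread (State Table, Counters, LIMITS).
SAMPLE_OUTPUT = """\
State Table                          Total             Rate
  current entries                     1316
  searches                      1551360596          326.6/s
  inserts                         18293775            3.9/s
  removals                        18292459            3.9/s
Counters
  match                           47940116           10.1/s
  fragment                           10536            0.0/s
  short                                 80            0.0/s
  memory                            254777            0.1/s
  state-mismatch                    206801            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s

LIMITS:
states     hard limit  10000
src-nodes  hard limit  10000
frags      hard limit   5000
"""

# "  name   total   rate/s" (rate column is absent on the "current entries" line)
COUNTER_LINE = re.compile(r"^\s+([a-z-]+(?: entries)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")
# "states     hard limit  10000"
LIMIT_LINE = re.compile(r"^(states|src-nodes|frags)\s+hard limit\s+(\d+)\s*$")

# Counters whose non-zero value means pf dropped packets because a resource ran out.
RESOURCE_COUNTERS = ("memory", "state-limit", "src-limit", "congestion")


def parse_pfctl(text):
    """Return current state count, per-counter (total, rate) pairs and hard limits."""
    stats = {"current_states": None, "counters": {}, "limits": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("State Table"):
            section = "state"
            continue
        if line.startswith("Counters"):
            section = "counters"
            continue
        if line.startswith("LIMITS"):
            section = "limits"
            continue
        m = LIMIT_LINE.match(line)
        if m:
            stats["limits"][m.group(1)] = int(m.group(2))
            continue
        m = COUNTER_LINE.match(line)
        if not m:
            continue
        name, total, rate = m.group(1), int(m.group(2)), m.group(3)
        if section == "state" and name == "current entries":
            stats["current_states"] = total
        elif section == "counters":
            stats["counters"][name] = (total, float(rate) if rate else 0.0)
    return stats


def assess(stats, warn_pct=80.0):
    """Produce human-readable findings; warn_pct is an assumed threshold."""
    findings = []
    cur, limit = stats["current_states"], stats["limits"].get("states")
    if cur is not None and limit:
        pct = 100.0 * cur / limit
        findings.append(f"state table: {cur}/{limit} ({pct:.1f}% of hard limit)")
        if pct >= warn_pct:
            findings.append("WARN: state table near hard limit; raise 'set limit states' "
                            "or shorten tcp.established/udp timeouts")
    for name in RESOURCE_COUNTERS:
        total, rate = stats["counters"].get(name, (0, 0.0))
        if total:
            findings.append(f"WARN: counter {name} = {total} ({rate}/s): "
                            "packets dropped because pf ran out of that resource")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_pfctl(SAMPLE_OUTPUT)):
        print(finding)
```

On the posted numbers the table is only 13% full, but the non-zero memory counter shows pf has at times been unable to allocate for new packets, which is the symptom to watch on a RAM-constrained box.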
  11. X-Istence

    X-Istence * Political User

    Code:
    # Define our outside interface
    ext_if="vr0"
    int_if="xl0"
    
    # Router IP address
    int_routeip="10.10.10.11"
    
    # All the internal IPs
    
    table <int_ips> { $int_if }
    table <blocked> persist file "/etc/blocked"
    
    # ping requests
    icmp_types = "{ echoreq unreach }"
    
    # Set some options
    set optimization aggressive
    set block-policy drop
    set loginterface $ext_if
    set skip on lo
    
    # Ports we allow into the box from the local network
    tcpinports_int = "{ 21 53 80 55535:65535 }"
    udpinports_int = "{ 53 67 68 123 }"
    
    # Ports we allow into the box from the outside network
    tcpinports_ext = "{}"
    udpinports_ext = "{}"
    
    # Any traffic on these ports get logged allowed on both interfaces
    tcploginports = "{ ssh }"
    
    # Special ports that get higher priority (IM Traffic, HTTP traffic)
    highpri_ports = "{ 80 110 143 443 500 587 1723 1863 5190 5222 33333 5223 10000 }"
    
    # Certain ports are required for games. They will get their own queue
    #               Steam       Quake       UT              SOF 2       WoW
    game_ports = "{ 27000:27040 27910 27960 7777:7788 27900 20100:20120 3724 }"
    
    scrub in on $ext_if all fragment reassemble 
    scrub in on $int_if all fragment reassemble
    scrub out all random-id
    
    # Queueing!
    
    # Queueing on the external interface
    altq on $ext_if cbq bandwidth 1.0Mb qlimit 100 queue { out_std, out_games, out_highpri, out_dns, out_ack }
    
    queue out_std     on $ext_if bandwidth 60%            qlimit 100 cbq(default borrow red)
    queue out_games   on $ext_if bandwidth 20%            qlimit 100 cbq(borrow)
    queue out_highpri on $ext_if bandwidth 10% priority 4 qlimit 100 cbq(borrow)
    queue out_dns     on $ext_if bandwidth  5% priority 4 qlimit 100 cbq(borrow)
    queue out_ack     on $ext_if bandwidth  4% priority 7 qlimit 100 cbq(borrow)
    
    # Queueing on the internal interface
    altq on $int_if cbq bandwidth 100Mb qlimit 100 queue { in_lcl, in_net }
    
    queue in_lcl     on $int_if bandwidth 88Mb qlimit 100 cbq(red borrow)
    queue in_net     on $int_if bandwidth 12Mb { in_std, in_games, in_highpri, in_ack }
            queue in_std     on $int_if bandwidth 10%            qlimit 300 cbq(default borrow rio ecn)
            queue in_games   on $int_if bandwidth 15%            qlimit 100 cbq(borrow red)
            queue in_highpri on $int_if bandwidth 75% priority 4 qlimit 100 cbq(borrow ecn rio)
    
    # NAT
    nat on $ext_if from $int_if:network:0 to any -> ($ext_if)
    
    # Port forwarding (Forward it)
    rdr on $ext_if proto { tcp udp } from any to any port 9090 -> 10.10.10.22 port 9090
    
    
    # Don't allow spoofing, really simple ruleset gets expanded
    antispoof quick for { lo $int_if }
    
    # Standard deny anything and everything
    block in
    block out quick on $ext_if proto tcp to port 25
    block return in quick on $ext_if proto tcp to port 113
    block return out quick on $ext_if to <blocked>
    
    # Port forwarding (and allow it in, and out)
    pass in quick on $ext_if proto { tcp udp } to any port 9090 keep state queue in_std
    pass out quick on $int_if proto { tcp udp } to any port 9090 keep state queue in_std
    
    # Pass in SSH on both sides
    pass in quick log proto tcp to port $tcploginports keep state label "ssh" queue in_lcl
    pass in quick log proto esp from any to any keep state label "vpn" queue in_highpri
    #pass in quick proto tcp to port $tcpinports_ext keep state
    
    # Pass in just certain ports from the internal interface
    pass in quick on $int_if proto tcp to <int_ips> port $tcpinports_int keep state flags S/SA queue in_lcl
    pass in quick on $int_if proto udp to <int_ips> port $udpinports_int keep state queue in_lcl
    #pass in quick on $int_if proto tcp from 10.10.10.22 to any           keep state queue in_highpri
    
    # Pass in all traffic from internal interface, as long as it is not going towards an internal IP address
    pass in quick on $int_if proto { tcp udp } from $int_if:network:0 to ! $int_routeip port $highpri_ports keep state flags S/SA queue in_highpri
    pass in quick on $int_if proto { tcp udp } from $int_if:network:0 to ! $int_routeip port $game_ports    keep state flags S/SA queue in_games
    pass in quick on $int_if                   from $int_if:network:0 to ! $int_routeip                     keep state flags S/SA
    
    
    # Pass stuff on the internal interface
    block out on $int_if
    pass out quick on $int_if proto { udp tcp icmp }  from <int_ips>  to $int_if:network:0                     keep state queue in_lcl
    
    # Pass stuff on the external interface
    block out on $ext_if
    pass out quick on $ext_if proto { udp tcp } from ($ext_if) to any port domain         keep state            queue out_dns 
    pass out quick on $ext_if proto { udp tcp } from ($ext_if) to any port $highpri_ports keep state flags S/SA queue (out_highpri, out_ack)
    pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any port $game_ports    keep state flags S/SA queue (out_games, out_ack)
    pass out quick on $ext_if proto tcp         from ($ext_if) to any port $tcploginports keep state flags S/SA queue (out_std, out_highpri)
    pass out quick on $ext_if proto tcp         from ($ext_if) to any                     keep state flags S/SA queue (out_std, out_ack)
    pass out quick on $ext_if proto udp         from ($ext_if) to any                     keep state
    
    # Ping's all around!
    pass inet proto icmp all icmp-type $icmp_types keep state
    This box keeps up VERY easily with 7 guys and constant use. Once again, it is an AMD Duron 1.2 GHz, 896 MB SDRAM (this is most important, states take up RAM), and the 20 GB hard drive is basically used to boot from. This is all it does, nothing else; I don't host web servers on it, or any other things which could cause a slowdown.