Well, the glitch is solved; I had simply botched a rule.
In case it can be of use to anyone…
[code]# $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $

# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0"
int_if="re0"
internal_net="192.168.0.1/24"
#external_addr="192.168.1.1"
forward="{XXXXX}"
forward_udp="{XXXX}"
local="{22, XXXX }"
pri_ports="{80,21,2121}"
#local_udp="{22, XXXXX }"
netbios="{135,137:139,445}"

# Tables: similar to macros, but more flexible for many addresses.
# The table names were stripped when the post was rendered (angle brackets lost):
# <tbl1>, <tbl2> and <tbl3> are placeholders, and which rule used which table is a guess.
table <tbl1> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
table <tbl2> { 62.4.23.42, 194.126.217.2 }
table <tbl3> persist

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub log on $ext_if no-df fragment reassemble
scrub log on $ext_if all reassemble tcp

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
altq on $ext_if cbq bandwidth 600Kb qlimit 100 queue { q_pri, q_def, q_ftp }
queue q_pri bandwidth 10% priority 7 cbq(borrow)
queue q_def bandwidth 89% priority 3 cbq(default,borrow)
queue q_ftp bandwidth 1% priority 1 cbq(borrow)

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
rdr on $ext_if proto tcp from <tbl2> to ($ext_if) port 113 -> 192.168.0.2 port 113
rdr on $ext_if proto tcp from any to ($ext_if) port $forward -> 192.168.0.2
rdr on $ext_if proto udp from any to ($ext_if) port $forward_udp -> 192.168.0.2
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all
# allow traffic on local IFs.
pass in on $int_if
pass out on $int_if
pass in on lo0
pass out on lo0
# prio: interactive protocols output (HTTP/FTP)
pass out quick on $ext_if proto tcp from any to any port $pri_ports keep state queue q_pri
# prio: DNS & ICMP
pass out quick on $ext_if proto udp from any to any port 53 keep state queue q_pri
pass quick on $ext_if proto icmp all keep state queue q_pri # TODO: restrict ICMP traffic
# out cx (prio: TCP_ACK)
pass out quick on $ext_if proto tcp all keep state queue (q_def, q_pri)
pass out quick on $ext_if proto udp all keep state
# lock netbios traffic
block in quick on $ext_if proto { udp, tcp } from any to any port $netbios
# block all incoming packets … (with deny replies)
block log quick on $ext_if from <tbl1> to any
#block return in on $ext_if from <tbl1> to any
block return in log on $ext_if
# local services (prio: TCP_ACK)
pass in quick on $ext_if proto tcp from any to any port $local \
	flags S/SA keep state queue (q_def, q_pri)
#pass in quick on $ext_if proto udp from any to any port $local_udp \
#	keep state
# forwarded services (prio: TCP_ACK)
pass in quick on $ext_if proto tcp from any to any port $forward \
	flags S/SA keep state queue (q_def, q_pri)
pass in quick on $ext_if proto udp from any to any port $forward_udp \
	keep state
# ident for IRCNET
pass in quick on $ext_if proto tcp from <tbl2> to any port 113 \
	flags S/SA keep state
# DHCP (freebox)
pass in on $ext_if proto udp from $ext_if:network to ($ext_if) port {67,68}
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state[/code]
Note: I made use of the tips from the excellent article http://www.benzedrine.cx/ackpri.html, which explains how to avoid the problems caused by upload saturation that are typical of ADSL.
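Since the trouble here came down to one botched rule, a quick reference check for a pf.conf of this shape is a useful companion. The script below is an added example, not the poster's code and not part of pf: it runs over a constructed sample modelled on the config above (made-up port lists, a hypothetical `<ircservers>` table, and two deliberate mistakes in the last rule) and reports macros, tables and queues that rules use without declaring, plus cbq child bandwidths that exceed the parent's 100%.

```python
import re
# Constructed sample modelled on the post's config: redacted ports replaced with
# made-up values; the last rule has two deliberate mistakes for the checker to find.
SAMPLE_CONF = """\
ext_if="xl0"
forward="{ 6881, 6882 }"
table <ircservers> { 62.4.23.42, 194.126.217.2 }
altq on $ext_if cbq bandwidth 600Kb qlimit 100 queue { q_pri, q_def, q_ftp }
queue q_pri bandwidth 10% priority 7 cbq(borrow)
queue q_def bandwidth 89% priority 3 cbq(default,borrow)
queue q_ftp bandwidth 1% priority 1 cbq(borrow)
pass out quick on $ext_if proto tcp all keep state queue (q_def, q_pri)
pass in quick on $ext_if proto tcp from <ircservers> to any port 113 keep state
pass in quick on $ext_if proto tcp from any to any port $forwrd queue (q_def, q_bogus)
"""
def check_pf_conf(text):
    """Return problems: undeclared macro/table/queue references, cbq bandwidth > 100%."""
    macros, tables, queues, rules = set(), set(), {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # strip comments
        if not line:
            continue
        m_mac = re.match(r"(\w+)\s*=", line)            # macro definition
        m_tbl = re.match(r"table\s+<(\w+)>", line)      # table definition
        m_que = re.match(r"queue\s+(\w+)\s+bandwidth\s+(\d+)%", line)  # queue decl
        if m_mac:
            macros.add(m_mac.group(1))
        elif m_tbl:
            tables.add(m_tbl.group(1))
        elif m_que:
            queues[m_que.group(1)] = int(m_que.group(2))
        elif not line.startswith("altq"):              # everything else is a rule
            rules.append((n, line))
    problems = []
    if sum(queues.values()) > 100:
        problems.append(f"queue bandwidth sums to {sum(queues.values())}% (> 100%)")
    for n, line in rules:
        for mac in re.findall(r"\$(\w+)", line):
            if mac not in macros:
                problems.append(f"line {n}: undefined macro ${mac}")
        for tbl in re.findall(r"<(\w+)>", line):
            if tbl not in tables:
                problems.append(f"line {n}: undefined table <{tbl}>")
        m = re.search(r"\bqueue\s+(?:\(([^)]*)\)|(\w+))", line)  # queue X / queue (X, Y)
        if m:
            for q in re.split(r"[\s,]+", (m.group(1) or m.group(2)).strip()):
                if q not in queues:
                    problems.append(f"line {n}: undeclared queue {q}")
    return problems
```

`pfctl -nf /etc/pf.conf` remains the authoritative syntax check; this only catches the reference and bandwidth slips above before the file reaches the firewall.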