# rtorrent rules in pf config



## wonslung (Oct 25, 2013)

I decided to try to redo my router configuration last night.  For some reason *I* can't figure out the proper rules to allow rtorrent to work.  My system is set up like this:

rtorrent is running behind the router on 192.168.1.62
rtorrent is set up to use port 51001

I was able to get everything else working, but no matter what *I* do, rtorrent fails,  If *I* load my old configuration it works, but it's a very messy configuration. It allows a lot more stuff automatically.  The new config *I*'m trying to write blocks everything except what *I* allow (at least *I* think it does).

Here is my new configuration, thanks for any help with the rules.


```
### Interfaces ###
 ExtIf ="em1"
 IntIf ="em0"

### Hosts ###
 rtor = "192.168.1.62"
 ssh_zone = "192.168.1.55"
 raidz = "{ 192.168.1.14, 192.168.1.15 }"

###networks
 lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
 priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### ports
 rtor_ports = "{http, https }"
 bittorrent = 51001
 www  = "{ http, https }"
 ntop = 3000
 mail = "{ 25, 110, 143, 465, 587, 993, 995 }"
 irc = "{ 6667, 7000 }"

### Queues, States and Types ###
 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Stateful Tracking Options (STO) ###
 OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
 SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
 SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
 WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
 table <BLOCKTEMP> counters
 table <BLOCKPERM> counters file "/etc/block_permanent"
 table <spamd-white>

################ Options ######################################################
### Misc Options
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize=Throughput
scrub out log on $ExtIf      all random-id set-tos 0x1c fragment reassemble
scrub     log on $ExtIf inet all reassemble tcp fragment reassemble


################ Queueing ####################################################
#
### FIOS Upload = 55Mb/s (queue at 97%)
 altq on $ExtIf bandwidth 53.35Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
  queue ack        bandwidth 35% qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 20% qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 50% qlimit 500 hfsc
   queue ssh_bulk  bandwidth 50% qlimit 500 hfsc
  queue bulk       bandwidth 20% qlimit 500 hfsc (realtime   20% default, ecn)
  queue web        bandwidth  5% qlimit 500 hfsc (realtime  (10%, 10000, 5%))
  queue mail       bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue bittor     bandwidth  3% qlimit 500 hfsc (upperlimit 95%)
  queue spamd      bandwidth  1% qlimit 500 hfsc (upperlimit 1Kb)



################ Translation #################################################
### NAT and Redirection rules are first match

# NAT
 nat on $ExtIf from $IntIf:network to any -> ($ExtIf)



# Rtorrent
rdr on $ExtIf inet proto tcp from any to ($ExtIf) port $bittorrent -> $rtor
rdr on $IntIf inet proto tcp from $IntIf:network to any port $bittorrent -> $rtor

# Openssh
 rdr on $ExtIf inet proto tcp from $IntIf:network to ($ExtIf) port ssh -> lo0
 rdr on $IntIf inet proto tcp from $IntIf:network to  $IntIf  port ssh -> lo0

#ntop
rdr on $IntIf inet proto tcp from $IntIf:network to $IntIf port $ntop -> lo0

# Apache or Nginx (internal webserver for the LAN to localhost?)
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port http  -> lo0
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port https -> lo0

# Bind or Unbound DNS for LAN machines
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

rdr on $ExtIf inet proto tcp from any to ($ExtIf) port 50022 -> $ssh_zone port ssh

# Anchors
 rdr-anchor "games"

# Ftp ( secure ftp-proxy for the internal LAN )
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $IntIf proto tcp from $IntIf:network to any port 21 -> 127.0.0.1 port 8021

# DENY rouge redirection
 no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Notice we optimized the rules so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables
 block drop in  log quick on $ExtIf           from <BLOCKPERM> to any
 block drop in  log quick on $ExtIf proto udp from <BLOCKTEMP> to any
# block drop in  log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh


### $ExtIf default block with drop
 block drop in log on $ExtIf



### $ExtIf inbound


### $ExtIf outbound

 pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO queue (bulk, ack)
 pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO queue (bulk, ack)
 pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO queue (bulk, ack)
# pass out log on $ExtIf inet proto tcp  from $IntIf:network to any port $mail $TcpState $OpenSTO queue (mail, ack)
# pass out log on $ExtIf inet proto tcp  from ($ExtIf) to any port $bittorrent keep state
### $IntIf default block with return (TCP reset)
 block return in log on $IntIf inet

### $IntIf inbound (restrict LAN clients to external machines here)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port $mail  $TcpState $OpenSTO queue (mail, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port https  $TcpState $OpenSTO queue (web, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port www    $TcpState $OpenSTO queue (web, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  lo0     port ssh    $TcpState $OpenSTO queue (ssh, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  lo0     port $ntop    $TcpState $OpenSTO queue (web, ack)
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port domain $UdpState $OpenSTO queue (dns, ack)
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port ntp    $UdpState $OpenSTO queue (bulk, ack)
 pass in log on $IntIf inet proto icmp from  $IntIf:network to $IntIf  $IcmpPing   $UdpState $OpenSTO queue (bulk, ack)
 pass in log on $IntIf inet proto udp  from  $IntIf:network to any     port $bittorrent $UdpState $OpenSTO queue (bittor, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to any     port $bittorrent $TcpState $OpenSTO queue (bittor, ack)
### $IntIf ftp secure secure proxy for LAN
 anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
 pass out log on $IntIf inet proto tcp  from $IntIf to $IntIf:network $TcpState queue (bulk, ack)
 pass out log on $IntIf inet proto udp  from $IntIf to $IntIf:network $UdpState queue (bulk, ack)
 pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network $UdpState queue (bulk, ack)
```


----------



## wonslung (Oct 25, 2013)

I finally got it working. If anyone who understands PF well sees a problem in my rules, please let me know, but it SEEMS to be working now, here is the new configuration:


```
############### Macros ###################################

### Interfaces ###
 ExtIf ="em1"
 IntIf ="em0"

### Hosts ###
 rtor = "192.168.1.62"
 ssh_zone = "192.168.1.55"
 raidz = "{ 192.168.1.14, 192.168.1.15 }"

###networks
 lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
 priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### ports
 rtor_ports = "{http, https }"
 bittorrent = 51001
 www  = "{ http, https }"
 ntop = 3000
 mail = "{ 25, 110, 143, 465, 587, 993, 995 }"
 irc = "{ 6667, 7000 }"

### Queues, States and Types ###
 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Stateful Tracking Options (STO) ###
 OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
 SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
 SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
 WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
 table <BLOCKTEMP> counters
 table <BLOCKPERM> counters file "/etc/block_permanent"
 table <spamd-white>

################ Options ######################################################
### Misc Options
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $ExtIf
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize=Throughput
scrub out log on $ExtIf      all random-id set-tos 0x1c fragment reassemble
scrub     log on $ExtIf inet all reassemble tcp fragment reassemble


################ Queueing ####################################################
#
### FIOS Upload = 55Mb/s (queue at 97%)
 altq on $ExtIf bandwidth 53.35Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
  queue ack        bandwidth 35% qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 20% qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 50% qlimit 500 hfsc
   queue ssh_bulk  bandwidth 50% qlimit 500 hfsc
  queue bulk       bandwidth 20% qlimit 500 hfsc (realtime   20% default, ecn)
  queue web        bandwidth  5% qlimit 500 hfsc (realtime  (10%, 10000, 5%))
  queue mail       bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue bittor     bandwidth  3% qlimit 500 hfsc (upperlimit 95%)
  queue spamd      bandwidth  1% qlimit 500 hfsc (upperlimit 1Kb)



################ Translation #################################################
### NAT and Redirection rules are first match

# NAT
 nat on $ExtIf from $IntIf:network to any -> ($ExtIf)



# Rtorrent
rdr on $ExtIf inet proto tcp from any to any port $bittorrent -> $rtor
rdr on $ExtIf inet proto udp from any to any port $bittorrent -> $rtor


# Openssh
 rdr on $ExtIf inet proto tcp from $IntIf:network to ($ExtIf) port ssh -> lo0
 rdr on $IntIf inet proto tcp from $IntIf:network to  $IntIf  port ssh -> lo0

#ntop
rdr on $IntIf inet proto tcp from $IntIf:network to $IntIf port $ntop -> lo0

# Apache or Nginx (internal webserver for the LAN to localhost?)
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port http  -> lo0
 rdr on $IntIf inet proto tcp from  !($IntIf) to ($IntIf) port https -> lo0

# Bind or Unbound DNS for LAN machines
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
 rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

rdr on $ExtIf inet proto tcp from any to ($ExtIf) port 50022 -> $ssh_zone port ssh

# Anchors
 rdr-anchor "games"

# Ftp ( secure ftp-proxy for the internal LAN )
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"
 rdr pass on $IntIf proto tcp from $IntIf:network to any port 21 -> 127.0.0.1 port 8021

# DENY rouge redirection
 no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Notice we optimized the rules so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables
 block drop in  log quick on $ExtIf           from <BLOCKPERM> to any
 block drop in  log quick on $ExtIf proto udp from <BLOCKTEMP> to any
# block drop in  log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh


### $ExtIf default block with drop
 block drop in log on $ExtIf



### $ExtIf inbound
pass in on $ExtIf inet proto tcp from any to $rtor port $bittorrent $TcpState $OpenSTO queue (bittor, ack)
pass in on $ExtIf inet proto udp from any to $rtor port $bittorrent $UdpState $OpenSTO queue (bittor, ack)


### $ExtIf outbound

 pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO queue (bulk, ack)
 pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO queue (bulk, ack)
 pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO queue (bulk, ack)
# pass out log on $ExtIf inet proto tcp  from $IntIf:network to any port $mail $TcpState $OpenSTO queue (mail, ack)
pass out log on $ExtIf inet proto tcp  from ($ExtIf) to any port > 1024 $TcpState $OpenSTO queue (bittor, ack)
pass out log on $ExtIf inet proto udp  from ($ExtIf) to any port > 1024 $UdpState $OpenSTO queue (bittor, ack)
### $IntIf default block with return (TCP reset)
 block return in log on $IntIf inet

### $IntIf inbound (restrict LAN clients to external machines here)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port $mail  $TcpState $OpenSTO queue (mail, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port https  $TcpState $OpenSTO queue (web, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port www    $TcpState $OpenSTO queue (web, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  lo0     port ssh    $TcpState $OpenSTO queue (ssh, ack)
 pass in log on $IntIf inet proto tcp  from  $IntIf:network to  lo0     port $ntop    $TcpState $OpenSTO queue (web, ack)
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port domain $UdpState $OpenSTO queue (dns, ack)
 pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port ntp    $UdpState $OpenSTO queue (bulk, ack)
 pass in log on $IntIf inet proto icmp from  $IntIf:network to $IntIf  $IcmpPing   $UdpState $OpenSTO queue (bulk, ack)
 pass in log on $IntIf from $rtor to any $TcpState $OpenSTO queue (bittor, ack)
### $IntIf ftp secure secure proxy for LAN
 anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
 pass out log on $IntIf inet proto tcp  from $IntIf to $IntIf:network $TcpState queue (bulk, ack)
 pass out log on $IntIf inet proto udp  from $IntIf to $IntIf:network $UdpState queue (bulk, ack)
 pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network $UdpState queue (bulk, ack)

 anchor "games"
```


----------



## wonslung (Oct 26, 2013)

It seems that *I*'ve only got it halfway working. I'm able to download torrents but *I*'m still not connectable, I'm not sure where *I* went wrong with this; I need to forward incoming traffic to port 50001 at ip 192.168.1.62. I can't figure out where my rules are wrong.

edit:

I'm seeing a lot of these in pflog:


```
00:00:00.000007 rule 10..16777216/0(match): block in on em0: 192.168.1.62.51001 > 24.180.26.59.63402: Flags [.], ack 1, win 64436, length 0
```

so obviously something is wrong with rule 10, but *I*'m not sure which rule is number 10, or how to fix it.


----------



## SirDice (Oct 28, 2013)

Why are you redirecting a lot of stuff to lo0? Anything that's incoming on $IntIf can simply connect to the service on the $IntIf interface, there's no need to redirect that traffic. Redirection is only needed when services are "hidden" behind a NAT.


----------



## wonslung (Oct 29, 2013)

SirDice said:
			
		

> Why are you redirecting a lot of stuff to lo0? Anything that's incoming on $IntIf can simply connect to the service on the $IntIf interface, there's no need to redirect that traffic. Redirection is only needed when services are "hidden" behind a NAT.



The best answer *I* can give is that the configuration *I* based my rules on was doing this. I will try commenting it all out and seeing if everything works. I've got a slightly better understanding of PF, but it's still very limited at best.

Here is my most recent configuration which seems to be working. I'm still not getting the bittorrent traffic in the proper queue but that's really the only issue *I*'m having so far.

I would absolutely like to clean this configuration up and get rid of any redundancies. Some rules might not be needed, but sometimes it took me a while playing with rules to get everything working the way *I*'d like, so any suggestions would be helpful. I will attempt to remove the redirections to loopback now.


```
# define macros for each network interface
extif = "em1"
intif = "em0"
tcp_services = "{ 22, 443 }"

# define our networks
intnet  = "{ 10.0.0.0/24, 192.168.0.0/24 }"
rtor = "192.168.1.62"
ssh_zone = "192.168.1.55"

icmp_types = "echoreq"
allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bittorrent = "51001"


### Queues, States and Types ###
 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 SynState ="flags S/SA synproxy state"
 TcpState ="flags S/SA modulate state"
 UdpState ="keep state"

### Stateful Tracking Options (STO) ###
 OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
 SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
 SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
 WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
################ Options ######################################################

table <spamd-white> persist


### Misc Options
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $extif
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize=Throughput
scrub out log on $extif      all random-id set-tos 0x1c fragment reassemble
scrub     log on $extif inet all reassemble tcp fragment reassemble


################ Queueing ####################################################
#
### FIOS Upload = 55Mb/s (queue at 97%)
 altq on $extif bandwidth 53.35Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
  queue ack        bandwidth 35% qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 20% qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 50% qlimit 500 hfsc
   queue ssh_bulk  bandwidth 50% qlimit 500 hfsc
  queue bulk       bandwidth 20% qlimit 500 hfsc (realtime   20% default, ecn)
  queue web        bandwidth  5% qlimit 500 hfsc (realtime  (10%, 10000, 5%))
  queue mail       bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue bittor     bandwidth  3% qlimit 500 hfsc (upperlimit 95%)
  queue spamd      bandwidth  1% qlimit 500 hfsc (upperlimit 1Kb)


#############
# NAT Rules #
#############
nat on $extif from   $intif:network 	to any -> ($extif)
nat on $extif from   10.0.0.0/24	to any -> ($extif)

#ntp
rdr on $intif inet proto { tcp, udp } from $intif:network to ($intif) port ntp -> lo0

#squid
rdr on $intif inet proto tcp from !$rtor to any port www -> 10.0.0.1 port 3128

# spamd
rdr on $extif inet proto tcp from !<spamd-white> to ($extif) port smtp -> lo0 port spamd
rdr on $extif inet proto tcp from  <spamd-white> to ($extif) port smtp -> lo0

# Rtorrent
rdr on $extif inet proto tcp from any to any port $bittorrent -> $rtor
rdr on $extif inet proto udp from any to any port $bittorrent -> $rtor

#SSH
rdr on $extif inet proto tcp from any to ($extif) port 50022 -> $ssh_zone port ssh

# DENY rouge redirection
no rdr

###########
# END NAT #
###########

block log


#"Block drop in quick" will kill the rdr rules above for the privnet
block drop in on $extif from $privnets to any
block drop in on $extif from any to $privnets

################################
# Begin Selective Port Opening #
################################
pass in log quick inet proto tcp from any to any port 3128 $TcpState $OpenSTO queue (web, ack)
pass out log quick inet proto tcp from any to any port 3128 $TcpState $OpenSTO queue (web, ack)
pass in log quick on $extif inet proto tcp from any to $rtor port $bittorrent $TcpState $OpenSTO queue bittor
pass in log quick on $extif inet proto udp from any to $rtor port $bittorrent $UdpState $OpenSTO queue bittor
pass out quick log on $extif proto tcp from $rtor to any port $bittorrent $TcpState $OpenSTO queue bittor
pass out quick log on $extif proto udp from $rtor to any port $bittorrent $UdpState $OpenSTO queue bittor
pass in log on $intif inet proto tcp from any to 10.0.0.1 port 3128 $TcpState $OpenSTO queue (web, ack)
pass in quick log on $extif inet proto tcp from  <spamd-white> to lo0 port smtp $TcpState $OpenSTO queue (mail)
pass in quick log on $extif inet proto tcp from !<spamd-white> to lo0 port spamd $TcpState $OpenSTO queue (spamd)
pass in log quick on $intif proto udp from port 68 to port 67 queue dns
pass out log quick on $intif proto udp from port 67 to port 68 queue dns

###############

pass in log inet proto icmp all $IcmpPing   $UdpState $OpenSTO

pass in  log on $intif from $intif:network to any keep state
pass out log on $intif from any to $intif:network keep state

#

pass out on $extif all keep state queue (bulk, ack)
```


----------

