分类: BSD
2010-07-05 14:02:34
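# pf.conf for a three-NIC OpenBSD gateway: two uplinks (xl0 "cnc", xl1 "telcom")
# and one LAN side (xl2 "sanhuan"), with per-uplink ALTQ queues, outbound NAT for
# the LAN, inbound redirects to a game host, and policy routing of selected
# destinations via the telcom uplink.
#
# NOTE(review): this listing was recovered from a web page. The pf table names,
# written as <name> in pf.conf, were stripped by the HTML rendering: every
# "table", "from !", "to" and "to !" below that now has no operand originally
# carried one. The public addresses were also masked with "*". As printed the
# file will not load; restore those before use.

# Macros
cnc_if="xl0"
telcom_if="xl1"
telcom_gw="219.149.167.*"   # masked in the source
cnc_gw="60.220.248.*"       # masked in the source
game_if="192.168.0.254"     # LAN host that receives the redirected game/RDP ports
sanhuan_if="xl2"
lo_if="lo0"
icmp_types="echoreq"

# Tables (names stripped, see note above). The first one holds non-routable
# space and is the one the "block ... quick" rules use below.
table{127.0.0.0/8,172.16.0.0/12,10.0.0.0/8,224.0.0.0/4}
table file "/etc/chinanet"
table {60.220.248.*/32,219.149.167.*/32,192.168.0.1/32}

# Options: tune the behavior of pf, default values are given.
set timeout {interval 5,frag 10}
set timeout {tcp.first 20,tcp.opening 10,tcp.established 600}
set timeout {tcp.closing 10,tcp.finwait 10,tcp.closed 10}
set timeout {udp.first 10,udp.single 10,udp.multiple 120}
set timeout {icmp.first 3,icmp.error 2}
set timeout {other.first 10,other.single 10,other.multiple 30}
set timeout {adaptive.start 8000,adaptive.end 12000}
set limit {src-nodes 80000,states 50000,frags 20000,tables 50000,table-entries 300000}
set loginterface $sanhuan_if
# NOTE(review): both the explicit "set timeout" lines above and this profile set
# state timeouts; confirm which takes precedence on the pf version in use.
set optimization aggressive
#set optimization conservative
set block-policy drop     # blocked packets are silently dropped, no RST / ICMP unreachable
set require-order yes
set fingerprints "/etc/pf.os"
set skip on $lo_if

# scrub
scrub in all

# set altq
# cnc uplink: 9Mb CBQ, small priority queues for ssh/ftp/ping, the rest borrows.
altq on $cnc_if bandwidth 9Mb cbq queue {ssh,ftp,ping,ctcp,cdef}
queue ftp bandwidth 5% priority 7 cbq(red,ecn)
queue ssh bandwidth 3% priority 7 cbq(red,ecn)
queue ping bandwidth 1% priority 3
queue ctcp bandwidth 50% priority 5 cbq(red,ecn,borrow)
queue cdef bandwidth 41% priority 5 cbq(default,borrow)
# telcom uplink: same layout, queue names suffixed with "_".
altq on $telcom_if bandwidth 9Mb cbq queue {ssh_,ftp_,ping_,ttcp,tdef}
queue ftp_ bandwidth 5% priority 7 cbq(red,ecn)
queue ssh_ bandwidth 3% priority 7 cbq(red,ecn)
queue ping_ bandwidth 1% priority 4
queue ttcp bandwidth 50% priority 5 cbq(red,ecn,borrow)
queue tdef bandwidth 41% priority 5 cbq(default,borrow)
# LAN side: 30Mb HFSC with realtime/upperlimit caps per traffic class.
altq on $sanhuan_if bandwidth 30Mb hfsc queue {lser,ltcp,ludp,sanhuan}
queue lser bandwidth 1Mb priority 3 hfsc(upperlimit 5%)
queue ltcp bandwidth 8Mb priority 7 hfsc(realtime 7Mb,upperlimit 8Mb,red,ecn)
queue ludp bandwidth 6Mb priority 5 hfsc(realtime 5Mb,upperlimit 6Mb)
queue sanhuan bandwidth 15Mb priority 5 hfsc(default,realtime 10Mb,upperlimit 15Mb)

# nat
# Inbound redirects: game ports and 3389 (RDP) arriving on either uplink from any
# source outside the stripped table are forwarded to $game_if.
rdr on $cnc_if proto tcp from ! to $cnc_if port {3389,9912,9909,9917} -> $game_if
# FIX: this list read {3389,9909,9909,9917} -- 9909 twice and no 9912 -- so the
# "port {9917,9912}" pass rule on $telcom_if further down could never see a 9912
# packet for $game_if. Aligned with the $cnc_if redirect above.
rdr on $telcom_if proto tcp from ! to $telcom_if port {3389,9912,9909,9917} -> $game_if
# Outbound NAT for the LAN on each uplink. Source ports stop at 65500, which
# keeps them clear of the 65500 >< 65535 range passed for FTP below --
# presumably the passive-FTP data range; confirm against the FTP daemon.
nat on $telcom_if from $sanhuan_if:network to ! -> ($telcom_if) port 1024:65500
nat on $cnc_if from $sanhuan_if:network to ! -> ($cnc_if) port 1024:65500

# default block
block all
block in quick on {$cnc_if,$telcom_if,$sanhuan_if} from to any    # (table name stripped)
block out quick on {$cnc_if,$telcom_if,$sanhuan_if} from any to    # (table name stripped)
antispoof quick for {$cnc_if,$telcom_if,$sanhuan_if}
# NOTE(review): the gateway itself may open any outbound connection on any
# interface; nothing further down narrows this.
pass out quick all keep state

# LAN to LOCAL: services on the gateway reachable from the LAN.
pass in quick on $sanhuan_if proto tcp from $sanhuan_if:network to $telcom_if port 80 flags S/SA synproxy state tag local queue sanhuan
pass in quick on $sanhuan_if proto tcp from $sanhuan_if:network to $cnc_if port {21,20,2222,443,65500 >< 65535} flags S/SA synproxy state tag local queue sanhuan
pass in quick on $sanhuan_if inet proto icmp from $sanhuan_if:network to icmp-type $icmp_types keep state tag local queue sanhuan
pass in quick on $sanhuan_if proto {tcp,udp} from $sanhuan_if:network to $sanhuan_if port 53 keep state tag local queue sanhuan
pass out quick on $sanhuan_if keep state tagged local queue sanhuan

#LAN
# Destinations inside the stripped table (presumably the /etc/chinanet list) are
# forced out via the telcom uplink with route-to. Everything else matches the
# "to !" rules below, which carry no route-to and so follow the routing table --
# presumably the default route points at the cnc uplink; confirm.
pass in quick on $sanhuan_if route-to ($telcom_if $telcom_gw) from {$game_if,192.168.0.240,192.168.0.230} to flags S/SA keep state tag tag01 queue lser
pass out quick on $telcom_if keep state tagged tag01 queue ftp_
pass in quick on $sanhuan_if route-to ($telcom_if $telcom_gw) proto tcp from $sanhuan_if:network to flags S/SA keep state (source-track rule, max-src-states 256) tag tag02 queue ltcp
pass out quick on $telcom_if keep state tagged tag02 queue ttcp
pass in quick on $sanhuan_if route-to ($telcom_if $telcom_gw) from $sanhuan_if:network to keep state tag tag03 queue ludp
pass out quick on $telcom_if keep state tagged tag03 queue tdef
pass in quick on $sanhuan_if from {$game_if,192.168.0.240,192.168.0.230} to ! flags S/SA keep state tag tag04 queue lser
pass out quick on $cnc_if keep state tagged tag04 queue ftp
pass in quick on $sanhuan_if proto tcp from $sanhuan_if:network to ! flags S/SA keep state (source-track rule, max-src-states 256) tag tag05 queue ltcp
pass out quick on $cnc_if keep state tagged tag05 queue ctcp
pass in quick on $sanhuan_if from $sanhuan_if:network to ! keep state tag tag06 queue ludp
pass out quick on $cnc_if keep state tagged tag06 queue cdef

#game server
# NOTE(review): 3389 (RDP) on $game_if is reachable on both uplinks from every
# source outside the stripped table, and unlike the port-2222 rules below these
# carry no max-src-conn-rate / max-src-states limits, so nothing here slows a
# password-guessing run against it. Consider the same source-track limits or a
# tighter source list.
pass in log quick on $cnc_if proto tcp from ! to $game_if port {9909,3389} flags S/SA keep state tag tag07 queue ssh
pass in log quick on $telcom_if reply-to ( $telcom_if $telcom_gw ) proto tcp from ! to $game_if port {9909,3389} flags S/SA keep state tag tag10 queue ssh_
pass in quick on $cnc_if proto tcp from ! to $game_if port {9917,9912} flags S/SA keep state tag tag08 queue ftp
pass in quick on $telcom_if reply-to ( $telcom_if $telcom_gw ) proto tcp from ! to $game_if port {9917,9912} flags S/SA keep state tag tag11 queue ftp_

#cnc_if
# Services on the cnc address itself. reply-to pins the replies to the cnc
# gateway. Port 2222 is rate-limited per source (5 new connections/s, 5 states,
# 8 tracked sources, 10 states total).
pass in log quick on $cnc_if reply-to ($cnc_if $cnc_gw) proto tcp from ! to $cnc_if port 2222 flags S/SA synproxy state (max 10, source-track rule, max-src-nodes 8,max-src-states 5,max-src-conn-rate 5/1) tag tag07 queue ssh
pass in quick on $cnc_if reply-to ($cnc_if $cnc_gw) proto tcp from ! to $cnc_if port 443 flags S/SA synproxy state (source-track rule, max-src-states 120, max-src-conn-rate 50/1) tag tag08 queue ftp
# FTP control and (presumably passive) data ports; FTP credentials cross the
# Internet in clear text -- a practitioner caveat, not a pf problem.
pass in quick on $cnc_if reply-to ($cnc_if $cnc_gw) proto tcp from ! to $cnc_if port {20,21,65500 >< 65535} flags S/SA keep state tag tag08 queue ftp
pass in quick on $cnc_if reply-to ($cnc_if $cnc_gw) inet proto icmp from ! to $cnc_if icmp-type $icmp_types keep state tag tag09 queue ping
pass out quick on $cnc_if keep state tagged tag07 queue ssh
pass out quick on $cnc_if keep state tagged tag08 queue ftp
pass out quick on $cnc_if keep state tagged tag09 queue ping

#telcom_if
# Same service set on the telcom address, plus port 80 and 3128.
pass in log quick on $telcom_if reply-to ($telcom_if $telcom_gw) proto tcp from ! to $telcom_if port 2222 flags S/SA keep state (max 10, source-track rule, max-src-nodes 8, max-src-states 5, tcp.closing 5,max-src-conn-rate 5/1) tag tag10 queue ssh_
pass in quick on $telcom_if reply-to ($telcom_if $telcom_gw) proto tcp from ! to $telcom_if port 80 flags S/SA keep state (source-track rule, max-src-states 120, max-src-conn-rate 80/1) tag tag11 queue ftp_
# NOTE(review): 3128 is open to every source outside the stripped table. That is
# the usual Squid proxy port; if the proxy behind it does not restrict clients
# itself this is an open proxy on the Internet. Confirm, or limit the sources here.
pass in quick on $telcom_if reply-to ($telcom_if $telcom_gw) proto tcp from ! to $telcom_if port 3128 flags S/SA keep state (source-track rule, max-src-states 60, max-src-conn-rate 30/1) tag tag11 queue ftp_
pass in quick on $telcom_if reply-to ($telcom_if $telcom_gw) proto tcp from ! to $telcom_if port {20,21,65500 >< 65535} flags S/SA keep state tag tag11 queue ftp_
pass in quick on $telcom_if reply-to ($telcom_if $telcom_gw) inet proto icmp from ! to $telcom_if icmp-type $icmp_types keep state tag tag12 queue ping_
pass out quick on $telcom_if keep state tagged tag10 queue ssh_
pass out quick on $telcom_if keep state tagged tag11 queue ftp_
pass out quick on $telcom_if keep state tagged tag12 queue ping_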