Assigning Traffic to Queues


Assign particular sets of traffic to a queue in the packet filtering rules with the "queue" keyword. The queue comes at the very end of the rule. For example, to allow all SSH traffic and assign it to the queue named "ssh," you would use a rule like this:

 pass in proto tcp from any to any port 22 keep state queue ssh

By setting both the source and the destination to "any," we put incoming and outgoing SSH traffic into this queue. If we wanted to break up traffic over one port into two separate queues, we would need to write a separate rule for each. Here, we establish separate queues for incoming and outgoing HTTP traffic:

 pass in proto tcp from any to fxp1 port {80, 443} keep state queue http-in
 pass out proto tcp from fxp1 to any port {80, 443} keep state queue http-out

The first rule only covers traffic coming into the firewall, assigning all that traffic to the queue http-in. The second rule only matches outgoing traffic and assigns everything to the queue http-out.

In our CBQ example we created two queues, "local" and "t1." Don't forget to set up a rule to direct traffic on the local Ethernet through the local queue, so it isn't captured by one of the other rules. Put this rule near the end of the ruleset, so that it is the last rule to match local-network packets and its queue assignment is the one that takes effect. Assuming that the network outside our firewall is 209.69.178.16/28, we would have a rule like this:

 pass out from fxp1 to 209.69.178.16/28 queue local 

Any traffic through the firewall to a local IP address will go through the local queue, giving almost unlimited bandwidth.
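As an added illustration (not the book's code), here is a small Python model of the four rules from this section that assigns a packet to a queue under PF's last-matching-rule semantics; the firewall's address on fxp1 (209.69.178.17) is an assumption, and the evaluator understands only the rule shapes used here. It shows why the local rule belongs near the end: an outgoing HTTP connection to a local host matches both http-out and local, and only the later rule's queue applies.

```python
import ipaddress
import re

# Constructed assumption (not from the book): the firewall's own address on fxp1.
IFACE_ADDR = {"fxp1": ipaddress.ip_address("209.69.178.17")}

# Only the rule shapes used in this section: pass in|out [proto X] from A to B [port N|{N,M}] [keep state] queue Q
RULE_RE = re.compile(
    r"pass\s+(?P<dir>in|out)(?:\s+proto\s+(?P<proto>\w+))?\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<port>\{[^}]*\}|\d+))?"
    r"(?:\s+keep\s+state)?\s+queue\s+(?P<queue>\S+)$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = m.groupdict()
    port = rule.pop("port")
    rule["ports"] = None if port is None else {int(p) for p in port.strip("{}").split(",")}
    return rule

def host_matches(spec, addr):
    if spec == "any":
        return True
    if spec in IFACE_ADDR:  # an interface name stands for that interface's address
        return addr == IFACE_ADDR[spec]
    return addr in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["proto"] in (None, pkt["proto"])
            and host_matches(rule["src"], pkt["src"]) and host_matches(rule["dst"], pkt["dst"])
            and (rule["ports"] is None or pkt["dport"] in rule["ports"]))

def queue_for(rules, pkt):
    """Without 'quick', PF applies the LAST matching rule, and with it that rule's queue."""
    chosen = None
    for rule in rules:
        if rule_matches(rule, pkt):
            chosen = rule["queue"]
    return chosen

def packet(direction, proto, src, dst, dport):
    return dict(dir=direction, proto=proto, dport=dport, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst))

# The rules from this section; the local-network rule is deliberately last.
RULES = [parse_rule(r) for r in (
    "pass in proto tcp from any to any port 22 keep state queue ssh",
    "pass in proto tcp from any to fxp1 port {80, 443} keep state queue http-in",
    "pass out proto tcp from fxp1 to any port {80,443} keep state queue http-out",
    "pass out from fxp1 to 209.69.178.16/28 queue local")]
```

Reversing the rule order (so the local rule comes first) makes the same local HTTP packet land in http-out instead, which is exactly the misassignment the author warns about.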

You can repeat this setup for any rules that you want. We give a detailed example in Appendix B.

Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298