Packet Queuing and Prioritization

Background / Getting Started

An OpenBSD box can queue packets on a network that it services so that certain traffic is prioritized over other traffic when the network is congested. This can be done in two ways: by user or by class. Queuing by user allots each user a certain portion of the network bandwidth. From that portion the administrator can either set a specific allotment for each protocol or define a pool of bandwidth to be shared between protocols.

On a class-based queue, certain types of traffic are given priority according to the administrator's wishes. For example:

pass out on fxp0 from any to any port 22 queue(ssh_bulk, ssh_login)

This rule passes packets out on the interface fxp0, from any source to any destination on port 22, and assigns them to a pair of queues named ssh_bulk and ssh_login. This works because ssh login sessions have a type of service with low delay, which allows a second queue name to be given to the queue keyword. With this setup, packets for ssh login sessions are sent to the ssh_login queue because they have a low delay type, whereas packets from SCP and SFTP services are sent to ssh_bulk. If the ssh_login queue has a higher priority than the ssh_bulk queue, its packets will be placed ahead of those from SCP and SFTP.

When defining these queues, a network administrator can specify their priority, how much bandwidth they are allotted by default, and whether a queue is allowed to borrow bandwidth from other queues should it become bogged down. These rules are placed in a file called pf.conf on the OpenBSD box. Rules that name an interface, like fxp0 in the example, refer to the internet-facing interface of the router.

Steps

  1. Work out the network policy for the LAIR.
  2. Write up the rules for the policy. Make sure these rules:
    1. Enable queuing on the outbound interface.
    2. Set the queue type to be Priority Based Queuing.
    3. Allot a portion of the network bandwidth to SSH login sessions and allow it to borrow from other queues.
    4. Set SSH login sessions to be a higher priority than other traffic.
  3. Implement these rules on the router.
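
One possible pf.conf fragment that carries out step 2, added here as an example and not taken from the original page. It uses the ALTQ syntax that matches the rule above and the cbq scheduler, because borrow is a cbq queue option and cbq queues also carry a priority. The 2Mb uplink, the std queue name, and all percentages and priority values are assumed.

```pf
# pf.conf fragment (ALTQ syntax). Added example; all values are assumptions.

# Internet-facing interface of the router, as in the rule above.
ext_if = "fxp0"

# Step 2.1 and 2.2: enable queuing on the outbound interface and pick the
# scheduler. cbq is used here because "borrow" is only available with cbq.
# 2Mb is an assumed uplink speed; set it to the real upstream bandwidth.
altq on $ext_if cbq bandwidth 2Mb queue { std, ssh }

# Default queue: everything that no rule assigns to another queue.
queue std bandwidth 80% priority 1 cbq(default borrow)

# Parent queue holding the share reserved for all SSH traffic.
queue ssh bandwidth 20% cbq(borrow) { ssh_login, ssh_bulk }

# Step 2.3 and 2.4: interactive logins get their own allotment (a percentage
# of the parent ssh queue), may borrow when they need more, and have the
# highest cbq priority (7) so they are served first under congestion.
queue ssh_login bandwidth 50% priority 7 cbq(borrow)

# SCP and SFTP transfers: same parent, lowest priority.
queue ssh_bulk bandwidth 50% priority 0 cbq(borrow)

# Assign outbound SSH to the queue pair. Packets with a low delay type of
# service go to the second queue (ssh_login), the rest go to ssh_bulk.
pass out on $ext_if proto tcp from any to any port 22 queue(ssh_bulk, ssh_login)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -vs queue` afterwards to confirm that packets are being counted in ssh_login and ssh_bulk.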

Extra Reading

user/mtaft4/portfolio/openbsd_prioritization.txt · Last modified: 2011/05/18 01:59 by mtaft4