i have two questions actually...
i need to block certain ports with openbsd and PF in a large lan, the firewall is supposed to be a router between the internet and the first lan switch.
first of all, would this work at all in theory?
second, i tried doing this a few days ago at a huge lan but i just couldn't do it and still i was following all the OpenBSD.org instructions in their PF user guide, i did get internet working on the bsd box with a DNS server to connect to and two ethernet cards that worked only i could only connect to one of them not the other even though i had set an ip on both so i never got that firewall working so i was wonderig if anyone could help me.
second question is, would it be possible to in this lan mentioned above cap the bandwidth on most of the lan but not on the crews computers, and if this is possible could anyone point me to a nice tutorial about it or tell me how.
Given your description it would be difficult to help you. Give a more detailed description of your network, what kind of switch are you using? how many hosts are there? what kind of connection have you got to the internet? Is pf enabled in /etc/rc.conf? Something as serious as a firewall, on large network could end up giving you an ulcer! I am currently configuring a OpenBSD firewall in a similar senario, prior to deploying the firewall on a production network I've been testing it in a lab.
To answer your second question on 'capping' yes is the answer, the pf man page refers to it as 'queueing'.
well standard 10/100 switches and around 100 clients in the networkwith static ips and internet is connecting to a DNS server on the outside via a small hub that goes onto a dish and a radio link but thats not important.
we are working on getting a few routers in this network and we might get more clients soon.