Hi,

________________________________
> From: Henning Brauer <lists-open...@bsws.de>
> To: misc@openbsd.org
> Sent: Monday, March 26, 2012 3:26 AM
> Subject: Re: PF and prio keyword

> * Theron ZORBAS <theronzor...@yahoo.com> [2012-03-25 19:38]:
> > My question is about using prio keyword. Can anyone help me with this
> > little pf.conf below. Is it smart/advisable config or just a time
> > wasting expectation?
>
> it does make sense.
>
> two gotchas:
> 1) priority queueing really only has an effect when you see a lot of
> traffic and/or your box is very loaded.
>
> 2) please consider prio experimental for now until I am done with the
> rest of the new queueing subsystem. foremost, and this is the really
> big gotcha, "prio 5" will likely match on packets with priority 5
> instead of setting it. yes, i know, sorry guys, sometimes it takes a
> while to get a really clear picture on where we want to head.

Thank you so much Henning, I've got the point.
Also I'm very excited about the new queueing subsystem.

> > #Macros
> > int_if="re1"
>
> one thing i almost always do these days and recommend:
>   ifconfig re1 group int (aka "group int" in hostname.re1)
> and then just use "int" wherever you have $int_if now.

This is great! I had not seen this feature before. Now I can have fewer
rules, by grouping the interfaces that share the same firewall policies.

> > #Tables
> > table <Loosers> { 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 }
> > table <Users> { 192.168.1.21 192.168.1.22 192.168.1.23 192.168.1.24 }
> > table <Admins> { 192.168.1.100 192.168.1.101 }
> > #NAT private Networks
> > match out on egress inet from $int_if:network to any nat-to (egress)
> > #Default FW policy
> > block log all
> > #Always pass from my house
> > pass log quick from 194.30.xxx.YYY prio 7
> > #Loosers with very low priority
> > pass in log quick on $int_if from <Loosers> prio 0
> > #Users with a standard priority
> > pass in log quick on $int_if from <Users> prio 3
> > #Admins have the highest priority
> > pass in log quick on $int_if from <Admins> prio 7

> that might be a bit excessive logging :)

I was only trying to express myself. I am not that much of a despot :)

> > #pass out from "the" interfaces
> > pass out from ($int_if)
> > pass out from (egress)
>
> -- 
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/

--
Theron ZORBAS
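As an added example (not part of this thread, and not Henning's or Theron's configuration), here is the quoted pf.conf rewritten the way the two replies above suggest: the `int_if` macro is replaced by an interface group named `int`, set from `hostname.re1`, and the priority rules use the `set prio` form that current OpenBSD pf provides, where a bare `prio N` only matches packets already carrying priority N (exactly the change Henning warns about). The hostname.re1 address is a constructed sample; the table contents and the 194.30.xxx.YYY placeholder are left as in the quoted message. Logging is kept only on the default block rule, per the "excessive logging" remark.

```conf
# /etc/hostname.re1  (re1 is assumed to be the inside NIC, as in the quoted config;
# the address below is a constructed sample)
inet 192.168.1.1 255.255.255.0
group int

# /etc/pf.conf
# "int" is an interface group, like the built-in "egress" group, so no
# $int_if macro is needed; every interface added to the group inherits these rules.
table <Loosers> { 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 }
table <Users>   { 192.168.1.21 192.168.1.22 192.168.1.23 192.168.1.24 }
table <Admins>  { 192.168.1.100 192.168.1.101 }

# NAT for the inside network(s) attached to any interface in group "int"
match out on egress inet from int:network to any nat-to (egress)

# Default policy: block and log only what is dropped
block log all

# Always pass from my house (placeholder address as in the original post)
pass quick from 194.30.xxx.YYY set prio 7

# "set prio N" assigns the priority; a bare "prio N" would instead only
# match packets that already have priority N.
pass in quick on int from <Loosers> set prio 0
pass in quick on int from <Users>  set prio 3
pass in quick on int from <Admins> set prio 7

pass out on int
pass out on egress
```

Before loading, `pfctl -nf /etc/pf.conf` parses the ruleset without applying it, and `ifconfig int` lists the interfaces currently in the group, which is a quick way to confirm that `group int` took effect after a `sh /etc/netstart re1`. As Henning notes, the priority assignments only become visible under load; on an idle link the rules pass traffic identically whether or not `set prio` is present.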
