On Wed, 17 Apr 2013 03:32:52 +1000
John Tate <j...@johntate.org> wrote:

> I am adding queueing to my pf based nat for my home network. Since
> there isn't a complete example involving nat and queuing I am not
> entirely sure where to put things. I've read the manual and I think I
> put things before the rdr-to rules. I also have a transparent ftp and
> http proxy. I am not entirely sure if I put it before or after the
> divert-to rules. I just need someone to show me where in the pf.conf
> I've already done I should put things.
> 
> I need to add the lines like these...
> block out on $ext_if all

Before everything else. Last match wins!

> pass out on $ext_if inet proto tcp from ($ext_if) \
>         queue (std_out, tcp_ack_out)
> (And so on, including for incoming traffic on $int_if)

I'm not sure whether queue rules are sticky, but later matching ones
will overwrite earlier ones I'd guess, so put them as late as possible.
I'd also put the nat rules as "match" rules at the very end, so you
don't "forget" the real source address/port too early.

Christopher

> 
> My current pf.conf...
> # grep -v '^#' /etc/pf.conf
> 
> int_if="fxp0"
> ext_if="pppoe0"
> 
> murphy="10.0.0.2"
> fekete="10.0.0.3"
> 
> murphy_ports = "{ 8333 }"
> fekete_ports = "{ 17001, 39191, 5938, 2222 }"
> 
> tcp_services="{ 22 }"
> icmp_types="echoreq"
> 
> set skip on lo
> 
> pass in quick on $int_if inet proto tcp to port http \
>         divert-to 127.0.0.1 port 3128
> 
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp to port ftp \
>         divert-to 127.0.0.1 port 8021
> 
> 
> match out on egress inet from !(egress:network) to any \
>         nat-to (egress:0)
> 
> pass            # to establish keep-state
> 
> block in on ! lo0 proto tcp to port 6000:6010
> 
> block in log
> pass out quick
> 
> antispoof quick for { lo $int_if }
> 
> pass in on egress inet proto tcp from any to (egress) \
>         port $tcp_services
> 
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
> 
> pass in on egress inet proto tcp to (egress) port $murphy_ports \
>         rdr-to $murphy
> pass in on egress inet proto tcp to (egress) port $fekete_ports \
>         rdr-to $fekete
> 
> pass in inet proto icmp all icmp-type $icmp_types
> 
> pass in on $int_if
> 
> 
> -- 
> www.johntate.org
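The following pf.conf is an added example, not John's config or anything Christopher posted: it lays out the ordering Christopher describes (default-deny blocks first, the queue assignments as late as possible, nat-to as a match rule at the very end) using the ALTQ queue syntax John's queue rule is written in. Interface names, addresses, port lists, the bandwidth figure and the queue names are assumptions; adjust them to the real network.

```pf
# Added example (not from the original thread).  Interface names,
# addresses, ports, bandwidth and queue names are placeholders.
int_if="fxp0"
ext_if="pppoe0"
murphy="10.0.0.2"
murphy_ports="{ 8333 }"
tcp_services="{ 22 }"

set skip on lo

# ALTQ priority queue on the external interface.  std_out is the
# default queue; tcp_ack_out gets the highest priority so empty ACKs
# are not stuck behind bulk uploads.  1Mb is a placeholder uplink rate.
altq on $ext_if priq bandwidth 1Mb queue { std_out, tcp_ack_out }
queue std_out priq(default)
queue tcp_ack_out priority 7

# Transparent proxies keep their quick rules: evaluation stops at the
# first matching quick rule, so nothing below can re-handle this traffic.
pass in quick on $int_if inet proto tcp to port http \
        divert-to 127.0.0.1 port 3128
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp \
        divert-to 127.0.0.1 port 8021

# Default deny before everything else: last match wins, so every pass
# rule below overrides these for the traffic it matches.
block in log
block out on $ext_if all
antispoof quick for { lo $int_if }

# Inbound services and port forwards to LAN hosts.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services
pass in on $ext_if inet proto tcp to ($ext_if) port $murphy_ports \
        rdr-to $murphy
pass in inet proto icmp all icmp-type echoreq
pass in on $int_if

# Queue assignments on the outbound pass rules, placed as late as
# possible so no later rule reassigns the queue.  No "from" clause:
# nat-to is only applied by the match rule at the end, so these rules
# still see the LAN source address, not ($ext_if).  With the two-queue
# form, ACK-only packets (and other low-delay traffic) go to the second
# queue; everything else goes to the first.
pass out on $ext_if inet proto tcp queue (std_out, tcp_ack_out)
pass out on $ext_if inet queue std_out

# nat-to as a match rule at the very end, as suggested above, so the
# real source address/port is not "forgotten" before the rules above
# have seen it.
match out on $ext_if inet from !($ext_if:network) to any \
        nat-to ($ext_if:0)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading confirm that traffic is actually landing in the intended queues with `pfctl -vvs queue`; if the tcp_ack_out counters stay at zero while uploading, the queue assignment is being overridden by a later matching rule or the assigning rule is not being reached.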