Well I had the bandwidth the wrong way around for my internet connection.
I've been trying the other changes and now I have problems, I'm pretty
sure I need to put _out and _in on the end...

# pfctl -nf /etc/pf.conf
/etc/pf.conf:39: exactly one scheduler type per interface allowed
/etc/pf.conf:39: errors in queue definition
/etc/pf.conf:40: priq doesn't take bandwidth
/etc/pf.conf:40: errors in queue definition
/etc/pf.conf:41: priq doesn't take bandwidth
/etc/pf.conf:41: errors in queue definition
/etc/pf.conf:42: priq doesn't take bandwidth
/etc/pf.conf:42: errors in queue definition

# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if="fxp0"
ext_if="pppoe0"

#networks
local_net="10.0.0.0/8"

#hosts
murphy="10.0.0.2"
fekete="10.0.0.3"

#host port forwarding
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, 2222 }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, 2222 }"
im_ports = "{ 1863, 5190, 5222 }"

#queues
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
queue std priq(default)
queue ssh_im priority 4 priq(red)
queue dns priority 5
queue game priority 6
queue tcp_ack priority 7

altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
queue std bandwidth 5000Kb cbq(default)
queue ssh_im bandwidth 200Kb priority 4
queue dns bandwidth 200Kb priority 5
queue game bandwidth 200Kb priority 6
queue fekete bandwidth 1900Kb cbq(borrow)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp

#block in quick from urpf-failed to any     # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto tcp queue(std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
match inet proto tcp to port 27000:27050 queue game
match from $fekete queue fekete
match to $fekete queue fekete

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2013-04-17, John Tate <j...@johntate.org> wrote:
> > Well the ruleset loads, can anyone do a quick check of this in case I've
> > done something stupid. I've never used match rules before. I'm not really
> > sure how to test queueing to see if it works.
>
> see "systat queue"; run it as root.
>
> > #queues
> > altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out,
> > tcp_ack_out }
> > queue std_out priq(default)
> > queue ssh_im_out priority 4 priq(red)
> > queue dns_out priority 5
> > queue tcp_ack_out priority 6
> >
> > altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in,
> > fekete_in }
> > queue std_in bandwidth 175Kb cbq(default)
> > queue ssh_im_in bandwidth 75Kb priority 4
> > queue dns_in bandwidth 50Kb priority 5
> > queue fekete_in bandwidth 50Kb cbq(borrow)
>
> Using separate queue names for _in and _out is really awkward when you
> use stateful firewall rules; try something along these lines instead:
>
> altq on $ext_if priq bandwidth 7500Kb queue { std, ssh_im, dns, tcp_ack }
> queue std on $ext_if priq(default)
> queue ssh_im on $ext_if priority 4 priq(red)
> queue dns on $ext_if priority 5
> queue tcp_ack on $ext_if priority 6
>
> altq on $int_if cbq bandwidth 350Kb queue { std, ssh_im, dns, fekete }
> queue std on $int_if bandwidth 175Kb cbq(default)
> queue ssh_im on $int_if bandwidth 75Kb priority 4
> queue dns on $int_if bandwidth 50Kb priority 5
> queue fekete on $int_if bandwidth 50Kb cbq(borrow)
>
> match inet proto tcp queue(std, tcp_ack)
> match inet proto { tcp udp } to port domain queue dns
> match inet proto tcp to port $ssh_ports queue(std, ssh_im)
> match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
> match from $fekete queue fekete
> match to $fekete queue fekete
>
> ... although unless your internet connection is rather strange,
> the bandwidth figures are the wrong way round; this limits to 7500Kb
> for traffic sent out of $ext_if (to the internet, I presume) and
> 350Kb sent out of $int_if (traffic from the firewall or from the
> internet to local machines)
>

-- 
www.johntate.org
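The errors at lines 39-42 come from the queue definitions having no interface: a queue named in both altq lists (std, ssh_im, dns, game) gets its definition applied to both schedulers, so the priq lines land on the cbq interface and vice versa. The queue block below is an added example, not part of either message; it binds every queue with "on <if>" as in Stuart's reply and keeps the interface names, queue names and the corrected bandwidth figures from the posted ruleset.

```conf
#queues
# "on $ext_if" / "on $int_if" ties each definition to one scheduler, so
# the shared names (std, ssh_im, dns, game) no longer trigger
# "exactly one scheduler type per interface allowed" or
# "priq doesn't take bandwidth".

# upstream, towards the internet: 350Kb, priority-only scheduler
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
queue std on $ext_if priq(default)
queue ssh_im on $ext_if priority 4 priq(red)
queue dns on $ext_if priority 5
queue game on $ext_if priority 6
queue tcp_ack on $ext_if priority 7

# downstream, towards the LAN: 7500Kb, class-based with bandwidth shares
# (5000 + 200 + 200 + 200 + 1900 = 7500, so the children fill the parent)
altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
queue std on $int_if bandwidth 5000Kb cbq(default)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 200Kb priority 6
queue fekete on $int_if bandwidth 1900Kb cbq(borrow)

# the existing match rules keep working unchanged, because a name such
# as "ssh_im" now resolves to whichever interface's queue the packet
# actually leaves on; a name missing on that interface (tcp_ack on
# $int_if, fekete on $ext_if) falls back to that interface's default queue
```

Check the result with pfctl -nf /etc/pf.conf before loading it; once loaded, "systat queue" as root (as Stuart suggested) shows per-queue packet and byte counts, which is the quickest way to confirm that ssh, DNS and game traffic is landing where intended.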