Oh wait, I've forgotten to specify the interface.
On Thu, Apr 18, 2013 at 5:45 AM, John Tate <j...@johntate.org> wrote:
> Well I had the bandwidth the wrong way around for my internet connection.
>
> I've been trying the other changes and now I have problems, I'm pretty
> sure I need to put _out and _in on the end...
> # pfctl -nf /etc/pf.conf
> /etc/pf.conf:39: exactly one scheduler type per interface allowed
> /etc/pf.conf:39: errors in queue definition
> /etc/pf.conf:40: priq doesn't take bandwidth
> /etc/pf.conf:40: errors in queue definition
> /etc/pf.conf:41: priq doesn't take bandwidth
> /etc/pf.conf:41: errors in queue definition
> /etc/pf.conf:42: priq doesn't take bandwidth
> /etc/pf.conf:42: errors in queue definition
>
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or
> net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> #interfaces
> int_if="fxp0"
> ext_if="pppoe0"
>
> #networks
> local_net="10.0.0.0/8"
>
> #hosts
> murphy="10.0.0.2"
> fekete="10.0.0.3"
>
> #host port forwarding
> murphy_ports = "{ 8333 }"
> fekete_ports = "{ 17001, 39191, 5938, 2222 }"
>
> #other
> tcp_services="{ 22 }"
> icmp_types="echoreq"
>
> #queue ports
> ssh_ports = "{ 22, 2222 }"
> im_ports = "{ 1863, 5190, 5222 }"
>
> #queues
> altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack,
> game }
> queue std priq(default)
> queue ssh_im priority 4 priq(red)
> queue dns priority 5
> queue game priority 6
> queue tcp_ack priority 7
>
> altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete,
> game }
> queue std bandwidth 5000Kb cbq(default)
> queue ssh_im bandwidth 200Kb priority 4
> queue dns bandwidth 200Kb priority 5
> queue game bandwidth 200Kb priority 6
> queue fekete bandwidth 1900Kb cbq(borrow)
>
> set skip on lo
>
> # this is the squid proxy line
> pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
> port 3128
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1
> port 8021
>
> # anchor for relayd(8)
> #anchor "relayd/*"
>
> #nat rule for all interfaces
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> pass # to establish keep-state
>
> # rules for spamd(8)
> #table <spamd-white> persist
> #table <nospamd> persist file "/etc/mail/nospamd"
> #pass in on egress proto tcp from any to any port smtp \
> # rdr-to 127.0.0.1 port spamd
> #pass in on egress proto tcp from <nospamd> to any port smtp
> #pass in log on egress proto tcp from <spamd-white> to any port smtp
> #pass out log on egress proto tcp to any port smtp
>
> #block in quick from urpf-failed to any # use with care
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
> block in log
> pass out quick
>
> match inet proto tcp queue(std, tcp_ack)
> match inet proto { tcp udp } to port domain queue dns
> match inet proto tcp to port $ssh_ports queue(std, ssh_im)
> match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
> match inet proto tcp to port 27000:27050 queue game
> match from $fekete queue fekete
> match to $fekete queue fekete
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
> port $tcp_services
>
> #FTP
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
>
> #nat port redirects
> #pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
> pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to
> $murphy
> pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to
> $fekete
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> pass in on $int_if
>
>
>
> On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson <s...@spacehopper.org> wrote:
>
>> On 2013-04-17, John Tate <j...@johntate.org> wrote:
>> > Well the ruleset loads, can anyone do a quick check of this in case I've
>> > done something stupid. I've never used match rules before. I'm not
>> really
>> > sure how to test queueing to see if it works.
>>
>> see "systat queue"; run it as root.
>>
>> > #queues
>> > altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out,
>> dns_out,
>> > tcp_ack_out }
>> > queue std_out priq(default)
>> > queue ssh_im_out priority 4 priq(red)
>> > queue dns_out priority 5
>> > queue tcp_ack_out priority 6
>> >
>> > altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in,
>> > fekete_in }
>> > queue std_in bandwidth 175Kb cbq(default)
>> > queue ssh_im_in bandwidth 75Kb priority 4
>> > queue dns_in bandwidth 50Kb priority 5
>> > queue fekete_in bandwidth 50Kb cbq(borrow)
>>
>> Using separate queue names for _in and _out is really awkward when you
>> use stateful firewall rules; try something along these lines instead:
>>
>> altq on $ext_if priq bandwidth 7500Kb queue { std, ssh_im, dns, tcp_ack }
>> queue std on $ext_if priq(default)
>> queue ssh_im on $ext_if priority 4 priq(red)
>> queue dns on $ext_if priority 5
>> queue tcp_ack on $ext_if priority 6
>>
>> altq on $int_if cbq bandwidth 350Kb queue { std, ssh_im, dns, fekete }
>> queue std on $int_if bandwidth 175Kb cbq(default)
>> queue ssh_im on $int_if bandwidth 75Kb priority 4
>> queue dns on $int_if bandwidth 50Kb priority 5
>> queue fekete on $int_if bandwidth 50Kb cbq(borrow)
>>
>> match inet proto tcp queue(std, tcp_ack)
>> match inet proto { tcp udp } to port domain queue dns
>> match inet proto tcp to port $ssh_ports queue(std, ssh_im)
>> match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
>> match from $fekete queue fekete
>> match to $fekete queue fekete
>>
>> ... although unless your internet connection is rather strange,
>> the bandwidth figures are the wrong way round; this limits to 7500Kb
>> for traffic sent out of $ext_if (to the internet, I presume) and
>> 350Kb sent out of $int_if (traffic from the firewall or from the
>> internet to local machines)
>>
>>
>
>
> --
> www.johntate.org
>

--
www.johntate.org
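As an added example, not part of the thread: the queue section of the pf.conf quoted above with the interface named on every queue line, which is the change Stuart's reply shows and that John says he left out, keeping John's own bandwidth figures and priorities. A queue line without "on" is applied to every interface whose altq lists that queue name, so the shared names std, ssh_im, dns and game pulled the cbq bandwidth lines onto the priq interface; naming the interface keeps each scheduler's queues separate.

```conf
#queues
# Corrected queue definitions (added example, not from the thread).
# Each queue line names its interface, so the same queue names can be
# reused on $ext_if and $int_if without the two schedulers colliding.
# Check with:  pfctl -nf /etc/pf.conf

# upstream (towards the internet): priq, no per-queue bandwidth
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
queue std on $ext_if priq(default)
queue ssh_im on $ext_if priority 4 priq(red)
queue dns on $ext_if priority 5
queue game on $ext_if priority 6
queue tcp_ack on $ext_if priority 7

# downstream (towards the LAN): cbq, child bandwidths sum to the parent's 7500Kb
altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
queue std on $int_if bandwidth 5000Kb cbq(default)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 200Kb priority 6
queue fekete on $int_if bandwidth 1900Kb cbq(borrow)
```

The match rules from the quoted config can stay as they are, since they refer to queues by name and pf picks the queue of that name on whichever interface the packet leaves; "systat queue" as root shows whether traffic is landing in the intended queues.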