Oh wait, I've forgotten to specify the interface.

On Thu, Apr 18, 2013 at 5:45 AM, John Tate <j...@johntate.org> wrote:

> Well I had the bandwidth the wrong way around for my internet connection.
>
> I've been trying the other changes and now I have problems, I'm pretty
> sure I need to put _out and _in on the end...
> # pfctl -nf /etc/pf.conf
> /etc/pf.conf:39: exactly one scheduler type per interface allowed
> /etc/pf.conf:39: errors in queue definition
> /etc/pf.conf:40: priq doesn't take bandwidth
> /etc/pf.conf:40: errors in queue definition
> /etc/pf.conf:41: priq doesn't take bandwidth
> /etc/pf.conf:41: errors in queue definition
> /etc/pf.conf:42: priq doesn't take bandwidth
> /etc/pf.conf:42: errors in queue definition
>
> # cat /etc/pf.conf
> #       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> #interfaces
> int_if="fxp0"
> ext_if="pppoe0"
>
> #networks
> local_net="10.0.0.0/8"
>
> #hosts
> murphy="10.0.0.2"
> fekete="10.0.0.3"
>
> #host port forwarding
> murphy_ports = "{ 8333 }"
> fekete_ports = "{ 17001, 39191, 5938, 2222 }"
>
> #other
> tcp_services="{ 22 }"
> icmp_types="echoreq"
>
> #queue ports
> ssh_ports = "{ 22, 2222 }"
> im_ports = "{ 1863, 5190, 5222 }"
>
> #queues
> altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack, game }
> queue std               priq(default)
> queue ssh_im            priority 4 priq(red)
> queue dns               priority 5
> queue game              priority 6
> queue tcp_ack           priority 7
>
> altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete, game }
> queue std               bandwidth 5000Kb cbq(default)
> queue ssh_im            bandwidth 200Kb priority 4
> queue dns               bandwidth 200Kb priority 5
> queue game              bandwidth 200Kb priority 6
> queue fekete            bandwidth 1900Kb cbq(borrow)
>
> set skip on lo
>
> # this is the squid proxy line
> pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> # anchor for relayd(8)
> #anchor "relayd/*"
>
> #nat rule for all interfaces
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> pass            # to establish keep-state
>
> # rules for spamd(8)
> #table <spamd-white> persist
> #table <nospamd> persist file "/etc/mail/nospamd"
> #pass in on egress proto tcp from any to any port smtp \
> #    rdr-to 127.0.0.1 port spamd
> #pass in on egress proto tcp from <nospamd> to any port smtp
> #pass in log on egress proto tcp from <spamd-white> to any port smtp
> #pass out log on egress proto tcp to any port smtp
>
> #block in quick from urpf-failed to any # use with care
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
> block in log
> pass out quick
>
> match inet proto tcp queue(std, tcp_ack)
> match inet proto { tcp udp } to port domain queue dns
> match inet proto tcp to port $ssh_ports queue(std, ssh_im)
> match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
> match inet proto tcp to port 27000:27050 queue game
> match from $fekete queue fekete
> match to $fekete queue fekete
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
>         port $tcp_services
>
> #FTP
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
>
> #nat port redirects
> #pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
> pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
> pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> pass in on $int_if
>
>
>
> On Wed, Apr 17, 2013 at 8:32 PM, Stuart Henderson <s...@spacehopper.org> wrote:
>
>> On 2013-04-17, John Tate <j...@johntate.org> wrote:
>> > Well the ruleset loads, can anyone do a quick check of this in case I've
>> > done something stupid. I've never used match rules before. I'm not
>> really
>> > sure how to test queueing to see if it works.
>>
>> see "systat queue"; run it as root.
>>
>> > #queues
>> > altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
>> > queue std_out           priq(default)
>> > queue ssh_im_out        priority 4 priq(red)
>> > queue dns_out           priority 5
>> > queue tcp_ack_out       priority 6
>> >
>> > altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in, fekete_in }
>> > queue std_in            bandwidth 175Kb cbq(default)
>> > queue ssh_im_in         bandwidth 75Kb  priority 4
>> > queue dns_in            bandwidth 50Kb  priority 5
>> > queue fekete_in         bandwidth 50Kb  cbq(borrow)
>>
>> Using separate queue names for _in and _out is really awkward when you
>> use stateful firewall rules; try something along these lines instead:
>>
>> altq on $ext_if priq bandwidth 7500Kb queue { std, ssh_im, dns, tcp_ack }
>> queue std on $ext_if           priq(default)
>> queue ssh_im on $ext_if        priority 4 priq(red)
>> queue dns on $ext_if           priority 5
>> queue tcp_ack on $ext_if       priority 6
>>
>> altq on $int_if cbq bandwidth 350Kb queue { std, ssh_im, dns, fekete }
>> queue std on $int_if           bandwidth 175Kb cbq(default)
>> queue ssh_im on $int_if        bandwidth 75Kb  priority 4
>> queue dns on $int_if           bandwidth 50Kb  priority 5
>> queue fekete on $int_if        bandwidth 50Kb  cbq(borrow)
>>
>> match inet proto tcp queue(std, tcp_ack)
>> match inet proto { tcp udp } to port domain queue dns
>> match inet proto tcp to port $ssh_ports queue(std, ssh_im)
>> match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
>> match from $fekete queue fekete
>> match to $fekete queue fekete
>>
>> ... although unless your internet connection is rather strange,
>> the bandwidth figures are the wrong way round; this limits to 7500Kb
>> for traffic sent out of $ext_if (to the internet, I presume) and
>> 350Kb sent out of $int_if (traffic from the firewall or from the
>> internet to local machines)
>>
>>
>
>
> --
> www.johntate.org
>



-- 
www.johntate.org

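For reference, here is the queue section of the posted ruleset with the interface-qualified queue definitions Stuart suggested applied to the full set of queues (including the game queue and the corrected 350Kb up / 7500Kb down figures). This is an added example, not text from either poster: interface names, hosts, ports and bandwidths are taken from the thread, the layout and comments are mine, and the failing lines are kept commented out so the two forms can be compared side by side.

```pf
# Added example (not from the thread): the queue section of the posted
# pf.conf with the missing "on <interface>" added. Interfaces, hosts, ports
# and the 350Kb up / 7500Kb down figures come from the thread; the rest is
# assumed for illustration.
int_if="fxp0"
ext_if="pppoe0"
fekete="10.0.0.3"
ssh_ports="{ 22, 2222 }"
im_ports="{ 1863, 5190, 5222 }"

# Broken form (kept commented out for comparison). A queue definition that
# names no interface is attached to the altq declaration that already owns a
# queue of that name, so these bind to the priq scheduler on $ext_if and
# pfctl rejects them:
#   queue std      bandwidth 5000Kb cbq(default)  # exactly one scheduler type per interface allowed
#   queue ssh_im   bandwidth 200Kb priority 4     # priq doesn't take bandwidth

# Upstream (packets leaving $ext_if): priority queueing inside 350Kb.
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, game, tcp_ack }
queue std     on $ext_if priq(default)
queue ssh_im  on $ext_if priority 4 priq(red)
queue dns     on $ext_if priority 5
queue game    on $ext_if priority 6
queue tcp_ack on $ext_if priority 7

# Downstream (packets leaving $int_if): class-based queueing inside 7500Kb.
# Child bandwidths sum to the parent (5000+200+200+200+1900 = 7500), which
# cbq requires. The queue names match the $ext_if set, so a state tagged
# "ssh_im" lands in the ssh_im queue whichever interface a packet leaves by;
# a name with no queue on the outgoing interface (tcp_ack here) falls back
# to that interface's default queue.
altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, game, fekete }
queue std    on $int_if bandwidth 5000Kb cbq(default)
queue ssh_im on $int_if bandwidth 200Kb  priority 4
queue dns    on $int_if bandwidth 200Kb  priority 5
queue game   on $int_if bandwidth 200Kb  priority 6
queue fekete on $int_if bandwidth 1900Kb cbq(borrow)

# Queue assignment on stateful match rules. With queue(a, b) the second
# queue takes packets with the lowdelay TOS bit and empty TCP ACKs, so bulk
# transfers in one direction do not starve the ACKs of the other. The
# assignment is stored in the state and applies to both directions.
match inet proto tcp queue(std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
match inet proto tcp to port 27000:27050 queue game
# Last matching match rule wins, so these two override the per-port
# assignments above for anything to or from this host.
match from $fekete queue fekete
match to $fekete queue fekete
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf` (parse only, as in the thread), load with `pfctl -f /etc/pf.conf`, then watch the per-queue packet and drop counters with `systat queue` as root or `pfctl -s queue -v`; traffic that shows up only in the default queue means a match rule is not catching it.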