Hi,
Is there any way to disable/flush pf queues (as was possible with ALTQ)?
I tried with `pfctl -d; pfctl -e; pfctl -f /etc/pf.conf` but I got an
error:
pfctl: DIOCXCOMMIT: Invalid argument
The only reference I could find was this:
http://marc.info/?l=openbsd-tech&m=140421855720135&w=2
Is this a known behavior?
After this error, the only way to load my rulesets was to reboot.
I'm still trying to figure out why my queues don't limit the maximum
bandwidth.
Thanks for your time.
----------------------
pf.conf
----------------------
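### Interfaces ###
# External (upstream) interface; the queue tree below is attached to it.
ExtIf = "em0"
# Internal LAN (tagged VLAN).
IntIf = "vlan41"
# Guest "FreeWifi" network (tagged VLAN).
Free = "vlan81"
# Loopback address used as a rdr-to target. Some rules below use the bare
# interface name "lo0" instead of "$lo0"; both land on loopback, but one
# form should be used consistently.
lo0 = "127.0.0.1"
### Hosts ###
# LAN hosts on 192.168.1.0/24.
vl = "192.168.1.2"
jl = "192.168.1.3"
ve = "192.168.1.4"
ntp = "192.168.1.5"
rpi = "192.168.1.7"
dpc11 = "192.168.1.11"
sam = "192.168.1.16"
# Servers on 10.10.10.0/24. They are reached through $IntIf (see the
# $IntIf outbound rules) but are not covered by the $IntIf:network NAT
# match below — confirm whether these hosts are meant to reach the
# internet at all.
cs_serv = "10.10.10.254"
mc_serv = "10.10.10.253"
mc_serv1 = "10.10.10.252"
r2_serv = "10.10.10.240"
w7_rdc = "10.10.10.241"
dpc21 = "192.168.1.21"
# NOTE(review): jl, ntp, rpi, dpc11, r2_serv and dpc21 are not referenced
# by any active rule in this file (ntp only in a commented-out rule).
### Ports ###
# Whole port range split in two; used to pick bulk vs. default queues for
# outbound $ExtIf traffic. The more specific port rules must stay after
# these in the ruleset because pf is last-match-wins.
low_ports = "0:1023"
hi_ports = "1024:65535"
# Used only to select the "web" queues on outbound TCP; despite the name it
# also lists ssh, rdp, vnc and X11 ports. (Was wrapped over two lines in
# the mail; a macro value must stay on one line.)
web = "{20, 21, 22, 25, 80, 443, 2222, 3389, 5900, 6000, 7777, 8080 }"
# External-side ports that are redirected to internal services below.
ssh_extif = "2222"
rdc = "3389"
rdc_extif = "4910"
rdc_r2 = "5511"
rdc_w7 = "5522"
squid = "8080"
squid_extif = "8080"
# Per-host Skype / uTorrent listening ports, forwarded from $ExtIf.
vl_skype = "30001"
jl_skype = "30002"
ve_skype = "30003"
vl_torrent = "30004"
jl_torrent = "30005"
ve_torrent = "30006"
vl_hfs = "8081"
# Local ftp-proxy(8) listener; LAN ftp is diverted to it.
ftp_proxy = "8021"
symux = "2100"
ftp = "21"
vnc_ext = "59001"
vnc_int = "5900"
sftp = "22222"
# IKE, L2TP and NAT-T — npppd / isakmpd.
l2tp = "{ 500, 1701, 4500 }"
mine = "25565"
mine1 = "25566"
# Classic traceroute UDP range.
trace = "33434:33498"
cs16 = "27000:27018"
q3 = "27960:27963"
ventrilo = "3784"
# NOTE(review): rdc_r2, jl_skype, jl_torrent, vnc_ext, vnc_int, sftp, q3
# and ventrilo are not referenced by any active rule; mine1 only by a
# commented-out one.
### Queues, States and Types ###
# Expands to an ICMP echo-request match (used by the Ping rules).
IcmpType = "icmp-type 8 code 0"
# NOTE(review): defined but not used by any rule in this file, so synproxy
# is not in effect anywhere.
SynState = "flags S/SAFR synproxy state"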
### Tables ###
# Peering networks that get the "bg" queues and the wider service access.
# Loaded from a file at ruleset load time; the file is not shown here.
table <bgnets> file "/etc/bgnets"
# Filled at runtime by spamd / bgp-spamd, hence "persist" with no content.
table <spamd-white> persist
table <bgp-spamd-bypass> persist
# Sources allowed to use the squid redirect below.
table <proxy-users> file "/etc/proxy_users"
# Manual blocklist; empty until populated with pfctl -t BLOCK -T add.
# The address in the trailing comment is a leftover — either load it or
# drop the comment so the effective contents are not ambiguous.
table <BLOCK> persist #{ 82.119.88.70 }
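################ Options
######################################################
### Misc Options
# block-policy only affects block rules that do not say drop/return
# themselves; every block rule below states "return" explicitly, so
# enabling this line alone would change nothing.
# set block-policy drop
set loginterface $ExtIf
# Traffic is not filtered at the enc0 (IPsec decapsulation) hop; it is
# still evaluated on the interfaces it is routed to/from. Confirm that is
# intended for the vpn anchor.
set skip on { lo, enc0 }
# set optimization aggressive
# Full list is 200k entries as of March 1. (Comment moved off the value
# line; it had been wrapped onto a line of its own in the mail, which
# would not parse.)
set limit table-entries 400000
# set state-defaults pflow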
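################ Queueing
####################################################
# HFSC tree attached to $ExtIf only. pf queues shape packets leaving the
# interface the root queue is defined on, so this tree limits what goes
# out em0 (upload). Traffic delivered to $IntIf/$Free (downloads) leaves
# through interfaces with no queue and is not shaped at all — if the
# "max" values are expected to cap download rates, that is why they do
# not; a second root queue on $IntIf would be needed.
# bandwidth = link-share target, min = guaranteed share, max = hard cap.
# A child without "max" can borrow up to its parent's max.
queue rootq on $ExtIf bandwidth 98M, max 99M
# "inter": traffic to/from the general internet (rules matching "any").
# NOTE(review): the children's bandwidth values sum to 2.5M, above the 2M
# assigned here; the shares cannot all be honoured — confirm the split.
queue inter parent rootq bandwidth 2M, max 3M
queue i_ack parent inter bandwidth 1M, min 900K
queue i_dns parent inter bandwidth 500K, min 400K
queue i_ntp parent inter bandwidth 300K, min 200K
# No "max": may burst to the full 3M of "inter".
queue i_web parent inter bandwidth 500K burst 2M for 10000ms
queue i_bulk parent inter bandwidth 170K
# Default queue for unmatched outbound packets on $ExtIf.
queue i_bittor parent inter bandwidth 30K, max 1400K default
# "bg": traffic to/from <bgnets>.
# NOTE(review): children sum to 40M, above the 39M assigned here.
queue bg parent rootq bandwidth 39M, max 40M
queue b_ack parent bg bandwidth 15M, min 10M
queue b_dns parent bg bandwidth 1M, min 900K
queue b_ntp parent bg bandwidth 4M, min 3900K
queue b_rdc parent bg bandwidth 4M, min 3900K
# Rejoined: the mail wrapped ", max 37M" onto its own line, which would
# not parse. NOTE(review): burst 40M is above max 37M — confirm intent.
queue b_web parent bg bandwidth 10M, min 9M burst 40M for 5000ms, max 37M
queue b_bulk parent bg bandwidth 5M, min 4M
queue b_bittor parent bg bandwidth 1M, max 2M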
################ Translation and Filtering
###################################
### BLOCK all in/out on all interfaces by default and log
# "return" answers blocked connections with RST / ICMP unreachable. On
# $ExtIf that confirms to any prober that the host is up; "block drop" is
# the usual choice on the external side. Every rule in this file is
# "inet", so IPv6 on all three interfaces ends up here and is blocked.
block return log on $ExtIf
block return log on $IntIf
block return log on $Free
# "quick": nothing later can pass these sources. <BLOCK> is persist-only
# and therefore empty until populated at runtime.
block quick log on $ExtIf from <BLOCK>
### Network Address Translation (NAT with outgoing source port randomization)
# Three source networks hidden behind the first address of $ExtIf.
# 192.168.3.0/24 is not bound to any interface macro in this file —
# presumably the pppx/npppd client pool; confirm.
match out log on egress from $IntIf:network \
to any nat-to ($ExtIf:0)
match out log on egress from $Free:network \
to any nat-to ($ExtIf:0)
match out log on egress from 192.168.3.0/24 \
to any nat-to ($ExtIf:0)
### NAT from IntIf to FreeWifi
# LAN hosts appear as the firewall's own $Free address to guests.
match out log on $Free from $IntIf:network \
to $Free:network nat-to ($Free:0)
### Packet normalization ( "scrubbing" )
# $ExtIf only; random-id randomises the IP ID field, max-mss clamps TCP
# MSS to 1440 (reason not stated — presumably a lower-MTU upstream; confirm).
# Packets on $IntIf / $Free are not normalised.
match log on $ExtIf all scrub (random-id max-mss 1440)
### Ftp ( secure ftp proxy for LAN )
# Rules are inserted into the first anchor at runtime by ftp-proxy(8);
# the contents of the "vpn" anchor are not in this file.
anchor "ftp-proxy/*"
anchor vpn
### pppx
# No direction, protocol or address: everything on the pppx (npppd L2TP
# client) interfaces passes. Forwarded traffic is still subject to the
# "pass out" rules of the egress interface, but every service listening on
# the firewall itself is reachable from tunnel clients on any port —
# narrow this if those clients are not fully trusted.
pass log on pppx
# ESP passed on every interface (no "on"); IKE/L2TP UDP is handled by the
# $l2tp rules further down.
pass log proto esp set queue b_ack
# pass log proto gre set queue b_ack
### $ExtIf inbound ################
# pf is last-match-wins: where a "from any" rule is followed by a
# "from <bgnets>" rule for the same service, the later one wins for
# <bgnets> sources and only changes the queue (b_* instead of i_*).
# "set queue" on an inbound rule applies to the state, i.e. to the reply
# packets that leave via $ExtIf; the inbound packets themselves are not
# shaped (no queue exists on $IntIf / $Free).
# npppd
# IKE / L2TP / NAT-T, peering networks only.
pass in log on $ExtIf proto {tcp, udp} from <bgnets> \
to ($ExtIf) port $l2tp set queue b_dns
# dns nsd
pass in log on $ExtIf inet proto {tcp, udp} from any \
to ($ExtIf) port domain set queue i_dns
pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
to ($ExtIf) port domain set queue b_dns
# OpenSSH
# Reachable only from <bgnets>, on the alternate port $ssh_extif,
# redirected to sshd on loopback.
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port $ssh_extif set queue b_ack rdr-to $lo0 port ssh
# OpenSMTPD
# Order matters: bypass sources are matched "quick" and go straight to
# smtpd; everyone else is handed to spamd by the next rule; <spamd-white>
# sources are then overridden by the last rule back to smtpd.
pass in log quick on $ExtIf inet proto tcp from <bgp-spamd-bypass> \
to ($ExtIf) port smtp set queue (i_web, i_ack) rdr-to lo0
pass in log on $ExtIf inet proto tcp from any \
to ($ExtIf) port smtp rdr-to lo0 port spamd
pass in log on $ExtIf inet proto tcp from <spamd-white> \
to ($ExtIf) port smtp set queue (i_web, i_ack) rdr-to lo0
# IMAPS/SMTPS
# Mail client access is limited to <bgnets>.
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port {smtps, imaps} set queue (b_web, b_ack)
# Nginx
pass in log on $ExtIf inet proto tcp from any \
to ($ExtIf) port {www, https} set queue (i_web, i_ack) rdr-to $lo0
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port {www, https} set queue (b_web, b_ack) rdr-to $lo0
# Ntpd ( time server )
pass in log on $ExtIf inet proto udp from any \
to ($ExtIf) port ntp set queue i_ntp
pass in log on $ExtIf inet proto udp from <bgnets> \
to ($ExtIf) port ntp set queue b_ntp
# RDC_BG
# RDP on $vl and $w7_rdc is exposed, on non-standard ports, to every
# <bgnets> address. RDP is a common brute-force / exploit target; the L2TP
# VPN above would be the narrower path if those users can use it.
# The matching "pass out on $IntIf" rule exists only for $vl; $w7_rdc is
# on 10.10.10.0/24 — see the note on those hosts above.
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port $rdc_extif set queue b_rdc rdr-to $vl port $rdc
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port $rdc_w7 set queue b_rdc rdr-to $w7_rdc port $rdc
# Counter Strike
# pass in log on $ExtIf inet proto udp from <bgnets> \
# to ($ExtIf) port $cs16 set queue b_ack rdr-to $cs_serv
# MineCraft
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port $mine set queue b_ack rdr-to $mc_serv
# pass in log on $ExtIf inet proto tcp from <bgnets> \
# to ($ExtIf) port $mine1 set queue b_ack rdr-to $mc_serv1 port $mine
# Squid
# Proxy is reachable from the internet, but only from <proxy-users>.
pass in log on $ExtIf inet proto tcp from <proxy-users> \
to ($ExtIf) port $squid_extif set queue b_bulk rdr-to $lo0 port $squid
# Skype (queue INTER)
# World-reachable by design: forwarded straight to the LAN hosts.
pass in log on $ExtIf inet proto {tcp, udp} from any \
to ($ExtIf) port $vl_skype set queue i_bulk rdr-to $vl
pass in log on $ExtIf inet proto {tcp, udp} from any \
to ($ExtIf) port $ve_skype set queue i_bulk rdr-to $ve
# Skype (queue BG)
pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
to ($ExtIf) port $vl_skype set queue b_bulk rdr-to $vl
pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
to ($ExtIf) port $ve_skype set queue b_bulk rdr-to $ve
# uTorrent (queue INTER)
pass in log on $ExtIf inet proto {tcp, udp} from any \
to ($ExtIf) port $vl_torrent set queue i_bittor rdr-to $vl
pass in log on $ExtIf inet proto {tcp, udp} from any \
to ($ExtIf) port $ve_torrent set queue i_bittor rdr-to $ve
# uTorrent (queue BG)
pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
to ($ExtIf) port $vl_torrent set queue b_bittor rdr-to $vl
pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
to ($ExtIf) port $ve_torrent set queue b_bittor rdr-to $ve
# HFS
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port $vl_hfs set queue (b_web, b_ack) rdr-to $vl
# Ping
# Echo request only ($IcmpType); other ICMP types fall to the default
# block, including PMTU-related ones — confirm that is acceptable.
pass in log on $ExtIf inet proto icmp from any \
to ($ExtIf) $IcmpType set queue i_bulk
pass in log on $ExtIf inet proto icmp from <bgnets> \
to ($ExtIf) $IcmpType set queue b_bulk
### End $ExtIf inbound ###########
### $IntIf outbound ###########
# What may be delivered to LAN hosts, whatever interface it came in on
# (redirects from $ExtIf, pppx clients, $Free). Anything not listed here
# hits the default block on $IntIf.
# ntp.bsdbg.net
# pass out log on $IntIf inet proto udp from any \
# to $ntp port ntp
# RDC
pass out log on $IntIf inet proto tcp from any \
to $vl port $rdc
# Counter Strike
# All UDP to $cs_serv (10.10.10.254) is delivered via $IntIf.
pass out log on $IntIf inet proto udp from any \
to $cs_serv
# Skype
pass out log on $IntIf inet proto {tcp, udp} from any \
to $vl port $vl_skype
pass out log on $IntIf inet proto {tcp, udp} from any \
to $ve port $ve_skype
# uTorrent
pass out log on $IntIf inet proto {tcp, udp} from any \
to $vl port $vl_torrent
pass out log on $IntIf inet proto {tcp, udp} from any \
to $ve port $ve_torrent
# HFS
pass out log on $IntIf inet proto tcp from <bgnets> \
to $vl port $vl_hfs
# Allow self to reach Lan
pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
to $IntIf:network
### End $IntIf outbound ###
### $Free outbound ###
# Allow self to reach FreeWifi
# Only the firewall itself may send to guests; nothing else is delivered
# on $Free, so guests are isolated from the LAN.
pass out log on $Free inet proto {tcp, udp, icmp} from (self) \
to $Free:network
### End $Free outbound ###
### $Free inbound ###
# Allow FreeWifi to access port www and https
# "!$IntIf:network" still includes the firewall's own addresses and the
# 192.168.3.0/24 NAT range (the pppx side passes everything) — if guests
# are meant to reach only the internet, exclude those as well.
pass in log on $Free inet proto tcp from $Free:network \
to !$IntIf:network port {www, https}
# Local DNS access for FreeWifi
pass in log on $Free inet proto {tcp, udp} from $Free:network \
to $Free port domain
### End $Free inbound ###
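### $IntIf inbound ###############
# Allow all out
# "to any" includes the firewall's own addresses, so every service
# listening on the firewall is reachable from the LAN on any port; the
# symux / rdc rules below are therefore only needed where they add a
# redirect. (The mail had wrapped the continuation backslash onto its own
# line, which would not parse; rejoined here.)
pass in log on $IntIf inet proto {tcp, udp, icmp} from $IntIf:network \
to any
# Ftp-proxy
# LAN ftp to anything but the firewall is diverted to ftp-proxy(8) on
# loopback; the proxy's own rules live in the ftp-proxy/* anchor.
pass in log on $IntIf inet proto tcp from $IntIf:network \
to !$IntIf port $ftp divert-to $lo0 port $ftp_proxy
# Symux
pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
to $IntIf port $symux
# Symux from mc
# $mc_serv is on 10.10.10.0/24, outside $IntIf:network, so it needs its
# own rule.
pass in log on $IntIf inet proto {tcp, udp} from $mc_serv \
to $IntIf port $symux
# RDC SSH
# NOTE(review): redirects port $rdc (3389) on the firewall to loopback
# without a port change — the comment says SSH, the port says RDP; confirm
# which service this is meant to reach.
pass in log on $IntIf inet proto tcp from $IntIf:network \
to $IntIf port $rdc rdr-to $lo0
# Allow SamKnows to run its tests
# Tagged so the $ExtIf outbound rules can put it in the ack queues.
pass in log on $IntIf inet proto {tcp, udp, icmp} from $sam \
to any tag SAM
### End $IntIf inbound ###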
### $ExtIf outbound ###########
# Queue assignment for everything leaving em0 after NAT (hence the
# "from ($ExtIf)" source). Rules overlap on purpose — $low_ports and
# $hi_ports together cover every port — and rely on last-match-wins, so
# the more specific $web / domain / ntp rules must stay below the range
# rules. Each pair is: "to any" -> i_* queues, "to <bgnets>" -> b_* queues.
## TCP ##
# Queue default (i_bittor & b_bittor )
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to any port $hi_ports set queue(i_bittor, i_ack)
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to <bgnets> port $hi_ports set queue(b_bittor, b_ack)
# Queue bulk (i_bulk & b_bulk )
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to any port $low_ports set queue(i_bulk, i_ack)
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to <bgnets> port $low_ports set queue (b_bulk, b_ack)
# Queue web (i_web & b_web )
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to any port $web set queue(i_web, i_ack)
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to <bgnets> port $web set queue(b_web, b_ack)
# Queue ftp (i_web & b_web )
# Connections opened by ftp-proxy on behalf of LAN clients; the FTP tag is
# presumably set by ftp-proxy's tag option — nothing in this file sets it.
pass out log on $ExtIf inet proto tcp from (self) \
to any tagged FTP set queue(i_web, i_ack)
pass out log on $ExtIf inet proto tcp from (self) \
to <bgnets> tagged FTP set queue(b_web, b_ack)
# Queue dns (i_dns & b_dns)
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to any port domain set queue(i_dns, i_ack)
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to <bgnets> port domain set queue(b_dns, b_ack)
## UDP ##
# Queue default (i_bittor & b_bittor)
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port $hi_ports set queue i_bittor
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port $hi_ports set queue b_bittor
# Queue bulk (i_bulk & b_bulk)
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port $low_ports set queue i_bulk
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port $low_ports set queue b_bulk
# Queue dns (i_dns & b_dns)
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port domain set queue i_dns
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port domain set queue b_dns
# Queue ntp (i_ntp & b_ntp)
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port ntp set queue i_ntp
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port ntp set queue b_ntp
# ICMP
# Outbound echo requests only; other ICMP types are blocked by default.
pass out log on $ExtIf inet proto icmp from ($ExtIf) \
to any $IcmpType set queue i_web
pass out log on $ExtIf inet proto icmp from ($ExtIf) \
to <bgnets> $IcmpType set queue b_web
# Traceroute
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port $trace set queue i_ntp
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port $trace set queue b_ntp
# CS
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port $cs16 set queue i_ntp
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port $cs16 set queue b_ntp
# VPN isakmpd
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port $l2tp set queue i_ntp
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port $l2tp set queue b_ntp
# SamKnows
# Tagged SAM by the $IntIf inbound rule for $sam.
pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
to any set queue i_ack tagged SAM
pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
to <bgnets> set queue b_ack tagged SAM
### End $ExtIf outbound ###########