On 22.09.2014 22:50, Atanas Vladimirov wrote:
Hi,
I rewrote my rulesets with no luck:
QUEUE BW SCH PRIO PKTS BYTES DROP_P
DROP_B QLEN BORROW SUSPEN P/S B/S
rootq on em0 98M 0 0 0
0 0 0 0
inter 1M 179572 214136K 0
0 0 898 1232993
bg 10M 6360 727764 0
0 0 3 308
queue rootq on em0 bandwidth 98M, max 99M qlimit 50
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes:
0 ]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue inter parent rootq on em0 bandwidth 1M, max 2M default qlimit 50
[ pkts: 67209 bytes: 80035513 dropped pkts: 0 bytes:
0 ]
[ qlength: 0/ 50 ]
[ measured: 1172.0 packets/s, 11.13Mb/s ]
queue bg parent rootq on em0 bandwidth 10M, max 15M qlimit 50
[ pkts: 1858 bytes: 215486 dropped pkts: 0 bytes:
0 ]
[ qlength: 0/ 50 ]
[ measured: 32.5 packets/s, 30.58Kb/s ]
----------------------------------------
pf.conf
----------------------------------------
### Interfaces ###
ExtIf ="em0"
IntIf ="vlan41"
Free ="vlan81"
sam = "192.168.1.18"
### Tables ###
table <bgnets> file "/etc/bgnets"
table <spamd-white> persist
table <bgp-spamd-bypass> persist
### Misc Options
set loginterface $ExtIf
set skip on { lo, enc0 }
set limit table-entries 400000 # Full list is 200k entries as of
March 1
################ Queueing
####################################################
queue rootq on $ExtIf bandwidth 98M, max 99M
queue inter parent rootq bandwidth 1M, max 2M default
queue bg parent rootq bandwidth 10M, max 15M
################ Translation and Filtering
###################################
### BLOCK all in/out on all interfaces by default and log
block return log on $ExtIf
block return log on $IntIf
block return log on $Free
### Network Address Translation (NAT with outgoing source port
randomization)
match out log on egress from $IntIf:network \
to any nat-to ($ExtIf:0)
match out log on egress from $Free:network \
to any nat-to ($ExtIf:0)
### NAT from IntIf to FreeWifi
match out log on $Free from $IntIf:network \
to $Free:network nat-to ($Free:0)
### Packet normalization ( "scrubbing" )
match log on $ExtIf all scrub (random-id max-mss 1440)
### $ExtIf inbound ################
# dns nsd
pass in log on $ExtIf inet proto {tcp, udp} from any \
to ($ExtIf) port domain set queue inter
pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
to ($ExtIf) port domain set queue bg
# OpenSMTPD
pass in log quick on $ExtIf inet proto tcp from <bgp-spamd-bypass> \
to ($ExtIf) port smtp set queue inter rdr-to lo0
pass in log on $ExtIf inet proto tcp from any \
to ($ExtIf) port smtp rdr-to lo0 port spamd
pass in log on $ExtIf inet proto tcp from <spamd-white> \
to ($ExtIf) port smtp set queue inter rdr-to lo0
# Nginx
pass in log on $ExtIf inet proto tcp from any \
to ($ExtIf) port {www, https} set queue inter rdr-to lo0
pass in log on $ExtIf inet proto tcp from <bgnets> \
to ($ExtIf) port {www, https} set queue bg rdr-to lo0
# Ntpd ( time server )
pass in log on $ExtIf inet proto udp from any \
to ($ExtIf) port ntp set queue inter
pass in log on $ExtIf inet proto udp from <bgnets> \
to ($ExtIf) port ntp set queue bg
### End $ExtIf inbound ###########
### $IntIf outbound ###########
# Allow self to reach Lan
pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
to $IntIf:network
### End $IntIf outbound ###
### $IntIf inbound ###############
# Allow all out
pass in log on $IntIf inet proto {tcp, udp, icmp} from $IntIf:network
\
to any
# Allow SamKnows to run it's tests
pass in log on $IntIf inet proto {tcp, udp, icmp} from $sam \
to any tag SAM
### End $IntIf inbound ###
### $ExtIf outbound ###
## TCP ##
# Queue default
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to any set queue inter
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to <bgnets> set queue bg
# Queue dns
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to any port domain set queue inter
pass out log on $ExtIf inet proto tcp from ($ExtIf) \
to <bgnets> port domain set queue bg
## UDP ##
# Queue default
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any set queue inter
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> set queue bg
# Queue dns
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port domain set queue inter
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port domain set queue bg
# Queue ntp
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to any port ntp set queue inter
pass out log on $ExtIf inet proto udp from ($ExtIf) \
to <bgnets> port ntp set queue bg
# ICMP
pass out log on $ExtIf inet proto icmp from ($ExtIf) \
to any set queue inter
pass out log on $ExtIf inet proto icmp from ($ExtIf) \
to <bgnets> set queue bg
# SamKnows
pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
to any set queue inter tagged SAM
pass out log on $ExtIf inet proto {tcp, udp, icmp} from ($ExtIf) \
to <bgnets> set queue bg tagged SAM
### End $ExtIf outbound ###########
OpenBSD 5.6-current (GENERIC.MP) #388: Mon Sep 22 02:23:15 MDT 2014
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 6416760832 (6119MB)
avail mem = 6237212672 (5948MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9ac00 (37 entries)
bios0: vendor American Megatrends Inc. version "2.0b" date 11/07/2013
bios0: Supermicro X8ST3
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET DMAR SSDT EINJ BERT ERST
HEST
acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4)
USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) GBE_(S4)
P0P4(S4) P0P5(S4) P0P6(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz, 3067.15 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.0, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz, 3066.67 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz, 3066.67 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz, 3066.67 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 8, remapped to apid 1
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 8 (P0P1)
acpiprt2 at acpi0: bus 6 (P0P4)
acpiprt3 at acpi0: bus 7 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpiprt5 at acpi0: bus -1 (P0P7)
acpiprt6 at acpi0: bus -1 (P0P8)
acpiprt7 at acpi0: bus -1 (P0P9)
acpiprt8 at acpi0: bus 1 (NPE1)
acpiprt9 at acpi0: bus -1 (NPE2)
acpiprt10 at acpi0: bus 2 (NPE3)
acpiprt11 at acpi0: bus -1 (NPE4)
acpiprt12 at acpi0: bus 3 (NPE5)
acpiprt13 at acpi0: bus -1 (NPE6)
acpiprt14 at acpi0: bus 4 (NPE7)
acpiprt15 at acpi0: bus -1 (NPE8)
acpiprt16 at acpi0: bus 5 (NPE9)
acpiprt17 at acpi0: bus -1 (NPEA)
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpicpu2 at acpi0: C3, C1, PSS
acpicpu3 at acpi0: C3, C1, PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 3067 MHz: speeds: 3068, 3067, 2933, 2800, 2667,
2533, 2400, 2267, 2133, 2000, 1867, 1733, 1600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel X58 Host" rev 0x22
ppb0 at pci0 dev 1 function 0 "Intel X58 PCIE" rev 0x22: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 "Intel X58 PCIE" rev 0x22: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 5 function 0 "Intel X58 PCIE" rev 0x22: msi
pci3 at ppb2 bus 3
ppb3 at pci0 dev 7 function 0 "Intel X58 PCIE" rev 0x22: msi
pci4 at ppb3 bus 4
ppb4 at pci0 dev 9 function 0 "Intel X58 PCIE" rev 0x22: msi
pci5 at ppb4 bus 5
"Intel X58 Misc" rev 0x22 at pci0 dev 20 function 0 not configured
"Intel X58 GPIO" rev 0x22 at pci0 dev 20 function 1 not configured
"Intel X58 RAS" rev 0x22 at pci0 dev 20 function 2 not configured
"Intel X58 Throttle" rev 0x22 at pci0 dev 20 function 3 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 0 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 1 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 2 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 3 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 4 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 5 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 6 not configured
"Intel X58 QuickData" rev 0x22 at pci0 dev 22 function 7 not configured
uhci0 at pci0 dev 26 function 0 "Intel 82801JI USB" rev 0x00: apic 1 int
16
uhci1 at pci0 dev 26 function 1 "Intel 82801JI USB" rev 0x00: apic 1 int
21
uhci2 at pci0 dev 26 function 2 "Intel 82801JI USB" rev 0x00: apic 1 int
19
ehci0 at pci0 dev 26 function 7 "Intel 82801JI USB" rev 0x00: apic 1 int
18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb5 at pci0 dev 28 function 0 "Intel 82801JI PCIE" rev 0x00: msi
pci6 at ppb5 bus 6
em0 at pci6 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:25:90:14:43:54
ppb6 at pci0 dev 28 function 1 "Intel 82801JI PCIE" rev 0x00: msi
pci7 at ppb6 bus 7
em1 at pci7 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:25:90:14:43:55
uhci3 at pci0 dev 29 function 0 "Intel 82801JI USB" rev 0x00: apic 1 int
23
uhci4 at pci0 dev 29 function 1 "Intel 82801JI USB" rev 0x00: apic 1 int
19
uhci5 at pci0 dev 29 function 2 "Intel 82801JI USB" rev 0x00: apic 1 int
18
ehci1 at pci0 dev 29 function 7 "Intel 82801JI USB" rev 0x00: apic 1 int
23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb7 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x90
pci8 at ppb7 bus 8
vga1 at pci8 dev 4 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 82801JIR LPC" rev 0x00
ahci0 at pci0 dev 31 function 2 "Intel 82801JI AHCI" rev 0x00: msi, AHCI
1.2
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, HITACHI HTS54168, SB2I> SCSI3
0/direct fixed naa.5000cca51cdb01e3
sd0: 76319MB, 512 bytes/sector, 156301488 sectors
sd1 at scsibus1 targ 2 lun 0: <ATA, SAMSUNG MZMPA016, AXM2> SCSI3
0/direct fixed t10.ATA_SAMSUNG_MZMPA016HMCD-000L1_S11BNEACB03878_
sd1: 15272MB, 512 bytes/sector, 31277232 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 82801JI SMBus" rev 0x00: apic 1
int 18
iic0 at ichiic0
nvt0 at iic0 addr 0x2e: W83795ADG
spdmem0 at iic0 addr 0x50: 1GB DDR3 SDRAM PC3-10600
spdmem1 at iic0 addr 0x51: 1GB DDR3 SDRAM PC3-10600
spdmem2 at iic0 addr 0x52: 1GB DDR3 SDRAM PC3-10600
spdmem3 at iic0 addr 0x53: 1GB DDR3 SDRAM PC3-10600
spdmem4 at iic0 addr 0x54: 1GB DDR3 SDRAM PC3-10600
spdmem5 at iic0 addr 0x55: 1GB DDR3 SDRAM PC3-10600
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG-P rev 0x73
lm1 at wbsio0 port 0xca0/8: W83627DHG
uplcom0 at uhub2 port 1 "Prolific Technology PL2303 Serial" rev
1.10/2.02 addr 2
ucom0 at uplcom0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd2 at scsibus3 targ 1 lun 0: <OPENBSD, SR RAID 1, 005> SCSI2 0/direct
fixed
sd2: 15264MB, 512 bytes/sector, 31261898 sectors
root on sd2a (84fdd34aaf0b5d78.a) swap on sd2b dump on sd2b
