On 25-10-2015 15:31, Michael S. Keller wrote:
> I want to set queues to limit bandwidth for the streaming media
> devices on my home network. Unfortunately, the "pass out" rules on my
> internal network (external is PPPoE) don't ever trip for replies
> received from the world.

You are aware that you'll need to have a queue on the internal interface
and another on the egress one, right? Queuing incoming packets is very
tricky and does not always have the desired effect. I suggest you start with
prio and see where it leads you:
http://quigon.bsws.de/papers/2012/eurobsdcon/mgp00010.html

> What am I missing?
>
> OpenBSD version is 5.8 macppc.
>
> block drop in log on egress all
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> match on egress all scrub (no-df random-id reassemble tcp max-mss 1440)
> pass out on egress from (self) to any flags S/SA nat-to (egress:0) round-robin
> pass out on egress inet from 192.168.1.0/24 to any received-on gem0 flags S/SA nat-to (egress:0) round-robin
> block drop in quick on ! lo inet6 from ::1 to any
> block drop in quick on ! lo inet from 127.0.0.0/8 to any
> block drop in quick inet from 127.0.0.1 to any
> block drop in quick on ! gem0 inet from 192.168.1.0/24 to any
> block drop in quick inet from 192.168.1.1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick inet6 from ::1 to any
> pass in on egress inet proto icmp from ! (egress) to (egress) icmp-type echoreq code 0
> pass in on egress inet proto icmp from ! (egress) to (egress) icmp-type unreach code needfrag
> pass in log on egress inet proto tcp from ! (egress) to (egress) port = 8022 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
> pass in on egress inet proto udp from ! (egress) to (egress) port = 1194 rdr-to 127.0.0.1
> pass in on gem0 all flags S/SA
> pass in on gem0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
> block drop out on gem0 all
> match on gem0 inet from any to 192.168.1.64 # THESE THREE
> match on gem0 inet from any to 192.168.1.57 # DO NOT
> match on gem0 inet from any to 192.168.1.62 # TRIGGER
> match on gem0 inet from 192.168.1.64 to any # these
> match on gem0 inet from 192.168.1.57 to any # three
> match on gem0 inet from 192.168.1.62 to any # trigger
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA

I suggest you move your match rules to the beginning of the ruleset and
use log on them, so you can watch your pflog interface and see the
packets being triggered. Also, you can (should) always use tags. Not
only do they make your ruleset "debuggable", but any stray packet should hit
a block rule (possibly logging it). I suspect your first three rules
aren't matching because you're using the external interface. Try using
the internal one on them.

Cheers,
Giancarlo Razzolini
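The pattern the reply describes (match rules at the top of the ruleset, logged and tagging the flow; pass rules keyed on the tag; a logging block rule catching anything untagged; one queue tree on the internal interface and one on egress, with prio as the simple starting point), written out as an added pf.conf fragment. This is not Michael's ruleset and not something Giancarlo posted: the interface names, the bandwidth figures and the tag names are assumptions, and only the three media addresses are taken from the quoted rules.

```pf
# Added example for this thread, not the original poster's configuration.
# Assumed interface names and placeholder bandwidths; adjust to the real link.
ext_if = "pppoe0"
int_if = "gem0"
lan    = "192.168.1.0/24"
media  = "{ 192.168.1.64, 192.168.1.57, 192.168.1.62 }"   # from the quoted rules

# One queue tree per interface, as the reply recommends. Packets are queued
# on the interface they leave through, so the LAN-side tree shapes what the
# devices download and the egress-side tree shapes what they upload.
queue lan on $int_if bandwidth 90M
queue lan_media parent lan bandwidth 4M, max 4M
queue lan_std   parent lan bandwidth 86M default
queue wan on $ext_if bandwidth 1M
queue wan_media parent wan bandwidth 256K, max 256K
queue wan_std   parent wan bandwidth 768K default

# Match rules first, with log, so every packet that reaches them shows up
# on pflog0. They are evaluated for the first packet of a flow (the one
# that creates the state); the tag, queue and prio it sets travel with
# the state, which is why later packets of the flow never re-enter the
# ruleset. The media rule comes after the generic LAN rule because the
# last matching tag wins.
match in log on $int_if inet from $lan   to any tag LAN
match in log on $int_if inet from $media to any tag MEDIA \
      set queue lan_media set prio 1

# Anything not tagged above falls through to this rule and is logged:
# a packet on pflog0 from here is one the match rules did not account for.
block log all

pass in  on $int_if inet from $lan to any tagged LAN
pass in  on $int_if inet from $lan to any tagged MEDIA
pass out on $ext_if inet from $lan to any nat-to ($ext_if:0) tagged LAN
pass out on $ext_if inet from $lan to any nat-to ($ext_if:0) tagged MEDIA
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then watch the match rules fire with `tcpdump -n -e -ttt -i pflog0` and the queue counters with `pfctl -s queue -v`. The example assigns only the LAN-side queue, which is the download direction the original question is about; the egress tree is defined with a default queue so the ruleset loads as-is, and the `set prio 1` on the media flows is the cheap first step the reply suggests trying before committing to full queueing in both directions.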
