On 2006/11/08 21:56, Reza Muhammad wrote:
> My rule set still not working, as I'm expected to
> limit outgoing and incoming traffic pass to my pf
> machine act as a bridge .
...
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1
> keep state flags S/SA queue (int_out)

This creates a state for traffic from 172.16.0.228 and its responses.
Traffic matching the state is tagged with the queue name int_out. Only
traffic sent out of xl1 is queued; there is no matching queue for xl2, so
it's unrestricted on xl2.

> pass out log on xl2 from 202.57.14.1 to 172.16.0.228
> keep state flags S/SA queue (int_in)

This creates a state for traffic from 202.57.14.1 and its responses.
Traffic matching the state is tagged with the queue name int_in. Only
traffic sent out of xl2 is queued; there is no matching queue for xl1, so
it's unrestricted on xl2.

I think you want this instead (not tested beyond checking that the
syntax is valid, but I think it should work):

-- -- -- -- -- -- --
altq on xl1 bandwidth 100% cbq queue {int,dflt}
queue int on xl1 bandwidth 3Mb
queue dflt on xl1 bandwidth 16Kb cbq (default)

altq on xl2 bandwidth 100% cbq queue {int,dflt}
queue int on xl2 bandwidth 3Mb
queue dflt on xl2 bandwidth 16Kb cbq (default)

pass out log on xl1 from 172.16.0.228 to 202.57.14.1 \
    keep state flags S/SA queue (int)
pass out log on xl2 from 202.57.14.1 to 172.16.0.228 \
    keep state flags S/SA queue (int)
-- -- -- -- -- -- --

"int on xl1" and "int on xl2" are different queues, but just referred to
by "int" when you assign traffic to them.
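The point of the reply is that a stateful "pass out ... queue (NAME)" rule on a bridge shapes both directions only if a queue called NAME exists on both interfaces. The following checker is an added example, not code from the thread; it assumes a simplified pf.conf (only "altq on IF", "queue NAME on IF" and "pass out ... keep state ... queue (NAME)" forms, backslash continuations, "#" comments) and reports every queue name a stateful pass-out rule uses that is missing on some altq interface. Both rule sets it is run against are constructed from the reply above.

```python
import re

# Constructed sample: the corrected rule set from the reply above, as pf.conf text.
GOOD_CONF = """\
altq on xl1 bandwidth 100% cbq queue {int,dflt}
queue int on xl1 bandwidth 3Mb
queue dflt on xl1 bandwidth 16Kb cbq (default)
altq on xl2 bandwidth 100% cbq queue {int,dflt}
queue int on xl2 bandwidth 3Mb
queue dflt on xl2 bandwidth 16Kb cbq (default)
pass out log on xl1 from 172.16.0.228 to 202.57.14.1 \\
    keep state flags S/SA queue (int)
pass out log on xl2 from 202.57.14.1 to 172.16.0.228 \\
    keep state flags S/SA queue (int)
"""

# Constructed variant in the shape of the original post: one queue name per
# direction, each defined on only one interface.
BAD_CONF = (GOOD_CONF.replace("queue int on xl1", "queue int_out on xl1")
            .replace("queue int on xl2", "queue int_in on xl2")
            .replace("{int,dflt}", "{int_out,dflt}", 1)
            .replace("{int,dflt}", "{int_in,dflt}", 1)
            .replace("queue (int)", "queue (int_out)", 1)
            .replace("queue (int)", "queue (int_in)", 1))

def _logical_lines(conf):
    """Join backslash-continued lines the way pfctl reads them."""
    return re.sub(r"\\\n\s*", " ", conf).splitlines()

def queue_problems(conf):
    """List stateful 'pass out' rules whose queue is not defined on every altq
    interface. Reply packets of the state leave on the other bridge interface,
    so a queue name missing there leaves that direction unshaped."""
    altq_ifaces, queues, rules, problems = set(), {}, [], []
    for raw in _logical_lines(conf):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if m := re.match(r"altq\s+on\s+(\S+)", line):
            altq_ifaces.add(m.group(1))
        elif m := re.match(r"queue\s+(\S+)\s+on\s+(\S+)", line):
            queues.setdefault(m.group(2), set()).add(m.group(1))
        elif m := re.match(r"pass\s+out\b.*\bkeep\s+state\b.*\bqueue\s*\(([^)]*)\)", line):
            rules.append(m.group(1))
    for spec in rules:                         # "int" or "int, pri" forms
        for qname in re.split(r"[\s,]+", spec.strip()):
            for ifname in sorted(altq_ifaces):
                if qname not in queues.get(ifname, set()):
                    problems.append(f"queue {qname} is not defined on {ifname}")
    return problems
```

queue_problems(GOOD_CONF) returns an empty list, while queue_problems(BAD_CONF) names the interface on which each per-direction queue is missing; run it on a real file with queue_problems(open("/etc/pf.conf").read()).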