Investigated further... using the pf.conf frag

# -----v-----
pass in log quick on em0 inet proto tcp \
 from !<ssh_pests> to (em0:0) port 443 \
 tag VSSHQ flags S/SA keep state \
 (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
 queue(QSSH,QLOWLAT) 
#
pass in log quick on tun inet \
 from (tun:peer) to any \
 tag TUNPKTS keep state label SSHVPNGRP
#
pass out log quick on inside inet \
 tagged TUNPKTS keep state label SSHVPNGRP
# -----^-----

The QSSH stats show 9 packets and about 3,100 bytes of traffic EACH TIME
THE SSH -W is initiated into the gateway.  Once the ssh->sshd handshake
completes, there's no further use of the QSSH queue.

So the queue is working, just not for the -w 0:3 tunnel traffic after
the tunnel is up.

This handshake-only via the queue appears to be true for the regular (non -w)
ssh client as well.

How is sshd "replying"?  Is the control channel traffic being queued but
not the session channel?

How does one queue the tunnel session traffic?

Any help greatly appreciated!

Thanks,
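As an added example (not part of the original post), a small Python helper that compares two snapshots of `pfctl -vsq` counters taken before and after the `ssh -W` session is brought up, so one can see which queue the post-handshake bytes actually land in rather than eyeballing the raw output. The two sample snapshots are constructed, and the exact `pfctl -vsq` line layout they mimic is an assumption.

```python
import re

# Per-queue header line and counter line as printed by `pfctl -vsq` on
# ALTQ-era pf (layout assumed; the snapshots below are constructed).
_QUEUE_RE = re.compile(r"^queue\s+(\S+)")
_STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")

# Constructed snapshot taken before starting `ssh -W` into the gateway.
BEFORE = """\
queue root_em0 on em0 bandwidth 10Mb priority 0 {QSSH, QLOWLAT}
  [ pkts:       1200  bytes:     980000  dropped pkts:      0 bytes:      0 ]
queue  QSSH on em0 bandwidth 1Mb priority 7
  [ pkts:         18  bytes:       6200  dropped pkts:      0 bytes:      0 ]
queue  QLOWLAT on em0 bandwidth 2Mb priority 6
  [ pkts:        400  bytes:     120000  dropped pkts:      0 bytes:      0 ]
"""

# Constructed snapshot after the handshake and some tunnel traffic.
AFTER = """\
queue root_em0 on em0 bandwidth 10Mb priority 0 {QSSH, QLOWLAT}
  [ pkts:       1259  bytes:    1013100  dropped pkts:      0 bytes:      0 ]
queue  QSSH on em0 bandwidth 1Mb priority 7
  [ pkts:         27  bytes:       9300  dropped pkts:      0 bytes:      0 ]
queue  QLOWLAT on em0 bandwidth 2Mb priority 6
  [ pkts:        450  bytes:     150000  dropped pkts:      0 bytes:      0 ]
"""

def parse_queue_stats(text):
    """Map queue name -> (pkts, bytes, dropped) from pfctl -vsq output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = _QUEUE_RE.match(line.strip())
        if m:
            current = m.group(1)      # counter line for this queue follows
            continue
        m = _STATS_RE.search(line)
        if m and current:
            stats[current] = tuple(int(x) for x in m.groups())
    return stats

def queue_deltas(before, after):
    """Per-queue counter growth between two parsed snapshots."""
    return {q: tuple(a - b for a, b in zip(after[q], before[q]))
            for q in after if q in before}

def grown_queues(before_text, after_text):
    """Names of queues whose byte counter moved between the snapshots."""
    deltas = queue_deltas(parse_queue_stats(before_text), parse_queue_stats(after_text))
    return sorted(q for q, (_pkts, nbytes, _drop) in deltas.items() if nbytes > 0)
```

If QSSH only ever grows by the handshake-sized burst while another queue absorbs the rest, the session traffic is being classified by a different rule or state than the one carrying `queue(QSSH,QLOWLAT)`.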
