Greetings, I have been trying to shape my outgoing ssh traffic. I am not trying to distinguish interactive and bulk traffic. The trouble is that after the initial logon, even though the ssh rule passes packets (its packet count increases), the ssh queue does nothing (its packet count stays the same).
This is with the 2/24/03 snapshot. It was also failing in the same way with the 2/8 snapshot. I also tested an http queue/rule combo and that works somewhat. Shouldn't the packet counts for the rule and corresponding queue be the same?

Here are some examples of pfctl -vs rules and queue:

for ssh:

before logon:

pass out on xl0 inet proto tcp from any to any port = ssh keep state queue ssh
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
queue ssh bandwidth 76.40Kb priority 7 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

just after logon:

pass out on xl0 inet proto tcp from any to any port = ssh keep state queue ssh
  [ Evaluations: 3         Packets: 46        Bytes: 7174        States: 1     ]
queue ssh bandwidth 76.40Kb priority 7 cbq( borrow )
  [ pkts:         21  bytes:       2976  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

about 30 seconds later of activity:

pass out on xl0 inet proto tcp from any to any port = ssh keep state queue ssh
  [ Evaluations: 5         Packets: 238       Bytes: 26502       States: 1     ]
queue ssh bandwidth 76.40Kb priority 7 cbq( borrow )
  [ pkts:         21  bytes:       2976  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

http for contrast:

zeroed:

pass out on xl0 inet proto tcp from any to any port = www keep state queue http
  [ Evaluations: 226       Packets: 0         Bytes: 0           States: 0     ]
queue http bandwidth 229.20Kb priority 0 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

after some traffic:

pass out on xl0 inet proto tcp from any to any port = www keep state queue http
  [ Evaluations: 245       Packets: 18        Bytes: 9444        States: 1     ]
queue http bandwidth 229.20Kb priority 0 cbq( borrow )
  [ pkts:         10  bytes:       1203  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

after more traffic:

pass out on xl0 inet proto tcp from any to any port = www keep state queue http
  [ Evaluations: 571       Packets: 409       Bytes: 160147      States: 22    ]
queue http bandwidth 229.20Kb priority 0 cbq( borrow )
  [ pkts:        219  bytes:      29015  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

Even though I wonder why the http queue and rule have different packet counts, I guess it is better than nothing.

My pf.conf:

int = "tx0"
ext = "xl0"

scrub in all

#altq QOS rules
altq on $ext cbq bandwidth 382Kb queue { deflt, ssh, http }
queue deflt bandwidth 95% priority 0 cbq(default ecn)
#an http queue for comparison (and it works)
queue http bandwidth 60% priority 0 cbq(borrow)
#ssh queue attempt without interactive v. bulk
queue ssh bandwidth 20% priority 7 cbq(borrow)

#nat
nat on $ext proto {tcp, udp, icmp} from 10.0.0.0/8 to any -> $ext

# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
rdr on $ext proto {tcp, udp} from any to any port 33333 -> 10.0.0.2 port 22
rdr on $ext proto {tcp, udp} from any to any port 993 -> 10.0.0.2 port 993
rdr on $ext proto {tcp, udp} from any to any port 8000 -> 10.0.0.6 port 80
rdr on $ext proto {tcp, udp} from any to any port 11255 -> 10.0.0.6 port 11255
rdr on $ext proto {tcp, udp} from any to any port 33334 -> 10.0.0.8 port 22
rdr on $ext proto {tcp, udp} from any to any port 3560 -> 10.0.0.8 port 3560
rdr on $ext proto {tcp, udp} from any to any port 27005 -> 10.0.0.7 port 27005
rdr on $ext proto {tcp, udp} from any to any port 27015 -> 10.0.0.7 port 27015
rdr on $ext proto {tcp, udp} from any to any port 80 -> 10.0.0.7 port 80
rdr on $ext proto {tcp, udp} from any to any port 5050 -> 10.0.0.7 port 5050
rdr on $ext proto {tcp, udp} from any to any port 20000 -> 10.0.0.7 port 20000
rdr on $ext proto {tcp, udp} from any to any port 6881:6889 -> 10.0.0.7 port 6881

# pass all packets in and out (these are the implicit first two rules)
pass in all
pass out all

#http for comparison
pass out on $ext inet proto tcp from any to any port 80 keep state queue http
#ssh queue rule
pass out on $ext inet proto tcp from any to any port 22 keep state queue ssh

block in on $ext proto tcp from any to any port = 13
#block in on $ext proto tcp from any to any port = 22
block in on $ext proto tcp from any to any port = 37
block in on $ext proto tcp from any to any port = 53
block in on $ext proto tcp from any to any port = 111
#block in on $ext proto tcp from any to any port = 113
block in on $ext proto tcp from any to any port = 137
block in on $ext proto tcp from any to any port = 138
block in on $ext proto tcp from any to any port = 139
block in on $ext proto tcp from any to any port = 10000

--
Have a nice day,
Jeff Strunk
sigfree.utacm.org
siglinux.utacm.org
--
Maybe in order to understand mankind, we have to look at the word itself. Mankind. Basically, it's made up of two separate words---"mank" and "ind". What do these words mean? It's a mystery, and that's why so is mankind. (Jack Handy)
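As an added example (not part of Jeff's post): a small Python script that parses pfctl -vs rules and pfctl -vs queue output in the format quoted above, pairs each rule's Packets counter with the pkts counter of the queue it is assigned to, and reports queues whose rule counter grew between two snapshots while the queue counter stayed flat, which is the comparison done by hand in the post. The two snapshots are constructed from the numbers quoted above; the parser assumes one queue name per rule.

```python
import re

# Constructed sample (values from the post): "pfctl -vs rules" and
# "pfctl -vs queue" output at two points in time, some activity apart.
SNAP_T0 = """\
pass out on xl0 inet proto tcp from any to any port = ssh keep state queue ssh
  [ Evaluations: 3     Packets: 46    Bytes: 7174    States: 1 ]
pass out on xl0 inet proto tcp from any to any port = www keep state queue http
  [ Evaluations: 245   Packets: 18    Bytes: 9444    States: 1 ]
queue ssh bandwidth 76.40Kb priority 7 cbq( borrow )
  [ pkts: 21 bytes: 2976 dropped pkts: 0 bytes: 0 ]
queue http bandwidth 229.20Kb priority 0 cbq( borrow )
  [ pkts: 10 bytes: 1203 dropped pkts: 0 bytes: 0 ]
"""
SNAP_T1 = """\
pass out on xl0 inet proto tcp from any to any port = ssh keep state queue ssh
  [ Evaluations: 5     Packets: 238   Bytes: 26502   States: 1 ]
pass out on xl0 inet proto tcp from any to any port = www keep state queue http
  [ Evaluations: 571   Packets: 409   Bytes: 160147  States: 22 ]
queue ssh bandwidth 76.40Kb priority 7 cbq( borrow )
  [ pkts: 21 bytes: 2976 dropped pkts: 0 bytes: 0 ]
queue http bandwidth 229.20Kb priority 0 cbq( borrow )
  [ pkts: 219 bytes: 29015 dropped pkts: 0 bytes: 0 ]
"""

# A rule line ending in "queue <name>" followed by its counter line (one queue per rule).
RULE_RE = re.compile(r"^(?:pass|block)\b.*\bqueue\s+(\w+)\s*\n\s*\[.*?Packets:\s*(\d+)", re.M)
# A queue header line followed by its first counter line ("[ pkts: N ...").
QUEUE_RE = re.compile(r"^queue\s+(\w+)\b.*\n\s*\[\s*pkts:\s*(\d+)", re.M)

def parse_counters(text):
    # -> ({queue: Packets summed over the rules assigned to it}, {queue: pkts})
    rules, queues = {}, {}
    for name, pkts in RULE_RE.findall(text):
        rules[name] = rules.get(name, 0) + int(pkts)
    for name, pkts in QUEUE_RE.findall(text):
        queues[name] = int(pkts)
    return rules, queues

def stalled_queues(snap_t0, snap_t1):
    # queues whose rule counter grew between snapshots while the queue pkts did not
    r0, q0 = parse_counters(snap_t0)
    r1, q1 = parse_counters(snap_t1)
    return [n for n in r1 if n in q0 and n in q1
            and r1[n] > r0.get(n, 0) and q1[n] == q0[n]]

if __name__ == "__main__":
    for name in stalled_queues(SNAP_T0, SNAP_T1):
        print(f"queue {name}: rule Packets grew but queue pkts stayed flat")
```

Run against live output, feed it the concatenation of pfctl -vs rules and pfctl -vs queue captured at two different times.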