Hi, I'm currently completely rewriting the pf.conf on an OpenBSD 3.6 firewall. When I do a "pfctl -nf pf.conf" everything seems to check out fine with the file except I get the following errors:
pfctl: the sum of the child bandwidth higher than parent "root_xl2"
pfctl: the sum of the child bandwidth higher than parent "dorms_ext"
pfctl: the sum of the child bandwidth higher than parent "root_xl2"
pfctl: the sum of the child bandwidth higher than parent "main_int"
pfctl: the sum of the child bandwidth higher than parent "main_int"
pfctl: the sum of the child bandwidth higher than parent "root_xl0"

I've added the few defined bandwidth values I have up. I'm not really sure what's going on with it. Here's the pf.conf (sorry, it's sort of long):

## INTERFACES ##
EXTIF="xl2"
DMZIF="xl1"
INTIF="xl0"

## HOST IPS ##
EXTIP="xxx.xxx.xxx.xxx"
DORMS="xxx.xxx.xxx.xxx"
DORMSEXT="xxx.xxx.xxx.xxx"
DAVINCI="xxx.xxx.xxx.xxx"
DAVINCIEXT="xxx.xxx.xxx.xxx"
COOLIDGE="xxx.xxx.xxx.xxx"
COOLIDGEEXT="xxx.xxx.xxx.xxx"
SARNOFF="xxx.xxx.xxx.xxx"
SARNOFFEXT="xxx.xxx.xxx.xxx"
BLACKLISTED="{ 216.18.127.194/32, 69.90.183.164/32 }"
GRACEHOPPER="xxx.xxx.xxx.xxx"

## PORTS ##
HTTP_PORTS="{ 80, 443 }"
MAIL_PORTS="{ 25, 143, 220, 109, 110, 993, 995 }"

## RUNTIME OPTIONS ##
set block-policy return
set loginterface $EXTIF

## NORMALIZATION ##
scrub in all
scrub out all

## QUEUES ##
## EXTERNAL QUEUE ##
# Only dorms_ext has a bandwidth of its own here. Judging by the order and
# count of the pfctl warnings above (an assumption, not something pfctl
# documents), a child queue without a bandwidth is counted at the full
# bandwidth of its parent, so std_ext + dorms_ext + pri_ext adds up to
# more than the 6Mb of root_xl2, and the same happens under dorms_ext.
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext priority 3

## INTERNAL QUEUE ##
# Same pattern: main_int_ssh, main_int_misc and aux_int carry no bandwidth,
# which explains the two main_int warnings and the root_xl0 warning.
altq on $INTIF cbq bandwidth 6Mb queue { main_int, aux_int }
queue main_int bandwidth 3Mb { main_int_http, main_int_ssh, main_int_misc }
queue main_int_ssh priority 4
queue main_int_http bandwidth 1.5Mb cbq(borrow)
queue main_int_misc priority 1 cbq(default)
queue aux_int

## NAT AND REDIRECTION ##
# EXTERNAL INTERFACE #
nat on $EXTIF from $INTIF:network to any -> $EXTIP
binat on $EXTIF from $DORMS to any -> $DORMSEXT
binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
binat on $EXTIF from $SARNOFF to any -> $SARNOFFEXT
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port 8888
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
rdr pass on $EXTIF proto tcp from any to $EXTIP port 5555 -> $GRACEHOPPER

# INTERNAL INTERFACE #
binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
binat pass on $INTIF from $SARNOFF to any -> $SARNOFFEXT
rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
# internal clients reaching the public addresses of internal servers
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port 8888
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
rdr pass on $INTIF proto tcp from $INTIF:network to $SARNOFFEXT port 80 -> 127.0.0.1 port 8013
# outbound FTP control connections go through ftp-proxy on 8021
rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# DMZ INTERFACE #
binat pass on $DMZIF from $DORMS to 66.240.4.1 -> $GRACEHOPPER

## FILTER RULES ##
antispoof for xl2
block log all
pass quick on lo0 all
pass in inet proto icmp all icmp-type echoreq keep state

# EXTERNAL INTERFACE INBOUND #
pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_ext
pass in on $EXTIF inet proto tcp from any to $DORMS port 22 keep state
pass in on $EXTIF inet proto tcp from any to $DAVINCI port 22 keep state
pass in on $EXTIF inet proto tcp from any to $GRACEHOPPER port 22 keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 8888 keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
pass in on $EXTIF proto tcp from any to $SARNOFF port 22 keep state
pass in on $EXTIF proto tcp from any to $SARNOFF port 80 keep state
# active-mode FTP data connections back to ftp-proxy (runs as user proxy)
pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state

# EXTERNAL INTERFACE OUTBOUND #
# the original read "queue pri_q", which is not a defined queue; pri_ext is the
# only priority queue on $EXTIF
pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_ext
pass out on $EXTIF from $INTIF:network to any keep state
pass out on $EXTIF from $DMZIF:network to any keep state
pass out on $EXTIF from $DORMS to any keep state queue dorms_ext_misc
pass out on $EXTIF proto tcp from $DORMS to any port $HTTP_PORTS keep state queue dorms_ext_http
pass out on $EXTIF inet proto { udp, icmp } all keep state

# INTERNAL INTERFACE INBOUND #
pass in on $INTIF from $INTIF:network to any keep state
pass in on $INTIF proto tcp from $INTIF:network to any port $HTTP_PORTS keep state queue main_int_http
pass in on $INTIF proto tcp from $INTIF:network to any port 22 keep state queue main_int_ssh

# INTERNAL INTERFACE OUTBOUND #
pass out on $INTIF from any to $INTIF:network

# DMZ INTERFACE INBOUND #
pass in on $DMZIF from $DMZIF:network to any keep state

# DMZ INTERFACE OUTBOUND #
pass out on $DMZIF from any to $DMZIF:network keep state
#end pf.conf

thanks!

--
Florian Mosleh
Network & Admin. Support Manager
Capitol College
301.369.2800 ext.2040
800.950.1992 ext.2040

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
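The six warnings in the post, and the order they appear in, line up with a simple rule: pfctl evaluates queues in file order, a child queue with no bandwidth of its own is counted at its parent's full bandwidth, and a warning naming the parent is printed each time the running sum of the children defined so far exceeds the parent. The script below is an added example, not code from the post or from OpenBSD's pfctl; it models that check on the queue lines from the post (with $EXTIF and $INTIF expanded to xl2 and xl0 as the post defines them) and on a corrected set in which every child carries an explicit bandwidth. The inheritance rule and the 1000-based bandwidth units are assumptions made here because they reproduce the warning pattern, not facts stated in the post.

```python
import re

# Assumed, not from the post: bandwidth units scale by 1000.
UNIT = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}
MACROS = {"EXTIF": "xl2", "INTIF": "xl0"}   # the post's interface macros


def parse_bw(spec, parent_bw):
    """Bandwidth in bit/s from '2Mb', '1.5Mb' or '25%' (percent of parent).

    A child with no bandwidth of its own counts at the full parent bandwidth.
    That is the assumption that reproduces the post's warnings, not a
    documented pfctl rule."""
    if spec is None:
        return parent_bw
    if spec.endswith("%"):
        return parent_bw * int(spec[:-1]) // 100
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?b)", spec)
    if m is None:
        raise ValueError("bad bandwidth spec: " + spec)
    return int(float(m.group(1)) * UNIT[m.group(2)])


ALTQ_RE = re.compile(r"altq on (\S+) \S+ bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(r"queue (\S+)\s*(.*?)\s*(?:\{([^}]*)\})?$")


def children_of(spec):
    return spec.replace(",", " ").split()


def check_child_bandwidth(conf):
    """Return pfctl-style warnings, in emission order, for altq/queue lines."""
    conf = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], conf)
    parent_of, bw, child_sum, warnings = {}, {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALTQ_RE.match(line)
        if m:
            ifname, ifbw, kids = m.groups()
            root = "root_" + ifname          # pfctl names the interface queue root_<if>
            bw[root] = parse_bw(ifbw, None)
            for kid in children_of(kids):
                parent_of[kid] = root
            continue
        m = QUEUE_RE.match(line)
        if m is None:
            raise ValueError("unparsed line: " + line)
        name, opts, kids = m.groups()
        parent = parent_of[name]             # KeyError if never listed under a parent
        explicit = re.search(r"bandwidth (\S+)", opts)
        bw[name] = parse_bw(explicit.group(1) if explicit else None, bw[parent])
        for kid in children_of(kids or ""):
            parent_of[kid] = name
        # Running sum over the siblings defined so far, checked as each is added.
        child_sum[parent] = child_sum.get(parent, 0) + bw[name]
        if child_sum[parent] > bw[parent]:
            warnings.append(
                f'the sum of the child bandwidth higher than parent "{parent}"')
    return warnings


# Queue lines exactly as posted (constructed sample input, macros intact).
POSTED_QUEUES = """
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext priority 3
altq on $INTIF cbq bandwidth 6Mb queue { main_int, aux_int }
queue main_int bandwidth 3Mb { main_int_http, main_int_ssh, main_int_misc }
queue main_int_ssh priority 4
queue main_int_http bandwidth 1.5Mb cbq(borrow)
queue main_int_misc priority 1 cbq(default)
queue aux_int
"""

# Same hierarchy with every child given a bandwidth that fits its parent;
# the split between siblings is an illustrative choice, not the post's.
FIXED_QUEUES = """
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext bandwidth 3Mb cbq(default borrow)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http bandwidth 1.5Mb priority 3 cbq(borrow)
queue dorms_ext_misc bandwidth 500Kb priority 1 cbq(borrow)
queue pri_ext bandwidth 1Mb priority 3 cbq(borrow)
altq on $INTIF cbq bandwidth 6Mb queue { main_int, aux_int }
queue main_int bandwidth 3Mb { main_int_http, main_int_ssh, main_int_misc }
queue main_int_ssh bandwidth 500Kb priority 4 cbq(borrow)
queue main_int_http bandwidth 1.5Mb cbq(borrow)
queue main_int_misc bandwidth 1Mb priority 1 cbq(default borrow)
queue aux_int bandwidth 3Mb
"""

if __name__ == "__main__":
    for w in check_child_bandwidth(POSTED_QUEUES):
        print("pfctl:", w)
    print("fixed:", check_child_bandwidth(FIXED_QUEUES))
```

Running it prints the six warnings in the same order as the post and an empty list for the corrected set; cbq(borrow) on the children lets an idle sibling's share be reused, so giving each child an explicit figure does not waste the link.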