Hi,

Since 3.6 all queues must have bandwidth assigned to them. I assigned 25% of the parent queue to dorms_ext_http and allowed it to borrow from the parent. Customize the other queues and assign bandwidth to them.

Bye

##EXTERNAL QUEUE##
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http bandwidth 25% priority 3 cbq(borrow)
queue dorms_ext_misc bandwidth 75% priority 1
queue pri_ext priority 3

--- florian mosleh <[EMAIL PROTECTED]> wrote:

> Hi,
>
> i'm currently completely rewriting the pf.conf on an OpenBSD 3.6 firewall. When
> I do a "pfctl -nf pf.conf" everything seems to check out fine with the file
> except i get the following errors:
>
> pfctl: the sum of the child bandwidth higher than parent "root_xl2"
> pfctl: the sum of the child bandwidth higher than parent "dorms_ext"
> pfctl: the sum of the child bandwidth higher than parent "root_xl2"
> pfctl: the sum of the child bandwidth higher than parent "main_int"
> pfctl: the sum of the child bandwidth higher than parent "main_int"
> pfctl: the sum of the child bandwidth higher than parent "root_xl0"
>
> i've added the few defined bandwidth values i have up. i'm not really sure
> what's going on with it.
>
> Here's the pf.conf (sorry it's sort of long):
>
> ## INTERFACES##
> EXTIF="xl2"
> DMZIF="xl1"
> INTIF="xl0"
>
> ## HOST IPS##
> EXTIP="xxx.xxx.xxx.xxx"
> DORMS="xxx.xxx.xxx.xxx"
> DORMSEXT="xxx.xxx.xxx.xxx"
> DAVINCI="xxx.xxx.xxx.xxx"
> DAVINCIEXT="xxx.xxx.xxx.xxx"
> COOLIDGE="xxx.xxx.xxx.xxx"
> COOLIDGEEXT="xxx.xxx.xxx.xxx"
> SARNOFF="xxx.xxx.xxx.xxx"
> SARNOFFEXT="xxx.xxx.xxx.xxx"
> BLACKLISTED="{ 216.18.127.194/32, 69.90.183.164/32 }"
> GRACEHOPPER="xxx.xxx.xxx.xxx"
>
> ## PORTS##
> HTTP_PORTS="{ 80, 443 }"
> MAIL_PORTS="{ 25, 143, 220, 109, 110, 993, 995 }"
>
> ## RUNTIME OPTIONS##
> set block-policy return
> set loginterface $EXTIF
>
> ##NORMALIZATION##
> scrub in all
> scrub out all
>
> ##QUEUES##
>
> ##EXTERNAL QUEUE##
> altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
> queue std_ext cbq(default)
> queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
> queue dorms_ext_http priority 3
> queue dorms_ext_misc priority 1
> queue pri_ext priority 3
>
> ##INTERNAL QUEUE##
> altq on $INTIF cbq bandwidth 6Mb queue { main_int, aux_int }
> queue main_int bandwidth 3Mb { main_int_http, main_int_ssh, main_int_misc }
> queue main_int_ssh priority 4
> queue main_int_http bandwidth 1.5Mb cbq(borrow)
> queue main_int_misc priority 1 cbq(default)
> queue aux_int
>
> ##NAT AND REDIRECTION##
>
> #EXTERNAL INTERFACE#
> nat on $EXTIF from $INTIF:network to any -> $EXTIP
> binat on $EXTIF from $DORMS to any -> $DORMSEXT
> binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
> binat on $EXTIF from $SARNOFF to any -> $SARNOFFEXT
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port 8888
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
> rdr pass on $EXTIF proto tcp from any to $EXTIP port 5555 -> $GRACEHOPPER
>
> #INTERNAL INTERFACE#
> binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
> binat pass on $INTIF from $SARNOFF to any -> $SARNOFFEXT
> rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
> rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port 8888
> rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
> rdr pass on $INTIF proto tcp from $INTIF:network to $SARNOFFEXT port 80 -> 127.0.0.1 port 8013
> rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> #DMZ INTERFACE#
> binat pass on $DMZIF from $DORMS to 66.240.4.1 -> $GRACEHOPPER
>
> ##FILTER RULES##
> antispoof for xl2
>
> block log all
> pass quick on lo0 all
> pass in inet proto icmp all icmp-type echoreq keep state
>
> #EXTERNAL INTERFACE INBOUND#
> pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_ext
> pass in on $EXTIF inet proto tcp from any to $DORMS port 22 keep state
> pass in on $EXTIF inet proto tcp from any to $DAVINCI port 22 keep state
> pass in on $EXTIF inet proto tcp from any to $GRACEHOPPER port 22 keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE port 8888 keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
> pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
> pass in on $EXTIF proto tcp from any to $SARNOFF port 22 keep state
> pass in on $EXTIF proto tcp from any to $SARNOFF port 80 keep state
> pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state
>
> #EXTERNAL INTERFACE OUTBOUND#
> pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q
> pass out on $EXTIF from $INTIF:network to any keep state
> pass out on $EXTIF from $DMZIF:network to any keep state
> pass out on $EXTIF from $DORMS to any keep state queue dorms_ext_misc
> pass out on $EXTIF proto tcp from $DORMS to any port $HTTP_PORTS keep state queue dorms_ext_http
> pass out on $EXTIF inet proto { udp, icmp } all keep state
>
> #INTERNAL INTERFACE INBOUND#
> pass in on $INTIF from $INTIF:network to any keep state
> pass in on $INTIF proto tcp from $INTIF:network to any port $HTTP_PORTS keep state queue main_int_http
> pass in on $INTIF proto tcp from $INTIF:network to any port 22 keep state queue main_int_ssh
>
> #INTERNAL INTERFACE OUTBOUND#
> pass out on $INTIF from any to $INTIF:network
>
> #DMZ INTERFACE INBOUND#
> pass in on $DMZIF from $DMZIF:network to any keep state
>
> #DMZ INTERFACE OUTBOUND#
> pass out on $DMZIF from any to $DMZIF:network keep state
>

=== message truncated ===

Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
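
Added example, not part of either message or of pfctl: a small Python check that applies the parent/child bandwidth sum named in the pfctl errors to the external queue definitions quoted above. It assumes a queue with no bandwidth keyword defaults to 100% of its parent (as pf.conf(5) describes for ALTQ) and that the altq line gives an absolute rate; the function names and the 3Mb/1Mb values in FULL are constructed for illustration.

```python
import re
UNITS = {"b": 1, "Kb": 1e3, "Mb": 1e6, "Gb": 1e9}

def parse(conf, macros):
    """Return ({queue: (value, unit)}, {parent: [children]}) from altq/queue lines."""
    for name, value in macros.items():
        conf = conf.replace("$" + name, value)
    spec, kids = {}, {}
    for m in re.finditer(r"^[ \t]*(altq on|queue)\s+(\S+)(.*)$", conf, re.M):
        # pfctl reports the root of an altq as root_<interface>.
        name = "root_" + m.group(2) if m.group(1) == "altq on" else m.group(2)
        bw = re.search(r"\bbandwidth\s+([\d.]+)(%|[KMG]?b)", m.group(3))
        # Assumption: no bandwidth keyword means 100% of the parent.
        spec[name] = (float(bw.group(1)), bw.group(2)) if bw else (100.0, "%")
        kids[name] = re.findall(r"\w+", m.group(3).partition("{")[2].partition("}")[0])
    return spec, kids

def oversubscribed(conf, macros):
    """Sorted names of parents whose children sum to more than the parent."""
    spec, kids = parse(conf, macros)
    rate, bad = {}, []
    def resolve(name, parent_rate):
        value, unit = spec.get(name, (100.0, "%"))
        rate[name] = parent_rate * value / 100 if unit == "%" else value * UNITS[unit]
        for child in kids.get(name, []):
            resolve(child, rate[name])
        if sum(rate[c] for c in kids.get(name, [])) > rate[name]:
            bad.append(name)
    for root in [n for n in spec if n.startswith("root_")]:
        resolve(root, 0.0)  # the altq line is assumed to give an absolute rate
    return sorted(bad)

MACROS = {"EXTIF": "xl2"}
BEFORE = """\
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext priority 3
"""
# The reply's percentages (its borrow flag does not affect the sum).
REPLY = (BEFORE.replace("_http priority", "_http bandwidth 25% priority")
               .replace("_misc priority", "_misc bandwidth 75% priority"))
# Constructed values for the two queues the reply leaves to the reader.
FULL = (REPLY.replace("std_ext cbq", "std_ext bandwidth 3Mb cbq")
             .replace("pri_ext priority", "pri_ext bandwidth 1Mb priority"))
for label, conf in (("before", BEFORE), ("reply", REPLY), ("full", FULL)):
    print(label, oversubscribed(conf, MACROS))
```

Under the stated default, the original definitions flag root_xl2 and dorms_ext, the reply's percentages clear dorms_ext, and root_xl2 stays flagged until std_ext and pri_ext also carry explicit bandwidth.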