Hi

  Since 3.6 all queues must have bandwidth assigned to
them. I assign 25% from the parent queue to dorms_ext_http
and allow it to borrow from it.
  Customize the other queues and assign bandwidth to them.

Bye

 ##EXTERNAL QUEUE##
 altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
 queue std_ext  cbq(default)
 queue dorms_ext        bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
        queue dorms_ext_http bandwidth 25% priority 3 cbq(borrow)
        queue dorms_ext_misc bandwidth 75% priority 1
 queue pri_ext  priority 3


--- florian mosleh <[EMAIL PROTECTED]>
wrote:

> Hi,
> 
> i'm currently completely rewriting the pf.conf on an
> OpenBSD 3.6 firewall. When
> I do a "pfctl -nf pf.conf" everything seems to check
> out fine with the file
> except i get the following errors:
> 
> pfctl: the sum of the child bandwidth higher than
> parent "root_xl2"
> pfctl: the sum of the child bandwidth higher than
> parent "dorms_ext"
> pfctl: the sum of the child bandwidth higher than
> parent "root_xl2"
> pfctl: the sum of the child bandwidth higher than
> parent "main_int"
> pfctl: the sum of the child bandwidth higher than
> parent "main_int"
> pfctl: the sum of the child bandwidth higher than
> parent "root_xl0"
> 
> i've added the few defined bandwidth values i have
> up. i'm not really sure
> what's going on with it.
> 
> Here's the pf.conf (sorry it's sort of long):
> 
> 
> 
> ## INTERFACES##
> EXTIF="xl2"
> DMZIF="xl1"
> INTIF="xl0"
> 
> ## HOST IPS##
> EXTIP="xxx.xxx.xxx.xxx"
> DORMS="xxx.xxx.xxx.xxx"
> DORMSEXT="xxx.xxx.xxx.xxx"
> DAVINCI="xxx.xxx.xxx.xxx"
> DAVINCIEXT="xxx.xxx.xxx.xxx"
> COOLIDGE="xxx.xxx.xxx.xxx"
> COOLIDGEEXT="xxx.xxx.xxx.xxx"
> SARNOFF="xxx.xxx.xxx.xxx"
> SARNOFFEXT="xxx.xxx.xxx.xxx"
> BLACKLISTED="{ 216.18.127.194/32, 69.90.183.164/32
> }"
> GRACEHOPPER="xxx.xxx.xxx.xxx"
> 
> ## PORTS##
> HTTP_PORTS="{ 80, 443 }"
> MAIL_PORTS="{ 25, 143, 220, 109, 110, 993, 995 }"
> 
> 
> 
> ## RUNTIME OPTIONS##
> set block-policy return
> set loginterface $EXTIF
> 
> 
> 
> ##NORMALIZATION##
> scrub in all
> scrub out all
> 
> 
> 
> ##QUEUES##
> 
> ##EXTERNAL QUEUE##
> altq on $EXTIF cbq bandwidth 6Mb queue { std_ext,
> dorms_ext, pri_ext }
> queue std_ext cbq(default)
> queue dorms_ext       bandwidth 2Mb { dorms_ext_http,
> dorms_ext_misc }
>       queue dorms_ext_http    priority 3
>       queue dorms_ext_misc    priority 1
> queue pri_ext priority 3
> 
> ##INTERNAL QUEUE##
> altq on $INTIF cbq bandwidth 6Mb queue { main_int,
> aux_int }
> queue main_int        bandwidth 3Mb { main_int_http, 
> main_int_ssh, main_int_misc }
>       queue main_int_ssh      priority 4
>       queue main_int_http     bandwidth 1.5Mb cbq(borrow)
>       queue main_int_misc     priority 1 cbq(default)
> queue aux_int
> 
> 
> 
> ##NAT AND REDIRECTION##
> 
> #EXTERNAL INTERFACE#
> nat on $EXTIF from $INTIF:network to any -> $EXTIP
> binat on $EXTIF from $DORMS to any -> $DORMSEXT
> binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
> binat on $EXTIF from $SARNOFF to any -> $SARNOFFEXT
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT
> port 80 -> $COOLIDGE port 8888
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT
> port 3306 -> $COOLIDGE
> rdr pass on $EXTIF proto tcp from any to $EXTIP port
> 5555 -> $GRACEHOPPER
> 
> #INTERNAL INTERFACE#
> binat pass on $INTIF from $COOLIDGE to any ->
> $COOLIDGEEXT
> binat pass on $INTIF from $SARNOFF to any ->
> $SARNOFFEXT
> rdr on $INTIF proto tcp from any to $DAVINCIEXT ->
> $DAVINCI
> rdr pass on $INTIF proto tcp from $INTIF:network to
> $COOLIDGEEXT port 80 ->
> 127.0.0.1 port 8888
> rdr pass on $INTIF proto tcp from $INTIF:network to
> $COOLIDGEEXT port 3306 ->
> 127.0.0.1 port 3306
> rdr pass on $INTIF proto tcp from $INTIF:network to
> $SARNOFFEXT port 80 ->
> 127.0.0.1 port 8013
> rdr on $INTIF proto tcp from any to any port 21 ->
> 127.0.0.1 port 8021
> 
> #DMZ INTERFACE#
> binat pass on $DMZIF from $DORMS to 66.240.4.1 ->
> $GRACEHOPPER  
> 
> 
> 
> ##FILTER RULES##
> antispoof for xl2
> 
> block log all
> pass quick on lo0 all
> pass in inet proto icmp all icmp-type echoreq keep
> state
> 
> #EXTERNAL INTERFACE INBOUND#
> pass in quick on $EXTIF proto tcp from any to $EXTIF
> flags S/SA keep state queue
> pri_ext
> pass in on $EXTIF inet proto tcp from any to $DORMS
> port 22 keep state
> pass in on $EXTIF inet proto tcp from any to
> $DAVINCI port 22 keep state 
> pass in on $EXTIF inet proto tcp from any to
> $GRACEHOPPER port 22 keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE
> port 8888 keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE
> port 3306 keep state
> pass in on $EXTIF proto icmp from any to $COOLIDGE
> keep state
> pass in on $EXTIF proto tcp from any to $SARNOFF
> port 22 keep state
> pass in on $EXTIF proto tcp from any to $SARNOFF
> port 80 keep state
> pass in on $EXTIF inet proto tcp from port 20 to
> ($EXTIF) user proxy flags S/SA
> keep state 
> 
> #EXTERNAL INTERFACE OUTBOUND#
> pass out quick on $EXTIF proto tcp from $EXTIF to
> any flags S/SA keep state
> queue pri_q
> pass out on $EXTIF from $INTIF:network to any keep
> state
> pass out on $EXTIF from $DMZIF:network to any keep
> state
> pass out on $EXTIF from $DORMS to any keep state
> queue dorms_ext_misc
> pass out on $EXTIF proto tcp from $DORMS to any port
> $HTTP_PORTS keep state
> queue dorms_ext_http
> pass out on $EXTIF inet proto { udp, icmp } all keep
> state
> 
> 
> #INTERNAL INTERFACE INBOUND#
> pass in on $INTIF from $INTIF:network to any keep
> state
> pass in on $INTIF proto tcp from $INTIF:network to
> any port $HTTP_PORTS keep
> state queue main_int_http 
> pass in on $INTIF proto tcp from $INTIF:network to
> any port 22 keep state queue
> main_int_ssh
> 
> #INTERNAL INTERFACE OUTBOUND#
> pass out on $INTIF from any to $INTIF:network
> 
> #DMZ INTERFACE INBOUND#
> pass in on $DMZIF from $DMZIF:network to any keep
> state
> 
> #DMZ INTERFACE OUTBOUND#
> pass out on $DMZIF from any to $DMZIF:network keep
> state
> 
>  
> 
> 
=== message truncated ===


Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
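Added example for this thread (not code from the mail, from the poster, or from pfctl): a small Python checker that reads the queue section of a pf.conf like the ones quoted above, resolves absolute ("2Mb") and percentage ("25%") bandwidths top-down, and reports which parent queues pfctl would reject with "the sum of the child bandwidth higher than parent". It is fed three constructed samples, POSTED (the original queue section), REPLY (with the two dorms_ext children assigned 25% and 75%), and COMPLETE (std_ext and pri_ext assigned as well). The rule that a child with no bandwidth keyword counts as its parent's full bandwidth is an assumption of this example, not something the thread states; it is the rule that reproduces the posted errors and the reason the reply's snippet still leaves root_xl2 over-committed until std_ext and pri_ext get bandwidth too.

```python
"""Static check of an altq cbq queue tree against pfctl's child-bandwidth rule.

Added example for this thread; not part of the original mail or of pfctl.
It understands only the cbq syntax used in the thread:
    altq on <if> cbq bandwidth <bw> queue { <children> }
    queue <name> [bandwidth <bw>] [priority <n>] [cbq(...)] [{ <children> }]
ASSUMPTION (not stated in the thread): a child queue with no bandwidth keyword
is counted as if it had its parent's full bandwidth.
"""
import re

UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_bw(spec, parent_bw):
    """Turn '2Mb' or '25%' into bits per second; None stays None (unassigned)."""
    if spec is None:
        return None
    if spec.endswith("%"):
        return parent_bw * int(spec[:-1]) // 100
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)b", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec {spec!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def statements(text):
    """Yield logical statements, joining physical lines while a '{' is still open."""
    buf = ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            buf = f"{buf} {line}".strip()
            if buf.count("{") == buf.count("}"):
                yield buf
                buf = ""


def build_tree(text):
    """Map queue name -> {"bw": spec or None, "children": [...], "parent": name or None}."""
    macros, queues = {}, {}
    for stmt in statements(text):
        macro = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', stmt)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        stmt = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), stmt)
        m = re.fullmatch(r"(?:altq on (\S+) cbq|queue (\S+))(.*?)(?:\{([^}]*)\})?", stmt)
        if not m:
            continue  # set, nat, rdr, pass ... are not queue definitions
        iface, qname, opts, kids = m.groups()
        name = f"root_{iface}" if iface else qname  # pfctl names the interface root "root_<if>"
        bw = re.search(r"bandwidth\s+(\S+)", opts)
        children = [c.strip() for c in kids.split(",")] if kids else []
        queues.setdefault(name, {"parent": None}).update(
            bw=bw.group(1) if bw else None, children=children)
        for child in children:
            queues.setdefault(child, {"bw": None, "children": []})["parent"] = name
    return queues


def check(text):
    """Return {"errors": [pfctl-style messages], "unassigned": [...], "bandwidth": {...}}."""
    queues = build_tree(text)
    bandwidth, errors, unassigned = {}, [], []

    def resolve(name):
        q = queues[name]
        parent_bw = bandwidth[q["parent"]] if q["parent"] else 0
        bw = parse_bw(q["bw"], parent_bw)
        if bw is None:
            if q["parent"]:
                unassigned.append(name)
            bw = parent_bw  # ASSUMPTION: an unassigned child counts as its parent's bandwidth
        bandwidth[name] = bw
        for child in q["children"]:
            resolve(child)  # children need the parent's figure to resolve percentages
        if q["children"] and sum(bandwidth[c] for c in q["children"]) > bw:
            errors.append(f'pfctl: the sum of the child bandwidth higher than parent "{name}"')

    for name, q in queues.items():
        if q["parent"] is None:
            resolve(name)
    return {"errors": errors, "unassigned": unassigned, "bandwidth": bandwidth}


# Constructed samples: the queue section as posted, as amended in the reply, and fully assigned.
POSTED = """\
EXTIF="xl2"
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext,
dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
    queue dorms_ext_http priority 3
    queue dorms_ext_misc priority 1
queue pri_ext priority 3
"""
REPLY = (POSTED
         .replace("queue dorms_ext_http priority 3",
                  "queue dorms_ext_http bandwidth 25% priority 3 cbq(borrow)")
         .replace("queue dorms_ext_misc priority 1",
                  "queue dorms_ext_misc bandwidth 75% priority 1"))
COMPLETE = (REPLY
            .replace("queue std_ext cbq(default)", "queue std_ext bandwidth 50% cbq(default)")
            .replace("queue pri_ext priority 3", "queue pri_ext bandwidth 1Mb priority 3"))

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("reply", REPLY), ("complete", COMPLETE)):
        r = check(cfg)
        print(f"== {label}: {len(r['errors'])} error(s), unassigned: {r['unassigned']}")
        for e in r["errors"]:
            print("  " + e)
```

Run it stand-alone and the posted section fails on both dorms_ext and root_xl2, the reply's section still fails on root_xl2 (std_ext and pri_ext have no bandwidth), and the fully assigned section loads cleanly; the same check is a cheap pre-commit gate before a `pfctl -nf` on the real file.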

