I'm trying to prioritize certain traffic. One of the rules (from any to domain.com) DOES work and takes up most of the pipe, as I would like. However, when I say that a certain set of IPs on the LAN should get priority for any ftp or www traffic, the rule is rarely evaluated, and packets never match. The rules I'm talking about are at the end of my .conf file. If you have any ideas as to why the {80,20,21} rule isn't getting matched (and it ought to be), I would be very grateful.
-jesse

SOMETHING and ANOTHERTHING are IPs in the actual config.

# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

## Macros ###################################################
#############################################################
ext_if="fxp1"
int_if="fxp0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
mach_room = "{ 192.168.48.54, 192.168.48.68, 192.168.48.70 }"
the_lan = "192.168.48.0/24"

## Options ###################################################
##############################################################
set block-policy drop
scrub in all

# Queues
# Root queue is the full uplink; child queues add up to 1495Kb.
altq on $ext_if cbq bandwidth 1495Kb queue {std_q, hi_q}
queue std_q bandwidth 295Kb cbq (default borrow)
queue hi_q bandwidth 1200Kb cbq (borrow red)

## Translation and Redirection #######################
#####################################################
# Network Address Translation rule
# Doing 'inet' ipv4 only, maybe less rules?
nat on $ext_if inet from $int_if:network to any -> $ext_if

# Terminal services on John computer
rdr on $ext_if proto tcp from any \
    to SOMETHING port 3389 -> \
    ANOTHERTHING port 3389

## Filtering ########################################
#####################################################
# Default policy
block all
pass out keep state
pass on lo
antispoof quick for { lo $int_if }
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Allow LAN traffic to enter the firewall
pass in on $int_if from $the_lan to any keep state

# Allow fw to initiate connections into lan
# (sounds bad, but is good)
pass out on $int_if from any to $the_lan keep state

# Allow icmp
pass in inet proto icmp all icmp-type echoreq keep state

## Incoming pass #####################################
######################################################
# Allow the redirected terminal services traffic
pass in on $ext_if proto tcp from any to SOMETHING \
    port 3389 flags S/SA keep state

## Outgoing pass #####################################
######################################################
# Everything outbound defaults to std_q; later rules override (last match wins)
pass out on $ext_if proto tcp all flags S/SA keep state \
    queue (std_q)
pass out on $ext_if proto tcp from any to DOMAIN.com \
    flags S/SA keep state \
    queue (hi_q)
# "flags" needs a flag spec such as S/SA; pfctl rejects a bare "flags keep state"
pass out on $ext_if proto tcp from $mach_room to any \
    port {80,20,21} flags S/SA keep state \
    queue (hi_q)
pass out on $ext_if proto {udp,icmp} all keep state \
    queue (std_q)
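One thing worth checking in a ruleset like this: pf applies the nat rule on $ext_if before it evaluates the filter rules for packets leaving $ext_if, so an outbound pass rule on $ext_if sees the packet with its source already rewritten to $ext_if's address. A rule written "from $mach_room" on $ext_if therefore has no LAN source address left to match, while "to DOMAIN.com" keeps working because the destination is untouched. The usual way around it is to mark the traffic on $int_if, where the LAN source is still visible, and match the mark on the way out. The fragment below is an added example and not part of the posted config; it reuses the $int_if, $ext_if, $mach_room and hi_q names from the post, and the tag name MACHROOM_PRIO is an arbitrary choice.

```pf
# Added example (not from the original post). Tag the machine-room web/ftp
# connections on the inside interface, before the nat rule rewrites the source.
pass in on $int_if proto tcp from $mach_room to any \
    port {80,20,21} flags S/SA keep state \
    tag MACHROOM_PRIO

# On $ext_if the source is already $ext_if's address, so match on the tag
# instead of on $mach_room. This rule comes after the generic std_q rule,
# so it wins (last match) and the connection lands in hi_q.
pass out on $ext_if proto tcp all tagged MACHROOM_PRIO \
    flags S/SA keep state queue (hi_q)
```

After loading, pfctl -vsr shows per-rule evaluation and packet counters, which is the quickest way to confirm the tagged rule is now being hit, and pfctl -vsq shows the packets and bytes actually going through hi_q.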