On Wed, Jul 30, 2008 at 1:23 AM, Rudi Kramer - MWEB <[EMAIL PROTECTED]> wrote:
> I am running FreeBSD 7 and I wanted to play around with ALTQ and PRIQ 
> queuing. My goal was to have TCP ACKs that have no payload having the highest 
> priority and then cod, dns, ssh in their own queues and everything else 
> falling in to the default queue.
>
> Here is the config I came up with:
>
> ##################################################
>
> #Macros
>
> ext_if = "tun0"
> cod_ports = "{28960:29000}"
>
> ##Tables
>
> table <priv_net> { 192.168.0.0/24 }
>
> ##Options
>
> ##Scrub
>
> scrub in all
>
> ##Queueing
>
> altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def, q_cod, q_domain, q_ssh }
>
> queue q_pri priority 10
> queue q_cod priority 9
> queue q_domain priority 8
> queue q_ssh priority 7
> queue q_def priority 1 priq(default)
>
> ##Translation
> nat on $ext_if from <priv_net> to any -> ($ext_if)
>
> ##Filter Rules
>
> #default to deny
> block in log all
>
> #allow loopback
> pass quick on lo0 all
>
> #Setup PRIQ Rules
> pass out on $ext_if proto tcp from ($ext_if) to any queue (q_pri, q_def)
> pass in  on $ext_if proto tcp from any to ($ext_if) queue (q_pri, q_def)

I believe the ordering of the queues here is wrong.  I believe you'll
want this instead:

pass out on $ext_if proto tcp from ($ext_if) to any queue (q_def, q_pri)

And you'll want the same for the identical pass in rule, but since you
are really not allowing connections to come in (state is being kept on
connections that are initiated outbound so pf is tracking the related
inbound packets too) this rule is not needed.

> pass out quick on $ext_if proto udp from ($ext_if) to any port $cod_ports queue q_cod
> pass in  quick on $ext_if proto udp from any to ($ext_if) port $cod_ports queue q_cod
>
> pass out quick on $ext_if proto udp from ($ext_if) to any port domain queue q_domain
> pass in  quick on $ext_if proto udp from any to ($ext_if) port domain queue q_domain
>
> pass out quick on $ext_if proto tcp from ($ext_if) to any port ssh queue q_ssh
> pass in  quick on $ext_if proto tcp from any to ($ext_if) port ssh queue q_ssh
>
> #allow from fw to ext
> pass out quick log on $ext_if proto tcp all
> pass out quick log on $ext_if proto { udp, icmp } all

Because your first rule for tcp, the one I commented on, does not have
quick applied, it is likely this tcp rule is catching all the tcp
traffic instead and queueing is not being applied the way you want it
to.  Unless you know what you are doing, I do not recommend using
regular and quick rules in the same ruleset and recommend you focus on
the proper ordering of your rules instead.  For now, you might want to
consider omitting these two rules.  However, in seeing that you are
using this rule in an attempt to treat the firewall's own traffic
differently from NATted traffic, I'm not sure this is possible without
tagging of some sort--which you'll probably need to read up on.

> #allow from internal network out
> pass quick log on $int_if proto tcp from <priv_net> to any
> pass quick log on $int_if proto { udp, icmp } from <priv_net> to any
>
> #########################################
>
> As far as I can see it is working but I was hoping to get some input from the 
> list.

Use pfctl -vvs q to help verify the proper operation of your queues.

Hope this helps.
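A reworked version of the quoted ruleset along the lines of the reply above, added here as an example that is not from either poster: the queue pairs are reordered to (q_def, q_pri) so that empty ACKs and lowdelay packets land in the high-priority queue, the quick/non-quick mix is dropped in favour of plain last-match ordering, and a tag set by the nat rule separates the firewall's own traffic from NATted traffic. The internal interface name fxp0, the extra queue q_fw and the tag name NATTED are assumptions made for this example; it also relies on FreeBSD 7's pf keeping state by default.

```pf
# Added example (not the original poster's config): PRIQ ruleset for a
# FreeBSD 7 pf NAT gateway, following the points made in the reply.
# Assumed for this example: int_if = fxp0, queue q_fw, tag NATTED.

## Macros
ext_if = "tun0"
int_if = "fxp0"               # assumed name for the LAN interface
cod_ports = "{ 28960:29000 }"

## Tables
table <priv_net> { 192.168.0.0/24 }

## Scrub
scrub in all

## Queueing
# PRIQ: the higher priority number is served first; only the default
# queue is mandatory, every other queue must be listed here to be usable.
altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_cod, q_domain, q_ssh, q_fw, q_def }

queue q_pri    priority 10                # empty TCP ACKs / lowdelay TOS
queue q_cod    priority 9
queue q_domain priority 8
queue q_ssh    priority 7
queue q_fw     priority 4                 # the firewall's own bulk TCP (assumed)
queue q_def    priority 1 priq(default)   # everything else, i.e. NATted bulk

## Translation
# Tag every packet this rule rewrites so the filter rules below can tell
# LAN-originated (NATted) traffic from traffic the firewall itself sends.
nat on $ext_if from <priv_net> to any tag NATTED -> ($ext_if)

## Filter rules
# No "quick" anywhere: the last matching rule wins, so the general rules
# come first and the more specific queue assignments follow them.

block in log all
pass on lo0 all

# LAN hosts coming in on the internal interface. State is kept by default
# in FreeBSD 7's pf, so the replies need no extra rules.
pass in on $int_if from <priv_net> to any

# Everything leaving the external interface. With queue (a, b) the second
# queue takes empty TCP ACKs and lowdelay-TOS packets, the first the rest.
pass out on $ext_if proto tcp from ($ext_if) to any queue (q_def, q_pri)
pass out on $ext_if proto { udp, icmp } from ($ext_if) to any queue q_def

# The firewall's own TCP sessions carry the same source address as NATted
# ones after translation, so the absence of the tag is what singles them out.
pass out on $ext_if proto tcp from ($ext_if) to any ! tagged NATTED queue (q_fw, q_pri)

# Service-specific queues, firewall-originated or NATted alike.
pass out on $ext_if proto udp from ($ext_if) to any port $cod_ports queue q_cod
pass out on $ext_if proto udp from ($ext_if) to any port domain     queue q_domain
pass out on $ext_if proto tcp from ($ext_if) to any port ssh        queue q_ssh

# Inbound ssh to the firewall itself. The queue is stored with the state,
# so the outbound half of the session is queued as well.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh queue (q_ssh, q_pri)
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors without touching the running ruleset, then with `pfctl -f /etc/pf.conf`, and check the per-queue packet counters with `pfctl -vvs queue` as suggested in the reply: a queue whose counters never move while matching traffic flows means the packets are being assigned by an earlier, more general rule than intended.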
  • PF+ALTQ+PRIQ Rudi Kramer - MWEB
    • Re: PF+ALTQ+PRIQ Daniel Melameth
