Hello misc, I have an OpenBSD 5.1 firewall running with PF and four interfaces. One is not active, but I have one ext, one int and one dmz. I'm trying to get QoS working and I'm having issues.

My pf rules load fine but everything seems to be applied to only one queue despite the traffic. Now, because I have three interfaces, soon to be four (VoIP on the other interface), I'm trying to get it running on just the inside part before I shape the other interfaces. Here is my pf.conf for the most part (I used the packet tagging guide in the FAQ). I've remarked out the pass out rules on the ext interface at the bottom because they're not working as intended. Everything gets applied to the bulk queue despite the traffic type.

###### MACROS ###############################################
int = "re0"
dmz = "fxp0"
ext = "re1"
int_net = "192.168.200.0/24"
dmz_net = "192.168.100.0/24"
RFC1918="{ 10/8 172.16/12 192.168/16 }"

####outbound services from internal network
int_tcp_services = "{ 443, 22, 53, 21, 143, 110, 25, 587, 993, 465, 995 }"
int_udp_services = "{ 53 }"

###outbound services from dmz - control outbound dmz - http/smtp/dns/https/dns/smtp-ssl/github
dmz_services = "{ 20, 21, 80, 25, 53, 443, 587, 9418, 4242, 11371, 17662, 3690 }"

#### service hosts
webserver = "192.168.100.x"
sharepoint = "192.168.200.10"

####inbound services
web_services = "{ 22, 80, 3000 }"
sp_services = "{ 443, 52164 }"
openvpn = "{xxx}"
################### END MACROS ###############################

################## QOS #####################################
altq on $ext bandwidth 30Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
queue ack bandwidth 30% qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 20% qlimit 500 hfsc (realtime 20%) { ssh_login, ssh_bulk }
  queue ssh_login bandwidth 50% qlimit 500 hfsc
  queue ssh_bulk bandwidth 50% qlimit 500 hfsc
queue bulk bandwidth 20% qlimit 500 hfsc (realtime 20% default, ecn)
queue web bandwidth 5% qlimit 500 hfsc (realtime (10%, 10000, 5%))
queue mail bandwidth 5% qlimit 500 hfsc (realtime 5%)
queue bittor bandwidth 1% qlimit 500 hfsc (upperlimit 95%)
queue spamd bandwidth 1% qlimit 500 hfsc (upperlimit 1Kb)

######TABLES
table <spamd> persist file "/etc/spammers"
table <bastards> persist file "/etc/pf.tables/bastards"
table <emerging_threats_blocklist> persist file "/etc/pf.tables/etblocklist"

######OPTIONS
set skip on { lo0, enc0 }
set block-policy drop
set loginterface re1

######NORMALIZE TRAFFIC
match in all scrub ( no-df max-mss 1440 )

##### NAT RULES
match out on $ext tag LAN_TO_INET tagged LAN nat-to ($ext)
match out on $ext tag DMZ_TO_INET tagged DMZ nat-to ($ext)
match out on $ext tag FTP_PROXY nat-to ($ext)

####### BLOCKING AND PACKET TAGGING
block log all
antispoof for { lo0 re0 re1 em0 }
block in quick on $ext from $RFC1918 to any
block out quick on $ext from any to $RFC1918
block in log quick on $ext from <bastards>
block in log quick on $ext from <emerging_threats_blocklist>

#LAN OUT
pass in quick on $int from $int_net to $dmz_net tag LAN_TO_DMZ label "LAN_TO_DMZ"
pass in quick on $int from $int_net tag LAN label "LAN_TO_INET"

#OPENVPN
pass in quick on tun0 from any tag VPN_TRAFFIC label "VPN_Traffic"

#DMZ OUT
pass in log on $dmz proto tcp from $dmz_net to any port $dmz_services tag DMZ label "DMZ_OUT:$proto:$dstport"
pass in log on $dmz proto udp from $dmz_net to any port domain keep state tag DMZ label "DMZ_OUT:$proto:$dstport"

#SPAMD and FTP-PROXY
anchor "ftp-proxy/*"
pass in log quick on $dmz proto tcp from $dmz_net to any port 21 divert-to 127.0.0.1 port 8021 tag FTP_PROXY
#pass in log quick on $int proto tcp from $int_net to any port 21 divert-to 127.0.0.1 port 8021 tag FTP_PROXY
pass in on $ext proto tcp from <spamd> to port smtp tag SPAMD rdr-to 127.0.0.1 port 8025 tag SPAMD

#INBOUND TRAFFIC
#OPENVPN TO FIREWALL
pass in on $ext proto udp from any to $ext port $openvpn keep state

#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ label "DMZ_INBOUND_WEBSERVER:$proto:$dstport"

#NAT INBOUND TO Sharepoint
pass in log on $ext proto tcp from any to any port $sp_services rdr-to $sharepoint tag INET_TO_Sharepoint label "SHAREPOINT_INBOUND:$proto:$dstport"

#POLICY ENFORCEMENT
pass in quick on $ext tagged SPAMD
pass out quick on $ext tagged FTP_PROXY
#pass out on $ext inet proto tcp from $ext to any modulate state queue ( bulk, ack ) tagged LAN_TO_INET
#pass out on $ext inet proto tcp from $ext to any modulate state queue ( web ) tagged LAN_TO_INET
#pass out on $ext inet proto { tcp, udp } from $ext to any port 53 queue (dns) tagged LAN_TO_INET
pass out on $ext tagged LAN_TO_INET
pass out on $ext tagged DMZ_TO_INET
pass out quick on $dmz tagged LAN_TO_DMZ
pass out quick on $dmz tagged INET_TO_DMZ
pass out quick on $int tagged INET_TO_Sharepoint
pass out quick on $int tagged VPN_TRAFFIC
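As an added example (editor's illustration, not part of the post above and not the poster's configuration), here is a minimal ALTQ fragment in the same style showing where the queue keyword has to sit for tag-based shaping to classify anything. With ALTQ on OpenBSD of this era, a packet is placed in a queue only by a rule that carries `queue (...)`; a packet that no such rule assigns lands in the queue marked `default`. The queue names and the LAN_TO_INET tag follow the post; the interface, bandwidth figures and port lists are assumptions chosen for the example.

```pf
# Added example: ALTQ queue assignment by tag on the outbound interface.
# Queue and tag names follow the post; re1, 30Mb and the ports are assumptions.
ext = "re1"

altq on $ext bandwidth 30Mb hfsc queue { ack, dns, ssh, web, bulk }
queue ack  bandwidth 30% hfsc (realtime 20%)
queue dns  bandwidth 5%  hfsc (realtime 5%)
queue ssh  bandwidth 20% hfsc (realtime 20%) { ssh_login, ssh_bulk }
  queue ssh_login bandwidth 50% hfsc
  queue ssh_bulk  bandwidth 50% hfsc
queue web  bandwidth 20% hfsc (realtime 10%)
queue bulk bandwidth 25% hfsc (realtime 20% default, ecn)

# Classification happens on the rule that carries "queue". A bare
# "pass out on $ext tagged LAN_TO_INET" assigns no queue, so every packet
# it passes falls into the default queue (bulk). Putting the assignment on
# match rules keeps it separate from the pass/tag logic; each match rule
# that fits a packet applies its queue, so list the specific ones here.
match out on $ext proto { tcp, udp } to port 53 tagged LAN_TO_INET queue dns
# Two-queue form: the second queue takes empty ACKs and lowdelay packets.
match out on $ext proto tcp to port { 80, 443 } tagged LAN_TO_INET queue (web, ack)
match out on $ext proto tcp to port 22 tagged LAN_TO_INET queue (ssh_bulk, ssh_login)

# The pass rule itself carries no queue, so the match rules above decide.
# Traffic matched by none of them still goes to bulk, the default queue.
pass out on $ext tagged LAN_TO_INET
```

To check that classification is actually happening rather than guessing from throughput, watch the per-queue packet counters with `pfctl -vvsq` (or `systat queues`) while generating a little DNS, web and ssh traffic from the inside: each queue's packet count should climb on its own, and only the default queue should move for traffic no rule assigns.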