Hi all:
I'm trying to implement Daniel's pri/ack configuration, but something's
not working properly. I can see that my download dropped as expected
during uploads, even though I have the optimizations enabled. I checked
my pfctl -vvss output to ensure that my upload state was hitting the
correct rule (it was). Anyone have any ideas what I'm missing here?
TIA,
-J.
-bash-2.05b# pfctl -vsq
queue q_pri priority 7
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes:
0 ]
[ qlength: 0/ 50 ]
queue q_def priq( default )
[ pkts: 736613 bytes: 86078294 dropped pkts: 73 bytes:
61258 ]
[ qlength: 30/ 50 ]
# Relevant state entry for upload
tcp 192.168.0.42:38006 - xxx.xxx.xxx.xxx:31486 -
yyy.yyy.yyy.yyy:22 ESTABLISHED:ESTABLISHED
[4238399744 + 46336] wscale 0 [3625931648 + 10304] wscale 0
age 00:00:44, expires in 05:00:00, 625 pkts, 559407 bytes, rule 68
# Rule affecting upload
@68 pass out on dc0 proto tcp all keep state queue(q_def, q_pri)
# pf.conf
### Variables ###
ext_if=dc0
int_if=dc1
int_net=dc1/24
webserver=192.168.0.10
fw_services={ ssh, smtp, 444, 5001 }
web_services={ http, ssh }
out_services={ http, https, ssh, pop3, pop3s, smtp, ftp, domain,
bootps, ntp, 444, 465, 5190 }
bad_blocks={ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }
### Set Options ###
set limit { frags 32000, states 65000 }
set loginterface $ext_if
set optimization aggressive
### Packet Normalization ###
scrub in all
scrub out all random-id
### ALTQ ###
altq on $ext_if priq bandwidth 120Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
### Start NAT rules ###
# Normal Rules
nat on $ext_if from $int_net to any - ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 4275 - $webserver
port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 4272 - $webserver
port 22
rdr on $int_if proto tcp from any to any port 21 - 127.0.0.1 port 8021
# Bounceback - TCP Reflection
rdr on $int_if proto tcp from $int_net to ($ext_if) port 4275 -
$webserver port 80
no nat on $int_if proto tcp from ($int_if) to $int_net
nat on $int_if proto tcp from $int_net to $webserver port 80 -
($int_if)
### Start Filter Rules
# basic block-all
block out log on $ext_if all
block in log on $ext_if all
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all
block in quick on $ext_if proto igmp all
# block various noisy traffic without logging
block in quick on $ext_if from 255.255.255.255/32 to any
block in quick on $ext_if from any to 255.255.255.255/32
block in quick proto { tcp, udp } from any to any port { 135, 137, 138,
139, 445 }
# block any incoming spoofed
block in quick on $ext_if from any to 224.0.0.1 # Adelphia igmp query
block in log quick on $ext_if from $bad_blocks to any
block in log quick on $ext_if from any to $bad_blocks
block in log on $ext_if from any to 192.168.0.0/24
# allow certain icmp connections
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $int_if proto icmp all keep state
pass in on $int_if proto icmp all keep state
# allow certain udp connections
pass out on $ext_if proto udp all keep state
pass out on $int_if proto udp all user root keep state
pass in on $int_if proto udp from any to any port $out_services keep
state
# allow certain tcp connections
#pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto tcp all keep state queue (q_def, q_pri)
#pass in on $ext_if inet proto tcp from any to ($ext_if) port
$fw_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port
$fw_services flags S/SA keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $webserver port $web_services
flags S/SA keep state
pass out on $int_if proto tcp all user root keep state
pass in on $int_if proto tcp from any to any port $out_services modulate
state queue (q_def, q_pri)
# END of pf.rules