ALTQ ack prioritization

2003-03-06 Thread Jason Dixon
Hi all:

I'm trying to implement Daniel's pri/ack configuration, but something's
not working properly.  I can see that my download dropped as expected
during uploads, even though I have the optimizations enabled.  I checked
my pfctl -vvss output to ensure that my upload state was hitting the
correct rule (it was).  Anyone have any ideas what I'm missing here?

TIA,
-J.

-bash-2.05b# pfctl -vsq
queue q_pri priority 7
[ pkts:  0  bytes:  0  dropped pkts:  0 bytes: 0 ]
[ qlength:   0/ 50 ]
queue q_def priq( default )
[ pkts: 736613  bytes:   86078294  dropped pkts: 73 bytes: 61258 ]
[ qlength:  30/ 50 ]

# Relevant state entry for upload
tcp 192.168.0.42:38006 -> xxx.xxx.xxx.xxx:31486 -> yyy.yyy.yyy.yyy:22   ESTABLISHED:ESTABLISHED
   [4238399744 + 46336] wscale 0  [3625931648 + 10304] wscale 0
   age 00:00:44, expires in 05:00:00, 625 pkts, 559407 bytes, rule 68

# Rule affecting upload
@68 pass out on dc0 proto tcp all keep state queue(q_def, q_pri)

# pf.conf
### Variables ###
ext_if=dc0
int_if=dc1
int_net=dc1/24
webserver=192.168.0.10
fw_services={ ssh, smtp, 444, 5001 }
web_services={ http, ssh }
out_services={ http, https, ssh, pop3, pop3s, smtp, ftp, domain, bootps, ntp, 444, 465, 5190 }
bad_blocks={ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

### Set Options ###
set limit { frags 32000, states 65000 }
set loginterface $ext_if
set optimization aggressive

### Packet Normalization ###
scrub in all
scrub out all random-id

### ALTQ ###
altq on $ext_if priq bandwidth 120Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

### Start NAT rules ###
# Normal Rules
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 4275 -> $webserver port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 4272 -> $webserver port 22
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Bounceback - TCP Reflection
rdr on $int_if proto tcp from $int_net to ($ext_if) port 4275 -> $webserver port 80
no nat on $int_if proto tcp from ($int_if) to $int_net
nat on $int_if proto tcp from $int_net to $webserver port 80 -> ($int_if)

### Start Filter Rules
# basic block-all
block out log on $ext_if all
block in log on $ext_if all
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all
block in quick on $ext_if proto igmp all

# block various noisy traffic without logging
block in quick on $ext_if from 255.255.255.255/32 to any
block in quick on $ext_if from any to 255.255.255.255/32
block in quick proto { tcp, udp } from any to any port { 135, 137, 138, 139, 445 }

# block any incoming spoofed
block in quick on $ext_if from any to 224.0.0.1 # Adelphia igmp query
block in log quick on $ext_if from $bad_blocks to any
block in log quick on $ext_if from any to $bad_blocks
block in log on $ext_if from any to 192.168.0.0/24

# allow certain icmp connections
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $int_if proto icmp all keep state
pass in on $int_if proto icmp all keep state

# allow certain udp connections
pass out on $ext_if proto udp all keep state
pass out on $int_if proto udp all user root keep state
pass in on $int_if proto udp from any to any port $out_services keep state

# allow certain tcp connections
#pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto tcp all keep state queue (q_def, q_pri)
#pass in on $ext_if inet proto tcp from any to ($ext_if) port $fw_services flags S/SA keep state
pass in  on $ext_if inet proto tcp from any to ($ext_if) port $fw_services flags S/SA keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $webserver port $web_services flags S/SA keep state
pass out on $int_if proto tcp all user root keep state
pass in on $int_if proto tcp from any to any port $out_services modulate state queue (q_def, q_pri)
# END of pf.rules




Re: ALTQ ack prioritization

2003-03-06 Thread Jason Dixon
On Thu, 2003-03-06 at 16:23, Jolan Luff wrote:
> > pass in on $int_if proto tcp from any to any port $out_services modulate
> > state queue (q_def, q_pri)
> > # END of pf.rules
> 
> i'm not sure how relevant this is to your problem, but you have no
> queue defined on $int_if, so you shouldn't be queuing on it.  try
> making that a vanilla pass rule, reload, and see if it's fixed..?

Nope.

-J.



Re: ALTQ ack prioritization

2003-03-06 Thread Daniel Hartmeier
Try with just the altq, queue and pass rules from the example. Reload
the ruleset and flush all existing state entries (pfctl -Fs), as only
newly established connections will be queued according to the new
ruleset. Then try a single download and upload over TCP (ftp, http,
etc.) concurrently.

If that works, you can try the same with your real ruleset, I'd only add
the queue (q_def, q_pri) to the pass rules on the external interface,
and make sure you're adding it to all of them that create the TCP
connections.

Daniel
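A script for the reload, flush and verify procedure described above, so that the pfctl -vsq counters are checked mechanically instead of by eye. This is an added example, not code from this thread; it assumes OpenBSD pfctl and the queue names q_pri / q_def from the pf.conf posted at the top of the thread. The two sample outputs are constructed, modelled on the counters posted here.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenBSD pfctl and the queue
# names q_pri / q_def from the pf.conf posted earlier in this thread.

# Daniel's procedure: load the ruleset, then flush the state table. Existing
# states keep the queue assignment of the rule that created them, so only
# connections established after the flush are queued by the new rules.
reload_and_flush() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || return 1   # parse only; catches syntax errors first
    pfctl -f "$conf"  || return 1   # load rules, altq and queue definitions
    pfctl -Fs                       # flush states (pfctl -F states)
}

# Turn "pfctl -vsq" output (stdin) into one line per queue:
#   <queue> <pkts> <dropped_pkts>
# Field positions follow the "[ pkts: N bytes: N dropped pkts: N bytes: N ]"
# counter line that pfctl prints under each queue name.
queue_counts() {
    awk '
        $1 == "queue"                { q = $2 }
        $1 == "[" && $2 == "pkts:"   { print q, $3, $8 }
    '
}

# The check the thread relies on: ACK prioritisation is only in effect if the
# high-priority queue is actually receiving packets. Exit status 0 means
# q_pri has a non-zero packet count.
ack_queue_active() {
    queue_counts | awk '
        $1 == "q_pri" && $2 > 0 { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed samples in the "pfctl -vsq" format, modelled on the counters
# posted in the thread: before the state flush q_pri is idle, afterwards it
# carries the ACKs.
SAMPLE_BEFORE='queue q_pri priority 7
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue q_def priq( default )
  [ pkts:     736613  bytes:   86078294  dropped pkts:     73 bytes:  61258 ]
  [ qlength:  30/ 50 ]'

SAMPLE_AFTER='queue q_pri priority 7
  [ pkts:      38789  bytes:    2594742  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue q_def priq( default )
  [ pkts:      20680  bytes:   27243052  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]'

# Offline demonstration against the constructed samples. On a real firewall:
#   reload_and_flush /etc/pf.conf && sleep 60 && pfctl -vsq | ack_queue_active
if printf '%s\n' "$SAMPLE_BEFORE" | ack_queue_active; then
    echo "before flush: q_pri active"
else
    echo "before flush: q_pri idle, existing states are not being queued"
fi
printf '%s\n' "$SAMPLE_AFTER" | ack_queue_active && echo "after flush: q_pri active"
```

The state flush is the step that matters: a state created under the old ruleset is never re-evaluated against the new pass rules, so a long-lived upload keeps going through the default queue no matter what the reloaded rules say.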



Re: ALTQ ack prioritization

2003-03-06 Thread Henning Brauer
On Thu, Mar 06, 2003 at 03:23:18PM -0600, Jolan Luff wrote:
> On Thu, Mar 06, 2003 at 10:38:59AM -0500, Jason Dixon wrote:
> i'm not sure how relevant this is to your problem, but you have no
> queue defined on $int_if, so you shouldn't be queuing on it.  try
> making that a vanilla pass rule, reload, and see if it's fixed..?

this is irrelevant; if no queues are defined the otherwise existing fifo
queue is used.

jason, there were two nasty bugs in pfctl wrt this; one may affect you. make
sure you have a very -current pfctl ...

-- 
Henning Brauer, BS Web Services, http://bsws.de
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: ALTQ ack prioritization

2003-03-06 Thread Jason Dixon
On Thu, 2003-03-06 at 16:37, Daniel Hartmeier wrote:
> Try with just the altq, queue and pass rules from the example. Reload
> the ruleset and flush all existing state entries (pfctl -Fs), as only
> newly established connections will be queued according to the new
> ruleset. Then try a single download and upload over TCP (ftp, http,
> etc.) concurrently.
> 
> If that works, you can try the same with your real ruleset, I'd only add
> the queue (q_def, q_pri) to the pass rules on the external interface,
> and make sure you're adding it to all of them that create the TCP
> connections.

I wish I could figure out what happened.  I did what you suggested, it
worked.  I added back my other rules, it worked.  So far as I can tell,
it was simply a matter of clearing the state table.  Odd.

I forgot to mention, I'm running -snapshot from 3/2/03.  It doesn't look
like what happened to me was caused by any bugs (that Henning has
mentioned in the meantime), but I'm curious... were any of those bugs
fixed after my snapshot?

Thanks,
-J.

P.S.  Here are my stats:

(250Kb)
queue q_pri priority 7
[ pkts:  38789  bytes:2594742  dropped pkts:  0 bytes: 0 ]
[ qlength:   0/ 50 ]
queue q_def priq( default )
[ pkts:  20680  bytes:   27243052  dropped pkts:  0 bytes: 0 ]
[ qlength:   0/ 50 ]




RE: CheckPoint SecureRemote Client through pf

2003-03-06 Thread siivv
problem resolved, thank you everyone for your help..
especially jolan for his openbsd vpn how-to
http://www.cryptonomicon.org/notes/vpn_nat.html

oddly enough, my first problem was on the vpn server, whoever setup my
account was a poor typer and screwed something up... stupid simple mistakes that i
cannot control... (a waste of 3 days of my time for a stupid mistake on
their part, shoulda hit up the firewall team at the get-go)

also, i found that i had to open up port 2746 - checkpoint udp encap port
to allow connections (in addition to the rules found in jolan's how-to)


thanks again to all

piez,
scott


On Tue, 4 Mar 2003, siivv wrote:


> I am trying to work with a few others to figure out the solution to this
> problem, though their time is hard to come by...
> since I do not have access to the vpn firewall, I cannot check its logs,
> and can only deal with what is on my end
> 
> I thank you all for your time and help, hopefully this is something simple
> that I am forgetting to configure, but we shall see...



 scott