Re: FUP implementation in PF

2007-01-06 Thread Lada 'Ray' Lostak
> My guess is that if you explained to us what was confusing about
> the documentation (http://www.openbsd.org/faq/pf/queueing.html)
> we might be able to improve it to the point where you find it
> helpful.
> 
> FYI, when I read your post I had no idea what FUP stood for.
> The industry term seems to be "quality of service", borrowed
> from the telecom industry.
FUP = Fair User Policy. It's a pretty commonly used/general term here. Sorry for
being confusing.

When I check the documentation, there is basically only 'static' QOS.
I found hfsc references, but no documentation around :( It seems the hfsc
altq queue could be the right one to do the FUP I explained. That's why I
asked if anyone has experience with setting up FUP (which is generally a
type of QOS, you are right here).

And yes, the PF FAQ doesn't reference hfsc at all. Some hfsc references
can be found in the man pages (man 5 pf.conf), but without any further
explanation.

I would be happy to have a chapter related to "FUP" in the PF FAQ (which is
well written in my opinion; it answers 90% of my questions :).


-- 
Best regards,
Lada 'Ray' Lostak
Unreal64 Develop group
http://www.unreal64.net
http://www.orcave.com


--
In the 1960s you needed the power of two C64s to get a rocket
to the moon. Now you need a machine which is a vast number
of times more powerful just to run the most popular GUI.

   Imagination is more important than knowledge...


FUP implementation in PF

2007-01-06 Thread Lada 'Ray' Lostak
Hello,

please, could someone point me to where to find resources on how to
implement some fair FUP with PF? I tried to google, but I didn't find
anything :( Or if there exists a project which does something I need...

I have a network - LAN/WAN. The WAN is connected to the net at, say, 5mbps. I have
~20 clients in the LAN. I would like to set up a pf configuration/scripts
which will give 256kbit to everyone and allow borrowing from the main
link - but 1mbit max (it's a wireless connection). Both ways (u/d) should be
shaped.

Additionally, when someone starts mass downloading/uploading, their speed
will go down. For example, if just one client is connected, he will get
1mbps. But within an hour (let's say), when his traffic is high
(transmitting more MB/time than allowed), his speed will slow down to the
declared 256. If possible, this should also happen 'on the fly'. E.g. I would
like to keep 30% of the total bandwidth for leechers. I hope this is
understandable :)

This scheme should keep everyone happy: leechers, who will get a
constant speed without limits, and non-leechers, who want fast surfing.

I have some experience with pf, but mainly as firewalls/routers. I don't
know "where to start" to implement the above. The PF FAQ and others
don't help much.

And: is it possible to implement this at all without some hacks? Or is
there some 'add-in' for pf - some more advanced traffic limiter?

Thank you !

-- 
Best regards,
Lada 'Ray' Lostak
Unreal64 Develop group
http://www.unreal64.net
http://www.orcave.com


--
In the 1960s you needed the power of two C64s to get a rocket
to the moon. Now you need a machine which is a vast number
of times more powerful just to run the most popular GUI.

   Imagination is more important than knowledge...
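An added example, not from this thread (no reply in it offered an implementation): a usage-accounting loop in Python for the 'on the fly' part of the policy described above, which demotes a client to a slower queue once it has moved more bytes in a window than a quota allows. It assumes pf rules labelled `client_<ip>` so that `pfctl -sl` yields per-client byte counters, a `<leechers>` table that a later pass rule assigns to the slow queue, and assumed window/quota values.

```python
"""Usage accounting for a 'fair user' policy on top of pf (added example)."""
import subprocess
from collections import deque
from typing import Deque, Dict, List, Tuple

# Assumed pf.conf side (not from the thread):
#   table <leechers> persist
#   pass in on $int_if from { 192.168.1.10 192.168.1.11 } label "client_$srcaddr"
#   pass in on $int_if from <leechers> queue q_leech    # later rule wins: slow queue
# With those labels `pfctl -sl` prints one line per client:
#   label evaluations packets bytes pkts_in bytes_in pkts_out bytes_out
LABEL_PREFIX = "client_"
TABLE = "leechers"

# Constructed sample of `pfctl -sl` output for two clients.
SAMPLE_PFCTL_SL = """\
client_192.168.1.10 4021 3890 61440000 1900 2048000 1990 59392000
client_192.168.1.11 812 600 128000 300 96000 300 32000
"""


def parse_labels(output: str) -> Dict[str, int]:
    """Map client IP -> cumulative bytes (both directions) from `pfctl -sl`."""
    usage: Dict[str, int] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(LABEL_PREFIX):
            continue
        usage[fields[0][len(LABEL_PREFIX):]] = int(fields[3])
    return usage


class UsageTracker:
    """Sliding-window byte accounting over cumulative pf label counters."""

    def __init__(self, window_seconds: float, quota_bytes: int) -> None:
        self.window = window_seconds
        self.quota = quota_bytes          # bytes allowed per window before demotion
        self.samples: Dict[str, Deque[Tuple[float, int]]] = {}
        self.leechers: set = set()

    def observe(self, now: float, cumulative: Dict[str, int]) -> List[Tuple[str, str]]:
        """Record one sample; return ('add'|'delete', ip) table changes."""
        actions: List[Tuple[str, str]] = []
        for ip, total in cumulative.items():
            q = self.samples.setdefault(ip, deque())
            if q and total < q[-1][1]:    # counters reset on ruleset reload
                q.clear()
            q.append((now, total))
            # Keep one sample at or before the window start so the delta spans it.
            while len(q) >= 2 and q[1][0] <= now - self.window:
                q.popleft()
            over = (q[-1][1] - q[0][1]) > self.quota
            if over and ip not in self.leechers:
                self.leechers.add(ip)
                actions.append(("add", ip))
            elif not over and ip in self.leechers:
                self.leechers.discard(ip)
                actions.append(("delete", ip))
        return actions


def apply_actions(actions: List[Tuple[str, str]]) -> None:
    """Push table changes to pf; run this on the firewall itself."""
    for verb, ip in actions:
        subprocess.run(["pfctl", "-t", TABLE, "-T", verb, ip], check=True)


if __name__ == "__main__":
    import time
    tracker = UsageTracker(window_seconds=3600, quota_bytes=512_000 * 3600 // 8)
    while True:                           # poll once a minute (assumed interval)
        out = subprocess.run(["pfctl", "-sl"], capture_output=True, text=True, check=True).stdout
        apply_actions(tracker.observe(time.time(), parse_labels(out)))
        time.sleep(60)
```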


Re: citrix though the firewall...

2004-11-23 Thread Michael Ray
On Mon, 22 Nov 2004 17:17:18 +1300, you wrote:

>HI Folks,
>has anyone written a helper application like ftpsesame that will allow
>citrix metaframe to work through a pf firewall?

Citrix did... ;-)  It is called Citrix Secure Gateway(CSG) or their
new name of Citrix Secure Access Manager(CSAM). Basically the server
sits in the DMZ and only communicates on 443 with SSL for external
users and it communicates from the CSG back to the Citrix servers a
number of ways including SSL.
http://www.citrix.com/site/PS/products/product.asp?familyID=%2019&productID=184

>Citrix first talks on port 1494 and negotiates a high numbered port
>which the client then connects back to. 

You are correct, it depends on how you are setup and what servers need
to communicate with external resources. If you require the use of an
"alternate address" configuration you could end up having an inane
range of ports which must be opened. 

What versions of Citrix are you using? Is this strictly for external
users to access the internal applications?

>I am going to be encouraging users to move to RDP but I need a short
>term solution.

There are a number of options depending on what the requirements are. 

Links:
_HUGE_ resource on Citrix with links, white papers, etc
Original web page
http://www.dabcc.com/ThinSol/

New web page (click on Citrix Systems on the left)
http://www.dabcc.com/DABCC/

CSG document
http://support.citrix.com/servlet/KbServlet/download/134-102-7736/Windows_Secure_Gateway_Guide.pdf

Mike


Re: CARP question

2004-04-12 Thread Ray
On Sun, Apr 11, 2004 at 04:45:40PM +0100, Greg Hennessy wrote:
> On 11 Apr 2004 07:16:03 -0700, [EMAIL PROTECTED] (Role Account for
> SysAdmin) wrote:
> 
> 
> >4) $air /30 (a nic to a wireless router, part of my wireless gateway).
> >inet 10.1.1.1 255.255.255.252 NONE
> >
> >Will CARP work with my routable /30 address, which connects me to my ISP, 
> 
> It won't, you don't have a spare address for the failover system, let alone a
> virtual IP. 

What's wrong with 10.2.0.0/24?


Re: PF/spamd oddity

2004-03-18 Thread Ray
On Wed, Mar 17, 2004 at 10:58:21PM -0500, Jason Dixon wrote:
> Perhaps I simply need some sleep, but I'm confused as to why my test 
> isn't working as expected.  I'm trying to test a connection from a 
>  entry (my other box, 192.168.0.58) to my new mailserver 
> (192.168.0.53).  I have the requisite spamd table, rdr to localhost, 
> and pass on loopback entries in pf.conf.  I've rebooted to make 
> _absolutely_ certain that everything is kosher.  Nevertheless, the 
> connection is simply being blocked/reset by my generic block rule, 
> rather than being allowed to pass through to spamd on 127.0.0.1:8025.



> ### Translation ###
> rdr on $ext_if inet proto tcp from  to ($ext_if) port smtp -> 127.0.0.1 port 8025

Try:
rdr pass on $ext_if inet proto tcp from  to ($ext_if) port smtp -> 127.0.0.1 port 8025


Re: Trouble getting ALTQ to prioritize ACKs

2004-03-06 Thread Ray
On Fri, Mar 05, 2004 at 09:01:14PM -0700, jared r r spiegel wrote:
>   'bittorrent queue' is effective search for misc@ archive, 
>   with respect to this.

Will do.  Thanks.

>   hopefully i will make sense.  i notice you have no rdr on
>   ext to LAN machine ports:bittorrent ?  is that because of 
>   it being handled in PPP/tun0 land?

That's because I use public IPs.

-Ray-


Re: Trouble getting ALTQ to prioritize ACKs

2004-03-05 Thread Ray
On Fri, Mar 05, 2004 at 07:58:01PM +0100, Daniel Hartmeier wrote:
> altq didn't work for tun(4) with 3.3-release, and support was added to
> 3.3-current with sys/net/if_tun.c 1.48 on Jun 12 2003. So, first thing
> is to check whether your 3.3-current includes that change. If it was
> built before Jun 12 2003, it certainly doesn't, and trying altq with
> tun0 will be futile. If you're going to update, go to 3.4-stable.

Sorry, I mis-reported that:

OpenBSD 3.4-current (GENERIC) #45: Thu Oct 16 13:00:46 MDT 2003

-Ray-


Re: Trouble getting ALTQ to prioritize ACKs

2004-03-05 Thread Ray
On Fri, Mar 05, 2004 at 10:07:23AM +, Greg Hennessy wrote:
> You don't need to use synproxy on tcp traffic initiated from your LAN. 

This is just me trying to obfuscate the outgoing traffic as much
as possible.

> Also I've found that using synproxy on incoming p2p connections will dump
> the traffic into the default queue rather than one I want. This methinks is
> due to the firewall doing the 3 way handshake rather than the actual
> endpoint. 

I used to use modulate state, but then switched to synproxy for the
above reason.  I'll try using modulate state again to see if it
gets any better, but this problem has been present before I recently
switched to synproxy.

-Ray-


Re: Trouble getting ALTQ to prioritize ACKs

2004-03-04 Thread Ray
On Fri, Mar 05, 2004 at 12:41:07AM -0500, Ray wrote:
> My connection is a 1500Kbps/768Kbps ADSL connection using PPPoE,
> running on a 3.3-current machine.

Of course I meant 128Kbps down, as my pf.conf showed.

-Ray-


Trouble getting ALTQ to prioritize ACKs

2004-03-04 Thread Ray
Hi,
I've tried for many months (ever since http://www.benzedrine.cx/ackpri.html
was published) to speed up my downloads when uploading but nothing
seems to work.  My cousins use BitTorrent and I've attempted to
limit their uploads to ~5kbps but downloads often max out at 200kbps.
I switched from priq to cbq because someone had mentioned that priq
isn't as good as cbq when shaping p2p bandwidth but the results are
still bad.  Even putting web traffic on a separate queue doesn't
help speed up web surfing responsiveness.  Any ideas?

My connection is a 1500Kbps/768Kbps ADSL connection using PPPoE, running on a 
3.3-current machine.
pf.conf:

ext_if="tun0"
int_if="sis0"
aim_image="4443"
aim_default="5190"
aim_ports="{" $aim_image $aim_default "}"
cyth="168.100.177.129"

# Log $ext_if for pfstat.
set loginterface $ext_if

# Scrub everything.
scrub on $ext_if random-id no-df reassemble tcp fragment reassemble

altq on $ext_if cbq bandwidth 100Kb queue {bt_ext std_ext web_ext cs_ext ssh_aim_ext \
dns_ext tcp_ack_ext ntp_ext}
queue bt_ext bandwidth 6Kb priority 0 cbq   #BitTorrent
queue std_ext bandwidth 20% cbq(default red ecn)#Regular crap
queue web_ext bandwidth 60% priority 3 cbq(borrow red ecn)  #Web Traffic
queue ssh_aim_ext bandwidth 20% priority 4 cbq(borrow red)  #AIM and SSH
queue dns_ext bandwidth 10% priority 5 cbq(borrow)  #DNS
queue tcp_ack_ext bandwidth 10% priority 6 cbq(borrow)  #TCP ACKs
queue ntp_ext bandwidth 10% priority 6 cbq(borrow)  #NTP

altq on $int_if cbq bandwidth 100% queue {net_int local_int}
#Internet traffic
queue net_int bandwidth 1.3Mb {bt_int std_int web_int cs_int ssh_aim_int dns_int \
ntp_int}
queue bt_int bandwidth 5% priority 0 cbq#BitTorrent
queue std_int bandwidth 10% cbq(default)#Regular crap
queue web_int bandwidth 65% priority 3 cbq(borrow)  #Web Traffic
queue ssh_aim_int bandwidth 10% priority 4 cbq(borrow red)  #AIM/SSH
queue dns_int bandwidth 5% priority 5 cbq(borrow)   #DNS
queue ntp_int bandwidth 5% priority 6 cbq(borrow)   #NTP
queue local_int #Local network

# Block ipv6 traffic.
block log quick inet6

# Block spoofed traffic.
antispoof for { lo0 $ext_if $int_if } inet
block in log quick on $ext_if from $int_if:network
block in log quick on $int_if from ! $int_if:network

# Block all by default.
block in log on {$ext_if $int_if} inet

# Allow local network to access Internet.
pass in on $int_if inet from $int_if:network

# Allow pinging of all computers.
pass in quick on $ext_if inet proto icmp icmp-type echoreq code 0 keep state

# Allow AIM direct connects and file transfers, hopefully.
pass in on $ext_if proto tcp to port $aim_ports synproxy state queue (std_ext, \
tcp_ack_ext)

# Speed up NTP.
pass out on $ext_if inet proto udp to port ntp keep state queue (ntp_ext)
pass out on $int_if inet proto udp from port ntp keep state queue (ntp_int)

# Prioritize ACKs.
pass out on $ext_if synproxy state queue (std_ext, tcp_ack_ext)

# Speed up DNS.
pass out on $ext_if inet proto tcp to port domain synproxy state queue (dns_ext)
pass out on $ext_if inet proto udp to port domain keep state queue (dns_ext)
pass out on $int_if inet proto tcp from port domain synproxy state queue (dns_int)
pass out on $int_if inet proto udp from port domain keep state queue (dns_int)

# Speed up AIM.
pass out on $ext_if proto tcp to port 5190 synproxy state queue (ssh_aim_ext, \
tcp_ack_ext)
pass out on $int_if proto tcp from port 5190 synproxy state queue (ssh_aim_int)

# Speed up SSH.
pass out on $ext_if proto tcp to port ssh synproxy state queue (web_ext, ssh_aim_ext)
pass out on $int_if proto tcp from port ssh synproxy state queue (web_int, ssh_aim_int)

# Speed up web traffic.
pass out on $ext_if proto tcp to port {www ftp ftp-data https} synproxy state queue \
(web_ext, tcp_ack_ext)
pass out on $int_if proto tcp from port {www ftp ftp-data https} synproxy state queue \
(web_int)

# Speed up Counter-Strike.
#pass out on $ext_if proto tcp to port 27015 synproxy state queue (cs_ext, tcp_ack_ext)
#pass out on $int_if proto tcp from port 27015 synproxy state queue (cs_int)

# Unlimited access to firewall.
pass out on $int_if from {$int_if $ext_if} to $int_if:network keep state queue \
(local_int)

# Certain people are not cooperating willingly.  We shall try force now.
pass out on $ext_if proto tcp to port {6879><6890 8879><8890} synproxy state queue \
(bt_ext)
pass out on $int_if proto tcp from port {6879><6890 8879><8890} synproxy state queue \
(bt_int)

# Allow certain connections to cyth.net.
pass in on $ext_if proto tcp to $cyth synproxy state queue (web_ext)
pass in on $ext_if proto tcp to $cyth port ssh synproxy state queue (web_ext, \
ssh_aim_ext)

# Don't allow SMTP connections from any servers other than cyth.net.
block in log on $int_if proto tcp from !$cyth to port smtp


Re: os log?

2004-02-04 Thread Ray
On Wed, Feb 04, 2004 at 10:46:47AM -0500, Mike Frantzen wrote:
> > Is it possible to log the OS of a passed/blocked packet, instead
> > of just using the OS for filtering?  I am trying to do an analysis
> > of what OSes are typically used for, say, spamming.
> 
> tcpdump -netttor /var/log/pflog 'tcp[13] == 2 and port 25'

pfctl(8), pf.conf(5), pflog(4), pflogd(8)...damn it, I knew I forgot
one.  Thanks.

-Ray-


os log?

2004-02-04 Thread Ray
Hi,

Is it possible to log the OS of a passed/blocked packet, instead
of just using the OS for filtering?  I am trying to do an analysis
of what OSes are typically used for, say, spamming.

-Ray-


Re: interface improvements - help needed!

2004-01-05 Thread Ray
On Mon, Jan 05, 2004 at 11:13:13PM +0200, Alexey E. Suslikov wrote:
> that's why we always do
>  block log all
>  pass on $int
>  pass out on $ext from ($ext) to any keep state

Wouldn't this pass all packets, rendering the ``block log all''
useless?

-Ray-


Re: pf and smtp

2003-12-21 Thread Ray
On Mon, Dec 22, 2003 at 12:53:55AM +0100, Predrag Micakovic wrote:
> When i try to telnet public.ip.add.ress from outside, I connect
> just fine to my pop3 and imap ports, but I get no reply from smtp
> whatsoever. When I try to telnet to the private address from the
> DMZ or lan subnet, it works just fine. I figure, if my pop3 and
> imap work, why the hell is port 25 so problematic, and it ought
> to work as well.

Perhaps your ISP filters port 25 due to fear of worm propagation.
However...

> The mystery goes further. When I tried to send mails from my mail
> server located in the DMZ, I failed, the connection timed out and the
> message went to the deferred queue. However, when I try to send
> an email to , for example, [EMAIL PROTECTED] I get it just
> fine.  What a misery.

Since you can receive mail from others, I guess this rules out the
first theory.  Have you tried removing all the pf rules and just
using redirection?  Also, try running tcpdump on the mail server
and the firewall while telnetting from the outside to your mail
server's smtp port to see how far the connection goes.

-Ray-


Re: Prioritizing TCP ACKs on Bridge

2003-07-04 Thread Ray
*sigh*  It turns out that my four port ethernet card was the source
of my problems.  Doing bridging through it yielded no more than
89Kbps.  After replacing it with two separate NICs, everything went
smoothly.  Thanks for all the help, I really appreciate it.

-Ray-



Re: Prioritizing TCP ACKs on Bridge

2003-07-04 Thread Ray
On Wed, Jul 02, 2003 at 12:05:03PM +0200, Daniel Hartmeier wrote:
> On Wed, Jul 02, 2003 at 05:37:35AM -0400, Ray wrote:
> > Running pfctl -vsq several times (with bandwidth at 100Kb) usually
> > yields a qlength of 0, sometimes 1 or 2 or 3.  There are never
> > dropped packets.
> 
> Note that you'd get similar output if you'd queue on the internal
> interface, so make really sure you're queuing on the external one (like,
> unplug the external cable, check ifconfig -a for link status, or
> similar).

Done.

> Also, for this to work, all traffic to the uplink must pass through the
> pf box. If any box can use the uplink without going through pf, it can
> saturate it without pf being able to prioritize. So make sure that the
> pf box is the only one connected to the uplink.

The Internet connection comes from a DSL modem, which is connected
to an old (3.1) firewall, which is connected to the PF bridge, which
is connected to a hub, which connects all other computers.

> Then check the bandwidth setting, I suppose you read the instructions
> about how to pick the right number. Maybe you haven't found the right
> value yet. Try lowering it. You should at least notice that the value is
> limiting your upload speed. If that's not visible, something is wrong.

I've tried lowering it all the way to 50Kb, but still no dropped
packets.  The upload speed is definitely limited, though.  I also
flushed all states and started new downloads and uploads after
loading the ruleset.  No packets seem to go to the priority queue:

queue q_pri priority 7
[ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
[ qlength:   0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue q_def priq( default )
[ pkts:   3648  bytes: 466638  dropped pkts:      0 bytes:  0 ]
[ qlength:  23/ 50 ]
[ measured: 7.6 packets/s, 52.23Kb/s ]

-Ray-



Re: Prioritizing TCP ACKs on Bridge

2003-07-02 Thread Ray
On Wed, Jul 02, 2003 at 10:40:16AM +0200, Daniel Hartmeier wrote:
> Once fixed, run pfctl -vsq, you should see packets assigned to both
> q_pri and q_def. And once you saturate the uplink, you should see
> dropped packets in q_def.

queue q_pri priority 7 
[ pkts:458  bytes:  30248  dropped pkts:  0 bytes:  0 ]
[ qlength:   0/ 50 ]
queue q_def priq( default ) 
[ pkts:   2826  bytes:1099428  dropped pkts:  0 bytes:  0 ]
[ qlength:   1/ 50 ]

I then tried setting the bandwidth to 50Kb just to see if I had
set the bandwidth too high:
queue q_pri priority 7 
[ pkts:  7  bytes:474  dropped pkts:  0 bytes:  0 ]
[ qlength:   0/ 50 ]
queue q_def priq( default ) 
[ pkts:   1046  bytes: 715471  dropped pkts:  0 bytes:  0 ]
[ qlength:  25/ 50 ]

Running pfctl -vsq several times (with bandwidth at 100Kb) usually
yields a qlength of 0, sometimes 1 or 2 or 3.  There are never
dropped packets.

Any ideas?

-Ray-
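An added example, not part of this thread: a Python parser for the `pfctl -vsq` output quoted in this and the preceding reply, which extracts the per-queue counters and applies the two checks Daniel describes (a queue that never receives a packet, and a backlogged queue that never drops). The constructed sample is the output quoted above; it is read from a string here and from `pfctl -vsq` when run as a script.

```python
"""Parse `pfctl -vsq` and flag queue-assignment problems (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the `pfctl -vsq` output quoted in the thread, where
# the ACK queue q_pri never receives a packet.
SAMPLE_PFCTL_VSQ = """\
queue q_pri priority 7
[ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
[ qlength:   0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue q_def priq( default )
[ pkts:   3648  bytes: 466638  dropped pkts:      0 bytes:  0 ]
[ qlength:  23/ 50 ]
[ measured: 7.6 packets/s, 52.23Kb/s ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)")
COUNTERS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLENGTH_RE = re.compile(r"qlength:\s*(\d+)\s*/\s*(\d+)")


def parse_queues(text: str) -> Dict[str, Dict[str, int]]:
    """Return {queue name: counters} from `pfctl -vsq` output."""
    queues: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()                 # child queue lines may be indented
        m = QUEUE_RE.match(line)
        if m:
            current = m.group(1)
            queues[current] = dict(pkts=0, bytes=0, dropped_pkts=0,
                                   dropped_bytes=0, qlength=0, qlimit=0)
            continue
        if current is None:
            continue
        m = COUNTERS_RE.search(line)
        if m:
            q = queues[current]
            q["pkts"], q["bytes"], q["dropped_pkts"], q["dropped_bytes"] = map(int, m.groups())
            continue
        m = QLENGTH_RE.search(line)
        if m:
            queues[current]["qlength"], queues[current]["qlimit"] = map(int, m.groups())
    return queues


def diagnose(queues: Dict[str, Dict[str, int]]) -> List[Tuple[str, str]]:
    """Return (queue, finding) pairs. A queue with zero packets while others
    carry traffic means no rule's queue clause ever selects it; a queue
    holding a backlog but never dropping means the configured bandwidth has
    not been exceeded, so it may be set above the real uplink rate."""
    findings: List[Tuple[str, str]] = []
    total_pkts = sum(q["pkts"] for q in queues.values())
    for name, q in queues.items():
        if total_pkts and q["pkts"] == 0:
            findings.append((name, "no packets assigned"))
        if q["qlength"] and q["dropped_pkts"] == 0:
            findings.append((name, "backlog without drops"))
    return findings


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["pfctl", "-vsq"], capture_output=True, text=True, check=True).stdout
    for name, finding in diagnose(parse_queues(out)):
        print(f"{name}: {finding}")
```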



Prioritizing TCP ACKs on Bridge

2003-07-02 Thread Ray
Hi,

I set up a bridge between my existing firewall and my hub in order to avoid
that whole tun mess (I use ADSL, PPPoE).  I was hoping to improve my DSL
performance by using the article at http://www.benzedrine.cx/ackpri.html,
but download speeds still suffer whenever there are uploads.

I'm not sure which device I'm supposed to queue, but since I'm using a bridge,
it shouldn't matter, right?

Here's my pf.conf:
ext_if="de1"
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_if proto tcp from any to any flags S/SAFR keep state \
queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to any flags S/SAFR keep state \
queue (q_def, q_pri)

Thanks a lot.

-Ray-



Re: RFC 3514

2003-04-03 Thread Ray
On Thu, Apr 03, 2003 at 09:06:49PM +0200, Emmanuel Fleury wrote:
> Wayne Freeman wrote:
> >This was an April Fool's joke...there is no such RFC :o)
> 
> Well, in matter of fact there is one. :o)
> 
> http://www.ietf.org/rfc/rfc3514.txt

I can't tell if you're being serious.  Have you actually _read_ it?

-Ray-



Re: RFC 3514

2003-04-03 Thread Ray
On Thu, Apr 03, 2003 at 02:21:36PM +0800, Hisham Ismail wrote:
> Just curious whether 3.3 will include RFC 3514 (The Security Flag in
> the IPv4 Header). ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

A little late for April Fools' Day, no?

-Ray-



Re: another pf question

2003-03-27 Thread Ray
On Fri, Mar 28, 2003 at 01:14:41AM -0500, [EMAIL PROTECTED] wrote:
> Is pf a true 'silent' firewall, not touching the ttl of a packet and
> thereby not giving out that the packet has gone through an extra layer
> to get to the destination? If it isn't, is there a way to enable such
> a feature, if it's yet implemented?

I think a bridge(4) is what you want to do.

-Ray-



Re: little question.

2003-03-05 Thread Ray
On Wed, Mar 05, 2003 at 12:52:50PM -0300, Alejandro G. Belluscio wrote:
> Hello pf,
> 
>   I've found two problems today on my 3.2 release machine. I've got an
>   $ExtIF that connects to the Internet and an $IntIF that goes to a
>   NATed private net.
>   1) I've got a cablemodem that assigns an IP through DHCP. But the
>   cablemodem itself has a 192.169.100.1 IP. So I have added an alias
>   192.168.100.128. Which leads to two subproblems.
>   1a) When I try to reach it from my NATed machine it gets translated
>   and so it doesn't go through 192.168.100.128 but my CM assigned IP.
>   I think that I have to add a:

Why not just use a different subnet for your NATed machines?  You can
use 10.0.0.0/8.

>   1b) I want to make sure that if some machine gets compromised, it
>   can't send spoofed IP. So I've put:
> 
>   block out quick on $ExtIF inet from ! $ExtIP to any
> 
>   But it doesn't allow my aliased IP. I've tried to use a list. But
>   when I negate a list I get a syntax error (which I expected
>   anyway). I don't think it's logical to have a list of negated IPs
>   since that should mean everything. How am I supposed to do this?

try:
block out on $ExtIF all
pass out on $ExtIF from $ExtIP to any

I find that people (ab)use the `quick' keyword too much.

-Ray-



Re: ALTQ

2003-02-25 Thread Ray
On Tue, Feb 25, 2003 at 05:44:30PM -0500, David Chubb wrote:
> Quick question: Is ALTQ implemented in the stable branch of 3.2? Or do I
> have to update to -current?

Hasn't ALTQ been in OpenBSD since 3.0?

-Ray-