bandwidth limits supposedly exceeded

2005-04-15 Thread florian mosleh
Hi,

I'm currently completely rewriting the pf.conf on an OpenBSD 3.6 firewall. When
I do a pfctl -nf pf.conf everything seems to check out fine with the file
except I get the following errors:

pfctl: the sum of the child bandwidth higher than parent root_xl2
pfctl: the sum of the child bandwidth higher than parent dorms_ext
pfctl: the sum of the child bandwidth higher than parent root_xl2
pfctl: the sum of the child bandwidth higher than parent main_int
pfctl: the sum of the child bandwidth higher than parent main_int
pfctl: the sum of the child bandwidth higher than parent root_xl0

I've added up the few defined bandwidth values I have. I'm not really sure
what's going on with it.

Here's the pf.conf (sorry it's sort of long):



## INTERFACES##
EXTIF=xl2
DMZIF=xl1
INTIF=xl0

## HOST IPS##
EXTIP=xxx.xxx.xxx.xxx
DORMS=xxx.xxx.xxx.xxx
DORMSEXT=xxx.xxx.xxx.xxx
DAVINCI=xxx.xxx.xxx.xxx
DAVINCIEXT=xxx.xxx.xxx.xxx
COOLIDGE=xxx.xxx.xxx.xxx
COOLIDGEEXT=xxx.xxx.xxx.xxx
SARNOFF=xxx.xxx.xxx.xxx
SARNOFFEXT=xxx.xxx.xxx.xxx
BLACKLISTED={ 216.18.127.194/32, 69.90.183.164/32 }
GRACEHOPPER=xxx.xxx.xxx.xxx

## PORTS##
HTTP_PORTS={ 80, 443 }
MAIL_PORTS={ 25, 143, 220, 109, 110, 993, 995 }



## RUNTIME OPTIONS##
set block-policy return
set loginterface $EXTIF



##NORMALIZATION##
scrub in all
scrub out all



##QUEUES##

##EXTERNAL QUEUE##
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext   cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext   priority 3

##INTERNAL QUEUE##
altq on $INTIF cbq bandwidth 6Mb queue { main_int, aux_int }
queue main_int  bandwidth 3Mb { main_int_http,  main_int_ssh, main_int_misc }
queue main_int_ssh  priority 4
queue main_int_http bandwidth 1.5Mb cbq(borrow)
queue main_int_misc priority 1 cbq(default)
queue aux_int



##NAT AND REDIRECTION##

#EXTERNAL INTERFACE#
nat on $EXTIF from $INTIF:network to any -> $EXTIP
binat on $EXTIF from $DORMS to any -> $DORMSEXT
binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
binat on $EXTIF from $SARNOFF to any -> $SARNOFFEXT
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port 
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
rdr pass on $EXTIF proto tcp from any to $EXTIP port  -> $GRACEHOPPER

#INTERNAL INTERFACE#
binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
binat pass on $INTIF from $SARNOFF to any -> $SARNOFFEXT
rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port 
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
rdr pass on $INTIF proto tcp from $INTIF:network to $SARNOFFEXT port 80 -> 127.0.0.1 port 8013
rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#DMZ INTERFACE#
binat pass on $DMZIF from $DORMS to 66.240.4.1 -> $GRACEHOPPER



##FILTER RULES##
antispoof for xl2

block log all
pass quick on lo0 all
pass in inet proto icmp all icmp-type echoreq keep state

#EXTERNAL INTERFACE INBOUND#
pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_ext
pass in on $EXTIF inet proto tcp from any to $DORMS port 22 keep state
pass in on $EXTIF inet proto tcp from any to $DAVINCI port 22 keep state
pass in on $EXTIF inet proto tcp from any to $GRACEHOPPER port 22 keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port  keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
pass in on $EXTIF proto tcp from any to $SARNOFF port 22 keep state
pass in on $EXTIF proto tcp from any to $SARNOFF port 80 keep state
pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state

#EXTERNAL INTERFACE OUTBOUND#
# pri_ext is the priority queue defined on $EXTIF above; no queue named pri_q exists in this file
pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_ext
pass out on $EXTIF from $INTIF:network to any keep state
pass out on $EXTIF from $DMZIF:network to any keep state
pass out on $EXTIF from $DORMS to any keep state queue dorms_ext_misc
pass out on $EXTIF proto tcp from $DORMS to any port $HTTP_PORTS keep state queue dorms_ext_http
pass out on $EXTIF inet proto { udp, icmp } all keep state


#INTERNAL INTERFACE INBOUND#
pass in on $INTIF from $INTIF:network to any keep state
pass in on $INTIF proto tcp from $INTIF:network to any port $HTTP_PORTS keep state queue main_int_http
pass in on $INTIF proto tcp from $INTIF:network to any port 22 keep state queue main_int_ssh

#INTERNAL INTERFACE OUTBOUND#
pass out on $INTIF from any to $INTIF:network

#DMZ INTERFACE INBOUND#
pass in on $DMZIF from $DMZIF:network to any keep state

#DMZ INTERFACE OUTBOUND#
pass out on $DMZIF from any to $DMZIF:network keep state

 

#end pf.conf


thanks!



-- 
Florian Mosleh
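The six warnings in the message above follow from one pf.conf default: a child queue that names no bandwidth is given 100% of its parent's bandwidth. So std_ext and pri_ext each count as the full 6Mb of root_xl2, dorms_ext_http and dorms_ext_misc each count as the full 2Mb of dorms_ext, main_int_ssh and main_int_misc as the full 3Mb of main_int, and aux_int as the full 6Mb of root_xl0; pfctl warns each time the running total of a parent's children exceeds the parent, which gives exactly the six lines in the order shown. The script below is an added example, not pfctl's source and not code from the original message: it walks the altq/queue lines of a pf.conf in file order applying that rule, reproduces the six warnings for the queue section posted above, and shows a corrected xl2 tree in which every child has an explicit share. It also lists queue names that pass rules assign to but no queue line defines (the outbound rule in the message assigns to pri_q, while the queues on xl2 are std_ext, dorms_ext and pri_ext). Assumptions: altq lines carry an absolute bandwidth; Kb/Mb/Gb are decimal multiples of bit/s; percentages are evaluated with integer arithmetic as parent / 100 * percent, as pfctl does; a rule's queue keyword is followed by one name or a parenthesised list; both sample configurations are constructed from the post with the macros expanded.

```python
# Added example: a model of pfctl's CBQ child-bandwidth sum check plus a queue-reference check. Not pfctl source and not code from the post; assumptions are stated in the lead-in.
import re

ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+\w+\s+(.*)$")
QUEUE_RE = re.compile(r"^queue\s+(\S+)\s*(.*)$")
BW_RE = re.compile(r"bandwidth\s+(\d+(?:\.\d+)?)\s*(Gb|Mb|Kb|b|%)?")
CHILDREN_RE = re.compile(r"\{([^}]*)\}")
REF_RE = re.compile(r"\bqueue\s+(?:\(([^)]*)\)|(\S+))")
UNIT = {None: 1, "b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

def _lines(conf):
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def eval_bandwidth(opts, parent_bw):
    """Bit/s for a queue with option string opts under a parent of parent_bw bit/s."""
    m = BW_RE.search(opts)
    if m is None:                 # no 'bandwidth' keyword: 100% of the parent (pfctl default)
        return parent_bw
    value, unit = m.groups()
    if unit == "%":               # integer arithmetic, as pfctl does it
        return parent_bw // 100 * int(float(value))
    return int(float(value) * UNIT[unit])

def _children(opts):
    m = CHILDREN_RE.search(opts)
    return [c.strip() for c in m.group(1).split(",") if c.strip()] if m else []

def check_queues(conf):
    """Return pfctl-style 'sum of the child bandwidth' warnings, in file order."""
    queues = {}     # name -> (ifname, parent name, bit/s)
    declared = {}   # child name -> (ifname, parent name), from a '{ ... }' list
    warnings = []
    for line in _lines(conf):
        m = ALTQ_RE.match(line)
        if m:                     # interface root queue, named root_<ifname>
            ifname, opts = m.groups()
            root = "root_" + ifname
            queues[root] = (ifname, None, eval_bandwidth(opts, 0))
            for child in _children(opts):
                declared[child] = (ifname, root)
            continue
        m = QUEUE_RE.match(line)
        if not m:
            continue
        name, opts = m.groups()
        if name not in declared:
            raise ValueError("queue %s is not a child of any altq or queue" % name)
        ifname, parent = declared[name]
        parent_bw = queues[parent][2]
        bw = eval_bandwidth(opts, parent_bw)
        siblings = sum(q[2] for q in queues.values() if q[0] == ifname and q[1] == parent)
        if siblings + bw > parent_bw:    # checked as each child is added, like pfctl
            warnings.append("the sum of the child bandwidth higher than parent %s" % parent)
        queues[name] = (ifname, parent, bw)
        for child in _children(opts):
            declared[child] = (ifname, name)
    return warnings

def undefined_queue_refs(conf):
    """Queue names that pass/block rules assign to but no 'queue' line defines."""
    defined, used = set(), set()
    for line in _lines(conf):
        if line.startswith("queue "):
            defined.add(line.split()[1])
        elif line.startswith(("pass", "block")):
            m = REF_RE.search(line)
            if m:
                used.update(n.strip() for n in (m.group(1) or m.group(2)).split(","))
    return sorted(used - defined)

# Constructed from the queue lines and two filter lines of the post, macros expanded.
POSTED = """
altq on xl2 cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext   cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext   priority 3
altq on xl0 cbq bandwidth 6Mb queue { main_int, aux_int }
queue main_int  bandwidth 3Mb { main_int_http, main_int_ssh, main_int_misc }
queue main_int_ssh  priority 4
queue main_int_http bandwidth 1.5Mb cbq(borrow)
queue main_int_misc priority 1 cbq(default)
queue aux_int
pass in quick on xl2 proto tcp from any to xl2 flags S/SA keep state queue pri_ext
pass out quick on xl2 proto tcp from xl2 to any flags S/SA keep state queue pri_q
"""

# The xl2 tree with every child given an explicit share, so each level sums to its parent.
FIXED = """
altq on xl2 cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext   bandwidth 3Mb cbq(default borrow)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http bandwidth 70% priority 3 cbq(borrow)
queue dorms_ext_misc bandwidth 30% priority 1
queue pri_ext   bandwidth 1Mb priority 3
"""
```

check_queues(POSTED) returns the six warnings in the order pfctl printed them and check_queues(FIXED) returns none; undefined_queue_refs(POSTED) returns ['pri_q']. The same correction applies to xl0: give main_int_ssh and main_int_misc shares that, with main_int_http's 1.5Mb, add up to 3Mb, and give aux_int the 3Mb that root_xl0 has left. After loading a corrected file, pfctl -s queue prints each queue with the bandwidth it was actually given, which is the quickest way to confirm the shares came out as intended.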

Re: AIM connection issues

2005-03-28 Thread florian mosleh
fixed.

the issue was that i had additional addresses aliased onto the external
interface and did not have an address explicitly defined for NAT between the lan
and the internet:

nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)

it would seem that pf doesn't always pick the primary interface address in cases
like these. changing it to

nat pass on $EXTIF from $INTIF:network to any -> xxx.xxx.xxx.xxx

has resolved the issue. thanks for your help!

-- 
Florian Mosleh
Network  Admin. Support Manager
Capitol College

301.369.2800 ext.2040
800.950.1992 ext.2040


Quoting florian mosleh [EMAIL PROTECTED]:

> [Quoted message omitted here: it repeats in full the "Re: AIM connection issues" post of 2005-03-26 that appears below, including its pf.conf.]

AIM connection issues

2005-03-26 Thread florian mosleh
Hello,

I have a new firewall in development for the college I work at. I have tried
extensively googling this issue in various ways and have not managed to find
anything that seems pertinent.

Essentially, the problem I'm having is that a client that connects to the
internet through the new firewall (pf on OpenBSD 3.6) has problems establishing
a connection to AIM (login.oscar.aol.com). I have performed several Ethereal
packet sniffing sessions and can confirm that there is a successful connection
established between the server and the client and then it just drops. Usually
after about an hour or two of stubborn retrying and waiting it eventually
works.

Are there any possible pf configuration snafus that could be at fault? 

The only other factor that I see as possibly contributing to the problem (i'm
not sure how) is that the internet connection is a set of 4 bonded t1s, but I've
been given the impression that this shouldn't make a difference. 

Thanks.

-- 
Florian Mosleh
Network  Admin. Support Manager
Capitol College

301.369.2800 ext.2040
800.950.1992 ext.2040

Re: AIM connection issues

2005-03-26 Thread florian mosleh
I am interested in Brian Kerr's suggestion, but I guess I'll have to wait until
Monday. Thank you.

In response to M Raju, here's my pf.conf. 

njoy.



---begin pf.conf


## here are my macros
EXTIF=xl2
DMZIF=xl1
INTIF=xl0

#DMZ
DORMS=10.0.0.11
DORMSEXT=x.x.x.12
DAVINCI=10.0.0.13
DAVINCIEXT=x.x.x.13
COOLIDGE=192.168.28.65
COOLIDGEEXT=x.x.x.14


HTTP_PORTS={ 80, 443 }
MAIL_PORTS={ 25, 143, 220, 109, 110, 993, 995 }


##these are runtime options for pf to make it fit our needs better
set block-policy return
set loginterface $EXTIF


##scrub adds an extra layer of packet defragmentation to the good ol' native tcp one
scrub in all
scrub out all


##queuing. let's give qos a shot
altq on xl2 cbq bandwidth 100% queue { main, dorms, misc }
queue main bandwidth 50% cbq(borrow) { pri_q, def_q }
queue pri_q bandwidth 10% priority 7
queue def_q bandwidth 90% priority 1 cbq(borrow)
queue dorms bandwidth 35% { dorms_http_q, dorms_pri_q, dorms_mail_q }
queue dorms_http_q bandwidth 70% priority 4 cbq(borrow)
queue dorms_pri_q bandwidth 10% priority 6
queue dorms_mail_q bandwidth 20% priority 5
queue misc bandwidth 15% priority 2 cbq(default)

##nat and redirection (i love this part)
nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)

binat on $EXTIF from $DORMS to any -> $DORMSEXT

binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI

binat on $EXTIF from $COOLIDGE to any -> $COOLIDGEEXT
binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port 
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port 
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306

rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

rdr pass on $EXTIF proto tcp from any to ($EXTIF) port  -> 192.168.28.80


##filter rules
antispoof for xl2


block log all



pass on lo0 all


pass in inet proto icmp all icmp-type echoreq keep state


pass in on $INTIF from $INTIF:network to any keep state queue def_q
pass out on $INTIF from any to $INTIF:network keep state

pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_q
pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q


pass in on $DMZIF from $DORMS to any keep state
pass out on $DMZIF from any to $DORMS keep state queue dorms_ssh_q
pass in on $DMZIF proto tcp from $DORMS to any port $HTTP_PORTS keep state
pass out on $DMZIF proto tcp from any to $DORMS port $HTTP_PORTS keep state queue dorms_http_q
pass in on $DMZIF proto tcp from $DORMS to any port $MAIL_PORTS keep state
pass out on $DMZIF proto tcp from any to $DORMS port $MAIL_PORTS keep state queue dorms_mail_q
pass in on $DMZIF proto tcp from $DORMS to any port 22 keep state
pass out on $DMZIF proto tcp from any to $DORMS port 22 keep state queue dorms_pri_q
pass in on $EXTIF inet proto tcp from any to $DORMSEXT keep state queue dorms
pass in on $EXTIF inet proto tcp from port 22 to ($DORMSEXT) keep state

pass in on $DMZIF from $DAVINCI to any keep state
pass out on $DMZIF from any to $DAVINCI keep state queue misc
pass in on $EXTIF inet proto tcp from port 22 to ($DAVINCIEXT) keep state

pass in on $EXTIF proto tcp from any to $COOLIDGE port  keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
#pass in on $INTIF proto tcp from any to $COOLIDGE port  keep state
#pass in on $INTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass out on $INTIF from $COOLIDGE to any keep state

pass out on $EXTIF proto tcp all modulate state flags S/SA
pass out on $EXTIF proto { udp, icmp } all keep state


pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state
pass out on $EXTIF inet proto { udp, icmp } all keep state queue misc

---end pf.conf

-- 
Florian Mosleh
Network  Admin. Support Manager
Capitol College

301.369.2800 ext.2040
800.950.1992 ext.2040


Quoting M Raju [EMAIL PROTECTED]:

> No pf.conf == No Answer.  Sanitize and post your pf.conf.
>
> _Raju
>
>
> On Fri, 25 Mar 2005 13:03:38 -0500, florian mosleh
> [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I have a new firewall in development for the college I work at. I have tried
> > extensively googling this issue in various ways and have not managed to find
> > anything that seems pertinent.
> >
> > Essentially, the problem I'm having is that a client that connects to the
> > internet through the new firewall (pf on OpenBSD 3.6) has problems establishing
> > a connection to AIM (login.oscar.aol.com). I have performed several Ethereal
> > packet sniffing sessions and can confirm that there is a successful connection
> > established between the server