bandwidth limits supposedly exceeded
Hi, I'm currently completely rewriting the pf.conf on an OpenBSD 3.6 firewall. When I do a pfctl -nf pf.conf everything seems to check out fine with the file, except I get the following errors:

pfctl: the sum of the child bandwidth higher than parent root_xl2
pfctl: the sum of the child bandwidth higher than parent dorms_ext
pfctl: the sum of the child bandwidth higher than parent root_xl2
pfctl: the sum of the child bandwidth higher than parent main_int
pfctl: the sum of the child bandwidth higher than parent main_int
pfctl: the sum of the child bandwidth higher than parent root_xl0

I've added the few defined bandwidth values I have up. I'm not really sure what's going on with it. Here's the pf.conf (sorry it's sort of long):

## INTERFACES ##
EXTIF=xl2
DMZIF=xl1
INTIF=xl0

## HOST IPS ##
EXTIP=xxx.xxx.xxx.xxx
DORMS=xxx.xxx.xxx.xxx
DORMSEXT=xxx.xxx.xxx.xxx
DAVINCI=xxx.xxx.xxx.xxx
DAVINCIEXT=xxx.xxx.xxx.xxx
COOLIDGE=xxx.xxx.xxx.xxx
COOLIDGEEXT=xxx.xxx.xxx.xxx
SARNOFF=xxx.xxx.xxx.xxx
SARNOFFEXT=xxx.xxx.xxx.xxx
BLACKLISTED={ 216.18.127.194/32, 69.90.183.164/32 }
GRACEHOPPER=xxx.xxx.xxx.xxx

## PORTS ##
HTTP_PORTS={ 80, 443 }
MAIL_PORTS={ 25, 143, 220, 109, 110, 993, 995 }

## RUNTIME OPTIONS ##
set block-policy return
set loginterface $EXTIF

## NORMALIZATION ##
scrub in all
scrub out all

## QUEUES ##
## EXTERNAL QUEUE ##
altq on $EXTIF cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext priority 3

## INTERNAL QUEUE ##
altq on $INTIF cbq bandwidth 6Mb queue { main_int, aux_int }
queue main_int bandwidth 3Mb { main_int_http, main_int_ssh, main_int_misc }
queue main_int_ssh priority 4
queue main_int_http bandwidth 1.5Mb cbq(borrow)
queue main_int_misc priority 1 cbq(default)
queue aux_int

## NAT AND REDIRECTION ##
# EXTERNAL INTERFACE #
nat on $EXTIF from $INTIF:network to any -> $EXTIP
binat on $EXTIF from $DORMS to any -> $DORMSEXT
binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
binat on $EXTIF from $SARNOFF to any -> $SARNOFFEXT
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
rdr pass on $EXTIF proto tcp from any to $EXTIP port -> $GRACEHOPPER

# INTERNAL INTERFACE #
binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
binat pass on $INTIF from $SARNOFF to any -> $SARNOFFEXT
rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
rdr pass on $INTIF proto tcp from $INTIF:network to $SARNOFFEXT port 80 -> 127.0.0.1 port 8013
rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# DMZ INTERFACE #
binat pass on $DMZIF from $DORMS to 66.240.4.1 -> $GRACEHOPPER

## FILTER RULES ##
antispoof for xl2
block log all
pass quick on lo0 all
pass in inet proto icmp all icmp-type echoreq keep state

# EXTERNAL INTERFACE INBOUND #
pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_ext
pass in on $EXTIF inet proto tcp from any to $DORMS port 22 keep state
pass in on $EXTIF inet proto tcp from any to $DAVINCI port 22 keep state
pass in on $EXTIF inet proto tcp from any to $GRACEHOPPER port 22 keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
pass in on $EXTIF proto tcp from any to $SARNOFF port 22 keep state
pass in on $EXTIF proto tcp from any to $SARNOFF port 80 keep state
pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state

# EXTERNAL INTERFACE OUTBOUND #
pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q
pass out on $EXTIF from $INTIF:network to any keep state
pass out on $EXTIF from $DMZIF:network to any keep state
pass out on $EXTIF from $DORMS to any keep state queue dorms_ext_misc
pass out on $EXTIF proto tcp from $DORMS to any port $HTTP_PORTS keep state queue dorms_ext_http
pass out on $EXTIF inet proto { udp, icmp } all keep state

# INTERNAL INTERFACE INBOUND #
pass in on $INTIF from $INTIF:network to any keep state
pass in on $INTIF proto tcp from $INTIF:network to any port $HTTP_PORTS keep state queue main_int_http
pass in on $INTIF proto tcp from $INTIF:network to any port 22 keep state queue main_int_ssh

# INTERNAL INTERFACE OUTBOUND #
pass out on $INTIF from any to $INTIF:network

# DMZ INTERFACE INBOUND #
pass in on $DMZIF from $DMZIF:network to any keep state

# DMZ INTERFACE OUTBOUND #
pass out on $DMZIF from any to $DMZIF:network keep state

# end pf.conf

Thanks!

-- 
Florian Mosleh
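The six warnings above line up exactly with how pfctl sizes a cbq child that carries no bandwidth of its own: it is given the parent's full bandwidth, and pfctl warns each time the children declared so far, plus the current one, exceed the parent. The checker below is an added example (not from the thread and not pfctl's code) that replays that rule on the post's external queue tree and then on the same tree with an explicit share on every child; it assumes the altq line gives the root an absolute rate and treats a queue never listed as a child as an error.

```python
import re

# Added example, not from the thread: reproduce pfctl's cbq child-bandwidth
# warning. A child with no bandwidth spec counts as its parent's full rate.
_UNITS = {"b": 1, "Kb": 1000, "Mb": 1000000, "Gb": 1000000000}

def parse_bw(spec, parent_bw):
    """'1.5Mb' -> bit/s; '35%' -> share of parent; None -> parent's bandwidth."""
    if spec is None:
        return parent_bw
    if spec.endswith("%"):
        return parent_bw // 100 * int(spec[:-1])
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?b)", spec)
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def check_cbq(conf):
    """Walk queue definitions in file order; emit one warning per child whose
    siblings-so-far plus itself exceed the parent (root needs an absolute rate)."""
    parent_of, bw, used, warnings = {}, {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"altq on (\S+) cbq bandwidth (\S+) queue \{([^}]*)\}", line):
            root = "root_" + m.group(1)  # pfctl names the root queue root_<ifname>
            bw[root] = parse_bw(m.group(2), 0)
            parent_of.update((c.strip(), root) for c in m.group(3).split(","))
            continue
        if not (m := re.match(r"queue (\S+)(?: bandwidth (\S+))?(?:.*\{([^}]*)\})?", line)):
            continue
        name, spec, kids = m.groups()
        parent = parent_of[name]  # KeyError if the queue was never listed as a child
        bw[name] = parse_bw(spec, bw[parent])
        used[parent] = used.get(parent, 0) + bw[name]
        if used[parent] > bw[parent]:
            warnings.append("the sum of the child bandwidth higher than parent " + parent)
        parent_of.update((c, name) for c in map(str.strip, (kids or "").split(",")) if c)
    return warnings

# Constructed input: the post's external queues, then the same tree with explicit
# shares so that each level adds up to its parent.
POSTED = """altq on xl2 cbq bandwidth 6Mb queue { std_ext, dorms_ext, pri_ext }
queue std_ext cbq(default)
queue dorms_ext bandwidth 2Mb { dorms_ext_http, dorms_ext_misc }
queue dorms_ext_http priority 3
queue dorms_ext_misc priority 1
queue pri_ext priority 3"""
FIXED = (POSTED.replace("std_ext cbq", "std_ext bandwidth 3Mb cbq")
         .replace("http priority", "http bandwidth 70% priority")
         .replace("misc priority", "misc bandwidth 30% priority")
         .replace("pri_ext priority", "pri_ext bandwidth 1Mb priority"))
```

Because the check runs in declaration order, the first child under each parent never triggers a warning on its own, which is why std_ext and main_int_ssh look innocent even though they are the ones silently claiming the whole parent.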
Re: AIM connection issues
Fixed. The issue was that I had additional addresses aliased onto the external interface and did not have an address explicitly defined for NAT between the LAN and the internet:

nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)

It would seem that pf doesn't always pick the primary interface address in cases like these. Changing it to

nat pass on $EXTIF from $INTIF:network to any -> xxx.xxx.xxx.xxx

has resolved the issue. Thanks for your help!

-- 
Florian Mosleh
Network Admin. Support Manager
Capitol College
301.369.2800 ext.2040
800.950.1992 ext.2040

Quoting florian mosleh [EMAIL PROTECTED]:

> I am interested in Brian Kerr's suggestion, but I guess I'll have to wait until Monday. Thank you.
> In response to M Raju, here's my pf.conf. Enjoy.
>
> ---begin pf.conf
> ## here are my macros
> EXTIF=xl2
> DMZIF=xl1
> INTIF=xl0
> #DMZ
> DORMS=10.0.0.11
> DORMSEXT=x.x.x.12
> DAVINCI=10.0.0.13
> DAVINCIEXT=x.x.x.13
> COOLIDGE=192.168.28.65
> COOLIDGEEXT=x.x.x.14
> HTTP_PORTS={ 80, 443 }
> MAIL_PORTS={ 25, 143, 220, 109, 110, 993, 995 }
> ##these are runtime options for pf to make it fit our needs better
> set block-policy return
> set loginterface $EXTIF
> ##scrub adds an extra layer of packet defragmentation to the good 'ol native tcp one
> scrub in all
> scrub out all
> ##queuing. let's give qos a shot
> altq on xl2 cbq bandwidth 100% queue { main, dorms, misc }
> queue main bandwidth 50% cbq(borrow) { pri_q, def_q }
> queue pri_q bandwidth 10% priority 7
> queue def_q bandwidth 90% priority 1 cbq(borrow)
> queue dorms bandwidth 35% { dorms_http_q, dorms_pri_q, dorms_mail_q }
> queue dorms_http_q bandwidth 70% priority 4 cbq(borrow)
> queue dorms_pri_q bandwidth 10% priority 6
> queue dorms_mail_q bandwidth 20% priority 5
> queue misc bandwidth 15% priority 2 cbq(default)
> ##nat and redirection (i love this part)
> nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)
> binat on $EXTIF from $DORMS to any -> $DORMSEXT
> binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
> rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
> binat on $EXTIF from $COOLIDGE to any -> $COOLIDGEEXT
> binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
> rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port
> rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
> rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr pass on $EXTIF proto tcp from any to ($EXTIF) port -> 192.168.28.80
> ##filter rules
> antispoof for xl2
> block log all
> pass on lo0 all
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in on $INTIF from $INTIF:network to any keep state queue def_q
> pass out on $INTIF from any to $INTIF:network keep state
> pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_q
> pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q
> pass in on $DMZIF from $DORMS to any keep state
> pass out on $DMZIF from any to $DORMS keep state queue dorms_ssh_q
> pass in on $DMZIF proto tcp from $DORMS to any port $HTTP_PORTS keep state
> pass out on $DMZIF proto tcp from any to $DORMS port $HTTP_PORTS keep state queue dorms_http_q
> pass in on $DMZIF proto tcp from $DORMS to any port $MAIL_PORTS keep state
> pass out on $DMZIF proto tcp from any to $DORMS port $MAIL_PORTS keep state queue dorms_mail_q
> pass in on $DMZIF proto tcp from $DORMS to any port 22 keep state
> pass out on $DMZIF proto tcp from any to $DORMS port 22 keep state queue dorms_pri_q
> pass in on $EXTIF inet proto tcp from any to $DORMSEXT keep state queue dorms
> pass in on $EXTIF inet proto tcp from port 22 to ($DORMSEXT) keep state
> pass in on $DMZIF from $DAVINCI to any keep state
> pass out on $DMZIF from any to $DAVINCI keep state queue misc
> pass in on $EXTIF inet proto tcp from port 22 to ($DAVINCIEXT) keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE port keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
> pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
> #pass in on $INTIF proto tcp from any to $COOLIDGE port keep state
> #pass in on $INTIF proto tcp from any to $COOLIDGE port 3306 keep state
> pass out on $INTIF from $COOLIDGE to any keep state
> pass out on $EXTIF proto tcp all modulate state flags S/SA
> pass out on $EXTIF proto { udp, icmp } all keep state
> pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state
> pass out on $EXTIF inet proto { udp, icmp } all keep state queue misc
> ---end pf.conf
>
> -- 
> Florian Mosleh
> Network Admin. Support Manager
> Capitol College
> 301.369.2800 ext.2040
AIM connection issues
Hello,

I have a new firewall in development for the college I work at. I have tried extensively googling this issue in various ways and have not managed to find anything that seems pertinent. Essentially, the problem I'm having is that a client that connects to the internet through the new firewall (pf on OpenBSD 3.6) has problems establishing a connection to AIM (login.oscar.aol.com). I have performed several ethereal packet sniffing sessions and can confirm that there is a successful connection established between the server and the client, and then it just drops. Usually after about an hour or two of stubborn retrying and waiting it eventually works. Are there any possible pf configuration snafus that could be at fault?

The only other factor that I see as possibly contributing to the problem (I'm not sure how) is that the internet connection is a set of 4 bonded T1s, but I've been given the impression that this shouldn't make a difference.

Thanks.

-- 
Florian Mosleh
Network Admin. Support Manager
Capitol College
301.369.2800 ext.2040
800.950.1992 ext.2040

This message was sent using IMP, the Internet Messaging Program.
Re: AIM connection issues
I am interested in Brian Kerr's suggestion, but I guess I'll have to wait until Monday. Thank you.
In response to M Raju, here's my pf.conf. Enjoy.

---begin pf.conf
## here are my macros
EXTIF=xl2
DMZIF=xl1
INTIF=xl0
#DMZ
DORMS=10.0.0.11
DORMSEXT=x.x.x.12
DAVINCI=10.0.0.13
DAVINCIEXT=x.x.x.13
COOLIDGE=192.168.28.65
COOLIDGEEXT=x.x.x.14
HTTP_PORTS={ 80, 443 }
MAIL_PORTS={ 25, 143, 220, 109, 110, 993, 995 }
##these are runtime options for pf to make it fit our needs better
set block-policy return
set loginterface $EXTIF
##scrub adds an extra layer of packet defragmentation to the good 'ol native tcp one
scrub in all
scrub out all
##queuing. let's give qos a shot
altq on xl2 cbq bandwidth 100% queue { main, dorms, misc }
queue main bandwidth 50% cbq(borrow) { pri_q, def_q }
queue pri_q bandwidth 10% priority 7
queue def_q bandwidth 90% priority 1 cbq(borrow)
queue dorms bandwidth 35% { dorms_http_q, dorms_pri_q, dorms_mail_q }
queue dorms_http_q bandwidth 70% priority 4 cbq(borrow)
queue dorms_pri_q bandwidth 10% priority 6
queue dorms_mail_q bandwidth 20% priority 5
queue misc bandwidth 15% priority 2 cbq(default)
##nat and redirection (i love this part)
nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)
binat on $EXTIF from $DORMS to any -> $DORMSEXT
binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
binat on $EXTIF from $COOLIDGE to any -> $COOLIDGEEXT
binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr pass on $EXTIF proto tcp from any to ($EXTIF) port -> 192.168.28.80
##filter rules
antispoof for xl2
block log all
pass on lo0 all
pass in inet proto icmp all icmp-type echoreq keep state
pass in on $INTIF from $INTIF:network to any keep state queue def_q
pass out on $INTIF from any to $INTIF:network keep state
pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_q
pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q
pass in on $DMZIF from $DORMS to any keep state
pass out on $DMZIF from any to $DORMS keep state queue dorms_ssh_q
pass in on $DMZIF proto tcp from $DORMS to any port $HTTP_PORTS keep state
pass out on $DMZIF proto tcp from any to $DORMS port $HTTP_PORTS keep state queue dorms_http_q
pass in on $DMZIF proto tcp from $DORMS to any port $MAIL_PORTS keep state
pass out on $DMZIF proto tcp from any to $DORMS port $MAIL_PORTS keep state queue dorms_mail_q
pass in on $DMZIF proto tcp from $DORMS to any port 22 keep state
pass out on $DMZIF proto tcp from any to $DORMS port 22 keep state queue dorms_pri_q
pass in on $EXTIF inet proto tcp from any to $DORMSEXT keep state queue dorms
pass in on $EXTIF inet proto tcp from port 22 to ($DORMSEXT) keep state
pass in on $DMZIF from $DAVINCI to any keep state
pass out on $DMZIF from any to $DAVINCI keep state queue misc
pass in on $EXTIF inet proto tcp from port 22 to ($DAVINCIEXT) keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
#pass in on $INTIF proto tcp from any to $COOLIDGE port keep state
#pass in on $INTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass out on $INTIF from $COOLIDGE to any keep state
pass out on $EXTIF proto tcp all modulate state flags S/SA
pass out on $EXTIF proto { udp, icmp } all keep state
pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state
pass out on $EXTIF inet proto { udp, icmp } all keep state queue misc
---end pf.conf

-- 
Florian Mosleh
Network Admin. Support Manager
Capitol College
301.369.2800 ext.2040
800.950.1992 ext.2040

Quoting M Raju [EMAIL PROTECTED]:

> No pf.conf == No Answer. Sanitize and post your pf.conf.
>
> _Raju
>
> On Fri, 25 Mar 2005 13:03:38 -0500, florian mosleh [EMAIL PROTECTED] wrote:
> > Hello,
> >
> > I have a new firewall in development for the college I work at. I have tried extensively googling this issue in various ways and have not managed to find anything that seems pertinent. Essentially, the problem I'm having is that a client that connects to the internet through the new firewall (pf on OpenBSD 3.6) has problems establishing a connection to AIM (login.oscar.aol.com). I have performed several ethereal packet sniffing sessions and can confirm that there is a successful connection established between the server