Re: altq/pf not working

2003-07-08 Thread Trevor Talbot
On Monday, Jul 7, 2003, at 03:58 US/Pacific, Pawel S wrote:

> I have 512/512 kbit adsl connection to Internet and 100Mbit
> on internal side of the firewall. I want to prioritize shoutcast/mp3,
> windows media services, icq messages and udp traffic higher than ftp
> and http bulk downloads and other tcp traffic. Additionally, I want
> ssh and tcp ack packets to have highest priority. Kernel is patched
> with Trevor Talbot's patch.

The rules look fine.

> I basically have 3 levels of priority. I split 100 Mbit on internal
> interface into 488 kbits for internet traffic and the rest for internal
> traffic. I don't want ftp and http traffic to use more than 100 kbits
> when there is shoutcast or wma traffic present, but do get full 488
> otherwise.
>
> The problem is that the bulk traffic never gets more than 100kbits when
> there is no other traffic, despite "borrow" word.

You may be running into a limitation of CBQ.  Check out section 2.8 in
http://www.csl.sony.co.jp/person/kjc/kjc/software/TIPS.txt
You can use pfctl -vsq to make sure the class is actually borrowing when
it should be.  Watching the throughput of a UDP stream might be useful,
as it won't self-throttle like TCP will.
If this is the case, removing the 100Kb limit and just relying on the
priorities may work better.  Note that inbound traffic handling is
going to behave a little differently than outbound, since the queueing
is basically only adding latency.  Using cbq(red) or small qlimit values
on the low priority queues may be helpful, since they will increase
drops.
I haven't run any tests myself, so I don't have any hard information
to offer.
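To make the pfctl -vsq check above repeatable, here is an added example (not from the thread) that parses two snapshots of the CBQ statistics and reports per queue whether the borrows counter actually advanced between them. It assumes the "pkts/bytes/dropped pkts" and "qlength/borrows/suspends" counter labels of pfctl's CBQ output, and the snapshot text is constructed, not captured from a live system.

```python
import re
# Layout follows pfctl -vsq CBQ statistics: a "queue <name> ..." header, then
# counter lines labelled "pkts/bytes/dropped pkts" and "qlength/borrows/suspends".
QUEUE_RE = re.compile(r"^queue\s+(\S+)")
PKTS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")
CBQ_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)\s+borrows:\s*(\d+)\s+suspends:\s*(\d+)")

def parse_queue_stats(text):
    """Map each queue name to its counters from one pfctl -vsq snapshot."""
    stats, cur = {}, None
    for line in text.splitlines():
        if m := QUEUE_RE.match(line):
            cur, stats[m[1]] = m[1], {}
        elif cur and (p := PKTS_RE.search(line)):
            stats[cur].update(pkts=int(p[1]), bytes=int(p[2]), drops=int(p[3]))
        elif cur and (c := CBQ_RE.search(line)):
            stats[cur].update(qlen=int(c[1]), qlimit=int(c[2]),
                              borrows=int(c[3]), suspends=int(c[4]))
    return stats

def borrow_report(before, after):
    """Per-queue deltas between two snapshots; 'borrowing' is True only when the
    CBQ borrows counter advanced, i.e. the class really took spare bandwidth."""
    report = {}
    for name, b in after.items():
        a = before.get(name, {})
        d = {k: b.get(k, 0) - a.get(k, 0) for k in ("bytes", "drops", "borrows")}
        d["borrowing"] = d["borrows"] > 0
        report[name] = d
    return report

# Constructed sample snapshots (not real pfctl output): ext_def moved 60000 bytes
# and dropped 40 packets with zero borrows while ext_hi sat idle: capped, not contended.
SNAP_T0 = """\
queue  ext_def bandwidth 100Kb priority 1 cbq( borrow default )
  [ pkts:        100  bytes:      60000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  ext_hi priority 5
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
"""
SNAP_T1 = """\
queue  ext_def bandwidth 100Kb priority 1 cbq( borrow default )
  [ pkts:        200  bytes:     120000  dropped pkts:     40 bytes:  60000 ]
  [ qlength:  50/ 50  borrows:      0  suspends:     12 ]
queue  ext_hi priority 5
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
"""
```

On the firewall the two snapshots would come from running pfctl -vsq before and after a bulk download with no other traffic present; drops and suspends rising on the default queue while borrows stays at zero is the symptom described in the reply above.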


Re: altq/pf not working

2003-07-08 Thread Volker Kindermann
> My pf/altq rules do not seem to work and I can't find any errors.
> Here is the background.

are you running 3.3 release or current? If you're running release, you
probably have to patch the tun0 interface. Look here for some
information I've collected:

http://secspace.de/altq_on_tun.hmtl

 -volker



altq/pf not working

2003-07-07 Thread Pawel S
Hi All!

My pf/altq rules do not seem to work and I can't find any errors.
Here is the background.

I have 512/512 kbit adsl connection to Internet and 100Mbit
on internal side of the firewall. I want to prioritize shoutcast/mp3,
windows media services, icq messages and udp traffic higher than ftp
and http bulk downloads and other tcp traffic. Additionally, I want
ssh and tcp ack packets to have highest priority. Kernel is patched
with Trevor Talbot's patch.

Here are my rules.

# /etc/pf.conf

lo_if="lo0"
ext_if="tun0"
int_if="rl1"
int_ip="192.168.240.254"
int_net="192.168.240.0/24"
int_server21_ip="192.168.240.21"

##

table  persist file "/etc/reserved_ips"

##

set loginterface rl0
set optimization aggressive
set block-policy drop

##

scrub in all

##

altq on $ext_if cbq bandwidth 488Kb queue { ext_def, ext_med, ext_hi }
 queue ext_def bandwidth 100Kb priority 1 cbq(default,borrow)
 queue ext_med priority 4
 queue ext_hi  priority 5

altq on $int_if cbq bandwidth 100Mb queue { int_lan, int_inet }
queue int_lan priority 1 { int_lan_def, int_lan_med, int_lan_hi }
queue int_lan_def  priority 1
queue int_lan_med  priority 4
queue int_lan_hi   priority 7
queue int_inet priority 3 bandwidth 488Kb { int_inet_hi, \
int_inet_med, int_inet_def }
queue int_inet_hi  priority 7
queue int_inet_med priority 4
queue int_inet_def bandwidth 100Kb priority 1 \
cbq(default,borrow)

##

# translate outgoing internal ips to external ip
nat on $ext_if from $int_net to any -> ($ext_if) static-port

##

# block reserved address ranges
block quick on $ext_if from  to any
block quick on $ext_if from any   to 

# by default block and log any packet on external interface
block log on $ext_if all

# by default block and log any packet on internal interface
block return log on $int_if all

# block and log outgoing packets that do not have our address as source
block out log quick on $ext_if inet from ! ($ext_if) to any

# block destination unreachable outward
block out quick on $ext_if inet proto icmp all icmp-type 3

# allow dhcp requests from this host to external dhcp server
pass in  quick on $ext_if inet proto udp from $ext_dhcpserver_ip \
port 67 to ($ext_if) port 68 keep state
pass out quick on $ext_if proto udp from ($ext_if) port 68 to \
$ext_dhcpserver_ip port 67 keep state

# allow ping requests outward
pass in  quick on $int_if proto icmp from $int_net  to any icmp-type 8 \
keep state queue int_lan_med
pass out quick on $ext_if inet proto icmp from ($ext_if) to any \
icmp-type 8 keep state queue ext_med

# allow ssh from internal hosts to internal ip
pass in  quick on $int_if proto tcp from $int_net port >1023 \
to $int_ip port 22 flags S/SA modulate state \
queue (int_lan_med, int_lan_hi)

# allow ftp traffic outward
pass in  quick on $int_if proto tcp from $int_net port >1023 to any \
port 21 flags S/SA modulate state queue (int_inet_med, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
to any port 21 flags S/SA modulate state queue (ext_med, ext_hi)

# allow dns queries from this host to server21
pass out quick on $int_if inet proto udp from $int_ip port >1023 \
to $int_server21_ip port 53 keep state queue int_lan_med

# allow dns queries from server21 to external dns servers
pass in  quick on $int_if proto udp from $int_server21_ip port >1023 \
to any port 53 keep state queue int_inet_med
pass out quick on $ext_if inet proto udp from ($ext_if) port >1023 \
to any port 53 keep state queue ext_med

# allow ntp outward
pass in  quick on $int_if proto udp from $int_server21_ip port 123 \
to any port 123 keep state queue int_inet_med
pass out quick on $ext_if inet proto udp from ($ext_if) port 123 \
to any port 123 keep state queue ext_med

# allow web outward
pass in  quick on $int_if proto tcp from $int_net  port >1023 to any \
port { 80, 443 } flags S/SA modulate state \
queue (int_inet_def, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
to any port { 80, 443 } flags S/SA modulate state \
queue (ext_def, ext_hi)

# allow news outward
pass in  quick on $int_if proto tcp from $int_net  port >1023 to \
any port 119 flags S/SA modulate state \
queue (int_inet_def, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
to any port 119 flags S/SA modulate state queue (ext_def, ext_hi)

# allow pop3 and smtp outward
pass in  quick on $int_if proto tcp from $int_net  port >1023 to any \
p