I posted on the pf mailing list originally, but the very aggressive spam filter will not allow me to post a follow-up. I guess there are some pf users on this list also :)

My original post can be found here: http://marc.info/?l=openbsd-pf&m=129740086511664&w=2

Stuart Henderson wrote:
Basically don't use queues named "foo_in" and "foo_out", just use
a single name "foo", defined with "queue foo on $tdcif" and "queue
foo on $sirif". See the list archives for more; this has come up
several times.

If using separate names is wrong, why does the sample in the pf FAQ use
that method?

But I tried making this change, and many others. I could get either the
incoming or outgoing traffic to pass through the correct queues, but not
both at the same time.

The final version (so far) uses only pass out, and no pass in rules. I
also had to add "no state" to all the rules, to get the traffic through
the queues.

How much performance penalty do you get by not using states? The CPU of
the system is an 800MHz Via Ezra, so it should be fast enough I guess.
Is it possible to get it working with states?

The new config is included below.

And another question. How do you subscribe to this list? Every subscribe
request I have sent (to the address listed on benzedrine.cx) gets
rejected as spam...

Best regards,

Mikkel C. Simonsen



sirif="fxp0"
tdcif="fxp1"

table <web> const {1.2.3.171, 1.2.3.164}
table <post> const {1.2.3.165, 1.2.3.168}
table <sirocco> const {1.2.3.172}
table <sir> const {1.2.3.160/28}
table <dns> const {1.2.3.170, 1.2.3.164}
table <dina> const {1.2.3.162}


# Queues for traffic leaving via $tdcif (outbound)
altq on $tdcif hfsc bandwidth 10.5Mb queue { voip_out, dns_out, bulk_out, web_out, mail_out }

queue voip_out on $tdcif bandwidth 5%  priority 7 qlimit 500 hfsc(realtime 5%)
queue dns_out  on $tdcif bandwidth 5%  priority 6 qlimit 500 hfsc(realtime 5%)
queue web_out  on $tdcif bandwidth 40% priority 5 qlimit 500 hfsc(realtime 30%)
queue mail_out on $tdcif bandwidth 25% priority 3 qlimit 500 hfsc(upperlimit 50%)
queue bulk_out on $tdcif bandwidth 25% priority 4 qlimit 500 hfsc(upperlimit 50% default)


# Queues for traffic leaving via $sirif (inbound)
altq on $sirif hfsc bandwidth 13.5Mb queue { voip_in, dns_in, bulk_in, web_in, mail_in }

queue voip_in on $sirif bandwidth 4%  priority 7 qlimit 500 hfsc(realtime 4%)
queue dns_in  on $sirif bandwidth 5%  priority 6 qlimit 500 hfsc(realtime 5%)
queue web_in  on $sirif bandwidth 20% priority 5 qlimit 500 hfsc(realtime 15%)
queue mail_in on $sirif bandwidth 41% priority 3 qlimit 500 hfsc(upperlimit 50%)
queue bulk_in on $sirif bandwidth 30% priority 4 qlimit 500 hfsc(upperlimit 50% default)


set skip on lo
set skip on rl0


# Traffic IN
pass in quick proto tcp from 2.105.54.144/29 to any port telnet queue bulk_in

block in quick on $tdcif proto tcp to <web> port smtp
block in quick on $tdcif proto tcp to <sirocco> port 500
block in quick on $tdcif proto tcp to <post> port 275
block in quick on $tdcif proto tcp to any port telnet
block in quick on $tdcif proto tcp to any port 717
block in quick on $tdcif proto tcp from 89.104.217.210 to 1.2.3.165 port smtp

# Inbound traffic is queued as it leaves on $sirif, hence "pass out"; "no state"
# on every rule so each packet is evaluated and queued on its own
pass out quick on $sirif proto udp from any to <dina> queue voip_in no state
pass out quick on $sirif proto { tcp, udp } from any to <dns> port domain queue dns_in no state
pass out quick on $sirif proto tcp from any to <web> port {80, 443} queue web_in no state
pass out quick on $sirif proto tcp from any to <post> queue mail_in no state

pass in quick queue bulk_in no state


# Traffic OUT
pass out quick on $tdcif proto udp from <dina> to any queue voip_out no state
pass out quick on $tdcif proto tcp from <web> to any queue web_out no state
pass out quick on $tdcif from <dns> to any queue dns_out no state
pass out quick on $tdcif proto tcp from <post> to any queue mail_out no state

pass out quick queue bulk_out no state
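The single-name layout Stuart describes, applied to this ruleset as an added illustration (it is not the poster's configuration): each queue name is defined once on each interface, so a rule that creates state on one interface queues the reply packets in the same-named queue on the other, and "no state" is no longer needed. Interface names, tables and bandwidth figures are taken from the post; the syntax assumes the ALTQ-era OpenBSD pf (pre-5.5) the post uses.

```pf
sirif="fxp0"
tdcif="fxp1"

table <web>  const {1.2.3.171, 1.2.3.164}
table <post> const {1.2.3.165, 1.2.3.168}
table <dns>  const {1.2.3.170, 1.2.3.164}
table <dina> const {1.2.3.162}

# One set of queue names, each defined on both interfaces. A packet is
# queued on the interface it leaves, using the queue of that name there,
# so the state created on either side covers both directions.
altq on $tdcif hfsc bandwidth 10.5Mb queue { voip, dns, bulk, web, mail }
queue voip on $tdcif bandwidth 5%  priority 7 qlimit 500 hfsc(realtime 5%)
queue dns  on $tdcif bandwidth 5%  priority 6 qlimit 500 hfsc(realtime 5%)
queue web  on $tdcif bandwidth 40% priority 5 qlimit 500 hfsc(realtime 30%)
queue mail on $tdcif bandwidth 25% priority 3 qlimit 500 hfsc(upperlimit 50%)
queue bulk on $tdcif bandwidth 25% priority 4 qlimit 500 hfsc(upperlimit 50% default)

altq on $sirif hfsc bandwidth 13.5Mb queue { voip, dns, bulk, web, mail }
queue voip on $sirif bandwidth 4%  priority 7 qlimit 500 hfsc(realtime 4%)
queue dns  on $sirif bandwidth 5%  priority 6 qlimit 500 hfsc(realtime 5%)
queue web  on $sirif bandwidth 20% priority 5 qlimit 500 hfsc(realtime 15%)
queue mail on $sirif bandwidth 41% priority 3 qlimit 500 hfsc(upperlimit 50%)
queue bulk on $sirif bandwidth 30% priority 4 qlimit 500 hfsc(upperlimit 50% default)

set skip on lo
set skip on rl0

# The block rules of the original ruleset go here, unchanged.

# Connections arriving from the outside: state is created on $tdcif, the
# packet leaves via "web" on $sirif and the reply via "web" on $tdcif.
pass in quick on $tdcif proto udp to <dina> queue voip keep state
pass in quick on $tdcif proto { tcp, udp } to <dns> port domain queue dns keep state
pass in quick on $tdcif proto tcp to <web> port { 80, 443 } queue web keep state
pass in quick on $tdcif proto tcp to <post> queue mail keep state

# Connections the servers initiate themselves: state is created on $sirif.
pass in quick on $sirif proto udp from <dina> queue voip keep state
pass in quick on $sirif from <dns> queue dns keep state
pass in quick on $sirif proto tcp from <web> queue web keep state
pass in quick on $sirif proto tcp from <post> queue mail keep state

# Everything else, in either direction, goes to the default queue.
pass in quick queue bulk keep state
```

"keep state" is the default on this pf version and is written out only to contrast with the "no state" rules above; "pfctl -vvsq" shows per-interface packet counters for each queue, which is the quickest way to confirm both directions are being queued.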
