Hi Norman,

I hope this is clean enough and still gives you everything you need.  Again 
thanks for the help in finding my missing or stray pieces.

# cat rules.debug

#System aliases
# Interface macros: em1 is the inside (LAN) side, em0 the outside (WAN) side,
# enc0 carries decrypted IPsec traffic and "openvpn" the OpenVPN tunnels.

loopback = "{ lo0 }"
LAN = "{ em1 }"
WAN = "{ em0 }"
IPsec = "{ enc0 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
# Brute-force lockout tables; "persist" keeps them alive even while empty.
# The rules that consume them (further down) cover port 22 and port 80 only.
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>

# Overload table fed by the state/connection limit options on pass rules.
table <virusprot>

# User Aliases
# NOTE(review): every user table below except <demo> is written out empty
# ("{    }") in this dump.  Any rule that references one of them
# ($Hosting_DCs, $Access_to_Hosting_SQL_Servers, $Primus_Web, ...) matches
# nothing until the table is filled; presumably pfSense populates them at
# runtime for hostname-based aliases -- confirm on the box with
# `pfctl -t <TABLE_NAME> -T show` (TABLE_NAME = one of the names below).
table <Access_to_Hosting_Backups> {    }
Access_to_Hosting_Backups = "<Access_to_Hosting_Backups>"
table <Access_to_Hosting_File_Servers> {    }
Access_to_Hosting_File_Servers = "<Access_to_Hosting_File_Servers>"
table <Access_to_Hosting_SQL_Servers> {    }
Access_to_Hosting_SQL_Servers = "<Access_to_Hosting_SQL_Servers>"
table <Access_to_SQL_Profiler> {    }
Access_to_SQL_Profiler = "<Access_to_SQL_Profiler>"
table <demo> {   {My_Demo_IP} }
demo = "<demo>"
table <Hosting_Backups> {    }
Hosting_Backups = "<Hosting_Backups>"
table <Hosting_DCs> {    }
Hosting_DCs = "<Hosting_DCs>"
table <Hosting_File_Servers> {    }
Hosting_File_Servers = "<Hosting_File_Servers>"
table <Hosting_SQL_Servers> {    }
Hosting_SQL_Servers = "<Hosting_SQL_Servers>"
table <Maplewood_TS> {    }
Maplewood_TS = "<Maplewood_TS>"
table <Maplewood_Web> {    }
Maplewood_Web = "<Maplewood_Web>"
table <Office_DCs> {    }
Office_DCs = "<Office_DCs>"
# <Penalty_Box> is defined here but no rule in this dump references
# $Penalty_Box: the "Penalty Box" match rule in the user rules section is
# written "from any to any", so the table currently has no effect.
table <Penalty_Box> {    }
Penalty_Box = "<Penalty_Box>"
table <Primus_TS> {    }
Primus_TS = "<Primus_TS>"
table <Primus_Web> {    }
Primus_Web = "<Primus_Web>"

# Gateways
# Defined but unused in this dump: the rules below spell out
# "route-to ( em0 {My_GateWay} )" / "reply-to ( ... )" directly.
GWGW_WAN = " route-to ( em0 {My_GateWay} ) "


# Global options: log interface counters on the LAN side, state/source-node
# table limits raised to 349000.
set loginterface em1
set optimization normal
set limit states 349000
set limit src-nodes 349000

# pfsync traffic is never filtered.
set skip on pfsync0

# Reassemble fragments on both filtering interfaces before rule evaluation.
scrub in on $LAN all    fragment reassemble
scrub in on $WAN all    fragment reassemble

# Traffic shaper (ALTQ / HFSC) -- the subject of this thread.
# NOTE(review): the line breaks inside the altq and qInternet statements
# below come from the mail client; presumably each statement is one line in
# the real rules.debug.
#
# em0 (WAN): root bandwidth 19Mb; the four children sum to 49.4% and
# qDefault is the default queue for traffic no match rule assigns.
 altq on  em0 hfsc bandwidth 19Mb queue {  qACK,  qDefault,  qOthersHigh,  
qOthersLow  }
 queue qACK on em0 bandwidth 19.6% hfsc (  ecn  , linkshare 19.6%  )
 queue qDefault on em0 bandwidth 9.8% hfsc (  ecn  , default  )
 queue qOthersHigh on em0 bandwidth 10% hfsc (  ecn  , linkshare 9.8%  )
 queue qOthersLow on em0 bandwidth 10% hfsc (  ecn  , linkshare 2%  )

# em1 (LAN): the root altq line carries no bandwidth figure, qLink is given
# 20% and qInternet an absolute 19922.944Kb (linkshare and upperlimit), with
# qACK/qOthersHigh/qOthersLow nested under qInternet as percentages.
# NOTE(review): the mix of absolute and percentage figures under a root with
# no stated bandwidth is the first thing to compare against the shaper
# wizard output when chasing the reported errors.
 altq on  em1 hfsc queue {  qLink,  qInternet  }
 queue qLink on em1 bandwidth 20% qlimit 500 hfsc (  ecn  , default  )
 queue qInternet on em1 bandwidth 19922.944Kb hfsc (  ecn  , linkshare 
19922.944Kb  , upperlimit 19922.944Kb  )  {  qACK,  qOthersHigh,  qOthersLow  }
 queue qACK on em1 bandwidth 19.6% hfsc (  ecn  , linkshare 19.6%  )
 queue qOthersHigh on em1 bandwidth 9.8% hfsc (  ecn  , linkshare 9.8%  )
 queue qOthersLow on em1 bandwidth 10% hfsc (  ecn  , linkshare 2%  )



# CARP is never translated; package/early NAT rules hook in via anchors.
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules
# IKE (udp/500) from the office network keeps its source port (static-port);
# everything else is translated to {My_Public_IP} with a high source port.
nat on $WAN  from 10.0.0.0/24 to any port 500 -> {My_Public_IP}/32  static-port
nat on $WAN  from 127.0.0.0/8 to any -> {My_Public_IP}/32 port 1024:65535
nat on $WAN  from 10.0.0.0/24 to any -> {My_Public_IP}/32 port 1024:65535
nat on $WAN  from 10.0.1.0/24 to any -> {My_Public_IP}/32 port 1024:65535
nat on $WAN  from 10.0.4.0/24 to any -> {My_Public_IP}/32 port 1024:65535
nat on $WAN  from 10.0.10.0/24 to any -> {My_Public_IP}/32 port 1024:65535
nat on $WAN  from 172.16.200.0/24 to any -> {My_Public_IP}/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# VPN-side networks.  Neither table is referenced by any rule in this dump.
# NOTE(review): 10.0.2.0/24 and 10.0.6.0/24 are listed twice in each table;
# harmless if pfctl tolerates duplicate entries, but it suggests overlapping
# phase-2 definitions in the IPsec configuration worth tidying.
table <vpn_networks> { 172.16.100.0/24 10.0.2.0/24 10.0.2.0/24 10.0.6.0/24 
10.0.6.0/24 10.0.8.0/24 10.0.7.0/24 10.0.11.0/24 }
table <negate_networks> { 10.0.0.0/24 {My_Network}/28  172.16.100.0/24 
10.0.2.0/24 10.0.2.0/24 10.0.6.0/24 10.0.6.0/24 10.0.8.0/24 10.0.7.0/24 
10.0.11.0/24 }
# NAT Inbound Redirects
# Every redirect below is "from any": RDP (3389) to seven internal hosts,
# FTP (21), SMTP (25), POP3 (110), HTTP and HTTPS are all published to the
# whole internet.  The matching pass rules live in the user rules section.
# NOTE(review): RDP, FTP and POP3 exposed "from any" are the highest-risk
# entries here; restricting the source to known ranges, or reaching them
# over the existing IPsec/OpenVPN tunnels instead, would shrink the exposed
# surface.  Nothing in this dump rate-limits or logs failed logons on them.
rdr on em0 proto tcp from any to {My_Staff_IP} port 3389 -> 10.0.0.89
rdr on em0 proto tcp from any to {My_Staff_IP} port 443 -> 10.0.0.17
rdr on em0 proto tcp from any to {My_Demo_IP} port 3389 -> 10.0.10.110
rdr on em0 proto tcp from any to {My_Demo_IP} port 80 -> 10.0.10.110
rdr on em0 proto tcp from any to {My_Sharepoint_IP} port 80 -> 10.0.0.38
rdr on em0 proto tcp from any to {My_Leadership_IP} port 3389 -> 10.0.4.120
# 3388 on the public side is re-mapped to 3389 inside (same for the two
# {My_Public_IP} entries below).
rdr on em0 proto tcp from any to {My_Leadership_IP} port 3388 -> 10.0.4.140 
port 3389
rdr on em0 proto tcp from any to {My_Dev_IP} port 3389 -> 10.0.0.93
rdr on em0 proto tcp from any to {My_WebUpd_IP} port 80 -> 10.0.0.85
rdr on em0 proto tcp from any to {My_MAC_IP} port 3389 -> 10.0.1.160
rdr on em0 proto tcp from any to {My_Public_IP} port 3388 -> 10.0.0.187 port 
3389
rdr on em0 proto tcp from any to {My_Public_IP} port 3387 -> 10.0.0.147 port 
3389
rdr on em0 proto tcp from any to {My_Public_IP} port 3389 -> 10.0.0.92
rdr on em0 proto tcp from any to {My_Public_IP} port 80 -> 10.0.0.92
rdr on em0 proto tcp from any to {My_Public_IP} port 443 -> 10.0.0.92
rdr on em0 proto tcp from any to {My_Public_IP} port 25 -> 10.0.0.17
rdr on em0 proto tcp from any to {My_Public_IP} port 110 -> 10.0.0.17
rdr on em0 proto tcp from any to {My_Public_IP} port 21 -> 10.0.0.92
rdr on em0 proto tcp from any to {My_Public_IP} port 8090 -> 10.0.1.170 port 80
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
# Not "quick": these are the fall-through result when no later rule matches.
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# Snort package
# Hosts Snort has placed in <snort2c> are dropped in both directions.
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block in log quick proto carp from (self) to any
pass quick proto carp
pass quick proto pfsync

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
# Only port 80 is covered here, matching the plain-HTTP GUI port the
# anti-lockout rule below opens.
block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label 
"webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
antispoof for em1
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks 
from WAN"
antispoof for em0
# block anything from private networks on interfaces with the option set
# $WAN is em0, so this antispoof repeats the one directly above (harmless).
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks 
from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private 
networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private 
networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private 
networks from wan block 192.168/16"

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
# allow-opts: packets carrying IP options are not dropped for these rules.
pass out all keep state allow-opts label "let out anything from firewall host 
itself"
pass out route-to ( em0 {My_GateWay} ) from {My_Public_IP} to !{My_Network}/28 
keep state allow-opts label "let out anything from firewall host itself"
pass out on $IPsec all keep state label "IPsec internal host to host"
# make sure the user cannot lock himself out of the webConfigurator or SSH
# The GUI is reachable over plain HTTP (80) from anywhere on em1.
# NOTE(review): if the webConfigurator is ever moved to HTTPS, check that
# this rule and the port-80 lockout rule above are regenerated to match.
pass in quick on em1 proto tcp from any to (em1) port { 80 22 } keep state 
label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
# NOTE(review): this match rule is "from any to any", so it places ALL
# traffic on em0 into qOthersLow, not just <Penalty_Box> members (that table
# is defined above but never referenced).  It almost certainly should read
# `match on { em0 } from $Penalty_Box to any queue (qOthersLow) ...`
# or use the table as the destination -- verify the rule in the GUI.
match    on {  em0  }  from any to any  queue (qOthersLow)  label "USER_RULE: 
Penalty Box"
# Inbound WAN pass rules for the NAT redirects above (reply-to pins the
# return path to the WAN gateway).  Most carry no explicit state keyword;
# only the HTTP and LAN rules spell out "flags S/SA keep state" -- a
# cosmetic inconsistency from the generator rather than a functional one.
pass  in  quick  on $WAN reply-to ( em0 {My_GateWay} )  inet proto icmp  from 
any to any keep state  label "USER_RULE"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.92 port 3389   label "USER_RULE: NAT Hosting RDP"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.92 port 443   label "USER_RULE: NAT Hosting HTTPS"
pass  in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to  
 10.0.0.92 port 80  flags S/SA keep state  label "USER_RULE: NAT Hosting HTTP"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.17 port 25   label "USER_RULE: NAT Office Mail Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.17 port 110   label "USER_RULE: NAT Office Mail Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.17 port 443   label "USER_RULE: NAT Access to OWA Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.89 port 3389   label "USER_RULE: NAT RDP to Staff Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.187 port 3389   label "USER_RULE: NAT RDP to Ron's Desktop"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.92 port 21   label "USER_RULE: NAT FTP"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.1.170 port 80   label "USER_RULE: NAT Web Services"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.10.110 port 3389   label "USER_RULE: NAT Demo Terminal Servers"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.10.110 port 80   label "USER_RULE: NAT Demo Web Servers"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.38 port 80   label "USER_RULE: NAT Customer Sharepoint"
# Duplicate of the "NAT Hosting HTTP" rule above (same destination/port);
# the earlier quick rule already matches, so this one never fires.
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.92 port 80   label "USER_RULE: NAT Hosting HTTP"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.4.120 port 3389   label "USER_RULE: NAT RDC to Leadership Web Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.4.140 port 3389   label "USER_RULE: NAT RDC to Leadership SQL Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.147 port 3389   label "USER_RULE: NAT RDP to Norberto's Desktop"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.93 port 3389   label "USER_RULE: NAT Development IP to Whatever They 
Want"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.0.85 port 80   label "USER_RULE: NAT Web Updates Server"
pass   in  quick  on $WAN reply-to ( em0 {My_GateWay} )  proto tcp  from any to 
  10.0.1.160 port 3389   label "USER_RULE: NAT MAC TS Access at Maplewood"
# LAN-side inter-subnet rules.  Rules are "quick", so order matters: the
# specific passes below run before the subnet-level blocks that follow them.
pass  in  quick  on $LAN  proto tcp  from   10.0.1.187 to   10.0.10.0/24 flags 
S/SA keep state  label "USER_RULE: Ron to Demo Network"
pass  in  quick  on $LAN  proto tcp  from   10.0.8.0/24 to   10.0.4.0/24 flags 
S/SA keep state  label "USER_RULE: Primus LS to Maplewood LS"
# No "proto" here: all protocols from the office network to the DC table.
pass  in  quick  on $LAN  from   10.0.0.0/24 to   $Hosting_DCs keep state  
label "USER_RULE: Allow Office to Access Hosting DCs"
pass  in  quick  on $LAN  proto { tcp udp }  from   
$Access_to_Hosting_SQL_Servers to   $Hosting_SQL_Servers keep state  label 
"USER_RULE: Access to Hosting SQL Servers"
pass  in  quick  on $LAN  proto tcp  from   $Access_to_SQL_Profiler to   
10.0.2.148 flags S/SA keep state  label "USER_RULE: Access to SQL Profiler"
pass  in  quick  on $LAN  proto tcp  from   $Access_to_Hosting_Backups to   
$Hosting_Backups flags S/SA keep state  label "USER_RULE: Access Hosting 
Backups"
pass  in  quick  on $LAN  proto tcp  from   $Access_to_Hosting_File_Servers to  
 $Hosting_File_Servers flags S/SA keep state  label "USER_RULE: Access Hosting 
File Servers"
pass  in  quick  on $LAN  proto tcp  from   10.0.0.0/24 to   $Primus_Web flags 
S/SA keep state  label "USER_RULE: Office to Primus Web Servers"
pass  in  quick  on $LAN  proto tcp  from   10.0.0.145 to   10.0.2.154 flags 
S/SA keep state  label "USER_RULE: Ben to PASI-P2"
pass  in  quick  on $LAN  proto tcp  from   10.0.0.0/24 to   $Maplewood_Web 
flags S/SA keep state  label "USER_RULE: Office to Maplewood Web Servers"
pass  in  quick  on $LAN  proto tcp  from   10.0.0.0/24 to   $Primus_TS flags 
S/SA keep state  label "USER_RULE: Office to Primus Terminal Servers"
pass  in  quick  on $LAN  proto tcp  from   10.0.0.0/24 to   $Maplewood_TS 
flags S/SA keep state  label "USER_RULE: Office to Maplewood Terminal Servers"
pass  in  quick  on $LAN  from   10.0.4.120 to   10.0.1.170 keep state  label 
"USER_RULE: Leadership Services to Hosted Web Services"
pass  in  quick  on $LAN  proto tcp  from   10.0.1.0/24 to   10.0.4.120 port 
8090  flags S/SA keep state  label "USER_RULE: Pass Thru to Leadership From 
Hosting Web Servers"
# Both directions between the Maplewood TS table and 10.0.0.95 share one label.
pass  in  quick  on $LAN  from   $Maplewood_TS to   10.0.0.95 keep state  label 
"USER_RULE: Allow MW TS Clients to mwWebUpd-M1"
pass  in  quick  on $LAN  from   10.0.0.95 to   $Maplewood_TS keep state  label 
"USER_RULE: Allow MW TS Clients to mwWebUpd-M1"
# Segmentation blocks.  Sources covered: Office (10.0.0.0/24), Leadership
# (10.0.4.0/24) and, below, Demo (10.0.10.0/24).  Hosting (10.0.1.0/24) and
# Hyper-V (172.16.200.0/24) have no block rules as a source.
block  in  quick  on $LAN  from   10.0.0.0/24 to   10.0.1.0/24  label 
"USER_RULE: Block Access from Office to Hosting"
block  in  quick  on $LAN  from   10.0.4.0/24 to   10.0.1.0/24  label 
"USER_RULE: Block Access from Leadership to Hosting"
block  in  quick  on $LAN  from   10.0.0.0/24 to   10.0.2.0/24  label 
"USER_RULE: Block Access from Office to Hosting"
block  in  quick  on $LAN  from   10.0.4.0/24 to   10.0.2.0/24  label 
"USER_RULE: Block Access from Leadership to Hosting"
block  in  quick  on $LAN  from   10.0.4.0/24 to   10.0.0.0/24  label 
"USER_RULE: Block Access from Leadership to Office"
pass  in  quick  on $LAN  from   10.0.10.100 to   $Office_DCs keep state  label 
"USER_RULE: Allow Access for Demo DNS to Office"
# NOTE(review): the label says "Web Updates" but 10.0.0.92 is the host the
# NAT section calls Hosting (RDP/HTTP/FTP); probably a copy of the next rule
# with a stale label -- check which host was intended.
pass  in  quick  on $LAN  from   10.0.10.0/24 to   10.0.0.92 keep state  label 
"USER_RULE: Allow Access for Demo to Web Updates"
pass  in  quick  on $LAN  from   10.0.10.0/24 to   10.0.0.22 keep state  label 
"USER_RULE: Allow Access for Demo to Web Updates"
block  in  quick  on $LAN  from   10.0.10.0/24 to   10.0.0.0/24  label 
"USER_RULE: Block Access from Demo to Office"
# "to any" below also covers the other internal subnets, not just the
# internet.  Given the block rules above, Office, Leadership and Demo are
# fenced off from each other, but Hosting (10.0.1.0/24) and Hyper-V
# (172.16.200.0/24) reach every internal network through these rules.
# NOTE(review): confirm that is intended; otherwise add matching block
# rules for those two sources ahead of their "to any" pass rules.
pass  in  quick  on $LAN  from   10.0.0.0/24 to any keep state  label 
"USER_RULE: Office to Internet"
pass  in  quick  on $LAN  from   10.0.1.0/24 to any keep state  label 
"USER_RULE: Hosting to Internet"
pass  in  quick  on $LAN  from   10.0.4.0/24 to any keep state  label 
"USER_RULE: Leadership Services to Internet"
pass  in  quick  on $LAN  from   10.0.10.0/24 to any keep state  label 
"USER_RULE: Demo to Internet"
pass  in  quick  on $LAN  from   172.16.200.0/24 to any keep state  label 
"USER_RULE: Hyper-V Servers to Internet"
# OpenVPN server endpoint on the LAN side (udp/1194 to 10.0.0.254).
pass  in  quick  on $LAN  proto udp  from any to 10.0.0.254 port 1194  keep 
state  label "USER_RULE: OpenVPN Remote Tech Support - Ron wizard"
# Tunnel interfaces: peers arriving over IPsec or OpenVPN get "any to any",
# i.e. unrestricted access to every network behind this box.
# NOTE(review): if the far ends are customer or contractor links, narrowing
# the destinations here would limit what a compromised peer can reach.
pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE"
pass  in  quick  on $IPsec  inet proto icmp  from any to any keep state  label 
"USER_RULE"
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: 
OpenVPN Remote Tech Support - Ron wizard"

# VPN Rules
# IKE (udp/500) and ESP to/from {My_Other_Building} only.  No udp/4500
# (NAT-T) rule appears in this dump -- fine as long as neither endpoint sits
# behind NAT; presumably that is the case here.
pass out on $WAN  route-to ( em0 {My_GateWay} )  proto udp from any to 
{My_Other_Building} port = 500 keep state label "IPsec: Office to Primus - 
outbound isakmp"
pass in on $WAN  reply-to ( em0 {My_GateWay} )  proto udp from 
{My_Other_Building} to any port = 500 keep state label "IPsec: Office to Primus 
- inbound isakmp"
pass out on $WAN  route-to ( em0 {My_GateWay} )  proto esp from any to 
{My_Other_Building} keep state label "IPsec: Office to Primus - outbound esp 
proto"
pass in on $WAN  reply-to ( em0 {My_GateWay} )  proto esp from 
{My_Other_Building} to any keep state label "IPsec: Office to Primus - inbound 
esp proto"
anchor "tftp-proxy/*"

#




-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Norman Golisz
Sent: Friday, December 23, 2011 4:54 AM
To: pfSense support and discussion
Subject: Re: [pfSense] Traffic Shaper Errors

Hi Ron,

On Thu Dec 22 2011 19:52, Ron Lemon wrote:
> Hi Norman,
>
> Thanks for the help. Is this what you need?

[...]

> # grep -e '^queue' -e 'altq' /tmp/rules.debug  altq on  em0 hfsc
> bandwidth 19Mb queue {  qACK,  qDefault,  qOthersHigh,  qOthersLow  }
> altq on  em1 hfsc queue {  qLink,  qInternet  }

the queue definitions are missing. Probably your pfSense version indents the 
output and my grep pattern does not allow for that. Could you try it again with:

`grep -A2 -e '^ *queue' -e 'altq' /tmp/rules.debug`

It would be best to see the whole rules.debug, since it provides complete 
information about your configuration. But I encourage you to replace all sensitive 
info (public IP addresses, DNS names, and such) with placeholders first.

> Even the previous version on pfSense on this box never had the traffic
> shaper installed so if there are old rules I really don't know where
> they came from.  I have been here longer than the box.

Where do you get this info from? systat(1)? GUI?
Regarding the packet filter, I don't know either. But I would, given that you 
provide us with your complete rules.debug.

Please also tell us the version of pfSense your machine is running.

Yours,
Norman
