12345678901234567890123456789012345678901234567890123456789012345678901234

Hello, and greetings

I am currently experiencing issues with OpenBSD's hfsc packet scheduler. When I attempt to issue a "pass out" rule that places various packets in various queues, my rules seem to be ignored by pf (confirmed using pftop) and the packets are placed in the default queue instead. I have tried several resources, including the manpages and Google, but I cannot seem to make any progress on this issue.

An example:

pass out on $int_if from any to $pirate queue pirate

Rather than my expected behavior of placing all packets coming from the Internet to host pirate in the pirate queue, they are instead placed in the default queue.

Another Example:

pass out on $ext_if proto { tcp udp } from $laptop port 3456 to any keep \
   state queue bt_user1

(In this case, 3456 is a port I have forwarded through OpenBSD to that host.)

Again, rather than the expected behavior, everything coming from host laptop on port 3456 is instead placed in the default queue.


I would greatly appreciate any light that could be shed on my issue.

Thank you for your time.


My network topology:

  Pirate   Lilith
     \     /               --------------------|
      Switch---------------| vr1  OpenBSD      |
     /     \               |       gif0     vr0|--------INTERNET
 Laptop    gemini          --------------------|


My pf.conf follows:

######################################################################
######################################################################
#pf.conf
#martian67
#
# Layout: macros, options, scrub, ALTQ/hfsc queue trees, nat/rdr,
# filter rules, then the queue-assignment rules. pf evaluates filter
# rules top to bottom and the LAST matching rule wins unless a rule
# carries "quick".

# Interfaces
# vr0 faces the Internet, vr1 faces the LAN switch (see the topology
# diagram above). The IPv6 tunnel interface gif0 is referenced by name
# further down rather than through a macro.
ext_if="vr0"
int_if="vr1"


#systems
# LAN hosts by fixed address. Only gemini, laptop and pirate have port
# forwards below; user2laptop appears only in its download-queue rule.
gemini="192.168.1.102"
user2laptop="192.168.1.100"
laptop="192.168.1.101"
pirate="192.168.1.106"
lilith="192.168.1.104"

#local services
# TCP port(s) the firewall itself accepts from the Internet (see
# "Local ports"); 2233 is also matched as a source port in the
# outbound queueing section.
tcp_services="{ 2233 }"

#local network
# IPv4 LAN plus an IPv6 /64 (presumably the prefix routed over gif0).
localnets="{ 192.168.1.0/24, 2001:470:1f05:50a::/64 }"

##interactive tcp ports
# Destination ports whose traffic is steered into the int_high/int_low
# queues instead of the bulk queue.

tcpint="{ 26000 3988 3920 3212 3784 8594 1863 5190 5222 27020:27050 22 \
          6667 9999 7000 }"

##interactive udp ports
#              steam       Teamspeak
#         --------v-------   v
udpint="{ 1200 27000:27015 8820 }"


# options
# block-policy drop: blocked packets are silently discarded instead of
# answered with a TCP RST / ICMP unreachable. loginterface: per-interface
# counters (pfctl -si) are kept for ext_if. skip on lo: loopback is
# never filtered.
set block-policy drop
set loginterface $ext_if
set skip on lo


# scrub
# Normalise inbound packets on every interface (clear DF, randomise the
# IP id, reassemble fragments); additionally normalise TCP on ext_if.
scrub in all no-df random-id fragment reassemble
scrub on $ext_if all reassemble tcp

##Queues
# Two independent hfsc trees: "upload" queues on ext_if and "download"
# queues on int_if. A queue only receives packets leaving the interface
# it is defined on; a packet whose assigned queue belongs to the other
# interface ends up in that interface's default queue.
# NOTE(review): pf.conf(5) documents "priority" for cbq and priq; hfsc
# does not use it, so the priority values below should be inert --
# confirm against the pf.conf(5) of the release in use.

#upload Queues
#Shaw Upload = 512Kb/s (queue at 96%)
# NOTE(review): the line below ends in "/" rather than "\" and starts
# with a space; pfctl should reject "/" as a line continuation, so this
# is presumably a transcription error in the message -- check the real
# file.
 altq on $ext_if bandwidth 491Kb hfsc queue { acku, dnsu, /
                 intctvu, bulku, bt }
  queue acku       bandwidth 70% priority 7 qlimit 500 hfsc (realtime \
                   50%)
  queue dnsu       bandwidth  7% priority 6 qlimit 500 hfsc (realtime \
                   5%)
  queue intctvu    bandwidth 20% priority 5 qlimit 500 hfsc (realtime \
                   20%) {int_highu, int_lowu}
   queue int_highu bandwidth 90% priority 5 qlimit 500 hfsc
   queue int_lowu  bandwidth 10% priority 4 qlimit 500 hfsc
# bulku is the ext_if default queue: anything leaving ext_if without a
# usable queue assignment lands here (the message's second example).
  queue bulku      bandwidth  1% priority 4 qlimit 500 hfsc (realtime \
                   5% default)
# bt has a 1% link share but is allowed to borrow up to 99% of the link
# (upperlimit); its two children split that share evenly.
  queue bt         bandwidth  1% priority 3 qlimit 500 hfsc (upperlimit \
                   99%) {bt_user1, bt_user2}
   queue bt_user1   bandwidth 50% priority 3 qlimit 500 hfsc
   queue bt_user2  bandwidth 50% priority 3 qlimit 500 hfsc


#Download Queues
#Shaw Download = 5Mb/s (queue at 98%)
# Per-host child queues under user1 and user2 share each group's 39%.
altq on $int_if bandwidth 4.95Mb hfsc queue { ackd, user1, user2, bulkd,\
                  intctvd, dnsd }
   queue ackd       bandwidth  1% priority 7 qlimit 500 hfsc (realtime \
                    1%)
   queue user1       bandwidth 39% priority 4 qlimit 500 hfsc {gemini, \
                    lilith, laptop}
    queue gemini    bandwidth 15% priority 1 qlimit 500 hfsc
    queue lilith    bandwidth 15% priority 2 qlimit 500 hfsc (realtime \
                    10%)
    queue laptop    bandwidth 70% priority 3 qlimit 500 hfsc (realtime \
                    10%)
   queue user2      bandwidth 39% priority 4 qlimit 500 hfsc {pirate, \
                    user2lap}
    queue pirate    bandwidth 50% priority 3 qlimit 500 hfsc (realtime \
                    10%)
    queue user2lap  bandwidth 50% priority 3 qlimit 500 hfsc (realtime \
                    10%)
# bulkd is the int_if default queue: traffic leaving int_if with no
# usable queue assignment shows up here (the message's first example).
   queue bulkd      bandwidth 10% priority 2 qlimit 500 hfsc (default)
   queue intctvd    bandwidth 10% priority 5 qlimit 500 hfsc (realtime \
                    20%) {int_highd, int_lowd}
    queue int_highd bandwidth 90% priority 5 qlimit 500 hfsc
    queue int_lowd  bandwidth 10% priority 4 qlimit 500 hfsc
   queue dnsd       bandwidth  1% priority 6 qlimit 500 hfsc (realtime  \
                    5%)




# nat/rdr
# Translation happens before filtering, so the pass rules below see the
# translated (LAN) destination addresses.

# Masquerade everything not already sourced from ext_if's own address
# behind ext_if's primary address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Anchors that ftp-proxy(8) populates at runtime.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# NOTE(review): ftp-proxy listens on 8021 by default; this sends LAN FTP
# control connections to 127.0.0.1 port 80 -- confirm the proxy really
# runs on 80, otherwise they reach whatever else listens there.
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 80

# Inbound port forwards; each one is matched by a "pass in" rule in the
# "NAT forwarded ports" section below.
rdr on $ext_if proto tcp from any to any port {3000,21,49152:49256} \
     -> $gemini
rdr on $ext_if proto {tcp,udp} from any to any port 3456 -> $laptop
rdr on $ext_if proto {tcp,udp} from any to any port 4532 -> $pirate


## Filters ##

# block all incoming
# Default deny for inbound traffic on every interface (no "quick", so
# later pass rules override it). There is no equivalent default for
# outbound traffic; "pass out modulate state" below allows it.
block in

#no internal network access for  users
# "user" matches sockets owned by a process on the firewall itself;
# pf.conf(5) describes the user of forwarded packets as unknown, and
# the message shows forwarded LAN traffic does pass. So this restricts
# unprivileged local users, not LAN hosts -- confirm on the release in
# use.

block out quick on $int_if all user { > 1000 }


#block non-routable ips
# Drop RFC 1918 / loopback sources arriving from the Internet and
# anything leaving ext_if toward those ranges. "inet" keeps these
# IPv4-only; the tunnel's IPv6 traffic is unaffected.
block in  quick on $ext_if inet from { 127.0.0.0/8, 192.168.0.0/16, \
   172.16.0.0/12, 10.0.0.0/8 } to any
block out quick on $ext_if inet from any to { 127.0.0.0/8, \
   192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

#no ip spoofing
# Drop and log (to pflog0) packets that claim a lo or int_if source
# address but arrive on a different interface.
antispoof quick log (all, to pflog0) for { lo $int_if }

#outgoing tcp modulation
# Catch-all permit for outbound traffic on every interface and protocol
# (modulate state only affects TCP). Not "quick", so the more specific
# "pass out ... queue" rules later still win when the ruleset is
# evaluated for a packet.
pass out modulate state

# ftp-proxy(8) inserts its pass rules here.
anchor "ftp-proxy/*"

# Local ports
# Services on the firewall itself reachable from the Internet.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services


# NAT forwarded ports
# NOTE(review): these rules create the state for every forwarded
# connection (on OpenBSD 4.1 and later "pass" keeps state unless told
# otherwise), and a state's queue assignment comes from the rule that
# created it. Later packets of that connection -- leaving int_if toward
# the host, and replies leaving ext_if -- match the existing state and
# never reach the "pass out ... queue" rules in the queueing section,
# so they land in each interface's default queue. That is consistent
# with both examples in the message. The usual fix is to name the queue
# on the state-creating rule, e.g. "queue pirate" on the $pirate rule
# and "queue laptop" on the $laptop rule. A state carries only one
# queue (plus one ACK queue), so shaping the reply direction on the
# other interface needs separate treatment -- see pf.conf(5) for the
# release in use.
pass in on $ext_if inet proto tcp from any to $gemini port {3000,21, \
     49152:49256} synproxy state
pass in on $ext_if inet proto {tcp,udp} from any to $laptop port 3456
pass in on $ext_if inet proto {tcp,udp} from any to $pirate port 4532

#allow quick ipv6 tunnel passthrough
# NOTE(review): the inbound rule has no "from" restriction, so any IPv4
# host can deliver protocol 41 packets to the tunnel endpoint; limiting
# the source to the tunnel broker's endpoint (ipv6.he.net is already
# used below) bounds what can be injected into gif0. "to gif0" expands
# to gif0's own addresses at load time -- confirm it matches the outer
# IPv4 header. The second rule names gif0 as the egress interface for
# protocol 41, which presumably leaves via ext_if instead; verify it
# matches anything.
pass in quick on $ext_if proto 41 to gif0
pass out quick on gif0 proto 41 to $ext_if

#allow tunnel endpoint pings
# The hostname is resolved once when the ruleset is loaded.
pass in quick inet proto icmp from ipv6.he.net to any icmp-type echoreq


#################################queueing rule###########################
# Queue assignment takes effect for the connection whose state a rule
# creates (see the note on the forwarded-port rules above); packets of
# an existing state are not re-evaluated against these rules.

##########OUTBOUND SECTION
# Traffic leaving ext_if that originates on the LAN or the firewall:
# bulk by default, TCP ACKs into acku, interactive ports into
# int_high/int_low, DNS into dnsu, source ports 3456/4532 into the
# per-host bt queues.
# Note the three rules below use bare "$ext_if" (addresses expanded at
# load time) while the port-2233 rule uses "($ext_if)" (re-evaluated);
# presumably unintentional but harmless while the address is static.

pass out on $ext_if proto tcp from { $localnets, $ext_if } to any flags \
   S/SA modulate state queue (bulku, acku)
pass out on $ext_if proto tcp from { $localnets, $ext_if } to any port \
   $tcpint flags S/SA modulate state queue (int_lowu, int_highu)
pass out on $ext_if proto udp from { $localnets, $ext_if } to any port \
   $udpint keep state queue (int_lowu, int_highu)
pass out on $ext_if proto tcp from ($ext_if) port 2233 to any queue \
   (int_lowu, int_highu)
# NOTE(review): "(ext_if)" is missing its "$" -- as written it refers to
# an interface literally named ext_if, so this DNS rule cannot match;
# it should read "($ext_if)".
pass out on $ext_if proto { tcp udp } from (ext_if) to any port domain \
   keep state queue dnsu
# NOTE(review): these two are the message's second example. The state
# for these connections is created by the "pass in" rules on ext_if,
# so these rules are not consulted for them (see the note there).
pass out on $ext_if proto { tcp udp } from $laptop port 3456 to any keep \
   state queue bt_user1
pass out on $ext_if proto { tcp udp } from $pirate port 4532 to any keep \
   state queue bt_user2


##########INBOUND SECTION
# Traffic leaving int_if toward the LAN. NOTE(review): as far as this
# ruleset shows, connections the LAN initiated get their state from the
# outbound section (carrying an ext_if queue) and forwarded ports get it
# from the "NAT forwarded ports" rules; in both cases these rules are
# bypassed and the traffic falls into bulkd -- the message's first
# example. Only connections the firewall itself opens toward the LAN
# reach the per-host rules here.
pass out on $int_if proto tcp from any to { $localnets, $ext_if } flags \
   S/SA modulate state queue (bulkd, ackd)
pass out on $int_if from any to $gemini queue gemini
pass out on $int_if from any to $user2laptop queue user2lap
pass out on $int_if from any to $laptop queue laptop
pass out on $int_if from any to $pirate queue pirate
pass out on $int_if from any to $lilith queue lilith
pass out on $int_if proto tcp from any to { $localnets, $ext_if } port \
    $tcpint flags S/SA modulate state queue (int_lowd, int_highd)
pass out on $int_if proto udp from any to { $localnets, $ext_if } port \
    $udpint keep state queue  (int_lowd, int_highd)
pass out on $int_if proto { tcp udp } from any to $localnets port domain \
    keep state queue dnsd
