This has been fixed 4.8
On Thu, Aug 19, 2010 at 03:08:23AM +0300, ?????? ?????????? wrote:
> Hi
> I move from 4.6 to 4.7, rewrite my pf.conf rules to match new style.
> Everything works fine, but when I try to traceroute a host with -I flag
> (force to use icmp) on my obsd fw
> I got Request time out on all hops exclude the last one, which I was my
> target to traceroute. Here is an example:
>
> [ns]~$ traceroute -I data.bg
> traceroute to data.bg (195.149.248.130), 64 hops max, 60 byte packets
> 1 * * *
> 2 * * *
> 3 * * *
> 4 web.data.bg (195.149.248.130) 0.740 ms 0.707 ms 0.733 ms
>
> As you can see only the last hop is present.
> Example without -I flag (using udp);
>
> [ns]~$ traceroute data.bg
> traceroute to data.bg (195.149.248.130), 64 hops max, 40 byte packets
> 1 gw.tbc.bg (94.26.7.33) 0.591 ms 0.462 ms 0.443 ms
> 2 peer.tbc.bg (94.26.50.2) 0.961 ms 1.317 ms 1.965 ms
> 3 85.91.141.65 (85.91.141.65) 0.866 ms 0.905 ms 1.93 ms
> 4 web.data.bg (195.149.248.130) 0.847 ms 0.732 ms 0.712 ms
>
> When I use 'tracert host' on MS Windows box behind my obsd fw, I got a same
> behavior
>
> C:\Users\Administrator>tracert data.bg
> Tracing route to data.bg [195.149.248.130]
> over a maximum of 30 hops:
> 1 <1 ms <1 ms <1 ms ns.bsdbg.net [192.168.1.1]
> 2 * * * Request timed out.
> 3 * * * Request timed out.
> 4 * * * Request timed out.
> 5 <1 ms 1 ms 1 ms web.data.bg [195.149.248.130]
> Trace complete.
>
> Here first hop is my obsd fw. I use tcpdump to see what actually happens:
>
> [ns]~# tcpdump -nettti pflog0 host vlado and icmp
> tcpdump: listening on pflog0, link-type PFLOG
> Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 >
> 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 >
> 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168117 rule 17/(match) match out on em0: 192.168.1.2 >
> 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168128 rule 16/(match) match out on em0: 192.168.1.2 >
> 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:40.960831 rule 120/(match) pass in on em0: 94.26.7.33 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:44.962196 rule 120/(match) pass in on em0: 94.26.50.2 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:48.961438 rule 120/(match) pass in on em0: 94.26.50.2 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:52.961678 rule 120/(match) pass in on em0: 94.26.50.2 >
> 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:56.960795 rule 120/(match) pass in on em0: 85.91.141.65 >
> 192.168.1.2: icmp: time exceeded in-transit
> Aug 19 02:30:00.960785 rule 120/(match) pass in on em0: 85.91.141.65 >
> 192.168.1.2: icmp: time exceeded in-transit
> Aug 19 02:30:05.002249 rule 120/(match) pass in on em0: 85.91.141.65 >
> 192.168.1.2: icmp: time exceeded in-transit
> Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 >
> 192.168.1.2: icmp: echo reply
> Aug 19 02:30:08.961639 rule 120/(match) pass in on em0: 195.149.248.130 >
> 192.168.1.2: icmp: echo reply
> Aug 19 02:30:08.962888 rule 120/(match) pass in on em0: 195.149.248.130 >
> 192.168.1.2: icmp: echo reply
>
> When I turn off pf (pfctl -d) 'traceroute -I' work as it should.
> I really don't know what happen.
> Thanks in advance,
> Atanas
>
> Here is my pf.conf
> ##############
> pf.conf
> ##############
>
> ################ Macros ######################
>
> ### Interfaces ###
> ExtIf ="em0"
> IntIf ="em1"
>
> ### Hosts ###
> vl="192.168.1.2"
> jl="192.168.1.3"
> ve="192.168.1.4"
> ntp="192.168.1.5"
>
> ### Queues, States and Types ###
> IcmpType ="icmp-type 8 code 0"
> SynState ="flags S/SAFR synproxy state"
> TcpState ="flags S/SAFR modulate state"
> UdpState ="keep state"
>
> ### Ports ###
> # Squid
> squid="2020"
>
> # Remote Desktop Connection
> rdc_int="3389"
> rdc_ext="4000"
>
> # Skype
> vl_skype="30001"
> jl_skype="30002"
> ve_skype="30003"
>
> # uTorrent
> vl_torrent="30004"
> jl_torrent="30005"
> ve_torrent="30006"
> urange="30004:30006"
>
> # HFS
> vl_hfs="8080"
>
> # VsFTP
> ftprange="55000:60000"
> FtpPort ="8021"
>
> # Symux
> symux="2100"
>
> # Battle.net
> bnet="6112"
>
> # Ssh
> ssh_ext="443"
>
> ### Stateful Tracking Options (STO) ###
> ExtIfSTO ="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes
> 254)"
> IntIfSTO ="(max 250, source-track rule, max-src-conn 100, max-src-nodes
> 254, max-src-conn-rate 75/20)"
> PostfxSTO ="(max 100, source-track rule, max-src-states 5,
> max-src-nodes 30, max-src-conn-rate 10/300, overload <BLACKLIST> flush
> global, tcp.established 45)"
> SpamdSTO ="(max 500, source-track rule, max-src-conn 10, max-src-nodes
> 300, max-src-conn-rate 2/300, tcp.established 10)"
> SshSTO ="(max 10, source-track rule, max-src-conn 10, max-src-nodes
> 5, max-src-conn-rate 20/60, overload <OVERLOAD_SSH> flush global)"
> ntpSTO ="(max 500, source-track rule, max-src-states 30,
> max-src-conn-rate 20/5, overload <OVERLOAD_NTP> flush global)"
> TorSTO ="(max 250, source-track rule, max-src-conn 1, max-src-nodes
> 250, max-src-conn-rate 3/300, tcp.established 60)"
> ApacheSTO ="(max 30, source-track rule, max-src-conn 10, max-src-nodes 4,
> max-src-conn-rate 20/60, tcp.established 60)"
>
> ### Tables ###
> table <BLACKLIST> persist file "/etc/blacklist"
> table <OVERLOAD_SSH> persist
> table <OVERLOAD_NTP> persist
> table <bgnets> file "/etc/bgnets"
> table <spamd-white> persist
> table <proxy-users> persist { 80.251.14.106, 193.110.130.103,
> 85.92.222.254, \
> 72.93.1.168, 76.19.242.55 }
> table <isp> persist { 94.26.0.0/17 }
>
> ################ Options
> ######################################################
> ### Misc Options
> set debug urgent
> set reassemble yes
> set require-order yes
> set block-policy drop
> set loginterface $ExtIf
> set state-policy if-bound
> set fingerprints "/etc/pf.os"
> set ruleset-optimization none
>
> ### Timeout Options
> set optimization aggressive
> set timeout { frag 30, tcp.established 1200 }
> set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
> set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
> set timeout { other.first 30, other.single 30, other.multiple 30 }
>
> ################ Queueing
> ####################################################
>
> altq on $ExtIf bandwidth 100% hfsc queue { BG, INTER, ISP }
> queue INTER bandwidth 2% hfsc (upperlimit 1960Kb) \
> { i_ntp, i_ack, i_dns, i_ssh, i_http, i_bulk, i_bittor }
> queue i_ntp bandwidth 10% priority 8 qlimit 500 hfsc (realtime
> 10%)
> queue i_ack bandwidth 30% priority 7 qlimit 500 hfsc (realtime 25%)
> queue i_dns bandwidth 10% priority 6 qlimit 500 hfsc (realtime 3% )
> queue i_ssh bandwidth 1% priority 6 qlimit 500 hfsc (realtime 2% )
> queue i_http bandwidth 20% priority 5 qlimit 500 hfsc (realtime (25%,
> 5000, 15%))
> queue i_bulk bandwidth 28% priority 4 qlimit 500 hfsc (realtime 20%
> default)
> queue i_bittor bandwidth 1% priority 0 qlimit 2000 hfsc (upperlimit
> 90%)
>
> queue BG bandwidth 30% hfsc (upperlimit 30Mb) \
> { b_ack, b_dns, b_ntp, b_skype b_rdc, b_http, b_bulk, b_bittor }
> queue b_ack bandwidth 10% priority 8 qlimit 500 hfsc (realtime 10%)
> queue b_dns bandwidth 1% priority 7 qlimit 500 hfsc (realtime 1% )
> queue b_ntp bandwidth 1% priority 6 qlimit 500 hfsc (realtime 1% )
> queue b_skype bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
> queue b_rdc bandwidth 10% priority 4 qlimit 500 hfsc (realtime 10%)
> queue b_http bandwidth 30% priority 3 qlimit 500 hfsc (realtime 30%)
> queue b_bulk bandwidth 37% priority 2 qlimit 500 hfsc (realtime 10%)
> queue b_bittor bandwidth 1% priority 0 qlimit 500 hfsc (upperlimit
> 93%)
>
> queue ISP bandwidth 65% hfsc { isp_ack, isp_bulk }
> queue isp_ack bandwidth 10% priority 8 qlimit 500 hfsc (realtime
> 10%)
> queue isp_bulk bandwidth 90% priority 5 qlimit 500 hfsc
>
> ################ Translation and Filtering
> ###################################
>
> ### Blocking spoofed packets: enable "set state-policy if-bound" above
> antispoof log quick for { lo0 $IntIf ($ExtIf) }
>
> ### Block to/from illegal sources/destinations
> block quick inet6
> block in quick on $ExtIf from <BLACKLIST> to any
> block in quick on $ExtIf inet proto tcp from <OVERLOAD_SSH> to $ExtIf
> port $ssh_ext
> block in quick on $ExtIf inet proto udp from <OVERLOAD_NTP> to $ExtIf
> port ntp
> block in quick on $ExtIf inet from any to 255.255.255.255
> block in log quick on $ExtIf inet from urpf-failed to any
> block in log quick on $ExtIf inet from no-route to any
>
> ### BLOCK all in/out on all interfaces by default and log
> block log on $ExtIf
> block return log on $IntIf
>
> ### Network Address Translation (NAT with outgoing source port
> randomization)
> match out log on egress from (self) \
> to any tag SELF nat-to ($ExtIf:0) port 1024:65535
> match out log on egress from !$ExtIf \
> to any nat-to ($ExtIf:0) port 1024:65535
>
> ### Packet normalization ( "scrubbing" )
> match log on $ExtIf all scrub (random-id no-df reassemble tcp max-mss 1460)
>
> ### Ftp ( secure ftp proxy for LAN )
> anchor "ftp-proxy/*"
>
> ### $ExtIf inbound ################
>
> # Named ( bind dns )
> pass in log on $ExtIf inet proto udp from any \
> to ($ExtIf) port domain $UdpState queue i_dns rdr-to lo0
> pass in log on $ExtIf inet proto udp from <bgnets> \
> to ($ExtIf) port domain $UdpState queue b_dns rdr-to lo0
>
> # OpenSSH
> # pass in log on $ExtIf inet proto tcp from any \
> # to ($ExtIf) port ssh $TcpState $SshSTO queue b_bulk rdr-to lo0
>
> # Postfix
> pass in log on $ExtIf inet proto tcp from <spamd-white> \
> to ($ExtIf) port smtp $SynState $PostfxSTO queue i_skype rdr-to lo0
> pass in log on $ExtIf inet proto tcp from !<spamd-white> \
> to ($ExtIf) port smtp $SynState $PostfxSTO rdr-to lo0 port spamd
>
> # Apache
> pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port www $SynState $ApacheSTO queue (b_http, b_ack) rdr-to lo0
> pass in log on $ExtIf inet proto tcp from !<bgnets> \
> to ($ExtIf) port www $SynState $ApacheSTO queue (i_http, i_ack) rdr-to lo0
>
> # Ntpd ( time server )
> pass in log on $ExtIf inet proto udp from any \
> to ($ExtIf) port ntp $UdpState $ntpSTO queue i_ntp tag NTP rdr-to $ntp
> pass in log on $ExtIf inet proto udp from <bgnets> \
> to ($ExtIf) port ntp $UdpState $ntpSTO queue b_ntp tag NTP rdr-to $ntp
> pass in log on $ExtIf inet proto udp from <isp> \
> to ($ExtIf) port ntp $UdpState $ntpSTO queue isp_ack tag NTP rdr-to $ntp
>
> # RDC_BG
> pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $rdc_ext $SynState queue (b_rdc) tag RDC rdr-to $vl port
> $rdc_int
>
> # Squid
> pass in log on $ExtIf inet proto tcp from <proxy-users> \
> to ($ExtIf) port $squid $SynState rdr-to lo0
>
> # Skype (queue BG)
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $vl_skype $TcpState queue (b_skype) tag SKYPE rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $jl_skype $TcpState queue (b_skype) tag SKYPE rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $ve_skype $TcpState queue (b_skype) tag SKYPE rdr-to $ve
>
> # Skype (queue INTER)
> pass in log on $ExtIf inet proto {tcp, udp} from !<bgnets> \
> to ($ExtIf) port $vl_skype $TcpState tag SKYPE rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from !<bgnets> \
> to ($ExtIf) port $jl_skype $TcpState tag SKYPE rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from !<bgnets> \
> to ($ExtIf) port $ve_skype $TcpState tag SKYPE rdr-to $ve
>
> # Battle.net
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $bnet $TcpState queue (b_ack) rdr-to $vl
>
> # uTorrent (queue INTER)
> pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $vl_torrent $SynState $TorSTO queue (i_bittor, i_ack)
> rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $jl_torrent $SynState $TorSTO queue (i_bittor, i_ack)
> rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from any \
> to ($ExtIf) port $ve_torrent $SynState $TorSTO queue (i_bittor, i_ack)
> rdr-to $ve
>
> # uTorrent (queue BG)
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $vl_torrent $SynState $TorSTO queue (b_bittor, b_ack)
> rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $jl_torrent $SynState $TorSTO queue (b_bittor, b_ack)
> rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from <bgnets> \
> to ($ExtIf) port $ve_torrent $SynState $TorSTO queue (b_bittor, b_ack)
> rdr-to $ve
>
> # uTorrent (queue ISP)
> pass in log on $ExtIf inet proto {tcp, udp} from <isp> \
> to ($ExtIf) port $vl_torrent $SynState $TorSTO queue (isp_bulk, isp_ack)
> rdr-to $vl
> pass in log on $ExtIf inet proto {tcp, udp} from <isp> \
> to ($ExtIf) port $jl_torrent $SynState $TorSTO queue (isp_bulk, isp_ack)
> rdr-to $jl
> pass in log on $ExtIf inet proto {tcp, udp} from <isp> \
> to ($ExtIf) port $ve_torrent $SynState $TorSTO queue (isp_bulk, isp_ack)
> rdr-to $ve
>
> # HFS
> pass in log on $ExtIf inet proto tcp from <bgnets> \
> to ($ExtIf) port $vl_hfs $SynState $ApacheSTO queue (b_http) rdr-to $vl
>
> # VsFtp (queue BG)
> # pass in log on $ExtIf inet proto tcp from <bgnets> \
> # to ($ExtIf) port ftp $SynState queue (b_http, b_ack)
> # pass in log on $ExtIf inet proto tcp from <bgnets> \
> # to ($ExtIf) port $ftprange $SynState queue (b_http, b_ack)
>
> # VsFtp (queue INTER)
> # pass in log on $ExtIf inet proto tcp from !<bgnets> \
> # to ($ExtIf) port ftp $SynState queue (i_http, i_ack)
> # pass in log on $ExtIf inet proto tcp from !<bgnets> \
> # to ($ExtIf) port $ftprange $SynState queue (i_http, i_ack)
>
> # Ping
> # pass in log on $ExtIf inet proto icmp from any \
> # to ($ExtIf) $UdpState
>
> ### End $ExtIf inbound ###########
>
> ### $IntIf outbound ###########
>
> # ntp.bsdbg.net
> pass out log on $IntIf inet proto udp from any \
> to $ntp port ntp $UdpState tagged NTP
>
> # RDC
> pass out log on $IntIf inet proto tcp from any \
> to $vl port $rdc_int $TcpState tagged RDC
>
> # Battle.Net
> pass out log on $IntIf inet proto {tcp, udp} from <bgnets> \
> to $vl port $bnet $TcpState
>
> # Skype
> pass out log on $IntIf inet proto {tcp, udp} from any \
> to $vl port $vl_skype $TcpState tagged SKYPE
> pass out log on $IntIf inet proto {tcp, udp} from any \
> to $jl port $jl_skype $TcpState tagged SKYPE
> pass out log on $IntIf inet proto {tcp, udp} from any \
> to $ve port $ve_skype $TcpState tagged SKYPE
>
> # uTorrent
> pass out log on $IntIf inet proto {tcp, udp} from any \
> to $vl port $vl_torrent $TcpState
> pass out log on $IntIf inet proto {tcp, udp} from any \
> to $jl port $jl_torrent $TcpState
> pass out log on $IntIf inet proto {tcp, udp} from any \
> to $ve port $ve_torrent $TcpState
>
> # HFS
> pass out log on $IntIf inet proto tcp from <bgnets> \
> to $vl port $vl_hfs $TcpState
>
> # Allow self to reach Lan
> pass out log on $IntIf inet proto {tcp, udp, icmp} from (self) \
> to $IntIf:network $TcpState
>
> # Ping
> # pass out log on $IntIf inet proto icmp from any \
> # to $IntIf:network $UdpState
>
> ### End $IntIf outbound ##########
>
> ### $IntIf inbound ###############
>
> # Allow all out
> pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
> to any $TcpState tag BULK
>
> pass in log on $IntIf inet proto icmp from $IntIf:network \
> to any $UdpState
>
> # Capcha Torrent traffic
> pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network port
> $urange \
> to any $TcpState tag BITTOR
>
> # ntp.bsdbg.net
> pass in log on $IntIf inet proto {tcp, udp} from $ntp \
> to any $TcpState tag NTP
>
> # Ftp-proxy
> pass in log on $IntIf inet proto tcp from $IntIf:network \
> to !$IntIf port ftp $TcpState $IntIfSTO rdr-to lo0 port $FtpPort
>
> # Symux
> pass in log on $IntIf inet proto {tcp, udp} from $IntIf:network \
> to $IntIf port $symux $TcpState $IntIfSTO rdr-to lo0
>
> ### End $IntIf inbound ############
>
> ### $ExtIf outbound ###############
>
> #################
> # TCP #
> #################
> ### Queue bulk (i_bulk $ b_bulk & isp_bulk) ###
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any $TcpState $ExtIfSTO queue (i_bulk, i_ack) tagged BULK
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> $TcpState $ExtIfSTO queue (b_bulk, b_ack) tagged BULK
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <isp> $TcpState $ExtIfSTO queue (isp_bulk, isp_ack) tagged BULK
>
> ### Queue default (i_bittor & b_bittor & isp_bulk) ###
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any $TcpState $ExtIfSTO queue (i_bittor, i_ack) tagged BITTOR
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> $TcpState $ExtIfSTO queue (b_bittor, b_ack) tagged BITTOR
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <isp> $TcpState $ExtIfSTO queue (isp_bulk, isp_ack) tagged BITTOR
>
> ### Queue ssh (i_ssh)
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to !<bgnets> port ssh $TcpState $ExtIfSTO queue i_ssh
>
> ### SELF ###
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any $TcpState queue i_bulk tagged SELF
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> $TcpState queue b_bulk tagged SELF
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <isp> $TcpState queue isp_bulk tagged SELF
>
> ### ntp.bsdbg.net ###
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to any $TcpState queue i_ntp tagged NTP
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <bgnets> $TcpState queue b_ntp tagged NTP
> pass out log on $ExtIf inet proto tcp from ($ExtIf) \
> to <isp> $TcpState queue isp_bulk tagged NTP
>
> #################
> # UDP #
> #################
> ### Queue bulk (i_bulk & b_bulk)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any $UdpState $ExtIfSTO queue i_bulk tagged BULK
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> $UdpState $ExtIfSTO queue b_bulk tagged BULK
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <isp> $UdpState $ExtIfSTO queue isp_bulk tagged BULK
>
> ### Queue torrent (i_bittor & b_bittor)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any $UdpState $ExtIfSTO queue i_bittor tagged BITTOR
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> $UdpState $ExtIfSTO queue b_bittor tagged BITTOR
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <isp> $UdpState $ExtIfSTO queue isp_bulk tagged BITTOR
>
> ### Queue dns (i_dns & b_dns)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any port domain $UdpState queue i_dns
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port domain $UdpState queue b_dns
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <isp> port domain $UdpState queue isp_bulk
>
> ### Queue ntp (i_ntp & b_ntp)
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any $UdpState queue i_ntp tagged NTP
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> $UdpState queue b_ntp tagged NTP
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <isp> $UdpState queue isp_bulk tagged NTP
>
> ### Battle.net ###
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> port $bnet $UdpState queue b_ack
>
> ### Ping ###
> pass out log (all) on $ExtIf inet proto icmp from ($ExtIf) \
> to any $UdpState queue i_dns
> pass out log (all) on $ExtIf inet proto icmp from ($ExtIf) \
> to <bgnets> $UdpState queue b_dns
> pass out log (all) on $ExtIf inet proto icmp from ($ExtIf) \
> to <isp> $UdpState queue isp_ack
>
> ### SELF ###
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to any $UdpState queue i_bulk tagged SELF
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <bgnets> $UdpState queue b_bulk tagged SELF
> pass out log on $ExtIf inet proto udp from ($ExtIf) \
> to <isp> $UdpState queue isp_bulk tagged SELF
> pass out log on $ExtIf inet proto icmp from ($ExtIf) \
> to any $UdpState tagged SELF
>
> ### End $ExtIf outbound ###########
>
> ################################ END ##############################
>
>
> My dmesg
> ##############
> DMESG
> ##############
>
> OpenBSD 4.7-stable (NS) #1: Wed Aug 18 21:28:32 EEST 2010
> [email protected]:/usr/src/sys/arch/amd64/compile/NS
> real mem = 1054801920 (1005MB)
> avail mem = 1015279616 (968MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0000 (70 entries)
> bios0: vendor Phoenix Technologies, LTD version "ASUS M2NPV-VM ACPI BIOS
> Revision 1301" date 02/05/2008
> bios0: ASUSTek Computer INC. M2NPV-VM
> acpi0 at bios0: rev 2
> acpi0: tables DSDT FACP MCFG APIC
> acpi0: wakeup devices HUB0(S5) XVRA(S5) XVRB(S5) XVRC(S5) UAR1(S5) UAR2(S5)
> PS2M(S4) PS2K(S4) USB0(S4) USB2(S4) AZAD(S5) MMAC(S5) MMCI(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD Sempron(tm) Processor 3200+, 1804.00 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 128KB
> 64b/line 16-way L2 cache
> cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: apic clock running at 200MHz
> ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 24 pins
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (HUB0)
> acpicpu0 at acpi0
> acpitz0 at acpi0: critical temperature 75 degC
> acpibtn0 at acpi0: PWRB
> aibs0 at acpi0
> aibs0: FSIF: misformed package: 3/5, assume 5
> pci0 at mainbus0 bus 0
> "NVIDIA C51 Host" rev 0xa2 at pci0 dev 0 function 0 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 1 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 2 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 3 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 4 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 5 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 6 not configured
> "NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 7 not configured
> vga1 at pci0 dev 5 function 0 "NVIDIA GeForce 6150" rev 0xa2
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> "NVIDIA MCP51 Host" rev 0xa2 at pci0 dev 9 function 0 not configured
> pcib0 at pci0 dev 10 function 0 "NVIDIA MCP51 ISA" rev 0xa3
> nviic0 at pci0 dev 10 function 1 "NVIDIA MCP51 SMBus" rev 0xa3
> iic0 at nviic0
> spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5
> spdmem1 at iic0 addr 0x51: 512MB DDR2 SDRAM non-parity PC2-5300CL5
> iic1 at nviic0
> "NVIDIA MCP51 Memory" rev 0xa3 at pci0 dev 10 function 2 not configured
> pciide0 at pci0 dev 13 function 0 "NVIDIA MCP51 IDE" rev 0xa1: DMA, channel
> 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: <WDC WD800JB-00JJC0>
> wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> pciide0: channel 1 disabled (no drives)
> ppb0 at pci0 dev 16 function 0 "NVIDIA MCP51 PCI-PCI" rev 0xa2
> pci1 at ppb0 bus 1
> em0 at pci1 dev 8 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 2
> int 16 (irq 10), address 00:07:e9:10:32:a8
> em1 at pci1 dev 9 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 2
> int 17 (irq 11), address 00:07:e9:10:2a:20
> pchb0 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
> pchb1 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
> pchb2 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
> kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00: core rev
> DH-F2
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> it0 at isa0 port 0x2e/2: IT8716F rev 1, EC port 0x290
> mtrr: Pentium Pro MTRR support
> vscsi0 at root
> scsibus0 at vscsi0: 256 targets
> softraid0 at root
> root on wd0a swap on wd0b dump on wd0b
