At least two people have pointed you to examples of ackpri rulesets.
Are you having a specific problem? If so, can you explain what it is so
that someone can help you?

.joel

Appreciated!

So I used those lines from the example /usr/share/pf/ackpri and
inserted them essentially into the example from PF-FAQ. The result
doesn't make any changes to the pf.conf without those lines. That
means: something must be wrong. What?
Here is the pf.conf:

# Macros: Define useful variables
ExtIF="tun0"                    # External Interface
IntIF="ne1"                     # Our internal interface
IntNet="192.168.116.0/24"       # Our internal network
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
Services="{ www, ssh }"


# Tables: 

# Options:
set optimization aggressive
set loginterface tun0

# Scrub: Clean up fragmented and abnormal packets
scrub in all
scrub out on $ExtIF random-id

# Queueing: Packet Prioritization
altq on $ExtIF priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Translation: 
nat on tun0 from 192.168.116.0/24 to any -> (tun0)

# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ExtIF from $NoRouteIPs to any
block out log quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in log on $ExtIF all

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ExtIF                 all
pass  out on $ExtIF inet proto tcp  all flags S/SA keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state

# prioritize on outgoing packets
pass out on $ExtIF proto tcp from $ExtIF to any flags S/SA \
        keep state queue (q_def, q_pri)

# allow others to use http and https
pass  in log on $ExtIF inet proto tcp from any to any port $Services \
        flags S/SA keep state

# Pass desired ICMP traffic
pass in log quick inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick inet proto icmp all icmp-type 3 code 4 keep state
pass in log quick inet proto icmp all icmp-type 11       keep state

# prioritize on incoming packets
pass in  on $ExtIF proto tcp from any to $ExtIF flags S/SA \
        keep state queue (q_def, q_pri)
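
Added example, not part of the original message: a simplified Python model of pf's rule evaluation (the last matching rule decides, a matching "quick" rule decides at once) applied to the inbound TCP rules of the pf.conf above, to show which rule decides a new connection to the firewall's external address. FW_ADDR, the sample source addresses and the NARROWED variant are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

FW_ADDR = "203.0.113.10"   # constructed stand-in for the address on tun0
NO_ROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
SERVICES = {80, 22}        # www, ssh from the Services macro

@dataclass
class Rule:
    text: str              # abbreviated rule text from the posted pf.conf
    action: str            # "pass" or "block"
    proto: str = None      # None = any protocol
    src_nets: list = None  # None = any source
    dst: str = None        # None = any destination
    ports: set = None      # None = any port
    quick: bool = False

# Inbound rules on $ExtIF in file order (ICMP rules left out of this model).
INBOUND = [
    Rule("block in log quick from $NoRouteIPs", "block", src_nets=NO_ROUTE, quick=True),
    Rule("block in log all", "block"),
    Rule("pass in log tcp port $Services", "pass", proto="tcp", ports=SERVICES),
    Rule("pass in tcp to $ExtIF queue (q_def, q_pri)", "pass", proto="tcp", dst=FW_ADDR),
]
# Hypothetical variant: queue assignment moved onto the $Services rule,
# broad "to $ExtIF" pass rule dropped.
NARROWED = INBOUND[:2] + [
    Rule("pass in log tcp port $Services queue (q_def, q_pri)", "pass", proto="tcp", ports=SERVICES),
]

def matches(r, proto, src, dst, port):
    if r.proto and r.proto != proto:
        return False
    if r.src_nets and not any(ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in r.src_nets):
        return False
    return (not r.dst or r.dst == dst) and (not r.ports or port in r.ports)

def decide(rules, proto, src, dst, port):
    """Return the rule that decides a new inbound connection (None = no match)."""
    last = None
    for r in rules:
        if matches(r, proto, src, dst, port):
            last = r
            if r.quick:
                break
    return last

def exposed_ports(rules, candidates, src="198.51.100.7"):
    """TCP ports on FW_ADDR a routable source can open; pf passes when no rule matches."""
    hits = [(p, decide(rules, "tcp", src, FW_ADDR, p)) for p in candidates]
    return [p for p, r in hits if r is None or r.action == "pass"]
```

With the rules as posted, `exposed_ports(INBOUND, [22, 25, 80, 6000])` returns every port, because the final `pass in ... to $ExtIF` rule is the last match for any TCP connection to the firewall; with NARROWED only 22 and 80 remain.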


