Henning Brauer wrote:
> that's interesting. I have no tun/pppoe setup to test myself - mind
> sharing pf.conf/pfctl -gvsq/other relevant setup?

"It seems to work!"

However, when I tried to implement the SOHO example from the pf FAQ, I
got very erratic results and overall performance dropped significantly.
I blame the fact that I don't entirely understand altq, yet. For
example, why does the ackpri example work without capping the downstream
down to <bandwidth> as well? Is this because altq can never ever shape
incoming traffic, so whatever I put in queues on $ext_if, it always
handles outgoing traffic? This still is a very confusing topic for me.

This is running for a while now, and the packets appear to end up in the
correct queues. I shortened the lines somewhat to prevent wrapping.
# pfctl -gvsq 
queue q_pri priority 7 
[ pkts:      12207  bytes:     559156  dropped pkts: 0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=8 ifname=tun0 ifbandwidth=120Kb ]
queue q_def priq( default ) 
[ pkts:      34851  bytes:   16527690  dropped pkts: 0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=2 ifname=tun0 ifbandwidth=120Kb ]

Some more possibly relevant stuff from `ifconfig -a`:
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:01:02:e2:5a:80
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.9.100 netmask 0xffffff00 broadcast 192.168.9.255
        inet6 fe80::201:2ff:fee2:5a80%xl0 prefixlen 64 scopeid 0x1
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1492
        inet 80.136.175.7 --> 217.5.98.79 netmask 0xffffffff 

While the tun0 mtu is 1492, I have to set mtu and mru to 1488 in
ppp.conf to get it to work reliably. This is 768/128 T-DSL.

Here's my pf.conf, hopefully in a readable manner. The one thing I
couldn't get to work, no matter what, was having ftp connections
originating from the firewall itself passed through ftp-proxy. Any
comments and hints about this problem and my configuration in general
are highly appreciated!

--- snip ---
  ##########
 # MACROS #
##########

ext_if = "tun0"
int_if = "xl0"

int_nets = "192.168/16"
kolanet = "192.168.9/24"

# FTP, SSH and unencrypted IMAP/POP3 are handled separately
tcpserv = "21, 22, 25, 80, 443, 993, 995"

floater = "192.168.9.10"
rain = "192.168.9.1"

raintcp = "{ 63392 }"
rainudp = "{ 63392 }"
floatertcp = "{ 2234, 5534 }"
#floaterudp = "{  }"

nmproxytcp = "49999 >< 50010"
nmproxyudp = "49999 >< 50060"

SM = "flags S/SAFRPU modulate state"
SK = "flags S/SAFRPU keep state"


  ##########
 # TABLES #
##########

table <spoof> const persist {                   \
        127/8, 10/8, 172.16/12, 192.168/16,     \
        255.255.255.255/32, 169.254/16,         \
        192.0.2/24, 198.18/15, 224/4 }

table <spamd> persist


  ###########
 # OPTIONS #
###########

set block-policy return
set loginterface $ext_if
set limit { states 20000, frags 20000 }
set optimization normal


  #################
 # NORMALIZATION #
#################

scrub in all no-df fragment reassemble
scrub out on $ext_if all random-id fragment reassemble max-mss 1448
scrub out on $int_if all random-id fragment reassemble max-mss 1460


  ############
 # QUEUEING #
############

altq on $ext_if priq bandwidth 120Kb queue { q_pri, q_def }

queue q_pri priority 7
queue q_def priority 1 priq(default)


  ###############
 # TRANSLATION #
###############

# Redirections

# ftp-proxy
rdr on $int_if proto tcp from any to ! $int_nets port 21 \
   -> 127.0.0.1 port 8021
# I wish this would work - FTP connections originating
# locally won't get redirected, no matter what I try here.
#rdr on $ext_if proto tcp from any to ! $int_nets port 21 \
#   -> 127.0.0.1 port 8021

# SPAMd
rdr on $ext_if proto tcp from <spamd> to any port 25 \
   -> 127.0.0.1 port 8025

# # nmproxy for H.323, currently defunct, help underway
# rdr proto tcp from any to any port 1720 -> 127.0.0.1 port 1720

rdr on $ext_if proto tcp from any to any port $raintcp -> $rain
rdr on $ext_if proto udp from any to any port $rainudp -> $rain
rdr on $ext_if proto tcp from any to any port $floatertcp -> $floater
#rdr on $ext_if proto udp from any to any port $floaterudp -> $floater

# BINAT
# (nothing to see here, move along)

# NAT

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)


  #############
 # FILTERING #
#############

block log

# Security stuff and general niceness

pass quick on lo0 all

# antispoof won't work for $ext_if since there are times when
# $ext_if doesn't have an IP
antispoof for { lo0, $int_if }

block drop quick from no-route to any
block drop in log quick on $ext_if from <spoof> to any
block drop in quick on $ext_if from any to 255.255.255.255/32

block in log quick proto tcp from any to any flags SE/SWE
block in log quick proto tcp from any to any flags SW/SWE

block out log quick on $ext_if inet from ! ($ext_if) to any

# IPv6

block in quick on $ext_if inet6 all
pass in quick inet6 all
pass out quick inet6 all keep state

# Encryption

pass proto { ah, esp } all keep state

# ICMP

pass in log inet proto icmp from any to any \
   icmp-type 8 code 0 keep state

#
# Internal interface, INCOMING
#

# DNS
pass in on $int_if proto tcp from $int_nets to any port 53 $SK
pass in on $int_if proto udp from $int_nets to any port 53 keep state

# DHCP
pass in on $int_if proto udp from any port 68 \
   to 255.255.255.255 port 67 keep state
pass in on $int_if inet proto udp from $int_nets port 68 \
   to ($int_if) port 67 keep state

# Not for us / Internet
pass in on $int_if inet from $int_nets to ! ($int_if) keep state

# For me from everybody else
pass in on $int_if proto tcp from $int_nets to any \
   port { 110, 143, $tcpserv } $SK
# Passive FTP from everybody else
pass in on $int_if inet proto tcp from $int_nets to ($int_if) \
   port 55000 >< 60001 $SK

# For me from kolanet
pass in on $int_if inet proto tcp from $kolanet to ($int_if) \
   port { 110, 143, 139, 5771, 5880, $tcpserv } $SK allow-opts
pass in on $int_if inet proto udp from $kolanet to ($int_if) \
   port { 137, 138, 518 } keep state
pass in on $int_if inet proto icmp from $kolanet to ($int_if) \
   keep state

#
# Internal interface, OUTGOING
#

# Proxies
pass out on $int_if inet proto tcp from ($int_if) to any \
   $SM user proxy

# DHCP
pass out on $int_if inet proto udp from ($int_if) port 67 \
   to any port 68

# DNS
pass out on $int_if inet proto tcp from ($int_if) port 53 \
   to $int_nets $SM
pass out on $int_if inet proto udp from ($int_if) port 53 \
   to $int_nets keep state

# SSH into the LAN
pass out on $int_if inet proto tcp from ($int_if) to $int_nets \
   port 22 $SM

# FTP
pass out on $int_if inet proto tcp from ($int_if) port 20 \
   to $int_nets port > 1023 $SM

# Redirections
pass out on $int_if proto tcp from any \
   to $rain port $raintcp $SM
pass out on $int_if proto udp from any \
   to $rain port $rainudp keep state
pass out on $int_if proto tcp from any \
   to $floater port $floatertcp $SM
#pass out on $int_if proto udp from any \
#   to $floater port $floaterudp keep state

# Samba needs somethin' special
pass out on $int_if inet proto tcp from ($int_if) \
   to $int_nets port 135 $SM
pass out on $int_if inet proto udp from ($int_if) \
   to $int_nets port { 137, 138 } keep state

#
# External interface, IT'S COMING RIGHT FOR US!
#

# FTP
pass in on $ext_if proto tcp from any \
   to any port 55000 >< 60001 $SK queue (q_def, q_pri)
pass in on $ext_if proto tcp from any \
   to any port 50099 >< 55001 $SK user proxy queue (q_def, q_pri)
pass in on $ext_if proto tcp from any port 20 \
   to any port > 49151 $SK queue (q_def, q_pri)

# SSH and others
pass in on $ext_if proto tcp from any \
   to any port { $tcpserv } $SK queue (q_def, q_pri)

# Redirections
pass in on $ext_if proto tcp from any \
   to $rain port $raintcp $SK queue (q_def, q_pri)
pass in on $ext_if proto udp from any \
   to $rain port $rainudp keep state
pass in on $ext_if proto tcp from any \
   to $floater port $floatertcp $SK queue (q_def, q_pri)
#pass in on $ext_if proto udp from any \
#   to $floater port $floaterudp keep state

# # nmproxy
# pass in on $ext_if proto udp from any \
#    to any port $nmproxyudp keep state
# pass in on $ext_if proto tcp from any \
#    to any port $nmproxytcp $SM

#
# External interface, OUTGOING
#

pass out on $ext_if inet from ($ext_if) to any keep state
pass out on $ext_if inet proto tcp from ($ext_if) \
   to any $SM allow-opts queue (q_def, q_pri)
pass out on $ext_if inet proto { udp, icmp } from ($ext_if) \
   to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any \
   icmp-type 8 code 0 keep state queue (q_pri)
--- snap ---

Bye,


Moritz
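An added illustration of the point behind the altq question above (not from the message or the pf FAQ): altq only queues packets as they leave an interface, so the queues on $ext_if shape the upstream, and the downstream is capped by a second altq declaration on $int_if, where that traffic is outbound. The macros ($ext_if, $int_if, $int_nets, $SM, $SK) and the q_pri/q_def queues are those of the posted pf.conf; the 700Kb downstream cap, the d_std/d_bulk queues and their split, and the choice of port 873 as "bulk" are assumptions.

```pf
# Upstream (128 Kbps nominal): queued on $ext_if, the only interface on
# which altq sees packets leaving toward the provider.  Same declaration
# as in the posted pf.conf.
altq on $ext_if priq bandwidth 120Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Downstream (768 Kbps nominal): inbound on $ext_if, so it cannot be
# shaped there.  It is shaped as it leaves $int_if toward the LAN.
# 700Kb (below line rate, so this queue and not the modem is the
# bottleneck) and the 90/10 split are assumptions.
altq on $int_if cbq bandwidth 700Kb queue { d_std, d_bulk }
queue d_std bandwidth 90% priority 3 cbq(default borrow)
queue d_bulk bandwidth 10% priority 1 cbq(borrow)

# The queue named on a rule is attached to its state, so the packets of
# that state that leave an altq interface are queued there.  For a "pass
# in on $ext_if" rule that means the replies going back out $ext_if.
# The second queue in (q_def, q_pri) takes empty ACKs and low-delay
# TOS packets.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
   $SM queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to any port 22 \
   $SK queue (q_def, q_pri)

# LAN clients' connections enter on $int_if; the replies leaving $int_if
# are what gets queued.  States without a queue fall into cbq(default),
# i.e. d_std.  Last matching rule wins, so the rsync (873, assumed
# bulk) rule after the catch-all sends only that traffic to d_bulk.
pass in on $int_if inet from $int_nets to ! ($int_if) keep state
pass in on $int_if inet proto tcp from $int_nets to ! ($int_if) \
   port 873 $SK queue d_bulk
```

After loading, `pfctl -vsq` shows the d_* queues with ifname=$int_if and the q_* queues with ifname=$ext_if, and the pkts counters of each confirm which direction it actually shapes.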
