Hello All,
I am running OpenBSD 3.3-current with HFSC queueing and stateful filters.
If I enable my stateful filters, any traffic matched by those filters
does not go through my queue filters and gets unlimited bandwidth.
Below is my pf.conf file. When I access 196.34.165.210 via ftp, my
bandwidth is limited, but as soon as I access it via port 80 I have
unlimited bandwidth.
Have a great day
Mark
# Interface Variables
# Macros naming the four interfaces. The rules below refer to $i01-$i03;
# $i04 is not referenced anywhere in the rules shown here.
i01="fxp0" # uplink
i02="dc0" # hosting
i03="dc1" # access00
i04="dc2" # shell
#
# Bandwidth caps reused by the local_* and intl_* parent queues.
localbw="512Kb"
internationalbw="192Kb"
# Negated one-element list, used as the destination of the ICMP and
# traceroute rules: those rules apply to every address except this host.
icmp="{ !196.34.165.210 }"
# <mics>: the two networks whose mutual traffic is sent to the lan_* queues.
table <mics> { 196.34.165.0/24, 196.23.168.0/24 }
# <za>: address list read from a file when the ruleset is loaded; the rules
# below use it to pick the "local" (opium_*_l) rather than the
# "international" (opium_*_i) queue.
# NOTE(review): this file decides queue assignment, so it should be writable
# by root only - confirm its ownership and mode.
table <za> file "/usr/local/etc/zaip"
# Global options: state timeouts (in seconds), memory limits, defaults.
set timeout { interval 30, frag 10 }
# NOTE(review): tcp.established 86400 keeps an idle established state for a
# full day; together with the 100000-state limit below, confirm that a large
# number of idle connections cannot fill the state table.
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# Hard caps on state-table entries and on fragments held for reassembly.
set limit { states 100000, frags 15000 }
# No interface has statistics logging enabled.
set loginterface none
set optimization normal
# Block rules drop silently (no TCP RST / ICMP unreachable is returned).
set block-policy drop
# Enforce the statement order: options, scrub, queueing, translation, filtering.
set require-order yes
# Normalise inbound packets on the uplink: reassemble fragments, clear the
# don't-fragment bit and replace the IP ID with a random value.
scrub in on fxp0 all random-id no-df fragment reassemble
####### ALTQ
#### Uplink Interface - Peering
# HFSC scheduler on the uplink with three top-level queues. std_01 is the
# default queue: a packet leaving $i01 that was not assigned to a queue by a
# rule (or by the state it belongs to) ends up here.
altq on $i01 bandwidth 10Mb hfsc queue { std_01, lan_01, local_01 }
queue std_01 bandwidth 32Kb hfsc(default upperlimit 512Kb) # change this
queue lan_01 bandwidth 2Mb
# Uplink - Local Bandwidth
# NOTE(review): the next statement is split over two lines without a trailing
# backslash, unlike the other queue lists in this file - probably mail
# line-wrapping; confirm against the real pf.conf.
queue local_01 bandwidth $localbw hfsc(upperlimit $localbw) { ssh_01, opium_01_l,
jobsd_01_l }
queue ssh_01 bandwidth 16Kb hfsc(realtime 16Kb)
# NOTE(review): the upperlimit (32Kb) is lower than the configured bandwidth
# (128Kb); confirm which of the two figures is the intended cap.
queue opium_01_l bandwidth 128Kb hfsc(upperlimit 32Kb)
queue jobsd_01_l bandwidth 128Kb hfsc(realtime 128Kb)
# Uplink - International Bandwidth
# NOTE(review): intl_01 and its children are commented out, yet the filter
# rule "pass out on $i01 from 196.34.165.210 to any ... queue opium_01_i"
# further down still names opium_01_i. Either re-enable this block (and add
# intl_01 to the altq queue list above) or change that rule.
#queue intl_01 bandwidth $internationalbw hfsc(upperlimit $internationalbw) \
# { opium_01_i, \
# jobsd_01_i }
# queue opium_01_i bandwidth 64Kb hfsc(realtime 64Kb)
# queue jobsd_01_i bandwidth 64Kb hfsc(realtime 16Kb)
#### Hosting Interface
# HFSC scheduler on the hosting interface: default queue, LAN queue, and one
# parent queue each for local and international traffic.
altq on $i02 bandwidth 100Mb hfsc queue { std_02, lan_02, local_02, intl_02 }
queue std_02 bandwidth 32Kb hfsc(default upperlimit 512Kb) # change this
queue lan_02 bandwidth 2Mb
# Hosting - Local Bandwidth
# Parent capped at $localbw; the children share that cap.
queue local_02 bandwidth $localbw hfsc(upperlimit $localbw) \
{ ssh_02, \
joxp_02_l, \
jobsd_02_l }
queue ssh_02 bandwidth 16Kb hfsc(realtime 16Kb)
queue joxp_02_l bandwidth 128Kb hfsc(realtime 128Kb)
queue jobsd_02_l bandwidth 128Kb hfsc(realtime 128Kb)
# Hosting - International Bandwidth
# Parent capped at $internationalbw.
# NOTE(review): none of the filter rules shown in this file assigns traffic
# to the joxp_02_* or jobsd_02_* queues; only lan_02 and ssh_02 are used on
# $i02 - confirm whether the per-host rules are still to be written.
queue intl_02 bandwidth $internationalbw hfsc(upperlimit $internationalbw) \
{ joxp_02_i, \
jobsd_02_i }
queue joxp_02_i bandwidth 64Kb hfsc(realtime 64Kb)
queue jobsd_02_i bandwidth 64Kb hfsc(realtime 64Kb)
#### Access00 Interface
# HFSC scheduler on the access interface, same layout as the hosting one:
# default queue, LAN queue, local parent and international parent.
altq on $i03 bandwidth 10Mb hfsc queue { std_03, lan_03, local_03, intl_03 }
queue std_03 bandwidth 32Kb hfsc(default upperlimit 512Kb) # change this
queue lan_03 bandwidth 2Mb
# Access00 - Local Bandwidth
# Parent capped at $localbw; the children share that cap.
queue local_03 bandwidth $localbw hfsc(upperlimit $localbw) \
{ ssh_03, \
opium_03_l, \
jobsd_03_l }
queue ssh_03 bandwidth 16Kb hfsc(realtime 16Kb)
# NOTE(review): the upperlimit (32Kb) is lower than the configured bandwidth
# (128Kb); confirm which of the two figures is the intended cap.
queue opium_03_l bandwidth 128Kb hfsc(upperlimit 32Kb)
queue jobsd_03_l bandwidth 128Kb hfsc(realtime 128Kb)
# Access00 - International Bandwidth
# Parent capped at $internationalbw.
queue intl_03 bandwidth $internationalbw hfsc(upperlimit $internationalbw) \
{ opium_03_i, \
jobsd_03_i }
queue opium_03_i bandwidth 64Kb hfsc(realtime 16Kb)
queue jobsd_03_i bandwidth 64Kb hfsc(realtime 64Kb)
#
####### /ALTQ
# Disabled: redirect of TCP port 31337 arriving on dc1 to port 23 on
# 196.23.168.2.
#rdr on dc1 proto tcp from any to any port 31337 -> 196.23.168.2 port 23
# Disabled: drop of inbound uplink packets whose source has no route.
#block in on fxp0 from no-route to any
###### ALTQ/Host firewall definers
# unlimited lan
# Traffic between the <mics> networks goes to the per-interface lan_* queue.
# "quick" ends rule evaluation here, so no later rule can change the queue.
pass out quick on $i01 from <mics> to <mics> keep state queue lan_01
pass out quick on $i02 from <mics> to <mics> keep state queue lan_02
pass out quick on $i03 from <mics> to <mics> keep state queue lan_03
# priority definers
# Port 22 as source or destination is sent to the ssh_* queue of the
# outgoing interface.
# NOTE(review): each rule below is split in front of its queue name with no
# trailing backslash - probably mail line-wrapping; in the real file the
# queue name presumably sits on the same line as the rule.
pass out quick on $i01 proto { tcp, udp } from any to any port 22 keep state queue
ssh_01
pass out quick on $i01 proto { tcp, udp } from any port 22 to any keep state queue
ssh_01
pass out quick on $i02 proto { tcp, udp } from any port 22 to any keep state queue
ssh_02
pass out quick on $i02 proto { tcp, udp } from any to any port 22 keep state queue
ssh_02
pass out quick on $i03 proto { tcp, udp } from any port 22 to any keep state queue
ssh_03
pass out quick on $i03 proto { tcp, udp } from any to any port 22 keep state queue
ssh_03
#
# Per-host shaping for 196.34.165.210: the "any" rules select the
# international queue, and the <za> rules that follow override them for
# local destinations/sources because the last matching rule wins.
# NOTE(review): these rules are not "quick". The later rule
# "pass out on fxp0 proto tcp all flags S/SAFR keep state" also matches
# outgoing TCP SYNs on the uplink and carries no queue, so for connections
# opened by this host it wins and the state is created without a queue.
# NOTE(review): a queue is only applied by the rule that creates the state.
# A packet that already belongs to a state (for example the reply to a
# connection admitted by a "pass in ... keep state" rule) is passed on that
# state and never reaches these rules.
pass out on $i01 from 196.34.165.210 to any keep state queue opium_01_i
pass out on $i03 from any to 196.34.165.210 keep state queue opium_03_i
pass out on $i01 from 196.34.165.210 to <za> keep state queue opium_01_l
pass out on $i03 from <za> to 196.34.165.210 keep state queue opium_03_l
# Disabled variants covering both directions on each interface.
#pass out on $i01 from 196.34.165.210 to <za> keep state queue opium_01_l
#pass out on $i01 from <za> to 196.34.165.210 keep state queue opium_01_l
#pass out on $i03 from <za> to 196.34.165.210 keep state queue opium_03_l
#pass out on $i03 from 196.34.165.210 to <za> keep state queue opium_03_l
########
#### Firewall
# NOTE(review): the default-deny rule is commented out and, apart from the
# antispoof lines, no block rule is active in this file. A packet that
# matches no rule is passed by pf's implicit default, so the pass rules below
# decide only whether state is created, not whether traffic is admitted.
#block in log on fxp0 all
# Allow Ping/Traceroute
# ICMP echo reply (type 0) and echo request (type 8) in either direction
# (no in/out keyword) to every address except the host excluded by $icmp.
pass on fxp0 inet proto icmp from any to $icmp icmp-type 0 keep state
pass on fxp0 inet proto icmp from any to $icmp icmp-type 8 keep state
# "><" is the exclusive range operator: ports 33434 through 33465.
# NOTE(review): unlike the rules around it, this one keeps no state.
pass in on fxp0 proto udp from any to $icmp port 33433><33466
# Incoming keepstates
#pass in on fxp0 proto tcp from any to any port 22 keep state
#temp
#pass in on fxp0 proto tcp all flags S/SAFR keep state
# NOTE(review): likely cause of the behaviour described in the post. This
# rule creates the state for inbound HTTP without naming a queue, and replies
# leaving fxp0 are passed on that state without rule evaluation, so the
# "pass out ... queue opium_01_*" rules never see them. Naming the queue on
# this rule is the usual remedy - confirm against pf.conf(5) for this release.
# NOTE(review): no "flags S/SAFR" here, unlike the outgoing TCP rule, so
# state can be created by a packet that is not an initial SYN.
pass in on fxp0 proto tcp from any to 196.34.165.210 port 80 keep state
# NOTE(review): "<>" is the except-range operator, so this matches UDP to
# every port below 33434 or above 33465 on any destination. If the
# traceroute range was meant, the operator is presumably "><" - confirm.
pass in on fxp0 proto udp from any to any port 33434<>33465 keep state
# Outgoing keepstates
# State is created only on an initial SYN (of SYN/ACK/FIN/RST only SYN set).
pass out on fxp0 proto tcp all flags S/SAFR keep state
pass out on fxp0 proto udp all keep state
#### /Firewall
### Anti-Spoofing
# antispoof expands to block rules that drop packets carrying a source
# address from the named interface's network when they arrive on a different
# interface. Active for the uplink (fxp0) and access00 (dc1) only.
antispoof for fxp0 inet
# NOTE(review): dc0 (hosting) and dc2 (shell) are named in the interface
# macros but have antispoof disabled - confirm that this is intentional.
#antispoof for dc0 inet
antispoof for dc1 inet
#antispoof for dc2 inet
#antispoof for dc3 inet
#antispoof for dc4 inet
###