Queueing incoming Traffic ?!
ALTQ can be used to queue outgoing traffic on a network device.
Incoming traffic to a network device can NOT be queued.. at least not
directly ;)
However, when using ALTQ on a router, e.g. a firewall between the
Internet and your local LAN, one can queue the INCOMING traffic from the
Internet as OUTGOING traffic to the local LAN!
Get it? Short example:
(internet)< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> (client)
          <---- [external_interface]...queue_OUT...[internal_interface]<----
          ----> [external_interface]...queue_IN....[internal_interface]---->
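The picture above as a pf.conf fragment. This is an added example, not a ruleset from the original post; interface names, the bandwidth figures and the queue names std_out/std_in are assumed placeholders.

```pf
# Added example: queue traffic arriving from the Internet by shaping it
# on its way OUT of the internal (LAN) interface.
# Interface names and bandwidths are assumed placeholders.
ext_if = "fxp0"     # towards the Internet
int_if = "fxp1"     # towards the local LAN

# Queues on the external interface shape traffic LEAVING towards the
# Internet (the "queue_OUT" side of the diagram).
altq on $ext_if cbq bandwidth 2Mb queue { std_out, http_ext_out }
queue std_out      bandwidth 60% cbq(default)
queue http_ext_out bandwidth 40%

# Queues on the internal interface shape traffic LEAVING towards the LAN.
# Replies that came in from the Internet are forwarded out here, so this
# is where "incoming" traffic is really queued (the "queue_IN" side).
altq on $int_if cbq bandwidth 10Mb queue { std_in, http_ext_in }
queue std_in      bandwidth 60% cbq(default)
queue http_ext_in bandwidth 40%

# Web browsing from the LAN. The state is created by this rule and records
# the queue name; when the web server's replies match the state and leave
# the firewall via $int_if, they are placed into http_ext_in. The request
# packets of the same state leave via $ext_if, where no queue of that name
# exists, so they simply fall into std_out, the default queue there.
pass in on $int_if inet proto tcp from $int_if:network to any port 80 \
    flags S/SA keep state queue (http_ext_in)
```

After loading the ruleset, `pfctl -s queue -v` lists the per-queue packet counters for each interface, which shows whether the replies are really landing in http_ext_in on $int_if rather than in the default queue.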
This approach seems to work. Problems arise when one runs proxy services
on the firewall, :/ like Squid (transparent). Take this example:
(internet)< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> (client)
          <---- [external_interface]..queue_OUT.<-+          +-------------[internal_interface]<----
                                                  |          |
                                                  +<-[[ Squid on Localhost ]]
                                                     |            |
          ----> [external_interface] ----------------+            +->..queue_IN..[internal_interface]---->
Situation 1: Squid has the WWW site cached
-> queue_IN is not appropriate, as the data the client receives comes from
the firewall itself and is **NOT** incoming via the external interface.
Situation 2: Squid needs to load the WWW site
-> queue_IN (the data Squid sends to the client) does probably match the
actual incoming data via the external interface that Squid did receive.
With a rule on the firewall for Squid accessing Internet HTTP servers
like this:
  pass out on $external_if inet proto tcp from $external_ip to any port 80 keep state queue (http_ext_out)
queue http_ext_out will catch all OUTGOING traffic to any port 80
(including the TCP ACKs for the incoming data),
but not the incoming traffic (again: ONLY OUTGOING traffic can be queued.
amen. ;)
+++
Now, what I did and what seems to work is using a third network device,
the loopback device!
  pass out on $external_if inet proto tcp from $external_ip to any port 80 queue (http_ext_out)
  pass in on $external_if route-to $localhost_if inet proto tcp from any port 80 to $external_ip queue (http_ext_in)
Strange? Well, it works. Queue http_ext_in catches the incoming HTTP
traffic.
Squid doesn't care about interfaces (the source and destination IPs are
unchanged) and is happy receiving the data.
(internet)< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -> (client)
          <---- [external_interface]..queue_OUT.<-+          +-------------[internal_interface]<----
                                                  |          |
                                                  +<-[[ Squid on Localhost ]]
                                                     |            |
                 [localhost_interface]..queue_IN..->|            +-------->[internal_interface]---->
                           |
                 route-to localhost_interface
                           |
          ----> [external_interface]->+
And now, my problem ;)
With my route-to localhost solution I can queue the incoming traffic,
but I lose the stateful inspection features of pf :( . . .
If I use stateful inspection, a state will be created for the incoming
HTTP packets; state rules are evaluated before any other rules, and the
route-to rule *never* sees the packets.
Looking forward for you network gurus to comment on that :)
Thanks to all contributors to the pf mailing list. Keep up the good
work!
Yours
Torsten aka erpel23