Silly me, now the ASCII doodles should look ok. Sorry.
----
Queueing incoming traffic?!
ALTQ can be used to queue outgoing traffic on a network device.
Incoming traffic to a network device CAN NOT be queued...
...at least not directly ;)
However, when using ALTQ on a router, e.g. a firewall between
the Internet and your local LAN, one can queue the INCOMING traffic
from the Internet as OUTGOING traffic to the local LAN!
Get it? Short example:
(internet)<- - - - - - - - - - - - - - - - - - - - - - -> (client)
  <-- [external_iface]...queue_OUT... [internal_iface] <--
  --> [external_iface] ...queue_IN... [internal_iface] -->
This seems to work.
+++
Problems arise when one runs proxy services on the Firewall.
Take this example with Squid:
(internet)<- - - - - - - - - - - - - - - - - - - - - - -> (client)
  <-- [external_iface]..queue_OUT.<-+   +--<----[internal_iface]<--
                                    |   |
                          [[ Squid on Localhost ]]
                                    |   |
  --> [external_iface] -->----------+   +->..queue_IN..[internal_iface]-->
Situation 1: Squid has the WWW site cached
-> queue_IN is not appropriate, as the data the client receives comes
from the firewall itself and is **NOT** incoming via the external iface
Situation 2: Squid needs to load the WWW site
-> queue_IN (data Squid sends to the client) does probably match the actual
incoming data via the external interface that Squid did receive.
With a rule on the firewall for Squid accessing Internet HTTP servers
like this:
pass out on $external_if inet proto tcp from $external_ip to any port 80 \
    keep state queue (http_ext_out)
queue http_ext_out will catch all OUTGOING traffic to any port 80
(including the TCP ACKs for incoming data) but not incoming traffic
-- again: ONLY OUTGOING traffic can be queued. Amen. ;)
+++
Now, what I did and what seems to work is using a third network device,
the loopback device!
pass out on $external_if inet proto tcp from $external_ip to any port 80 \
    queue (http_ext_out)
pass in on $external_if route-to $localhost_if inet proto tcp from any \
    port 80 to $external_ip queue (http_ext_in)
Strange? Well, it works. Queue http_ext_in catches the incoming HTTP
traffic. Squid doesn't care about interfaces (the source and destination
IPs are unchanged) and is happy receiving the data.
(internet)<- - - - - - - - - - - - - - - - - - - - - - -> (client)
  <-- [external_iface]..queue_OUT.<-+   +------[internal_iface]<--
                                    |   |
                          [[ Squid on Localhost ]]-->[internal_iface]-->
                                    |
                            [localhost_iface]..queue_IN..
                                    |
                        route-to localhost_iface
                                    |
  --> [external_iface]------------->+
+++
And now, my problem ;)
With my route-to localhost solution I can queue the incoming
traffic but I lose the stateful inspection features of pf :(
If I use stateful inspection, a state will be created for the
incoming HTTP packets, state rules are evaluated before any other
rules, and the route-to rule *never* sees the packets.
Looking forward to you network gurus commenting on that :)
Thanks to all contributors to the pf mailing list.
Keep up the good work!
Yours
Torsten aka erpel23
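The following pf.conf skeleton is an added illustration, not part of the post above and not the author's own configuration: it wires together the three queueing points the post describes (outgoing traffic on the external interface, Internet-to-LAN traffic queued as outgoing on the internal interface, and the route-to-loopback detour for Squid's own fetches). The author's macro names are kept; the interface names, addresses, bandwidth figures and queue names other than http_ext_out and http_ext_in are constructed placeholders, and NAT for the LAN is left out.

```conf
# Added example, not from the original post.  Interface names, addresses
# and bandwidths are constructed placeholders; adjust before use.
external_if  = "fxp0"          # assumed: link to the Internet
internal_if  = "fxp1"          # assumed: link to the local LAN
localhost_if = "lo0"           # the "third network device" from the post
external_ip  = "192.0.2.10"    # assumed (documentation address)
lan_net      = "192.168.1.0/24" # assumed

# 1. Traffic leaving towards the Internet is queued on the external interface.
altq on $external_if cbq bandwidth 2Mb queue { std_ext_out, http_ext_out }
queue std_ext_out  bandwidth 70% cbq(default)
queue http_ext_out bandwidth 30%

# 2. Traffic from the Internet to LAN clients cannot be queued as it ARRIVES
#    on $external_if, but it LEAVES through $internal_if, so it is queued
#    there as outgoing traffic (the "queue_IN" of the first doodle).
altq on $internal_if cbq bandwidth 100Mb queue { std_int_out, http_int_out }
queue std_int_out  bandwidth 90% cbq(default)
queue http_int_out bandwidth 10%

# 3. Replies to Squid's own fetches terminate on the firewall and never
#    cross $internal_if.  The post's trick: route them to loopback and
#    queue them there on the way out.
altq on $localhost_if cbq bandwidth 10Mb queue { std_lo_out, http_ext_in }
queue std_lo_out  bandwidth 70% cbq(default)
queue http_ext_in bandwidth 30%

# LAN client -> Internet, shaped on the way out of the external interface.
pass out on $external_if inet proto tcp from $lan_net to any port 80 \
    keep state queue (http_ext_out)

# Internet -> LAN client, shaped on the way out of the internal interface.
# As the post notes, packets matching an existing state are handled by
# that state before any rule is consulted, so confirm with the queue
# counters that reply packets really land in http_int_out.
pass out on $internal_if inet proto tcp from any port 80 to $lan_net \
    keep state queue (http_int_out)

# Squid on the firewall -> Internet.  Deliberately stateless, exactly as in
# the post: with keep state here the state entry would match the replies
# and the route-to rule below would never see them.
pass out on $external_if inet proto tcp from $external_ip to any port 80 \
    queue (http_ext_out)

# Internet -> Squid: detour via loopback so the reply can be queued.
pass in on $external_if route-to $localhost_if inet proto tcp from any \
    port 80 to $external_ip queue (http_ext_in)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -vs queue` while Squid fetches a page to see which queue's packet counters move. Note the cost of the stateless Squid rules that the post already points out: the `pass in ... from any port 80 to $external_ip` rule admits any packet whose source port is 80, with none of the sequence-number and flag checking that `keep state` would provide, so it should be paired with the tightest match the setup allows and kept under review until the state-versus-route-to interaction is resolved.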