On Thu, Jan 29, 2004 at 07:30:09PM -0800, Andre LaBranche wrote:
> 
> For some reason, all traffic to and from NAT'd machines falls into the 
> default inbound / outbound queues.

  do you mean the default with respect to cbq( default ), or the default
  with respect to the queue you're deciding you want the packets to go
  out of if they're not in a special queue ( as i guess those might not
  _need_ to be the same thing ... ) ?

> #pass out quick on sis0 from $local_nets to $local_nets \
> #       label local_out queue local_out keep state
> pass out quick on sis0 proto udp from any to any \
>         label udp_out queue udp_out
> pass out quick on sis0 inet proto icmp from any to any \
>         label icmp_out queue icmp_out keep state
> pass out quick on sis0 proto { tcp udp } from any port domain to any \
>         label dns_out queue dns_out keep state
> pass out quick on sis0 proto { tcp udp } from any port $ssh_ports to any \
>         label ssh_out queue ssh_im_out keep state

  i'm guessing that the packets aren't making it into the 'dns_out'
  queue because of the pass out _quick_ on the first one up there.
 
  "proto udp from any to any" would indeed match DNS traffic at that
  point, so the dns packet would never make it down to the subsequent
  rules.

  maybe removing quick on the 'catch-all' rules would help?

  jared

-- 

[ openbsd 3.4 GENERIC ( jan 31 ) // i386 ]
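An added illustration of the point jared makes above (this is my model, not code from either poster or from pf itself): pf walks the ruleset top to bottom and the last matching rule wins, except that a matching rule carrying `quick` ends evaluation on the spot. The model encodes the four `pass out` rules from the quoted config and lets you flip `quick` on the udp/icmp catch-alls to see where a DNS reply lands. Assumptions: `$ssh_ports` is taken as port 22 since the macro is not shown, the fallback queue name `std_out` is a placeholder, and the packets are constructed sample values.

```python
"""Model of pf ruleset evaluation: last match wins, 'quick' stops the walk.

Added example, not the original poster's config or pf source. Only the
fields the quoted rules test (protocol, source port) are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # source port (0 for icmp)
    dport: int   # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    label: str
    queue: str
    quick: bool = False
    protos: Tuple[str, ...] = ()   # () means "proto any"
    sports: Tuple[int, ...] = ()   # () means "from any port"

    def matches(self, pkt: Packet) -> bool:
        if self.protos and pkt.proto not in self.protos:
            return False
        if self.sports and pkt.sport not in self.sports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default_queue: str = "std_out") -> str:
    """Return the queue pf would assign to pkt under these rules.

    pf semantics: every rule is evaluated in order and the *last* match is
    the winner, unless a matching rule says 'quick', in which case that rule
    wins immediately and nothing below it is consulted. A packet that
    matches nothing goes to the default queue (placeholder name here).
    With 'keep state' only the first packet of a flow is evaluated this way;
    later packets follow the state entry, so the first decision sticks.
    """
    winner: Optional[Rule] = None
    for rule in rules:
        if not rule.matches(pkt):
            continue
        winner = rule
        if rule.quick:
            break
    return winner.queue if winner else default_queue


SSH_PORTS = (22,)  # assumption: the post's $ssh_ports macro is not shown


def build_rules(catchall_quick: bool) -> List[Rule]:
    """The four quoted 'pass out ... queue' rules, in the order posted.

    catchall_quick=True reproduces the posted config; False is jared's
    suggestion of dropping 'quick' from the udp/icmp catch-all rules.
    """
    return [
        Rule("udp_out", "udp_out", quick=catchall_quick, protos=("udp",)),
        Rule("icmp_out", "icmp_out", quick=catchall_quick, protos=("icmp",)),
        # 'from any port domain': matches on SOURCE port 53, as written.
        Rule("dns_out", "dns_out", quick=True, protos=("tcp", "udp"), sports=(53,)),
        Rule("ssh_out", "ssh_im_out", quick=True, protos=("tcp", "udp"), sports=SSH_PORTS),
    ]


# Constructed sample packets (outbound on sis0).
DNS_REPLY = Packet("udp", 53, 40000)
SSH_REPLY = Packet("tcp", 22, 50000)
PING = Packet("icmp", 0, 0)
HTTP_REPLY = Packet("tcp", 80, 51000)


def queue_for(pkt: Packet, catchall_quick: bool) -> str:
    return evaluate(build_rules(catchall_quick), pkt)


if __name__ == "__main__":
    for name, pkt in (("dns", DNS_REPLY), ("ssh", SSH_REPLY), ("icmp", PING), ("http", HTTP_REPLY)):
        print(f"{name:5s} quick on catch-all -> {queue_for(pkt, True):10s} "
              f"quick removed -> {queue_for(pkt, False)}")
```

With `quick` on the udp catch-all the DNS reply stops at `udp_out` and never reaches the `dns_out` rule; drop `quick` there and last-match semantics carry it down to `dns_out`. The ssh rule is unaffected either way because the udp catch-all does not match tcp.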
