Configuration errors with pf?

2007-05-10 Thread Yggdrasill Senecoen

Hi,


Since I started using an OpenBSD server as gateway, instead of a Linksys WRT54GL 
running OpenWRT, I find my network performance is worse than before.

I have high latency, many disconnections, and websites are often unreachable.

I don't know if it's due to hardware or to configuration errors in my 
pf.conf; everything seems OK when I check CPU/memory/network on the gateway.


Here is my pf.conf; maybe there are some mistakes in it which could explain this?


#   $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext=rl0
int=xl0

Valistar={172.16.85.0/27}
Larry=172.16.85.27

Ssh_Larry=22
Ssh_Cyrrhus=443block in inet
Tcp_ports={21,53,80,443,6667,6697,8080}
Udp_ports={53}

set block-policy drop
set loginterface none
set optimization high-latency
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set state-policy if-bound
set skip on lo
scrub in all

nat on $ext inet from xl0:network to any -> $ext
rdr on $ext proto tcp from any to any port $Ssh_Larry -> $Larry

antispoof quick for {lo $int} inet

block in log quick inet6
block out log quick inet6
pass in log on $int from $Valistar to any flags S/SA keep state
pass out log on $int from any to $Valistar flags S/SA keep state

pass in quick on $int proto tcp from $Valistar to ($int) port $Ssh_Cyrrhus flags S/SA keep state
pass in on $ext proto tcp from any to any port $Tcp_ports flags S/SA keep state
pass in log on $ext proto tcp from any to any port $Ssh_Larry flags S/SA keep state
pass in log on $ext proto tcp from any to any port $Ssh_Cyrrhus flags S/SA keep state

pass in on $ext proto udp from any to any port $Udp_ports keep state
pass in log on $ext inet proto icmp all icmp-type {echorep,timex,unreach} keep state
pass in log on $int inet proto icmp all icmp-type {echoreq,echorep,timex,unreach} keep state

pass out log on $ext proto tcp all flags S/SA modulate state
pass out on $ext proto {udp,icmp} all keep state


Thanks for help.



Yanic



Re: Configuration errors with pf?

2007-05-10 Thread Tobias Weingartner
In article [EMAIL PROTECTED], Yggdrasill Senecoen wrote:
>
>   Ssh_Cyrrhus=443block in inet

This line could be problematic.

--Toby.
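The authoritative syntax check is pfctl -nf /etc/pf.conf on the gateway itself. As an added example (not code from either poster), the Python script below catches offline the two defects visible in the posted config: a macro line with a rule glued onto it, which is what Toby points at, and nat/rdr rules whose "->" has lost its ">". The sample input is constructed from the post's macros and is not a complete pf.conf.

```python
import re

# Macro definition: name=value (pf.conf allows spaces around "=").
MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
# A sane macro value: one bare token, one quoted string, or one braced list.
VALUE_RE = re.compile(r'"[^"]*"|\{[^{}]*\}|\S+')


def check_pf_conf(text):
    """Return (line_no, message) findings for two mail-mangling mistakes."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            name, value = m.groups()
            if not VALUE_RE.fullmatch(value):
                # e.g. "Ssh_Cyrrhus=443block in inet": a rule glued onto
                # the macro line because a newline went missing.
                findings.append((no, f'macro {name}: stray tokens after value {value!r}'))
            continue
        # Translation rules need "->"; "no nat"/"no rdr" legitimately lack it
        # and are not matched because re.match anchors at the line start.
        if re.match(r'(nat|rdr|binat)\s', line) and '->' not in line:
            findings.append((no, 'translation rule is missing its "->" target'))
    return findings


# Constructed sample: the macros and nat/rdr rules from the post as the
# mail archive shows them, with the ">" of "->" lost in transit.
SAMPLE = """\
ext=rl0
int=xl0
Valistar={172.16.85.0/27}
Larry=172.16.85.27
Ssh_Larry=22
Ssh_Cyrrhus=443block in inet
Tcp_ports={21,53,80,443,6667,6697,8080}
set limit { frags 5000, states 2500 }
nat on $ext inet from xl0:network to any - $ext
rdr on $ext proto tcp from any to any port $Ssh_Larry - $Larry
pass in on $ext proto udp from any to any port 53 keep state
"""

if __name__ == '__main__':
    for no, msg in check_pf_conf(SAMPLE):
        print(f'line {no}: {msg}')
```

Run it against the config before handing it to pfctl; a clean run only means these two patterns are absent, not that the ruleset does what you intend.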