Re: controlling ext. inbound traffic on int. interface - few doubts/thoughts

2006-07-16 Thread Travis H.

On 7/14/06, Michal Soltys <[EMAIL PROTECTED]> wrote:

> Recently I've been writing rules for small router (2 internal interfaces, 1
> external, few services running).  I've just set 1 queue for the whole
> inbound (1 mbit) on internal interface, so it won't get stalled by other
> traffic from int. net to the server itself. Essentially:
>
> altq on $if_100 cbq bandwidth 100Mb queue { if100_extbulk, \
> if100_misc, if100_ack, ... other queues }


I can't parse this.  If the traffic is to the server, it will be inbound.
Queuing works on outbound traffic.  They are distinct, and don't
interact in full-duplex mode.

Or are you talking about doing this on your external interface?


> But then I recalled the 2nd example from PF faq, that actually used
> subqueues to shape traffic of inbound traffic. But ... they all had 'borrow'
> option - does it even have a chance to work as intended this way ?


What do you mean?

If the max bandwidth isn't being used, then any one subqueue can
borrow from the others, until they need it.


> Am I thinking right ?


Can't tell, your post is lacking a lot of detail.
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
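The point in the reply above (ALTQ shapes only what leaves an interface, so traffic arriving from the outside is shaped on the internal interface's outbound side) and the question about borrow, as an added pf.conf sketch that is not from the original thread. Interface names, the LAN prefix and the queue names are assumptions; the rates are constructed to match the 1 Mbit / 100 Mbit figures in the post.

```conf
# Added example (not from the thread). Assumed interface names and LAN prefix.
ext_if  = "fxp0"             # assumed 1 Mbit uplink
int_if  = "em0"              # assumed 100 Mbit LAN interface
lan_net = "192.168.1.0/24"   # constructed LAN prefix

# ALTQ only acts on packets leaving an interface. Traffic that came in on
# $ext_if leaves towards the LAN on $int_if, so the queue that limits
# external->internal traffic is defined on $int_if, not on $ext_if.
altq on $int_if cbq bandwidth 100Mb queue { ext_in, lan_local }

  # 1 Mbit reserved for traffic that arrived from the uplink. With "borrow"
  # this is a guaranteed share, not a ceiling: when lan_local is idle the
  # queue may grow past 1Mb up to the 100Mb parent. Drop "borrow" to make
  # 1Mb a hard cap instead.
  queue ext_in    bandwidth 1Mb  cbq(borrow)

  # Everything else the box sends onto the LAN (server->LAN, replies, ...).
  queue lan_local bandwidth 99Mb cbq(default borrow)

# The queue name is recorded in the state when the packet is passed in on
# $ext_if; pf places the packet in the queue of that name on the outbound
# interface ($int_if) when it is forwarded.
pass in on $ext_if inet proto tcp from any to $lan_net \
    flags S/SA keep state queue ext_in
pass in on $ext_if inet proto udp from any to $lan_net \
    keep state queue ext_in
```

Packets for which $int_if has no queue of the recorded name fall into that interface's default queue (lan_local here), which is worth checking with `pfctl -vsq` while traffic is flowing.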


Re: pf "default deny" compile-time option?

2006-07-16 Thread Travis H.

On 7/15/06, Ryan McBride <[EMAIL PROTECTED]> wrote:

> Root can do stupid things which compromise security. Obfuscation or
> needless complexity in an attempt to protect yourself from the root
> account will only make your system less secure.


If every ruleset needs to put a rule in to default to blocking
packets, then that's needless complexity to me.


> Because the /etc/rc ruleset is only temporary, and quite small, I don't
> see the point in making performance-related changes to it (particularly
> performance-related changes that one would have a hard time measuring
> the effects of)


I doubt it could hurt.


> > and make some allowance for DHCP.
> DHCP uses bpf(4), and is unaffected by pf rulesets.


Ah, learn something new every day.

I suppose the outbound packets are passed by the ruleset, so it makes
no difference that they have a SRC IP of 0.0.0.0...
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484