hi misc,

I just want to start using ALTQ to simply prioritize the TCP ACKs (and the other lowdelay stuff, as stated in Jacek's great firewall book). I looked in /usr/share/pf/ackpri and added the rules from there to my pf.conf. I don't know why it doesn't work; maybe I am too blind to see what I am doing wrong.
If I add the queue rules to the ruleset, it stops working.
I am using 4.0-stable.

Maybe someone can hit me with a cluestick as to what I am doing wrong.

Here's my pf.conf:

#################
# Macros        #
#################
ext_if="pppoe0"
int_if="sis0"
internal_net="192.168.75.0/24"

#################
# Tables        #
#################
table <bad-ssh> persist
table <no-ftpproxy> const {XXX.XXX.32.128/25, 192.168.83.0/24}

#################
# Options       #
#################
set require-order yes
set block-policy drop
set optimization normal
set skip on lo0

#################
# Normalization #
#################
scrub in all

#################
# Queueing      #
#################
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

#################
# NAT rules     #
#################
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr pass on $ext_if proto tcp from any to ($ext_if) port 4000:4100 \
-> 192.168.75.30
rdr pass on $ext_if proto tcp from any to ($ext_if) port 6881:6889 \
-> 192.168.75.30
rdr pass on $int_if proto tcp from $internal_net to ! <no-ftpproxy> port ftp -> 127.0.0.1 port 8021

#################
# Ruleset       #
#################
block in log all
block in quick on $int_if inet proto tcp from ! 192.168.75.30 to \
! $internal_net port 25
block in quick from <bad-ssh>

anchor "ftp-proxy/*"

pass out quick on $ext_if proto tcp from ($ext_if) to any flags S/SA \
keep state queue (q_def, q_pri)
#pass in quick on $ext_if proto tcp from any to ($ext_if) flags S/SA \
#keep state queue (q_def, q_pri)

# allow ssh from outside
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA \
keep state (max-src-conn-rate 3/30, overload <bad-ssh> flush global) \
queue (q_def, q_pri)

pass in on $int_if inet from $internal_net to any modulate state

#pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state

#################
# IPSec         #
#################
pass in proto esp from XXX.XXX.124.34 to ($ext_if)
pass out proto esp from ($ext_if) to XXX.XXX.124.34

pass in on enc0 proto ipencap from XXX.XXX.124.34 to ($ext_if)

pass in on enc0 from 192.168.83.0/24 to 192.168.75.0/24
pass in on enc0 from XXX.XXX.32.128/25 to 192.168.75.20/24

pass in on $ext_if proto udp from XXX.XXX.124.34 port = 500 to \
($ext_if) port = 500
pass out on $ext_if proto udp from ($ext_if) port = 500 to \
XXX.XXX.124.34 port = 500
#################

#################
# Antispoof     #
#################
antispoof for $ext_if

Please note that it's not working, regardless of whether the rule

#pass in quick on $ext_if proto tcp from any to ($ext_if) flags S/SA \
#keep state queue (q_def, q_pri)

is active or not.

TIA,
marc

FWIW, here's the dmesg of this box:
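As an added static check (not code from the post, and not part of OpenBSD or pfctl), here is a small Python linter for the queueing part of a pf.conf like the one above: it joins backslash-continued lines, expands macros, and verifies that every queue named in a rule's `queue (...)` is defined, that the priq setup has exactly one default queue, and that the second queue of a `queue (a, b)` pair, which pf uses for empty TCP ACKs and lowdelay packets, has the higher priority. The embedded excerpt is constructed from the queueing-relevant lines of the ruleset above.

```python
import re

# Constructed excerpt of the pf.conf from the post (queueing-relevant lines only).
PF_CONF = r"""
ext_if="pppoe0"
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out quick on $ext_if proto tcp from ($ext_if) to any flags S/SA \
keep state queue (q_def, q_pri)
"""

def logical_lines(text):
    # Drop comments and join backslash-continued lines the way pfctl reads them.
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            out.append((buf + line).strip())
        buf = ""
    return out

def check_altq(text):
    macros, declared, prio, defaults, refs, findings, altq_if = {}, [], {}, [], [], [], None
    for line in logical_lines(text):
        line = re.sub(r"\$(\w+)", lambda x: macros.get(x.group(1), x.group(0)), line)
        if m := re.match(r'^(\w+)="([^"]*)"$', line):
            macros[m.group(1)] = m.group(2)
        elif m := re.match(r"^altq on (\S+) \w+ .*queue \{([^}]*)\}", line):
            altq_if, declared = m.group(1), [q.strip() for q in m.group(2).split(",")]
        elif m := re.match(r"^queue (\w+) priority (\d+)(.*)$", line):
            prio[m.group(1)] = int(m.group(2))
            defaults += [m.group(1)] if "default" in m.group(3) else []
        elif m := re.search(r"\bqueue \(([^)]*)\)", line):
            refs.append([q.strip() for q in m.group(1).split(",")])
    if altq_if is None or altq_if.startswith("$"):
        findings.append("altq interface missing or macro unresolved: %s" % altq_if)
    for q in sorted(set(declared) ^ set(prio)):
        findings.append("queue %s is declared in altq but never defined, or vice versa" % q)
    if len(defaults) != 1:
        findings.append("priq needs exactly one default queue, found %d" % len(defaults))
    for qs in refs:
        findings += ["rule references undefined queue %s" % q for q in qs if q not in prio]
        # With queue (a, b), pf puts empty TCP ACKs and lowdelay packets in b, so b must outrank a.
        if len(qs) == 2 and all(q in prio for q in qs) and prio[qs[1]] <= prio[qs[0]]:
            findings.append("queue (%s, %s): second queue must have the higher priority" % tuple(qs))
    return findings
```

An empty list means the queue declarations are consistent; `pfctl -nf /etc/pf.conf` and `pfctl -vs queue` on the box itself remain the authoritative checks, including whether the kernel actually enables ALTQ on that interface.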
