Dougal
November 29th, 2004, 10:28
Hi all,

I haven't used PF yet for a full firewall solution, although I plan to shortly, but I have a problem at the moment that I could do with a pointer for.

Can someone suggest a quick and dirty pf.conf file so I can just limit outgoing FTP traffic from my OpenBSD FTP server.. My 750/128kbps cable connection is crippled by outbound at the moment. :-(

The firewall would be running on the server itself so that should make things easier... I hope.

Thanks guys.

Strog
November 29th, 2004, 12:10
The PF Repository (https://solarflux.org/pf/) and the PF User's Guide (http://www.openbsd.org/faq/pf/queueing.html) are the best places to look for this kind of info. PF-R has plenty of examples to look at and glean from (i.e. rip off :squarewin ).

There are a couple of approaches that I can see, depending on how you want to handle it. You could use class-based queueing (CBQ) and assign ftp a set amount of bandwidth to use. You can let it borrow bandwidth from other queues or lock it down. Another option is to use priority queueing (PRIQ) and put ftp in a low queue (probably even below the default queue). This allows ftp to use as much bandwidth as is available, but any other traffic in a higher queue will bump it when needed. If you use PRIQ then definitely check out Daniel Hartmeier's page (http://www.benzedrine.cx/ackpri.html) on prioritizing TCP ACK packets. It makes a big difference on every network I've used it on.


A few things you need to remember when setting up queueing.

Block all and then pass with queue assignments. I can't tell you how many times I've seen people setup queues and wonder why they don't work when they didn't setup initial blocks.

Queue on the outbound side of each interface. The packet has already used the bandwidth on inbound so queueing at that point is basically worthless.

Don't forget to change your queue speeds if your connection speed changes. If you set it too high then you won't get the benefit of queueing; if you set it too low then you won't get all your bandwidth. I went from a 3mb/128k line to 4mb/512k and it took me a couple of days to realize why my speeds weren't improving. I changed the queue speeds and it was muuuuuuch better. :smile-l:
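To make the PRIQ approach above concrete, here is an added example pf.conf in the ALTQ syntax of that era; it is not from this thread or from the PF project's documentation, and it follows the three reminders given above (block all first, queue on the outbound interface, set the queue bandwidth to the real upstream). It assumes the external interface is xl0, that the upstream is set at 120Kb (just under the 128kbps uplink, so the queue and not the cable modem is what fills up), and that ftpd's passive data ports fall in the range 49152-65535; all three are assumptions, and the last one only holds if the ftp daemon is actually configured to that range.

```pf
# Added example, not from the original thread.
# Assumptions: external interface xl0, 128kbps uplink, ftpd passive
# data ports limited to 49152-65535 (adjust to match your ftpd).
ext_if = "xl0"
ftp_pasv = "49152:65535"

# Queue on the OUTBOUND side of the external interface only.
# Bandwidth is set slightly below the real uplink (128kbps) so that PF,
# not the cable modem, is the bottleneck that actually does the queueing.
altq on $ext_if priq bandwidth 120Kb queue { q_ack, q_def, q_ftp }

# Highest priority: empty TCP ACKs (and TOS lowdelay), per Hartmeier's
# trick, so downloads are not throttled by starved acknowledgements.
queue q_ack priority 7
# Everything else that is not ftp.
queue q_def priority 4 priq(default)
# ftp below the default queue: it gets whatever bandwidth is left over.
queue q_ftp priority 1

# Block everything first, then pass with explicit queue assignments.
block all
pass quick on lo0

# Outbound connections from the server itself (non-ftp).
# With two queues named, pure ACKs go to the second one (q_ack).
pass out on $ext_if proto tcp from $ext_if to any \
    flags S/SA keep state queue (q_def, q_ack)
pass out on $ext_if proto udp from $ext_if to any keep state queue q_def

# Inbound ftp control channel (port 21) and passive data channel.
# The state created here also tags the server's OUTBOUND replies on
# $ext_if, which is where the actual bulk data leaves, so they land in q_ftp.
pass in on $ext_if proto tcp from any to $ext_if port 21 \
    flags S/SA keep state queue (q_ftp, q_ack)
pass in on $ext_if proto tcp from any to $ext_if port $ftp_pasv \
    flags S/SA keep state queue (q_ftp, q_ack)

# Active-mode data connections originate from the server on port 20.
pass out on $ext_if proto tcp from $ext_if port 20 to any \
    flags S/SA keep state queue (q_ftp, q_ack)
```

Because of the initial `block all`, any other service the box offers (ssh, http, and so on) needs its own `pass in` rule with a queue assignment, or it will simply be dropped. Check the result with `pfctl -vvsq`, which shows per-queue packet and byte counters; if q_ftp never fills while q_def is idle, the altq bandwidth is probably set too high and the modem, not PF, is doing the queueing.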

Dougal
November 30th, 2004, 04:23
Thanks Strog,

I'll take a look and see how I get on.

I see a busy week ahead learning cool new stuff :-)