Aries-III
June 7th, 2005, 08:54
Hey,
Noticed that there are no posts in this forum in the past 30 days :-/... not sure if I'll get an answer, but I'm plain-out STUCK.
I have a (so far) working pf.conf, and I have all the altq stuff I thought I needed in there, and it seems to read well, but it isn't working correctly! The internet works fine, and there are no errors, but the queue's aren't wanting to work correctly other than the SYN/ACK prioritization queue (which is a good sign nonetheless).
So, I will post my pf.conf in the hopes that someone can tell me why the queues don't wanna work the way that I'm intending. Just hope that my intentions are understandable from the code :P
/edit Code removed due to an obvious screw-up I made!! Will fix and see if it works, then if not, I'll repost it :P
/edit again... ARGH nope didn't work --so here is my pf.conf :|
################################################## #########################
# OpenBSD PF Ruleset
#
# Network is 192.168.1.x
#
# Main computers:
# ---Main(Win2K): 192.168.1.16 (High Priority-Game box ;P)
# ---Main(*nix) : 192.168.1.17 (Medium Priority)
# ---WebServer : 192.168.1.15 (Lowest priority [in whole network])
#
# Note: I should probably install another NIC and put the server on it by
# itself. Many sites seem to say this.
#
# All other computers should be low priority (I have roommates that HOG)
#
################################################## ##########################
################################################## ########
# Macro Definitions:
loop= "lo0"
ext_if= "{ tun0 }"
int_if= "rl0"
int_net= "192.168.1.0/24"
unfiltered= "{ lo0, rl0 }"
#modulate state=keep state with high quality random ISNs
tcp_opts = "flags S/SA modulate state"
udp_opts = "keep state"
main_comp= "192.168.1.16"
unix_comp= "192.168.1.17"
server= "192.168.1.15"
# low_comps= "192.168.1.xx" How do I specify ip-ranges?
# Web Services offered by 192.168.1.15 (ports):
services= "{ 80, 443, 20:21, 25, 8888, 32006 }"
# /Macro Defs
#############################
################################################## ########
# Network Options:
set block-policy drop
#set loginterface $ext_if
#
#############################
################################################## ########
# Table Definitions:
# table containing all IP addresses assigned to the firewall
table <firewall> const { self }
# Networks that aren't assigned and/or aren't allowed to be routed on the internet
table <reserved> persist { \
0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, \
27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/7, 39.0.0.0/8, 41.0.0.0/8, 42.0.0.0/8, \
49.0.0.0/8, 50.0.0.0/8, 58.0.0.0/7, 70.0.0.0/7, 72.0.0.0/5, 83.0.0.0/8, \
84.0.0.0/6, 88.0.0.0/5, 96.0.0.0/3, 169.254.0.0/16, 172.16.0.0/12, \
173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/5, 184.0.0.0/6, 189.0.0.0/8, \
190.0.0.0/8, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8, 198.18.0.0/15, \
223.0.0.0/8, 224.0.0.0/3, 255.255.255.255 \
}
# Evil advertizing spam
table <doubleclick> persist { \
216.73.80.0/20, 204.253.104.0/24, 205.138.3.0/24, 208.184.29.0/24, \
206.65.183.0/24 \
}
table <mediaforce> persist { \
2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24, 208.251.137.0/24 \
}
table <main_comps> persist { 192.168.1.16, 192.168.1.17 }
table <them> persist { 192.168.1.0/24, ! $main_comp, ! $unix_comp, ! $server }
# /Table Defs
#############################
################################################## ########
# Packet-Scrubbing
# In-bound scrubbing
scrub in on $ext_if all \
no-df min-ttl 100 max-mss 1492 fragment reassemble
# Out-bound scrubbing
#
scrub out on $ext_if all \
max-mss 1492 fragment reassemble random-id no-df
# For NFS
scrub in on $int_if all no-df
scrub out on $int_if all no-df
# /Scrub
#############################
################################################## ########
# Queues - Priorities (AKA: Keeping me on top!!)
# Will use CBQ 'cause it seems to be the easiest. I need
# to use 3 queue's--one for me, one for the webserver,
# and one for the rest of the people on the network.
# Note: Using 'RED' alot since it seems to be the best
# option, from what I was reading (don't see why it
# is not used on all the configs I've seen)... maybe
# this isn't a good thing to use *ALL* the time???
# Incoming queue
altq on $int_if cbq bandwidth 2.8Mb queue { std_in, fast_in }
queue std_in bandwidth 90% cbq(default, borrow) { me_in, thm_in, srv_in }
queue me_in bandwidth 60% priority 3 cbq(red, borrow)
queue thm_in bandwidth 30% priority 2 cbq(red, borrow)
queue srv_in bandwidth 10% priority 1 cbq(red, borrow)
queue fast_in bandwidth 10% priority 5 cbq(red, borrow)
# Outgoing queue
altq on $ext_if cbq bandwidth 280Kb queue { std_out, fast_out }
queue std_out bandwidth 90% cbq(default, red, borrow) { me_out, thm_out, srv_out }
queue me_out bandwidth 60% priority 3 cbq(red, borrow)
queue thm_out bandwidth 30% priority 2 cbq(red, borrow)
queue srv_out bandwidth 10% priority 1 cbq(red, borrow)
queue fast_out bandwidth 10% priority 5 cbq(red, borrow)
# /Queue
#############################
################################################## ########
# NAT - "Port Forwarding"
# NAT
nat on $ext_if inet from $int_net to any -> $ext_if
# Port Redirection
# Webserver (This rule is probably WAY too loose!)
rdr on $ext_if proto { tcp, udp } from any to $ext_if port $services -> $server
# GnuTella on main computer.
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 18006 -> $main_comp port 18006
# That freaky thing to let internal network get to server:
rdr on $int_if proto tcp from 192.168.1.0/24 to $ext_if port 80 -> \
127.0.0.1 port 5000
# /NAT
#############################
################################################## ########
# Packet Filtering "Security" and Queue Assignment
# Dont bug loopback/internal network:
pass quick on $unfiltered all
# Default policy
block in log quick from no-route to any
block in log on $ext_if
block return in quick log on $ext_if inet proto tcp from any to $ext_if port 113
block return-icmp(10) in quick log on $int_if to { <verisign>, <doubleclick>, <mediaforce> }
block in quick on $ext_if from { <verisign>, <doubleclick>, <mediaforce> }
block return-icmp(10) in log on $int_if to <reserved>
block in log on $ext_if from <reserved>
# I dont see me using inet6 yet...
#block all inet6
# Kill spoofing
antispoof quick for $int_if inet
# Allow SSH *ONLY* from my main box:
block return in quick on $int_if proto tcp from ! <main_comps> \
to $int_if port ssh flags S/SA
# Normal pass rules and Queue Assignment:
# Outgoing - Prioritize connection-creation:
pass out quick on $ext_if inet proto tcp from any to any flags S/SA keep state queue fast_out
# Pass rules for ME-queue
pass in on $ext_if inet proto { tcp, udp } from any to <main_comps> port 18006 flags S/SA keep state queue me_in
pass in on $ext_if inet proto icmp from any to <main_comps> icmp-type { echorep, echoreq, timex, unreach } queue me_in
pass in on $ext_if inet proto tcp from any to <main_comps> queue me_in
pass out on $ext_if inet proto { tcp, udp, icmp } from <main_comps> to any keep state queue me_out
# Pass rules for Server-queue
pass in on $ext_if inet proto tcp from any to any port $services flags S/SA keep state queue fast_in
pass in on $ext_if inet proto icmp from any to $server icmp-type { echorep, echoreq, timex, unreach } queue srv_in
pass in on $ext_if inet proto tcp from any to $server queue srv_in
pass out on $ext_if inet proto { tcp, udp, icmp } from $server to any keep state queue srv_out
# Pass rules for the rest of the idiots on the network
pass in on $ext_if inet proto icmp from any to <them> icmp-type { echorep, echoreq, timex, unreach } queue thm_in
pass in on $ext_if inet proto tcp from any to <them> queue thm_in
pass out on $ext_if inet proto { tcp, udp, icmp } from <them> to any keep state queue thm_out
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp from any to ! <firewall> \
port ssh flags S/SA synproxy state queue srv_in
# /Packet Filters
#############################
#######################---End of File---#######################
Here is the output of "pfctl -vvs queue"
queue root_rl0 bandwidth 2.80Mb priority 0 cbq( wrr root ) {std_in, fast_in}
[ pkts: 2236 bytes: 1704120 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue std_in bandwidth 2.52Mb cbq( red borrow default ) {me_in, thm_in, srv_in}
[ pkts: 2236 bytes: 1704120 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue me_in bandwidth 1.51Mb priority 3 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue thm_in bandwidth 756Kb priority 2 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue srv_in bandwidth 252Kb cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue fast_in bandwidth 280Kb priority 5 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue root_tun0 bandwidth 280Kb priority 0 cbq( wrr root ) {std_out, fast_out}
[ pkts: 2232 bytes: 279509 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue std_out bandwidth 252Kb cbq( red borrow default ) {me_out, thm_out, srv_out}
[ pkts: 910 bytes: 54721 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue me_out bandwidth 151.20Kb priority 3 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue thm_out bandwidth 75.60Kb priority 2 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue srv_out bandwidth 25.20Kb cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue fast_out bandwidth 28Kb priority 5 cbq( red borrow )
[ pkts: 1322 bytes: 224788 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 544 suspends: 0 ]
It seems that the main queues are working, but the child queues are not... and I can't figure out for the life of me why they aren't working.
Noticed that there are no posts in this forum in the past 30 days :-/... not sure if I'll get an answer, but I'm plain-out STUCK.
I have a (so far) working pf.conf, and I have all the altq stuff I thought I needed in there, and it seems to read well, but it isn't working correctly! The internet works fine, and there are no errors, but the queue's aren't wanting to work correctly other than the SYN/ACK prioritization queue (which is a good sign nonetheless).
So, I will post my pf.conf in the hopes that someone can tell me why the queues don't wanna work the way that I'm intending. Just hope that my intentions are understandable from the code :P
/edit Code removed due to an obvious screw-up I made!! Will fix and see if it works, then if not, I'll repost it :P
/edit again... ARGH nope didn't work --so here is my pf.conf :|
################################################## #########################
# OpenBSD PF Ruleset
#
# Network is 192.168.1.x
#
# Main computers:
# ---Main(Win2K): 192.168.1.16 (High Priority-Game box ;P)
# ---Main(*nix) : 192.168.1.17 (Medium Priority)
# ---WebServer : 192.168.1.15 (Lowest priority [in whole network])
#
# Note: I should probably install another NIC and put the server on it by
# itself. Many sites seem to say this.
#
# All other computers should be low priority (I have roommates that HOG)
#
################################################## ##########################
################################################## ########
# Macro Definitions:
loop= "lo0"
ext_if= "{ tun0 }"
int_if= "rl0"
int_net= "192.168.1.0/24"
unfiltered= "{ lo0, rl0 }"
#modulate state=keep state with high quality random ISNs
tcp_opts = "flags S/SA modulate state"
udp_opts = "keep state"
main_comp= "192.168.1.16"
unix_comp= "192.168.1.17"
server= "192.168.1.15"
# low_comps= "192.168.1.xx" How do I specify ip-ranges?
# Web Services offered by 192.168.1.15 (ports):
services= "{ 80, 443, 20:21, 25, 8888, 32006 }"
# /Macro Defs
#############################
################################################## ########
# Network Options:
set block-policy drop
#set loginterface $ext_if
#
#############################
################################################## ########
# Table Definitions:
# table containing all IP addresses assigned to the firewall
table <firewall> const { self }
# Networks that aren't assigned and/or aren't allowed to be routed on the internet
table <reserved> persist { \
0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, \
27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/7, 39.0.0.0/8, 41.0.0.0/8, 42.0.0.0/8, \
49.0.0.0/8, 50.0.0.0/8, 58.0.0.0/7, 70.0.0.0/7, 72.0.0.0/5, 83.0.0.0/8, \
84.0.0.0/6, 88.0.0.0/5, 96.0.0.0/3, 169.254.0.0/16, 172.16.0.0/12, \
173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/5, 184.0.0.0/6, 189.0.0.0/8, \
190.0.0.0/8, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8, 198.18.0.0/15, \
223.0.0.0/8, 224.0.0.0/3, 255.255.255.255 \
}
# Evil advertizing spam
table <doubleclick> persist { \
216.73.80.0/20, 204.253.104.0/24, 205.138.3.0/24, 208.184.29.0/24, \
206.65.183.0/24 \
}
table <mediaforce> persist { \
2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24, 208.251.137.0/24 \
}
table <main_comps> persist { 192.168.1.16, 192.168.1.17 }
table <them> persist { 192.168.1.0/24, ! $main_comp, ! $unix_comp, ! $server }
# /Table Defs
#############################
################################################## ########
# Packet-Scrubbing
# In-bound scrubbing
scrub in on $ext_if all \
no-df min-ttl 100 max-mss 1492 fragment reassemble
# Out-bound scrubbing
#
scrub out on $ext_if all \
max-mss 1492 fragment reassemble random-id no-df
# For NFS
scrub in on $int_if all no-df
scrub out on $int_if all no-df
# /Scrub
#############################
################################################## ########
# Queues - Priorities (AKA: Keeping me on top!!)
# Will use CBQ 'cause it seems to be the easiest. I need
# to use 3 queue's--one for me, one for the webserver,
# and one for the rest of the people on the network.
# Note: Using 'RED' alot since it seems to be the best
# option, from what I was reading (don't see why it
# is not used on all the configs I've seen)... maybe
# this isn't a good thing to use *ALL* the time???
# Incoming queue
altq on $int_if cbq bandwidth 2.8Mb queue { std_in, fast_in }
queue std_in bandwidth 90% cbq(default, borrow) { me_in, thm_in, srv_in }
queue me_in bandwidth 60% priority 3 cbq(red, borrow)
queue thm_in bandwidth 30% priority 2 cbq(red, borrow)
queue srv_in bandwidth 10% priority 1 cbq(red, borrow)
queue fast_in bandwidth 10% priority 5 cbq(red, borrow)
# Outgoing queue
altq on $ext_if cbq bandwidth 280Kb queue { std_out, fast_out }
queue std_out bandwidth 90% cbq(default, red, borrow) { me_out, thm_out, srv_out }
queue me_out bandwidth 60% priority 3 cbq(red, borrow)
queue thm_out bandwidth 30% priority 2 cbq(red, borrow)
queue srv_out bandwidth 10% priority 1 cbq(red, borrow)
queue fast_out bandwidth 10% priority 5 cbq(red, borrow)
# /Queue
#############################
################################################## ########
# NAT - "Port Forwarding"
# NAT
nat on $ext_if inet from $int_net to any -> $ext_if
# Port Redirection
# Webserver (This rule is probably WAY too loose!)
rdr on $ext_if proto { tcp, udp } from any to $ext_if port $services -> $server
# GnuTella on main computer.
rdr on $ext_if proto { tcp, udp } from any to $ext_if port 18006 -> $main_comp port 18006
# That freaky thing to let internal network get to server:
rdr on $int_if proto tcp from 192.168.1.0/24 to $ext_if port 80 -> \
127.0.0.1 port 5000
# /NAT
#############################
################################################## ########
# Packet Filtering "Security" and Queue Assignment
# Dont bug loopback/internal network:
pass quick on $unfiltered all
# Default policy
block in log quick from no-route to any
block in log on $ext_if
block return in quick log on $ext_if inet proto tcp from any to $ext_if port 113
block return-icmp(10) in quick log on $int_if to { <verisign>, <doubleclick>, <mediaforce> }
block in quick on $ext_if from { <verisign>, <doubleclick>, <mediaforce> }
block return-icmp(10) in log on $int_if to <reserved>
block in log on $ext_if from <reserved>
# I dont see me using inet6 yet...
#block all inet6
# Kill spoofing
antispoof quick for $int_if inet
# Allow SSH *ONLY* from my main box:
block return in quick on $int_if proto tcp from ! <main_comps> \
to $int_if port ssh flags S/SA
# Normal pass rules and Queue Assignment:
# Outgoing - Prioritize connection-creation:
pass out quick on $ext_if inet proto tcp from any to any flags S/SA keep state queue fast_out
# Pass rules for ME-queue
pass in on $ext_if inet proto { tcp, udp } from any to <main_comps> port 18006 flags S/SA keep state queue me_in
pass in on $ext_if inet proto icmp from any to <main_comps> icmp-type { echorep, echoreq, timex, unreach } queue me_in
pass in on $ext_if inet proto tcp from any to <main_comps> queue me_in
pass out on $ext_if inet proto { tcp, udp, icmp } from <main_comps> to any keep state queue me_out
# Pass rules for Server-queue
pass in on $ext_if inet proto tcp from any to any port $services flags S/SA keep state queue fast_in
pass in on $ext_if inet proto icmp from any to $server icmp-type { echorep, echoreq, timex, unreach } queue srv_in
pass in on $ext_if inet proto tcp from any to $server queue srv_in
pass out on $ext_if inet proto { tcp, udp, icmp } from $server to any keep state queue srv_out
# Pass rules for the rest of the idiots on the network
pass in on $ext_if inet proto icmp from any to <them> icmp-type { echorep, echoreq, timex, unreach } queue thm_in
pass in on $ext_if inet proto tcp from any to <them> queue thm_in
pass out on $ext_if inet proto { tcp, udp, icmp } from <them> to any keep state queue thm_out
# allow ssh connections in on the external interface as long as they're
# NOT destined for the firewall (i.e., they're destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp from any to ! <firewall> \
port ssh flags S/SA synproxy state queue srv_in
# /Packet Filters
#############################
#######################---End of File---#######################
Here is the output of "pfctl -vvs queue"
queue root_rl0 bandwidth 2.80Mb priority 0 cbq( wrr root ) {std_in, fast_in}
[ pkts: 2236 bytes: 1704120 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue std_in bandwidth 2.52Mb cbq( red borrow default ) {me_in, thm_in, srv_in}
[ pkts: 2236 bytes: 1704120 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue me_in bandwidth 1.51Mb priority 3 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue thm_in bandwidth 756Kb priority 2 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue srv_in bandwidth 252Kb cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue fast_in bandwidth 280Kb priority 5 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue root_tun0 bandwidth 280Kb priority 0 cbq( wrr root ) {std_out, fast_out}
[ pkts: 2232 bytes: 279509 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue std_out bandwidth 252Kb cbq( red borrow default ) {me_out, thm_out, srv_out}
[ pkts: 910 bytes: 54721 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue me_out bandwidth 151.20Kb priority 3 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue thm_out bandwidth 75.60Kb priority 2 cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue srv_out bandwidth 25.20Kb cbq( red borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
queue fast_out bandwidth 28Kb priority 5 cbq( red borrow )
[ pkts: 1322 bytes: 224788 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 544 suspends: 0 ]
It seems that the main queues are working, but the child queues are not... and I can't figure out for the life of me why they aren't working.