4th January 2009
plexter
Shell Scout
 
Join Date: May 2008
Posts: 124

Hello there,

Thanks for your replies.

I have adjusted my pf.conf file with your state suggestions. This seems to have actually helped. Ports are no longer being blocked. Thanks!

However, with queues (a, b): is the first field (a) not just a general marker, where the second (b) is for TOS, which would account for more than TCP ACK?

I have adjusted the queues as you suggested anyway. I have not experienced any difference so far so I suppose it is possible (b) was not doing anything at all. Clarification would be nice if possible.

In regards to logging, I already did have log set up on some rules. However, since I made the above changes I no longer see any log results for INCOMING traffic. I'm not sure why or how this happened. Perhaps I made a typo of some kind?

Code:
#Last Modified Jan 03 2009

#Interfaces
ext_if="fxp0"
int_if="fxp1"

#Devices
dlbox = "{ 10.10.200.4 }"
main = "{ 10.10.200.13 }"
ftpsrv = "{ 192.168.233.3 }"
websrv = "{ 192.168.233.4 }"
exc2k3 = "{ 10.10.200.3 }"
voipnet = "{ 192.168.255.0/24 }"
voipone = "{ 192.168.255.2 }"
sshport = "{ 2201 }"
VOIPSERV = "{ CENSORED }"

#Options
set require-order yes
set block-policy drop
set loginterface $ext_if
set loginterface $int_if
set state-policy floating
set fingerprints "/etc/pf.os"
set ruleset-optimization none

#Timeout Settings
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

#Connection Normalization

scrub all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#Queuing ALTQ
#Upload assumed approx 80kb or 640Kb queued approx 94%

altq on $ext_if cbq bandwidth 600Kb queue { tcpack, voip, dns, mainpc, webftp, dlbox, std }

queue std bandwidth 10% priority 1 cbq(borrow red default)
queue dlbox bandwidth 10% priority 2 cbq(borrow red)
queue webftp bandwidth 5% priority 3 cbq(borrow red)
queue mainpc bandwidth 10% priority 4 cbq(borrow red)
queue dns bandwidth 5% priority 5 cbq(borrow red)
queue tcpack bandwidth 20% priority 6 cbq(borrow red)
queue voip bandwidth 40% priority 7 cbq(borrow red)

block in log on $ext_if

#TCP Traffic Out on $ext_if
pass out on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass out quick on $ext_if inet proto tcp from $dlbox to any modulate state queue(dlbox, tcpack)
pass out quick on $ext_if inet proto tcp from $ftpsrv to any port ftp modulate state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $websrv to any port 10001 modulate state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $exc2k3 to any modulate state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any modulate state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto tcp from any to any port domain modulate state queue(dns, tcpack)


#UDP Traffic Out on $ext_if
#pass out on $ext_if inet proto udp from any to any keep state queue(std, tcpack)
pass out quick on $ext_if inet proto udp from any to any port ntp queue(dns)
pass out quick on $ext_if inet proto udp from any to any port domain queue(dns)
pass out quick on $ext_if inet proto udp from any to any port 514 queue(std)
pass out quick log on $ext_if inet proto udp from $voipone to $VOIPSERV port 5060 keep state queue(voip) label VOIP_OUT
pass out quick log on $ext_if inet proto udp from $voipone to $VOIPSERV port 5000 keep state queue(voip) label VOIP_OUT
pass out quick log on $ext_if inet proto udp from $voipone to $VOIPSERV port > 10000 keep state queue(voip) label VOIP_OUT
pass out on $ext_if inet proto udp from $dlbox to any port 63600 keep state queue(dlbox)
#TCP/UDP Traffic Out on $ext_if

#TCP Traffic In on $ext_if

pass in quick on $ext_if inet proto tcp from any to any port 10001 synproxy state queue(webftp, tcpack)

#UDP Traffic In on $ext_if

pass in on $ext_if inet proto udp from any to any port domain queue(dns)
pass in on $ext_if inet proto udp from $voipone to any port ntp queue(dns)
pass in on $ext_if inet proto udp from any to any port 514 queue(std)
pass in on $ext_if inet proto udp from any to $dlbox port 63600 keep state queue(dlbox)
pass in quick log on $ext_if inet proto udp from any to $voipone port 5060 keep state queue(voip) label VOIP_IN
pass in quick log on $ext_if inet proto udp from any to $voipone port 5000 keep state queue(voip) label VOIP_IN
pass in quick log on $ext_if inet proto udp from any to $voipone port > 10000 queue(voip) label VOIP_IN
Any idea?

Thanks.
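The two things the post asks about, the meaning of the second queue in queue(a, b) and why log lines for one direction can disappear, are both visible in the ruleset itself, so the following script audits a pf.conf for them offline. It is an added example, not code from the original post: it counts "set loginterface" lines (pf keeps a single loginterface, so when the directive appears twice only the last one takes effect), lists pass rules per direction that carry no "log" keyword (pf writes to pflog only for rules that say "log", and a stateful rule logs just the packet that creates the state; later packets match the state entry and never reach the rule again), and counts rules that name a second queue, which pf.conf(5) reserves for TOS lowdelay packets and empty TCP ACKs. The sample pf.conf written to a temp file is constructed for the example and is not the poster's complete ruleset; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: an offline audit of a pf.conf
# for the settings that most often explain missing pflog entries.
#   - pf honours one loginterface; a second "set loginterface" replaces the first.
#   - a pass rule reaches pflog only when it carries "log", and a stateful
#     rule logs only the packet that creates the state.
#   - queue(a, b): pf.conf(5) sends TOS lowdelay packets and empty TCP ACKs
#     to queue b, everything else to queue a.
# The sample config below is constructed for this example; it is not the
# poster's complete ruleset.

SAMPLE_CONF="${TMPDIR:-/tmp}/pf_audit_sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample pf.conf
ext_if="fxp0"
int_if="fxp1"
set loginterface $ext_if
set loginterface $int_if
block in log on $ext_if
pass out quick on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass in on $ext_if inet proto udp from any to any port domain queue(dns)
pass in quick log on $ext_if inet proto udp from any to 192.168.255.2 port 5060 keep state queue(voip) label VOIP_IN
EOF

# Print the rule lines with comments removed and blank lines dropped.
active_lines() {
    sed 's/#.*$//' "$1" | awk 'NF > 0 { print }'
}

# Number of "set loginterface" lines. More than one means only the last
# interface is actually used for the pfctl -s info counters.
count_loginterface() {
    active_lines "$1" | awk '$1 == "set" && $2 == "loginterface" { n++ } END { print n + 0 }'
}

# Number of "pass <dir>" rules (dir = in or out) that do not carry "log":
# traffic matched by these rules never shows up in pflog.
count_unlogged_pass() {
    active_lines "$2" | awk -v dir="$1" '
        $1 == "pass" && $2 == dir {
            logged = 0
            for (i = 3; i <= NF; i++)
                if ($i == "log" || substr($i, 1, 4) == "log(") logged = 1
            if (!logged) n++
        }
        END { print n + 0 }'
}

# Number of rules that name a second queue, i.e. queue(a, b).
count_second_queue() {
    active_lines "$1" | awk '/queue\([^,)]*,[^)]*\)/ { n++ } END { print n + 0 }'
}

# Human-readable summary of the checks above for one config file.
audit_pf_conf() {
    printf 'set loginterface lines: %s (only the last one takes effect)\n' "$(count_loginterface "$1")"
    printf 'pass in rules without log: %s\n' "$(count_unlogged_pass in "$1")"
    printf 'pass out rules without log: %s\n' "$(count_unlogged_pass out "$1")"
    printf 'rules with a second queue (lowdelay / empty ACK): %s\n' "$(count_second_queue "$1")"
}

audit_pf_conf "$SAMPLE_CONF"
```

Run it against a real file with `audit_pf_conf /etc/pf.conf`. The comment stripping is deliberately simple (a `#` inside a quoted string would truncate that line), which is adequate for a ruleset in the style posted above.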