23rd June 2011
magnesik
PF - packets filtering by length?

Is it possible to filter packets by length? If it is possible, then how? I know that iptables (for Linux) has it.

A piece of my router's firewall looks like this:

##Upload without main queue
queue up_komp1     bandwidth  12% priority 5 qlimit 500 hfsc (realtime 10% upperlimit 99% ecn) { u_komp1 u_ack_komp1}

    queue u_ack_komp1 bandwidth 50% priority 6 qlimit 500 hfsc
    queue u_komp1   bandwidth 50% priority 5 qlimit 500 hfsc

##Download without main queue
queue dn_komp1      bandwidth  12% priority 5 qlimit 500 hfsc (realtime 10% upperlimit 99% ecn) { d_komp1, d_ack_komp1 }

    queue d_ack_komp1 bandwidth 50% priority 6 qlimit 500 hfsc
    queue d_komp1   bandwidth 50% priority 5 qlimit 500 hfsc

## and after all

pass in quick on $int_if from $komp1 to any tag komp1 keep state queue (d_komp1, d_ack_komp1)
pass out quick on $ext_if tagged komp1 keep state queue (u_komp1, u_ack_komp1)

My question is related to a problem which I have. While uploading files by HTTP (port 80) on a machine connected to the router with the firewall listed above, the internet on it is frozen. Any other service doesn't work or works very, very slowly. (Maybe I should have another firewall with QoS on the local machine?)

I read somewhere that ACKs are not only small packets but sometimes contain a payload. In this case they have higher priority than other packets, and I suspect them (huge ACKs) as my problem.
In iptables it is possible to filter packets by length and assign proper priority to smaller ACKs and bigger ACKs.

Is it a good idea to set SYN and RST with priority to optimize utilization of bandwidth? If yes - how?