DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 23rd July 2008
RudiK RudiK is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Question ALTQ Question regarding

Hello,

I am running a FBSD 7 firewall @ home connected to a DSL line which I share with my wife.

One of the main problems that I have encountered is that when my wife surfs the internet my online gaming screeches to a halt untill the page has loaded and by that time I've been pwned

I was thinking about using ALTQ to prioritize the traffic and after checking out Daniel Hartmeier's page on "Prioritizing empty TCP ACKs" (http://www.benzedrine.cx/ackpri.html) I came up with the variation of his rule set.

Code:
ext_if="tun0"

cod_ports = "{28960:29000}"

altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def, q_cod, q_domain, q_ssh }

queue q_pri priority 10
queue q_cod priority 9
queue q_domain priority 8
queue q_ssh priority 7
queue q_def priority 1 priq(default)

pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state queue (q_def, q_pri)
pass in  on $ext_if proto tcp from any to $ext_if flags S/SA keep state queue (q_def, q_pri)

pass out on $ext_if proto udp from $ext_if to any port $cod_ports modulate state queue q_cod
pass in  on $ext_if proto udp from any to $ext_if port $cod_ports modulate state queue q_cod

pass out on $ext_if proto tcp from $ext_if to any port domain flags S/SA keep state queue q_domain
pass in  on $ext_if proto tcp from any to $ext_if port domain flags S/SA  keep state queue q_domain

pass out on $ext_if proto udp from $ext_if to any port domain modulate state queue q_domain
pass in  on $ext_if proto udp from any to $ext_if port domain modulate state queue q_domain

pass out on $ext_if proto tcp from $ext_if to any port ssh flags S/SA keep state queue q_ssh
pass in  on $ext_if proto tcp from any to $ext_if port ssh flags S/SA  keep state queue q_ss
I have two questions:

1) Can you specify a range of ports in a macro e.g. cod_ports = "{28960:29000}"?
2) Will the rest of the priority queues even come in to play or will the first priority queue override the rest?

Thanks
Reply With Quote
  #2   (View Single Post)  
Old 23rd July 2008
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Just a few optimisations and suggestions:

1) 'modulate state' is for outbound tcp only, all others use 'keep state' (ignoring 'synproxy state' for special cases)
2) 'flags S/SA' is for tcp only
3) queueing for TCP acks should only be done on incoming tcp (you will be sending out TCP acks on those, so prioritising takes place there); in other words: rules for incoming tcp are the only ones with 'double queues' like '(q_def, q_pri)' in priq or 'queue(something, acks)' in cbq scheduling - wrong, see below
4) you are encouraged to write your rules in order of prefererred processing and use the 'quick' keyword wherever possible; work from specific to general, and start with a general block all rule.

Yes, you can specifiy a range of ports using a macro. Use pfctl -s rules to see the expanded ruleset after loading them.

Last edited by DutchDaemon; 23rd July 2008 at 02:56 PM.
Reply With Quote
  #3   (View Single Post)  
Old 23rd July 2008
RudiK RudiK is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Default

Thanks for the suggestions. I've implemented points #1, #2, and #4.

I'm not sure about #3 because it contradicts Daniels page http://www.benzedrine.cx/ackpri.html unless I'm missing something?

Also, When I implement the rule set and use pfctl -s rules the macro is not expanded?

# pfctl -sr
pass out on tun0 inet proto tcp from 196.2.19.32 to any flags S/SA keep state queue(q_def, q_pri)
pass in on tun0 inet proto tcp from any to 196.2.19.32 flags S/SA keep state queue(q_def, q_pri)
pass out quick on tun0 inet proto udp from 196.2.19.32 to any port 28960:29000 keep state queue q_cod
pass in quick on tun0 inet proto udp from any to 196.2.19.32 port 28960:29000 keep state queue q_cod
Reply With Quote
  #4   (View Single Post)  
Old 23rd July 2008
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Yeah, I may be making a slight 'thinking error' there, because, at first sight, outgoing TCP acks are only caused by incoming TCP packets, so it would only be necessary to associate the TCP ack queue with incoming tcp connection rules.

But, of course, when making an outbound tcp connection (like an interactive ssh session), you will have to reply to return traffic with acks as well, and those are also outbound TCP acks.

So yes, put those double queues on the inbound and outbound tcp rules.
Reply With Quote
  #5   (View Single Post)  
Old 23rd July 2008
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Quote:
Originally Posted by RudiK View Post
Also, When I implement the rule set and use pfctl -s rules the macro is not expanded?

# pfctl -sr

pass out quick on tun0 inet proto udp from 196.2.19.32 to any port 28960:29000 keep state queue q_cod
pass in quick on tun0 inet proto udp from any to 196.2.19.32 port 28960:29000 keep state queue q_cod
Those are expanded macros.

cod_ports = "{28960:29000}" + port $cod_ports = port 28960:29000
( using macros doesn't always mean shorter syntax )
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
external drive partition question + fdisk question gosha OpenBSD General 15 15th June 2009 02:00 PM
PF w/ ALTQ - Queue errors exceeding bandwidth plexter OpenBSD Security 11 26th October 2008 12:01 AM
PF/ALTQ rules not working as intended Weaseal FreeBSD Security 4 6th August 2008 12:41 PM
[PF] Problem with ftp and ALTQ gotian FreeBSD Security 1 22nd July 2008 11:25 PM
Queuing with PF and ALTQ Weaseal FreeBSD Security 1 22nd July 2008 05:18 PM


All times are GMT. The time now is 11:07 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick