DaemonForums > OpenBSD > OpenBSD Security

#1
Old 2 Weeks Ago
igy01
Port Guard
 
Join Date: Jan 2011
Posts: 20
queueing on incoming or outgoing?

I can't completely understand how traffic shaping works. Some examples:
https://chibug.org/talks/2016-10-05-jimh-pf_queuing.pdf

there is a sentence:
Pass rules: incoming (my preference) or no direction specified

also example:
pass in on em0 proto tcp to port {80,443} set queue http

So how does this "incoming" declared traffic shaping work? For some (incoming) TCP connection (applied in rules), should outgoing traffic be limited by queueing? Or something else?
#2
Old 2 Weeks Ago
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 5,937

You can only shape traffic when packets are outbound and leaving an interface. But this isn't really an issue, as long as you recall that any router has at least two network interfaces. Here's an ASCII "graphic":

{Internet} --- $external --- [router] --- $internal --- {local net}

Let us assume that there is a packet which has just arrived at our router from another computer on the local network, at the $internal NIC. The router can queue the packet, outbound, when it places it on a queue for transmission to a destination on the Internet, via the $external NIC.

The opposite direction is the same case. An inbound packet from the Internet can only be queued once it is placed on an outbound queue for transmission to a local computer on the $internal NIC.

#3
Old 2 Weeks Ago
igy01
Port Guard

Join Date: Jan 2011
Posts: 20

Yes, I know we can only shape traffic when packets are outbound and leaving; that is the general rule for each and every router device (not only BSD).

But how to apply this on pf? So, for an IP packet from LAN to Internet, we set:
pass in on $int_if proto...... to..... set queue queueLANtoINTERNET
this packet from LAN to Internet will be queued on $ext_if when it leaves the device?
#4
Old 2 Weeks Ago
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 5,937

See the QUEUING section of the pf.conf(5) man page. It includes both setting up queues with queue statements, and then applying queue names to pass rules with set queue options.

#5
Old 2 Weeks Ago
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 5,937

Also, yes, you can set a queue name on an inbound traffic rule; the queue name will apply to the state, if state is established, and therefore to any outbound traffic for that state. It just won't have any effect on the inbound traffic, since that cannot be queued.

There is an example showing pass in rules in the pf.conf(5) man page where the set queue option is defined.
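The two-interface picture from posts #2 and #5, written out as a complete ruleset for the current (post-5.5) OpenBSD queueing system. This is an added example for this thread, not the OP's configuration and not the pf.conf(5) sample; the interface names em0/em1, the address 192.0.2.10 and the 10M/100M bandwidth figures are assumptions to be replaced with the real ones.

```pf
# Added example for this thread (not the OP's ruleset or the man page's).
# Assumed: em0/em1 interface names, 192.0.2.10, 10 Mbit/s up, 100 Mbit/s down.
ext_if  = "em0"         # faces the Internet, assumed 10 Mbit/s upstream
int_if  = "em1"         # faces the LAN, assumed 100 Mbit/s
web_srv = "192.0.2.10"  # assumed LAN web server reachable from outside

# Shaping only happens when a packet is placed on an interface's output
# queue, so each NIC gets its own HFSC tree; child queues inherit the
# interface of their root.  Each tree has a "default" leaf so a packet whose
# state names a queue from the *other* tree (or no queue at all) still has
# a class to land in on this interface instead of being dropped.
queue up on $ext_if bandwidth 10M max 10M
queue  up_std  parent up bandwidth 4M default
queue  up_http parent up bandwidth 5M min 2M max 9M
queue  up_ack  parent up bandwidth 1M min 512K

queue down on $int_if bandwidth 100M max 100M
queue  down_std  parent down bandwidth 60M default
queue  down_http parent down bandwidth 40M min 10M max 90M

block all

# Thread case 1: a LAN host opens a connection to the Internet.  The first
# packet is seen "in" on $int_if, the matching rule creates the state and the
# queue names are stored on that state.  Nothing is shaped on $int_if in this
# direction; the names are resolved when each packet of the state is put on
# $ext_if's output queue.  The second name of the pair takes empty TCP ACKs
# and lowdelay-marked packets so the LAN's downloads keep ACKing while an
# upload fills up_http.  Last matching rule wins, so the generic rule goes
# first and the HTTP one after it.
pass in on $int_if from $int_if:network to any set queue up_std
pass in on $int_if proto tcp from $int_if:network to any port { 80 443 } \
    set queue (up_http, up_ack)
# Replies of those same states leave $int_if, where up_http does not exist,
# so they fall into down_std.  One state carries one queue assignment, so
# shaping both directions of one flow separately is out of scope here.

# Thread case 2: an Internet client talks to the LAN web server.  The state
# is created "in" on $ext_if and the server's replies are shaped when they
# are put on $int_if's output queue.  (Add rdr-to if the server is NAT'd.)
pass in on $ext_if proto tcp to $web_srv port { 80 443 } set queue down_http

# The floating states created by the pass in rules already cover the
# outbound leg on the far interface; these only matter for traffic the
# router itself originates.
pass out on $ext_if
pass out on $int_if
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before loading, then watch `pfctl -s queue -v` or `systat queues` while a LAN host uploads to a web site: the packet and byte counters should climb on up_http and up_ack under em0, while the same flow's replies count against down_std under em1. The fall-through to an interface's default queue when the state's queue belongs to the other tree is an assumption drawn from the HFSC enqueue path rather than from the thread; the per-queue counters are the way to confirm it on your release, and a tree with no default leaf is the configuration to avoid.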
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick