DaemonForums > OpenBSD > OpenBSD Security

#1
23rd June 2011
magnesik
New User

Join Date: Feb 2010
Posts: 3
PF - packet filtering by length?

Is it possible to filter packets by length? If it is possible, then how? I know that iptables (for Linux) has it.

My piece of router's firewall looks like this:

Code:
##Upload without main queue
queue up_komp1     bandwidth  12% priority 5 qlimit 500 hfsc (realtime 10% upperlimit 99% ecn) { u_komp1 u_ack_komp1}

    queue u_ack_komp1 bandwidth 50% priority 6 qlimit 500 hfsc
    queue u_komp1   bandwidth 50% priority 5 qlimit 500 hfsc

##Download without main queue
queue dn_komp1      bandwidth  12% priority 5 qlimit 500 hfsc (realtime 10% upperlimit 99% ecn) { d_komp1, d_ack_komp1 }

    queue d_ack_komp1 bandwidth 50% priority 6 qlimit 500 hfsc
    queue d_komp1   bandwidth 50% priority 5 qlimit 500 hfsc

## and after all

pass in quick on $int_if from $komp1 to any tag komp1 keep state queue (d_komp1, d_ack_komp1)
pass out quick on $ext_if tagged komp1 keep state queue (u_komp1, u_ack_komp1)

My question is related to a problem which I have. While uploading files over http (port 80) from a machine connected to the router with the firewall listed above, the internet on that machine is frozen. Any other service doesn't work or works very, very slowly. (Maybe I should have another firewall with QoS on the local machine?)

I read somewhere that ACKs are not only small packets but sometimes contain payload. In this case they have higher priority than other packets, and I suspect them (huge ACKs) as my problem.
In iptables it is possible to filter packets by length and assign the proper priority to smaller ACKs and bigger ACKs.

Is it a good idea to set SYN and RST with priority to optimize utilization of bandwidth? If yes, how?
#2
23rd June 2011
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by magnesik
Is it possible to filter packets by length?

The only "length" filtration that is possible is the max-mss option of scrub. Please refer to pf.conf(5) for the description and syntax.
Quote:
While uploading files over http (port 80) from a machine connected to the router with the firewall listed above, the internet on that machine is frozen. Any other service doesn't work or works very, very slowly.

I'd look to your queuing rules. I've never used HFSC queuing, so I can't comment on your rules, but the symptom you describe is indicative of incorrect traffic shaping.
Quote:
I suspect them (huge ACKs) as my problem.

Don't suspect. Know. Use tcpdump(8).
#3
3rd July 2011
Loki
Port Guard

Join Date: Nov 2008
Location: Sydney
Posts: 11

How about http://www.benzedrine.cx/ackpri.html
#4
3rd July 2011
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,977

That is an example of queueing by TOS rather than length, but it may be applicable to the OP's situation.
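To see which packets ALTQ actually puts into the second queue of a rule such as magnesik's `queue (u_komp1, u_ack_komp1)`, here is an added Python model of the pf.conf(5) rule (example code, not from the thread or from pf itself): IPv4 packets with the TOS lowdelay bit, and TCP ACKs carrying no payload, go to the second queue, while an ACK that carries data stays in the first. The packets, addresses and queue names are constructed for the example.

```python
import struct

# ALTQ's two-queue rule as documented in pf.conf(5): with "queue (bulk, ack)",
# IPv4 packets carrying the TOS lowdelay bit and TCP ACKs with no payload are
# assigned to the second queue; everything else goes to the first.
TOS_LOWDELAY = 0x10
TH_SYN, TH_PSH, TH_ACK = 0x02, 0x08, 0x10

# Queue pair taken from the thread's upload rule: queue (u_komp1, u_ack_komp1)
UPLOAD_QUEUES = ("u_komp1", "u_ack_komp1")

def build_tcp_packet(tos, flags, payload):
    """Construct a minimal IPv4+TCP packet (constructed sample, not a capture)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    # data offset 5 words (20 bytes), no options, checksum left at zero
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def classify(pkt, queues):
    """Return the queue name ALTQ would pick for this IPv4 packet."""
    bulk_q, ack_q = queues
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if tos & TOS_LOWDELAY:
        return ack_q
    if proto == 6:
        tcp = pkt[ihl:]
        data_off = (tcp[12] >> 4) * 4
        flags = tcp[13]
        payload_len = total_len - ihl - data_off
        # only an ACK with no payload gets the priority queue
        if flags & TH_ACK and payload_len == 0:
            return ack_q
    return bulk_q

def demo():
    """Classify four constructed packets, including the 'huge ACK' case."""
    samples = {
        "pure ACK": build_tcp_packet(0, TH_ACK, b""),
        "ACK with 1400 bytes data": build_tcp_packet(0, TH_ACK | TH_PSH, b"x" * 1400),
        "lowdelay TOS with data": build_tcp_packet(TOS_LOWDELAY, TH_ACK | TH_PSH, b"x" * 100),
        "bare SYN": build_tcp_packet(0, TH_SYN, b""),
    }
    return {name: classify(pkt, UPLOAD_QUEUES) for name, pkt in samples.items()}
```

The result shows that an ACK segment carrying data is queued with the bulk traffic, so it does not gain priority over other uploads.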