Help with pf.conf
Hello everybody.
I need some help with my pf.conf. My goal is to have all traffic (inbound and outbound) placed in queues, to speed up some parts and to make sure some things won't take up all the bandwidth. At the moment all my outbound traffic is queued as it should be, but not the inbound. I'm sure I've made some obvious mistakes since I'm quite new at all of this. Any help would be greatly appreciated. Thanks.

pf.conf
Code:
############ Macros
###### Interfaces
ext_if = "em0"
ext_bw = "4Mb"
int_if = "em1"
int_bw = "30Mb"

###### Clients
zoidberg = "192.168.1.3"
fry = "192.168.1.4"

###### Ports
torrent_port = "{ 45000, 50000 }"
torrent_port_zoidberg = "50000"
torrent_port_fry = "45000"
web_port = "{ 80, 443 }"
mail_port = "{ 25, 110, 220, 993, 995 }"
ftp_port = "{ 20, 21 }"
dns_port = "{ 53, 123 }"
icmp_types = "{ echoreq, unreach }"
ssh_port = "22"

############ Queues
###### Queue on external interface
altq on $ext_if hfsc bandwidth $ext_bw queue { main, ack, web, mail, filetransfer, ssh, dns, bruteforce }
queue ack bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
queue dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue ssh bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
queue main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue web bandwidth 5% priority 4 qlimit 500 hfsc (realtime 10%)
queue mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue filetransfer bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 95%)
queue bruteforce bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 1Kb)

###### Queue on internal interface
altq on $int_if hfsc bandwidth $int_bw queue { i_main, i_ack, i_web, i_mail, i_filetransfer, i_ssh, i_dns }
queue i_ack bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
queue i_dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
queue i_ssh bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) { i_ssh_login, i_ssh_bulk }
queue i_ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue i_ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
queue i_main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue i_web bandwidth 5% priority 4 qlimit 500 hfsc (realtime 10%)
queue i_mail bandwidth 5% priority 3 qlimit 500 hfsc (realtime 5%)
queue i_filetransfer bandwidth 1% priority 3 qlimit 500 hfsc (upperlimit 95%)

############ Tables
table <rfc1918> persist file "/etc/pftables/rfc1918"
table <clients> persist file "/etc/pftables/clients"
table <bruteforce> persist

############ Anchors
anchor "ftp-proxy/*"

############ Rules set
###### Misc rules (nat, scrub, skip)
set skip on { lo, $int_if }
match out on $ext_if from <clients> nat-to ($ext_if)
block in quick log on $ext_if from <rfc1918> to any
block out quick log on $ext_if from any to <rfc1918>
pass in quick log on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
pass quick log inet proto tcp from <bruteforce> to any queue bruteforce
pass log inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
block all

###### Filter inbound $ext_if
pass in on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flush global)
pass in on $ext_if inet proto { tcp udp } to port $dns_port
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_zoidberg rdr-to $zoidberg
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_fry rdr-to $fry

###### Filter outbound $ext_if
pass out on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto { tcp udp } to port $dns_port queue (dns)
pass out on $ext_if inet proto { tcp udp } from any to any port $torrent_port queue (filetransfer)
pass out on $ext_if inet proto tcp from any to any port $web_port queue (web, ack)
pass out on $ext_if inet proto tcp from any to any port $mail_port queue (mail, ack)
pass out on $ext_if inet proto icmp icmp-type $icmp_types queue (dns, ack)

###### Filter inbound $int_if
pass in on $int_if inet proto tcp from any to any port ssh flags S/SAFR synproxy state
pass in on $int_if inet proto { tcp udp } from any to any port $dns_port
pass in on $int_if inet proto { tcp udp } from any to any port $torrent_port
pass in on $int_if inet proto tcp from any to any port $web_port
pass in on $int_if inet proto tcp from any to any port $mail_port
pass in on $ext_if inet proto icmp icmp-type $icmp_types

###### Filter outbound $int_if
pass out on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
pass out on $int_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (i_ssh_bulk, i_ssh_login)
pass out on $int_if inet proto { tcp udp } from any to any port $torrent_port queue (i_filetransfer)
pass out on $int_if inet proto tcp from any to any port $web_port queue (i_web, i_ack)
pass out on $int_if inet proto tcp from any to any port $mail_port queue (i_mail, i_ack)
pass out on $int_if inet proto icmp icmp-type $icmp_types queue (i_dns, i_ack)
ALTQ only works on outbound.
You are already nicely queuing outbound traffic only, so I wonder why the two previous posters feel the need to remind you of something you are already doing.
An overview:
Check the output of pfctl -vvs rules to see whether the rules have any effect. Keep in mind that pf uses a "last rule match" strategy. By using the "quick" keyword you can prevent this strategy. Does the output of "pfctl -vvs queue" give any clue? Or the output of "systat queues"? In a discussion on the OpenBSD tech mailing list Stuart Henderson gave some nice links about HFSC queueing:
Quote:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Thanks for the quick reply.
I am aware that queue only works on outbound traffic; my solution was to queue on both outbound on the external interface and outbound on the internal interface. The problem is that all the outbound traffic on $int_if gets queued in the default queue.
Thank you J65nko.
I'll look up the links you posted. According to systat queues the external queues are working like a charm, but the internal one gets all traffic assigned to the default queue.
Quote:
Code:
@11 pass out quick on em1 all queue clientA_up
  [ Evaluations: 136433501 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 13419 State Creations: 0 ]
An example of a working one where a lot of packets are getting queued:
Code:
@33 pass out quick on em1 all queue it_up
  [ Evaluations: 127970598 Packets: 17620281 Bytes: 2496318206 States: 7 ]
  [ Inserted: uid 0 pid 13419 State Creations: 39323 ]
Good catch, I missed that "pass quick log inet proto tcp from <bruteforce> to any queue bruteforce" rule.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hello again.
Here's a sample from my systat queues
Code:
1 users    Load 0.08 0.08 0.08                                Thu Apr 14 01:00:13 2011

QUEUE              BW SCH  PRIO  PKTS  BYTES DROP_P DROP_B QLEN BORROW SUSPEN  P/S  B/S
root_em0        4000K hfsc    0     0      0      0      0    0                  0    0
ack              800K hfsc    8    14    768      0      0    0                  0    0
dns              200K hfsc    7   109   9470      0      0    0                  0    0
ssh             1200K hfsc    6     0      0      0      0    0                  0    0
ssh_login        600K hfsc    6     0      0      0      0    0                  0    0
ssh_bulk         600K hfsc    5     0      0      0      0    0                  0    0
main             800K hfsc    5     1    136      0      0    0                  0    0
web              200K hfsc    4     8   5942      0      0    0                  0    0
mail             200K hfsc    3     6    533      0      0    0                  0    0
filetransfer    40000 hfsc    3     0      0      0      0    0                  0    0
bruteforce      40000 hfsc    0     0      0      0      0    0                  0
root_em1          30M hfsc    0     0      0      0      0    0                  0    0
i_ack           6000K hfsc    8     0      0      0      0    0                  0    0
i_dns           1500K hfsc    7     0      0      0      0    0                  0    0
i_ssh           9000K hfsc    6     0      0      0      0    0                  0    0
i_ssh_login     4500K hfsc    6     0      0      0      0    0                  0    0
i_ssh_bulk      4500K hfsc    5     0      0      0      0    0                  0    0
i_main          6000K hfsc    5    98  42088      0      0    0                0.2   37
i_web           1500K hfsc    4     0      0      0      0    0                  0    0
i_mail          1500K hfsc    3     0      0      0      0    0                  0    0
i_filetransfer   300K hfsc    3     0      0      0      0    0                  0    0
Thanks for the heads up on the "pass quick log inet proto tcp from <bruteforce> to any queue bruteforce" rule. I changed it to "pass out quick log inet proto tcp to <bruteforce> queue bruteforce"; I hope it will work as it should. As you can see from the systat output, the outbound rules on $ext_if are working fine, but all traffic going out on the internal interface gets placed in the i_main queue (default).
As I mentioned in http://www.daemonforums.org/showthre...5892#post37916, you have to check the output of pfctl -vvs rules.
Only this will prove whether the rules for outbound traffic on the internal interface really have any effect. In other words, do these rules have non-zero values for the "Packets", "Bytes", "States" and "State Creations" counters?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I pulled two samples from the pfctl -vvs rules output. All of them look similar to these. (Outbound on $ext_if got Evals, Packets and Bytes sent through. None on outbound $int_if.)
Outbound $ext_if
Code:
@27 pass out on em0 inet proto tcp from any to any port = https flags S/SA keep state queue(web, ack)
  [ Evaluations: 4322 Packets: 2391 Bytes: 1376712 States: 1 ]
  [ Inserted: uid 0 pid 15611 State Creations: 42 ]
Code:
@63 pass out on em1 inet proto tcp from any to any port = https flags S/SA keep state queue(i_web, i_ack)
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 15611 State Creations: 0 ]
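The counter check J65nko asks for above can be scripted rather than read by eye. The following is an added example, not code from the thread or from OpenBSD: it reads `pfctl -vvs rules` output and separates rules pf never evaluated (Evaluations 0, like @63) from rules pf did evaluate but which never matched anything (Evaluations above 0 with zero Packets and States, like the @11 example earlier in the thread). It assumes only the counter-line layout pfctl prints, and the sample input is constructed from the three rule entries quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify rules in `pfctl -vvs rules`
# output by their counters.
#   NEVER_EVALUATED  Evaluations == 0  (pf never even looked at the rule)
#   NEVER_MATCHED    Evaluations  > 0 but Packets == 0 and States == 0
# Assumes pfctl's layout: a rule line starting with "@N", followed by a line
# "[ Evaluations: E  Packets: P  Bytes: B  States: S ]".
# Usage:  pfctl -vvs rules | pf_idle_rules
#         pf_idle_rules < saved_pfctl_output.txt

pf_idle_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        rule != "" && $1 == "[" && $2 == "Evaluations:" {
            evals = $3 + 0; pkts = $5 + 0; states = $9 + 0
            if (evals == 0)
                printf "NEVER_EVALUATED %s\n", rule
            else if (pkts == 0 && states == 0)
                printf "NEVER_MATCHED %s\n", rule
            rule = ""
        }
    '
}

# Constructed sample: the three rule entries quoted in this thread, in the
# three-line form pfctl -vvs rules prints them.
SAMPLE='@11 pass out quick on em1 all queue clientA_up
  [ Evaluations: 136433501 Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 13419 State Creations: 0     ]
@27 pass out on em0 inet proto tcp from any to any port = https flags S/SA keep state queue(web, ack)
  [ Evaluations: 4322      Packets: 2391      Bytes: 1376712     States: 1     ]
  [ Inserted: uid 0 pid 15611 State Creations: 42    ]
@63 pass out on em1 inet proto tcp from any to any port = https flags S/SA keep state queue(i_web, i_ack)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 15611 State Creations: 0     ]'

# Run on the sample; @27 is healthy and is not reported.
printf '%s\n' "$SAMPLE" | pf_idle_rules
```

The two classes point at different problems: a NEVER_EVALUATED rule is unreachable (an earlier quick rule, a skipped interface, or a state hit that bypasses rule evaluation), while a NEVER_MATCHED rule is reachable but its selectors (direction, interface, ports) do not describe the traffic you expect.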
So the problem is that the rules for the outbound traffic on the internal interface never get evaluated, and thus cannot queue the traffic.
Change these rules to use "match" instead of "pass". Then check in the pfctl -vvs rules output whether these 'match' rules are being evaluated.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Code:
RULE ACTION DIR LOG Q IF  PR   K PKTS BYTES  STATES MAX INFO
   0 Pass   Any           0    0      0      all flags any
   1 Match  Out     em0        524  220996 25     from <clients> to any
   2 Block  In  Log Q em0        48   25919  0     drop from <rfc1918> to any
   3 Block  Out Log Q em0        0    0      0     drop from any to <rfc1918>
   4 Pass   In  Log Q em1 tcp  K 0    0      0     inet from any to any port = ftp
   5 Pass   Out Log Q em0 tcp  K 0    0      0     inet from any to <bruteforce> queue bruteforce
   6 Pass   Any Log       tcp    0    0      0  6  inet from any to any port = ssh flags S/FSRA
   7 Block  Any                  1174 81033  0     drop all
   8 Pass   In        em0 tcp    0    0      0  6  inet from any to any port = ssh flags S/FSRA
   9 Pass   In        em0 tcp  K 0    0      0     inet from any to any port = domain
  10 Pass   In        em0 tcp  K 0    0      0     inet from any to any port = ntp
  11 Pass   In        em0 udp  K 0    0      0     inet from any to any port = domain
  12 Pass   In        em0 udp  K 0    0      0     inet from any to any port = ntp
  13 Pass   In        em0 tcp  K 109  5708   41    inet from any to any port = 50000
  14 Pass   In        em0 udp  K 37   2581   10    inet from any to any port = 50000
  15 Pass   In        em0 tcp  K 0    0      0     inet from any to any port = 45000
  16 Pass   In        em0 udp  K 0    0      0     inet from any to any port = 45000
  17 Pass   Out       em0 tcp    0    0      0     inet from any to any port = ssh flags S/FSRA queue(ssh_bulk, ssh_login)
  18 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = domain queue dns
  19 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = ntp queue dns
  20 Pass   Out       em0 udp  K 330  82323  165   inet from any to any port = domain queue dns
  21 Pass   Out       em0 udp  K 6    456    3     inet from any to any port = ntp queue dns
  22 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = 45000 queue filetransfer
  23 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = 50000 queue filetransfer
  24 Pass   Out       em0 udp  K 0    0      0     inet from any to any port = 45000 queue filetransfer
  25 Pass   Out       em0 udp  K 10   2230   1     inet from any to any port = 50000 queue filetransfer
  26 Pass   Out       em0 tcp  K 435  199085 21    inet from any to any port = www queue(web, ack)
  27 Pass   Out       em0 tcp  K 18   9244   1     inet from any to any port = https queue(web, ack)
  28 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = smtp queue(mail, ack)
  29 Pass   Out       em0 tcp  K 29   5176   1     inet from any to any port = pop3 queue(mail, ack)
  30 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = imap3 queue(mail, ack)
  31 Pass   Out       em0 tcp  K 0    0      0     inet from any to any port = imaps queue(mail, ack)
  32 Pass   Out       em0 tcp  K 32   5261   1     inet from any to any port = pop3s queue(mail, ack)
  33 Pass   Out       em0 icmp K 0    0      0     inet all queue(dns, ack)
  34 Pass   Out       em0 icmp K 0    0      0     inet all queue(dns, ack)
  35 Pass   In        em1 tcp    0    0      0     inet from any to any port = ssh flags S/FSRA
  36 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = domain
  37 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = ntp
  38 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = 45000
  39 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = 50000
  40 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = www
  41 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = https
  42 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = smtp
  43 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = pop3
  44 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = imap3
  45 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = imaps
  46 Pass   In        em1 tcp  K 0    0      0     inet from any to any port = pop3s
  47 Pass   In        em1 udp  K 0    0      0     inet from any to any port = domain
  48 Pass   In        em1 udp  K 0    0      0     inet from any to any port = ntp
  49 Pass   In        em1 udp  K 0    0      0     inet from any to any port = 45000
  50 Pass   In        em1 udp  K 0    0      0     inet from any to any port = 50000
  51 Pass   In        em0 icmp K 18   1152   3     inet all
  52 Pass   In        em0 icmp K 0    0      0     inet all
  53 Match  Out       em1 tcp    0    0      0     inet from any to any port = domain queue i_dns
  54 Match  Out       em1 tcp    0    0      0     inet from any to any port = ntp queue i_dns
  55 Match  Out       em1 udp    0    0      0     inet from any to any port = domain queue i_dns
  56 Match  Out       em1 udp    0    0      0     inet from any to any port = ntp queue i_dns
  57 Match  Out       em1 tcp    0    0      0     inet from any to any port = ssh queue(i_ssh_bulk, i_ssh_login)
  58 Match  Out       em1 tcp    0    0      0     inet from any to any port = 45000 queue i_filetransfer
  59 Match  Out       em1 tcp    0    0      0     inet from any to any port = 50000 queue i_filetransfer
  60 Match  Out       em1 udp    0    0      0     inet from any to any port = 45000 queue i_filetransfer
  61 Match  Out       em1 udp    0    0      0     inet from any to any port = 50000 queue i_filetransfer
  62 Match  Out       em1 tcp    0    0      0     inet from any to any port = www queue(i_web, i_ack)
  63 Match  Out       em1 tcp    0    0      0     inet from any to any port = https queue(i_web, i_ack)
  64 Match  Out       em1 tcp    0    0      0     inet from any to any port = smtp queue(i_mail, i_ack)
  65 Match  Out       em1 tcp    0    0      0     inet from any to any port = pop3 queue(i_mail, i_ack)
  66 Match  Out       em1 tcp    0    0      0     inet from any to any port = imap3 queue(i_mail, i_ack)
  67 Match  Out       em1 tcp    0    0      0     inet from any to any port = imaps queue(i_mail, i_ack)
  68 Match  Out       em1 tcp    0    0      0     inet from any to any port = pop3s queue(i_mail, i_ack)
  69 Match  Out       em1 icmp   0    0      0     inet all queue(i_dns, i_ack)
  70 Match  Out       em1 icmp   0    0      0     inet all queue(i_dns, i_ack)
It might help to know that the traffic I want to shape is not for any services, but client-requested traffic (e.g. downloading OpenBSD_snapshots_i386-2011-04-14-0102.torrent), so that downloading said file won't hog everything else.
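Every rule on em1 in the output above, pass and match alike, shows zero packets and zero states, including the "pass in on em1" rules that should be creating state for the clients' own requests. The ruleset at the top of the thread contains one line that produces exactly that picture: `set skip on { lo, $int_if }` with `int_if = "em1"`. Per pf.conf(5), packets on a skipped interface are passed as if pf were disabled and are not processed by pf in any way, so no rule on em1 is ever evaluated and no packet leaving em1 is ever tagged with a queue; ALTQ on em1 then only ever sees untagged packets, which land in its default queue, i_main. The script below is an added example, not code from the thread or from OpenBSD: a lint that reads a pf.conf, expands `name = "value"` macros, and reports interfaces listed under `set skip` that are also named by `altq on` or by pass/match/block rules. The sample configuration it runs on is a constructed excerpt of the thread's ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: lint a pf.conf for interfaces that are
# listed in "set skip on ..." yet still carry "altq on" or pass/match/block
# rules. pf.conf(5): pf does not process packets on a skipped interface at
# all, so those rules can never be evaluated and nothing leaving that
# interface can be assigned a queue.
# Macros written as   name = "value"   are expanded where a rule says $name.
# Usage: pf_skip_conflicts /etc/pf.conf   (exit status = number of conflicts)

pf_skip_conflicts() {
    awk '
        function expand(tok) {                 # "$name" -> macro value
            return (substr(tok, 1, 1) == "$") ? macro[substr(tok, 2)] : tok
        }
        function note(ifc) {                   # remember a reference to ifc
            if (!(ifc in first)) first[ifc] = NR
            used[ifc]++
        }
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {   # macro definition
            eq = index($0, "=")
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1); gsub(/"/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            macro[name] = val
            next
        }
        $1 == "set" && $2 == "skip" && $3 == "on" {
            for (i = 4; i <= NF; i++) {        # "em0"  or  "{ lo, $int_if }"
                t = $i; gsub(/[{},]/, "", t)
                if (t != "") skipped[expand(t)] = NR
            }
            next
        }
        $1 == "altq" && $2 == "on" { note(expand($3)); next }
        $1 ~ /^(pass|match|block)$/ {
            for (i = 2; i < NF; i++)
                if ($i == "on") { note(expand($(i + 1))); break }
        }
        END {
            n = 0
            for (ifc in skipped)
                if (ifc in used) {
                    n++
                    printf "%s: in set skip (line %d) but referenced by %d altq/filter line(s), first at line %d\n", ifc, skipped[ifc], used[ifc], first[ifc]
                }
            exit n
        }
    ' "$1"
}

# Constructed excerpt of the ruleset posted in this thread (macros, the skip
# line and a few of the em1 rules), written to the file named in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt of the thread's pf.conf
ext_if = "em0"
int_if = "em1"
int_bw = "30Mb"
dns_port = "{ 53, 123 }"
altq on $int_if hfsc bandwidth $int_bw queue { i_main, i_dns }
queue i_main bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
queue i_dns bandwidth 5% priority 7 qlimit 500 hfsc (realtime 5%)
set skip on { lo, $int_if }
pass in on $int_if inet proto { tcp udp } from any to any port $dns_port
pass out on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
block all
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
pf_skip_conflicts "$tmp" || printf 'conflicts found: %d\n' "$?"
rm -f "$tmp"
```

On the excerpt the lint reports em1, which is the interface whose rules show all-zero counters. Removing $int_if from the skip list is the prerequisite for any em1 rule, pass or match, to be evaluated at all; whether the queue then ends up where intended is what the pfctl -vvs rules counters recommended earlier in the thread will show.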
This is an attempt to describe the problem. Please keep in mind that I am focusing only on the internal interface:
The client initiates a connection, for example a DNS request to a nameserver. The destination port is port 53, the default port for DNS/domain. The source port is one randomly chosen above port 1023, say port 40000. So we have
Code:
client:40000 --> nameserver:53
Code:
nameserver:53 --> client:40000
The suggestion to use "match" instead of "pass" is an attempt to decouple the queuing from the state creation logic. BTW, both the pass and now the match rules are not correct. They don't match the reply packets.
Code:
Match Out em1 udp 0 0 0 inet from any to any port = domain queue i_dns
Code:
23:43:06.134763 192.168.222.20.41004 > 192.168.222.10.53: 58162+ A? www.daemonforums.org. (38)
Code:
23:43:06.135727 192.168.222.10.53 > 192.168.222.20.41004: 58162 1/0/0 A 94.142.245.224 (54)
Code:
inet from any to any port = domain queue i_dns
Code:
inet from any port = domain to any queue i_dns
And the match rules need to be moved up, so they will be evaluated before the stateless pass rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hi, I've been away from pf for a while, but unless something in pf has changed in the more recent versions, the following should achieve what you're asking for.
Code:
###### Filter inbound $int_if
pass in on $int_if inet proto tcp \
    from ($int_if:network) to any port ssh \
    flags S/SAFR synproxy state \
    queue( i_ssh,i_ack )
#
# in this rule's context,
# ($int_if:network) is far superior security than "any"
The reason your pass out on $int_if ... queue(...) isn't working is because the packets already have state and NO FURTHER RULE PROCESSING IS PERFORMED ON THE PACKETS. Repeat the mods to all your inbound rules in your rule block.
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.