DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th April 2011
A_Sorenby A_Sorenby is offline
New User
 
Join Date: Apr 2011
Posts: 6
Default Help with pf.conf

Hello everybody.

I need some help with my pf.conf.
My goal is to have all traffic (inbound and outbound) placed in queues, to speed up some parts and to make sure some things wont take up all the bandwidth.

At the moment all my outbound traffic is queued as it should but not the inbound.

I´m sure i´v made some obvious misstakes since i´m quite new at all of this.

Any help would be greatly appreciated.

Thanks

pf.conf
Code:
############ Macros

###### Interfaces
ext_if = "em0"
ext_bw = "4Mb"

int_if = "em1"
int_bw = "30Mb"

###### Clients
zoidberg = "192.168.1.3"
fry = "192.168.1.4"

###### Ports
torrent_port = "{ 45000, 50000 }"
torrent_port_zoidberg = "50000"
torrent_port_fry = "45000"
web_port = "{ 80, 443 }"
mail_port = "{ 25, 110, 220, 993, 995 }"
ftp_port = "{ 20, 21 }"
dns_port = "{ 53, 123 }"
icmp_types = "{ echoreq, unreach }"
ssh_port = "22"

############ Queues

###### Queue on external interface
altq on $ext_if hfsc bandwidth $ext_bw queue { main, ack, web, mail, filetransfer, ssh, dns, bruteforce }
        queue ack               bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
        queue dns               bandwidth 5%  priority 7 qlimit 500 hfsc (realtime 5%)
        queue ssh               bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) {ssh_login, ssh_bulk}
          queue ssh_login       bandwidth 50% priority 6 qlimit 500 hfsc
          queue ssh_bulk        bandwidth 50% priority 5 qlimit 500 hfsc
        queue main              bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
        queue web               bandwidth 5%  priority 4 qlimit 500 hfsc (realtime 10%)
        queue mail              bandwidth 5%  priority 3 qlimit 500 hfsc (realtime 5%)
        queue filetransfer      bandwidth 1%  priority 3 qlimit 500 hfsc (upperlimit 95%)
        queue bruteforce        bandwidth 1%  priority 1 qlimit 500 hfsc (upperlimit 1Kb)

###### Queue on internal interface
altq on $int_if hfsc bandwidth $int_bw queue { i_main, i_ack, i_web, i_mail, i_filetransfer, i_ssh, i_dns }
        queue i_ack             bandwidth 20% priority 8 qlimit 500 hfsc (realtime 20%)
        queue i_dns             bandwidth 5%  priority 7 qlimit 500 hfsc (realtime 5%)
        queue i_ssh             bandwidth 30% priority 6 qlimit 500 hfsc (realtime 20%) {i_ssh_login, i_ssh_bulk}
          queue i_ssh_login     bandwidth 50% priority 6 qlimit 500 hfsc
          queue i_ssh_bulk      bandwidth 50% priority 5 qlimit 500 hfsc
        queue i_main            bandwidth 20% priority 5 qlimit 500 hfsc (realtime 20% default, ecn)
        queue i_web             bandwidth 5%  priority 4 qlimit 500 hfsc (realtime 10%)
        queue i_mail            bandwidth 5%  priority 3 qlimit 500 hfsc (realtime 5%)
        queue i_filetransfer    bandwidth 1%  priority 3 qlimit 500 hfsc (upperlimit 95%)

############ Tables
table <rfc1918> persist file "/etc/pftables/rfc1918"
table <clients> persist file "/etc/pftables/clients"
table <bruteforce> persist


############ Anchors
anchor "ftp-proxy/*"

############ Rules set
###### Misc rules (nat, scrub, skip)
set skip on { lo, $int_if }
match out on $ext_if from <clients> nat-to ($ext_if)
block in quick log on $ext_if from <rfc1918> to any
block out quick log on $ext_if from any to <rfc1918>
pass in quick log on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021
pass quick log inet proto tcp from <bruteforce> to any queue bruteforce
pass log inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <bruteforce> flus
h global)
block all

###### Filter inbound $ext_if
pass in on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state (max 6, source-track rule, max-src-states 6, max-src-nodes 6, max-src-conn-rate 6/60, overload <brutef
orce> flush global)
pass in on $ext_if inet proto { tcp udp } to port $dns_port
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_zoidberg rdr-to $zoidberg
pass in on $ext_if inet proto { tcp udp } from any to any port $torrent_port_fry rdr-to $fry

###### Filter outbound $ext_if
pass out on $ext_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (ssh_bulk, ssh_login)
pass out on $ext_if inet proto { tcp udp } to port $dns_port queue (dns)
pass out on $ext_if inet proto { tcp udp } from any to any port $torrent_port queue (filetransfer)
pass out on $ext_if inet proto tcp from any to any port $web_port queue (web, ack)
pass out on $ext_if inet proto tcp from any to any port $mail_port queue (mail, ack)
pass out on $ext_if inet proto icmp icmp-type $icmp_types queue (dns, ack)

###### Filter inbound $int_if
pass in on $int_if inet proto tcp from any to any port ssh flags S/SAFR synproxy state
pass in on $int_if inet proto { tcp udp } from any to any port $dns_port
pass in on $int_if inet proto { tcp udp } from any to any port $torrent_port
pass in on $int_if inet proto tcp from any to any port $web_port
pass in on $int_if inet proto tcp from any to any port $mail_port
pass in on $ext_if inet proto icmp icmp-type $icmp_types

###### Filter outbound $int_if
pass out on $int_if inet proto { tcp udp } to port $dns_port queue (i_dns)
pass out on $int_if inet proto tcp to port ssh flags S/SAFR synproxy state queue (i_ssh_bulk, i_ssh_login)
pass out on $int_if inet proto { tcp udp } from any to any port $torrent_port queue (i_filetransfer)
pass out on $int_if inet proto tcp from any to any port $web_port queue (i_web, i_ack)
pass out on $int_if inet proto tcp from any to any port $mail_port queue (i_mail, i_ack)
pass out on $int_if inet proto icmp icmp-type $icmp_types queue (i_dns, i_ack)
Reply With Quote
  #2   (View Single Post)  
Old 13th April 2011
mwjpiero mwjpiero is offline
Real Name: DeadSun
New User
 
Join Date: Nov 2010
Location: Shanghai
Posts: 2
Default

ALTQ only work on outbound.
Reply With Quote
  #3   (View Single Post)  
Old 13th April 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,020
Default

Welcome to daemonforums!

1. Keep in mind, all queing is on outbound traffic. You cannot queue an inbound packet...once it has arrived, it has arrived. So queues assigned to any "pass in" rule are meaningless. To shape traffic that has arrived at your router, shape it as it passes out the other direction. By that I mean shape inbound traffic from your local interface as it is passed out to your ISP, and shape inbound traffic from your ISP as it is passed out your local interface.

2. I've never used hfsc queuing, so can't comment on your queue rules.
Reply With Quote
  #4   (View Single Post)  
Old 13th April 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default

You are already nicely queuing outbound traffic only, so I wonder why the two previous posters feel the need to remind you of something you are already doing

An overview:
  • External interface
    • Outgoing traffic
      Possible to be rate limited/queued on this interface
      This is "upload" for the local network clients.
    • incoming traffic
      Not possible to be rate limited/queued on this interface
      This is "download" for the local network clients
  • Internal interface
    • outgoing traffic
      Possible to be rate limited/queued
      This is "download" for the local network clients
    • incoming traffic
      Not possible to be rate limited/queued on this interface
      This is "upload" for the local network clients

Check the output of pfctl -vvs rules to see whether the rules have any affect. Keep in mind that pf uses a "last rule match" strategy. By using the "quick" keyword you can prevent this strategy.

Does the the output of "pfctl -vvs queue" give any clue? Or the output of "systat queues" ?

In a discussion of the OpenBSD tech mailing list Stuart Henderson gave some nice links about HFSC queueing

Quote:
If you want to play around with HFSC (and I'd recommend this before
considering changing code), here's some suggested reading...

http://forum.pfsense.org/index.php/t....html#msg48336
http://www.probsd.net/pf/index.php/H...HFSC_explained
http://forum.pfsense.org/index.php?topic=33950.0
http://forum.pfsense.org/index.php/topic,3050.0.html
"Building firewalls with OpenBSD and PF" (slightly outdated as it
pre-dates PF nat changes - in particular I think the "queuing incoming
packets" section talking about needing two boxes no longer applies -
but on the whole the altq section in here is rather good).
The http://www.probsd.net/pf/index.php/H...HFSC_explained link is excellent.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 13th April 2011
A_Sorenby A_Sorenby is offline
New User
 
Join Date: Apr 2011
Posts: 6
Default

Thanks for the quick reply.
I am aware that queue only works on outbound traffic, my solution was to queue on both outbound on the external interface and outbound on the internal interface. Problem is that all the outbound on $int_if get queued in the default queue.
Reply With Quote
  #6   (View Single Post)  
Old 13th April 2011
A_Sorenby A_Sorenby is offline
New User
 
Join Date: Apr 2011
Posts: 6
Default

Thank you J65nko.
Ill look up the links you posted.
According to systat queues the external queues are working like a charm but the internal gets all traffic assigned to the default queue.
Reply With Quote
  #7   (View Single Post)  
Old 13th April 2011
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,020
Default

Quote:
Originally Posted by J65nko View Post
...I wonder why the two previous posters feel the need to remind you...
Here's why I replied:
Quote:
Originally Posted by A_Sorenby View Post
... but not the inbound ...
Code:
...
pass quick log inet proto tcp from <bruteforce> to any queue bruteforce
...
Reply With Quote
  #8   (View Single Post)  
Old 13th April 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default

Quote:
Originally Posted by J65nko
Check the output of pfctl -vvs rules to see whether the rules have any affect.
An example of a queue rule which did not have any effect:
Code:
@11 pass out quick on em1 all  queue clientA_up 
  [ Evaluations: 136433501  Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 13419 State Creations: 0     ]
This particular rule has been evaluated many times, but did not do any queuing, because the "Packets", "Bytes", "States" and "State Creations" counters all show "0".

An example of a working one where a lot of packets are getting queued:
Code:
@33 pass out quick on em1 all  queue it_up 
  [ Evaluations: 127970598  Packets: 17620281  Bytes: 2496318206  States: 7     ]
  [ Inserted: uid 0 pid 13419 State Creations: 39323 ]
@jggimi
Good catch, I missed that "pass quick log inet proto tcp from <bruteforce> to any queue bruteforce" rule
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #9   (View Single Post)  
Old 13th April 2011
A_Sorenby A_Sorenby is offline
New User
 
Join Date: Apr 2011
Posts: 6
Default

Hello again.

Here´s a sample from my systat queues
Code:
   1 users    Load 0.08 0.08 0.08                      Thu Apr 14 01:00:13 2011

QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
root_em0                       4000K hfsc    0        0        0        0        0    0                     0       0
 ack                            800K hfsc    8       14      768        0        0    0                     0       0
 dns                            200K hfsc    7      109     9470        0        0    0                     0       0
 ssh                           1200K hfsc    6        0        0        0        0    0                     0       0
  ssh_login                     600K hfsc    6        0        0        0        0    0                     0       0
  ssh_bulk                      600K hfsc    5        0        0        0        0    0                     0       0
 main                           800K hfsc    5        1      136        0        0    0                     0       0
 web                            200K hfsc    4        8     5942        0        0    0                     0       0
 mail                           200K hfsc    3        6      533        0        0    0                     0       0
 filetransfer                  40000 hfsc    3        0        0        0        0    0                     0       0
 bruteforce                    40000 hfsc             0        0        0        0    0                     0       0
root_em1                         30M hfsc    0        0        0        0        0    0                     0       0
 i_ack                         6000K hfsc    8        0        0        0        0    0                     0       0
 i_dns                         1500K hfsc    7        0        0        0        0    0                     0       0
 i_ssh                         9000K hfsc    6        0        0        0        0    0                     0       0
  i_ssh_login                  4500K hfsc    6        0        0        0        0    0                     0       0
  i_ssh_bulk                   4500K hfsc    5        0        0        0        0    0                     0       0
 i_main                        6000K hfsc    5       98    42088        0        0    0                   0.2      37
 i_web                         1500K hfsc    4        0        0        0        0    0                     0       0
 i_mail                        1500K hfsc    3        0        0        0        0    0                     0       0
 i_filetransfer                 300K hfsc    3        0        0        0        0    0                     0       0

Thanks for the heads up on the "pass quick log inet proto tcp from <bruteforce> to any queue bruteforce"
I changed it to "pass out quick log inet proto tcp to <bruteforce> queue bruteforce" i hope it will work as it should.

As you see from the systat the outbound rules on $ext_if is working fine, but all traffic going out on the internal interface gets placed in the i_main queue (default).
Reply With Quote
Old 14th April 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default

As I mentioned http://www.daemonforums.org/showthre...5892#post37916 you have to check the output of pfctl -vvs rules.

Only this will proof whether the rules for outbound traffic on the internal interface really have any effect. In other words do these rules have non-zero values for the "Packets", "Bytes", "States" and "State Creations" counters?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 14th April 2011
A_Sorenby A_Sorenby is offline
New User
 
Join Date: Apr 2011
Posts: 6
Default

I pulled two samples from the pfctl -vvs rules. All of them looks similar to these. (Outbound on $ext_if got Evals, Packets and Bytes sent through. None on outbound $int_if)

Outbound $ext_if
Code:
@27 pass out on em0 inet proto tcp from any to any port = https flags S/SA keep state queue(web, ack)
  [ Evaluations: 4322      Packets: 2391      Bytes: 1376712     States: 1     ]
  [ Inserted: uid 0 pid 15611 State Creations: 42    ]
Outbound $int_if
Code:
@63 pass out on em1 inet proto tcp from any to any port = https flags S/SA keep state queue(i_web, i_ack)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 15611 State Creations: 0     ]
Reply With Quote
Old 14th April 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default

So the problem is that the rules for the outbound traffic on the internal interface never get evaluated, and thus cannot queue the traffic.

Change these rules to use "match" instead of "pass". Then check the pfctl -vvs rules output whether these 'match' rules are being evaluated.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 14th April 2011
A_Sorenby A_Sorenby is offline
New User
 
Join Date: Apr 2011
Posts: 6
Default

Code:
RULE  ACTION   DIR LOG Q IF     PR        K     PKTS    BYTES   STATES   MAX INFO
   0  Pass     Any                                 0        0        0       all flags any
   1  Match    Out       em0                     524   220996       25       from <clients> to any
   2  Block    In  Log Q em0                      48    25919        0       drop from <rfc1918> to any
   3  Block    Out Log Q em0                       0        0        0       drop from any to <rfc1918>
   4  Pass     In  Log Q em1    tcp       K        0        0        0       inet from any to any port = ftp
   5  Pass     Out Log Q em0    tcp       K        0        0        0       inet from any to <bruteforce>  queue bruteforce
   6  Pass     Any Log          tcp                0        0        0     6 inet from any to any port = ssh flags S/FSRA
   7  Block    Any                              1174    81033        0       drop all
   8  Pass     In        em0    tcp                0        0        0     6 inet from any to any port = ssh flags S/FSRA
   9  Pass     In        em0    tcp       K        0        0        0       inet from any to any port = domain
  10  Pass     In        em0    tcp       K        0        0        0       inet from any to any port = ntp
  11  Pass     In        em0    udp       K        0        0        0       inet from any to any port = domain
  12  Pass     In        em0    udp       K        0        0        0       inet from any to any port = ntp
  13  Pass     In        em0    tcp       K      109     5708       41       inet from any to any port = 50000
  14  Pass     In        em0    udp       K       37     2581       10       inet from any to any port = 50000
  15  Pass     In        em0    tcp       K        0        0        0       inet from any to any port = 45000
  16  Pass     In        em0    udp       K        0        0        0       inet from any to any port = 45000
  17  Pass     Out       em0    tcp                0        0        0       inet from any to any port = ssh flags S/FSRA queue(ssh_bulk, ssh_login)
  18  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = domain  queue dns
  19  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = ntp  queue dns
  20  Pass     Out       em0    udp       K      330    82323      165       inet from any to any port = domain  queue dns
  21  Pass     Out       em0    udp       K        6      456        3       inet from any to any port = ntp  queue dns
  22  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = 45000  queue filetransfer
  23  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = 50000  queue filetransfer
  24  Pass     Out       em0    udp       K        0        0        0       inet from any to any port = 45000  queue filetransfer
  25  Pass     Out       em0    udp       K       10     2230        1       inet from any to any port = 50000  queue filetransfer
  26  Pass     Out       em0    tcp       K      435   199085       21       inet from any to any port = www  queue(web, ack)
  27  Pass     Out       em0    tcp       K       18     9244        1       inet from any to any port = https  queue(web, ack)
  28  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = smtp  queue(mail, ack)
  29  Pass     Out       em0    tcp       K       29     5176        1       inet from any to any port = pop3  queue(mail, ack)
  30  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = imap3  queue(mail, ack)
  31  Pass     Out       em0    tcp       K        0        0        0       inet from any to any port = imaps  queue(mail, ack)
  32  Pass     Out       em0    tcp       K       32     5261        1       inet from any to any port = pop3s  queue(mail, ack)
  33  Pass     Out       em0    icmp      K        0        0        0       inet all  queue(dns, ack)
  34  Pass     Out       em0    icmp      K        0        0        0       inet all  queue(dns, ack)
  35  Pass     In        em1    tcp                0        0        0       inet from any to any port = ssh flags S/FSRA
  36  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = domain
  37  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = ntp
  38  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = 45000
  39  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = 50000
  40  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = www
  41  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = https
  42  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = smtp
  43  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = pop3
  44  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = imap3
  45  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = imaps
  46  Pass     In        em1    tcp       K        0        0        0       inet from any to any port = pop3s
  47  Pass     In        em1    udp       K        0        0        0       inet from any to any port = domain
  48  Pass     In        em1    udp       K        0        0        0       inet from any to any port = ntp
  49  Pass     In        em1    udp       K        0        0        0       inet from any to any port = 45000
  50  Pass     In        em1    udp       K        0        0        0       inet from any to any port = 50000
  51  Pass     In        em0    icmp      K       18     1152        3       inet all
  52  Pass     In        em0    icmp      K        0        0        0       inet all
  53  Match    Out       em1    tcp                0        0        0       inet from any to any port = domain  queue i_dns
  54  Match    Out       em1    tcp                0        0        0       inet from any to any port = ntp  queue i_dns
  55  Match    Out       em1    udp                0        0        0       inet from any to any port = domain  queue i_dns
  56  Match    Out       em1    udp                0        0        0       inet from any to any port = ntp  queue i_dns
  57  Match    Out       em1    tcp                0        0        0       inet from any to any port = ssh  queue(i_ssh_bulk, i_ssh_login)
  58  Match    Out       em1    tcp                0        0        0       inet from any to any port = 45000  queue i_filetransfer
  59  Match    Out       em1    tcp                0        0        0       inet from any to any port = 50000  queue i_filetransfer
  60  Match    Out       em1    udp                0        0        0       inet from any to any port = 45000  queue i_filetransfer
  61  Match    Out       em1    udp                0        0        0       inet from any to any port = 50000  queue i_filetransfer
  62  Match    Out       em1    tcp                0        0        0       inet from any to any port = www  queue(i_web, i_ack)
  63  Match    Out       em1    tcp                0        0        0       inet from any to any port = https  queue(i_web, i_ack)
  64  Match    Out       em1    tcp                0        0        0       inet from any to any port = smtp  queue(i_mail, i_ack)
  65  Match    Out       em1    tcp                0        0        0       inet from any to any port = pop3  queue(i_mail, i_ack)
  66  Match    Out       em1    tcp                0        0        0       inet from any to any port = imap3  queue(i_mail, i_ack)
  67  Match    Out       em1    tcp                0        0        0       inet from any to any port = imaps  queue(i_mail, i_ack)
  68  Match    Out       em1    tcp                0        0        0       inet from any to any port = pop3s  queue(i_mail, i_ack)
  69  Match    Out       em1    icmp               0        0        0       inet all  queue(i_dns, i_ack)
  70  Match    Out       em1    icmp               0        0        0       inet all  queue(i_dns, i_ack)
Still nothing.
It might help to know the traffic i want to shape is not for any services, but client requested traffic. (e.g. Downloading OpenBSD_snapshots_i386-2011-04-14-0102.torrent) so that downloading said file wont hog everything else.
Reply With Quote
Old 14th April 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default

This is an attempt to describe the problem. Please keep in mind that I am focusing only on the internal interface:

The client initiates a connection, for example a DNS request to a nameserver. The destination port is port 53, the default port for DNS/domain. The source port is one randomly chosen above port 1023, say port 40000. So we have

Code:
client:40000 --> nameserver:53
pf sees this request and creates a state for this connection . That way it will automatically pass out the answer (internal interface) to the client :
Code:
nameserver:53 --> client:40000
The problem is that upon seeing the answer packet from the name server, pf will first consult the state table. In this case if finds a state, and allows the packet in, without evaluating the rule set at all. And thus will/can not assign the reply packet to a queue.

The suggestion to use "match" instead of "pass" is an attempt to decouple the queuing from the state creation logic.

BTW both the pass and now the match rules are not correct. They don't match the reply packets
Code:
Match Out em1 udp 0 0 0 inet from any to any port = domain  queue i_dns
This matches the incoming request
Code:
23:43:06.134763 192.168.222.20.41004 > 192.168.222.10.53: 
58162+ A? www.daemonforums.org. (38)
The reply uses port 53 as source port:
Code:
23:43:06.135727 192.168.222.10.53 > 192.168.222.20.41004:
 58162 1/0/0 A 94.142.245.224 (54)
So to queue the reply, this particular rule should be changed from
Code:
inet from any to any port = domain  queue i_dns
to
Code:
inet from any port = domain to any queue i_dns
I cannot test it here at this moment, but I am afraid you will have to use "no state" on the rules for the internal interface.
And the match rules need to moved up, so they will be evaluated before the stateless pass rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 21st June 2011
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

Hi, I've been away from pf for a while, but unless something in pf has changed in the more recent versions, the following should achieve what you're asking for.

Code:
###### Filter inbound $int_if

pass in on $int_if inet proto tcp \
  from ($int_if:network) to any port ssh \
     flags S/SAFR synproxy state \
        queue( i_ssh,i_ack )

#
# in this rule's context, 
# ($int_if:network) is far superior security than "any"
Assigning a QUEUE of that interface's own SCHEDULER on an INBOUND rule causes the RETURNING STATEFUL traffic to abide the SCHEDULER. Returning packets will, therefore, be queued on their egress on the inside interface.

The reason your pass out on $int_if ... queue(...) isn't working is because the packets already have state and NO FURTHER RULE PROCESSING IS PERFORMED ON THE PACKETS.

Repeat the mod's to all your inbound rules in your rule block.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Pf.conf issues afcelie OpenBSD Security 5 3rd January 2011 09:12 PM
Pf.conf erict35 OpenBSD Security 1 30th January 2010 10:19 PM
please check my pf.conf gosha OpenBSD Security 10 30th January 2009 12:32 AM
pf.conf lumiwa FreeBSD Security 11 20th September 2008 01:01 AM
difference between rc.conf and loader.conf disappearedng FreeBSD General 5 3rd September 2008 05:54 AM


All times are GMT. The time now is 10:18 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick