Question regarding ALTQ
Hello,
I am running a FBSD 7 firewall @ home connected to a DSL line which I share with my wife. One of the main problems that I have encountered is that when my wife surfs the internet my online gaming screeches to a halt until the page has loaded, and by that time I've been pwned. I was thinking about using ALTQ to prioritize the traffic and after checking out Daniel Hartmeier's page on "Prioritizing empty TCP ACKs" (http://www.benzedrine.cx/ackpri.html) I came up with the variation of his rule set.

Code:
ext_if="tun0"
cod_ports = "{28960:29000}"

altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def, q_cod, q_domain, q_ssh }
queue q_pri priority 10
queue q_cod priority 9
queue q_domain priority 8
queue q_ssh priority 7
queue q_def priority 1 priq(default)

pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep state queue (q_def, q_pri)

pass out on $ext_if proto udp from $ext_if to any port $cod_ports modulate state queue q_cod
pass in on $ext_if proto udp from any to $ext_if port $cod_ports modulate state queue q_cod

pass out on $ext_if proto tcp from $ext_if to any port domain flags S/SA keep state queue q_domain
pass in on $ext_if proto tcp from any to $ext_if port domain flags S/SA keep state queue q_domain
pass out on $ext_if proto udp from $ext_if to any port domain modulate state queue q_domain
pass in on $ext_if proto udp from any to $ext_if port domain modulate state queue q_domain

pass out on $ext_if proto tcp from $ext_if to any port ssh flags S/SA keep state queue q_ssh
pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state queue q_ssh

1) Can you specify a range of ports in a macro e.g. cod_ports = "{28960:29000}"?
2) Will the rest of the priority queues even come in to play or will the first priority queue override the rest?

Thanks
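Question 2 comes down to how priq schedules: it is a strict-priority discipline, so the interface always sends from the highest-priority queue that has a backlog, and a lower queue only gets the link while every queue above it is empty. The following simulation is an added example (not code from this thread, from pf, or from Daniel Hartmeier's page) that replays a constructed burst of packets through the post's own queue set (q_pri 10, q_cod 9, q_domain 8, q_ssh 7, q_def 1) on the 400Kb link from the altq line, and compares the departure times with plain FIFO. Packet sizes and labels are constructed for the illustration.

```python
"""Strict-priority (priq) scheduler simulation.

Models PF's priq discipline: on every dequeue the highest-priority
non-empty queue wins, so lower queues are served only while all higher
queues are empty.  The queue names and priorities are those declared in
the post; packet sizes are constructed sample values.
"""
from collections import deque
from dataclasses import dataclass

LINK_KBIT = 400  # bandwidth of the altq line in the post (kbit/s)

# priorities copied from the queue definitions in the post
QUEUE_PRIORITY = {"q_pri": 10, "q_cod": 9, "q_domain": 8, "q_ssh": 7, "q_def": 1}


@dataclass
class Packet:
    queue: str   # queue the pf rule assigned the packet to
    size: int    # bytes on the wire
    label: str   # descriptive tag used only for reporting


class PriqScheduler:
    """Strict priority: the highest-priority non-empty queue always wins."""

    def __init__(self, priorities):
        self.priorities = priorities
        self.queues = {name: deque() for name in priorities}
        # queues ordered from highest to lowest priority, computed once
        self._order = sorted(priorities, key=priorities.get, reverse=True)

    def enqueue(self, pkt):
        if pkt.queue not in self.queues:
            # pf rejects a ruleset that names an undeclared queue at load time
            raise ValueError(f"rule references undeclared queue {pkt.queue!r}")
        self.queues[pkt.queue].append(pkt)

    def dequeue(self):
        for name in self._order:
            if self.queues[name]:
                return self.queues[name].popleft()
        return None

    def drain(self):
        """Send everything; return (label, departure time in ms) per packet."""
        clock_ms = 0.0
        departures = []
        while (pkt := self.dequeue()) is not None:
            clock_ms += pkt.size * 8 / LINK_KBIT  # bits / (kbit/s) == ms
            departures.append((pkt.label, round(clock_ms, 1)))
        return departures


def fifo_drain(packets):
    """Same link with no queueing discipline: packets leave in arrival order."""
    clock_ms = 0.0
    departures = []
    for pkt in packets:
        clock_ms += pkt.size * 8 / LINK_KBIT
        departures.append((pkt.label, round(clock_ms, 1)))
    return departures


def sample_burst():
    """Constructed burst: three browser upload segments arrive first and land
    in q_def, then a game UDP packet, a TCP ACK for an inbound download and
    a DNS query arrive behind them."""
    burst = [Packet("q_def", 1500, f"http-upload-{i}") for i in range(3)]
    burst += [Packet("q_cod", 120, "cod-udp"),
              Packet("q_pri", 40, "tcp-ack"),
              Packet("q_domain", 60, "dns-query")]
    return burst


def simulate_priq():
    sched = PriqScheduler(QUEUE_PRIORITY)
    for pkt in sample_burst():
        sched.enqueue(pkt)
    return sched.drain()


def simulate_fifo():
    return fifo_drain(sample_burst())


if __name__ == "__main__":
    print("priq:", simulate_priq())
    print("fifo:", simulate_fifo())
```

With priq the ACK leaves after 0.8 ms and the game packet after 3.2 ms, while the three 1500-byte upload segments are pushed back to 34.4, 64.4 and 94.4 ms; under FIFO the same ACK waits behind the uploads until 93.2 ms. So the lower queues do come into play, but only once the queues above them are empty; because ACKs and game packets are tiny, q_pri and q_cod drain almost instantly and q_def still gets nearly all of the link.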
Thanks for the suggestions. I've implemented points #1, #2, and #4.
I'm not sure about #3 because it contradicts Daniel's page http://www.benzedrine.cx/ackpri.html unless I'm missing something? Also, when I implement the rule set and use pfctl -s rules, the macro is not expanded?

# pfctl -sr
pass out on tun0 inet proto tcp from 196.2.19.32 to any flags S/SA keep state queue(q_def, q_pri)
pass in on tun0 inet proto tcp from any to 196.2.19.32 flags S/SA keep state queue(q_def, q_pri)
pass out quick on tun0 inet proto udp from 196.2.19.32 to any port 28960:29000 keep state queue q_cod
pass in quick on tun0 inet proto udp from any to 196.2.19.32 port 28960:29000 keep state queue q_cod
Yeah, I may be making a slight 'thinking error' there, because, at first sight, outgoing TCP ACKs are only caused by incoming TCP packets, so it would only be necessary to associate the TCP ACK queue with incoming TCP connection rules.
But, of course, when making an outbound TCP connection (like an interactive ssh session), you will have to reply to return traffic with ACKs as well, and those are also outbound TCP ACKs. So yes, put those double queues on the inbound and outbound TCP rules.
Quote:
cod_ports = "{28960:29000}"

port $cod_ports = port 28960:29000 (using macros doesn't always mean shorter syntax)