To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
or, via email, send a message with subject or body 'help' to
freebsd-p...@freebsd.org
You can reach the person managing the list at
freebsd-...@freebsd.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-pf digest..."
Today's Topics:
1. trying to figure out how to altq single interface.. (B. Cook)
2. Current problem reports assigned to freeb...@FreeBSD.org (FreeBSD bugmaster)
----------------------------------------------------------------------
Message: 1
Date: Sun, 29 Nov 2009 10:20:11 -0500
From: "B. Cook" <bc...@poughkeepsieschools.org>
Subject: trying to figure out how to altq single interface..
To: freeb...@freebsd.org
Message-ID: <4B12912B...@poughkeepsieschools.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
I'm trying to set up a valid test case on a single machine running
FreeBSD 8.0R (amd64 and i386).
Seems all of the pf/altq examples assume that FreeBSD is the router, and
you are working with more than one interface.
I am trying to shape my traffic on a per physical server basis on a
*single* interface where the NAT is performed elsewhere.
I understand the logic that you can only queue outgoing.
My goal is to have full bandwidth for the local network (interface
speed) with ack priq if possible - and - have queues for services when
the "not local network" users access them.
There are ASA devices further up the line from me which I have no
control over; they are providing NAT..
we have a large private network (10.20.0.0/18) but we have some machines
that serve the public as well as the LAN.
(feel free to interject reality into my logic where need be.. )
here is what I have come up with as far as altq/queues is concerned:
pfctl -sq
queue root_bge0 on bge0 bandwidth 1Mb priority 0 cbq( wrr root ) {idef, iack, http, dns, mua, icmp, smtp, ssh}
queue idef on bge0 bandwidth 100Kb cbq( borrow default )
queue iack on bge0 bandwidth 100Kb priority 7 cbq( borrow )
queue http on bge0 bandwidth 800Kb priority 5 cbq( borrow )
queue dns on bge0 bandwidth 200Kb priority 6 cbq( borrow )
queue mua on bge0 bandwidth 800Kb priority 2 cbq( borrow )
queue icmp on bge0 bandwidth 50Kb priority 6
queue smtp on bge0 bandwidth 500Kb cbq( borrow )
queue ssh on bge0 bandwidth 100Kb priority 6 cbq( borrow ) {scp, term}
queue scp on bge0 bandwidth 80Kb priority 0
queue term on bge0 bandwidth 20Kb priority 7
(or if it matters - directly from pf.conf.local)
altq on $ext_if cbq bandwidth 1Mb queue { idef, iack, http, dns, mua, icmp, smtp, ssh }
queue idef bandwidth 10% cbq(default borrow)
queue iack bandwidth 10% cbq(borrow) priority 7
queue http bandwidth 80% cbq(borrow) priority 5
queue dns bandwidth 20% cbq(borrow) priority 6
queue mua bandwidth 80% cbq(borrow) priority 2
queue icmp bandwidth 5% priority 6
queue smtp bandwidth 50% cbq(borrow) priority 1
queue ssh bandwidth 10% cbq(borrow) priority 6 { scp, term }
queue scp bandwidth 80% priority 0
queue term bandwidth 20% priority 7
My question(s) are:
When do I apply things to pass in and when do I apply to pass out?
It seems when I don't apply a queue rule to a pass in/out rule the
default kicks in, which is fine; but why does it 'queue on inbound' when
it can only 'queue on outbound'? - is keeping state what is altering that?
pfctl -sr | cat -n
1 scrub in all no-df random-id fragment reassemble
2 block return in log all
3 block return in log quick from <blocksshd> to any
4 pass out on bge0 inet proto icmp from (bge0) to any keep state queue icmp
5 pass out on bge0 inet proto udp from (bge0) to any port = domain keep state queue dns
6 pass out on bge0 inet proto udp from (bge0) to any port = ntp keep state queue dns
7 pass out on bge0 inet proto udp from (bge0) to any port = snmp keep state queue dns
8 pass out on bge0 inet proto tcp from (bge0) to any port = ssh flags S/SA keep state queue(scp, term)
9 block drop in log quick on ! bge0 inet from 10.20.0.0/25 to any
10 block drop in log quick inet from 10.20.0.5 to any
11 block drop in log quick inet from 10.20.0.4 to any
12 block drop in log quick inet from 10.20.0.19 to any
13 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = domain keep state queue dns
14 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = ntp keep state queue dns
15 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = snmp keep state queue dns
16 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = syslog keep state queue dns
17 pass in quick on bge0 inet proto udp from any to 10.20.0.19 port = domain keep state queue dns
18 pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = smtp flags S/SA keep state
19 pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = rsync flags S/SA keep state
20 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = ssh flags S/SA keep state queue(scp, term)
21 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = http flags S/SA keep state queue(http, iack)
22 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = https flags S/SA keep state queue(http, iack)
23 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2359 flags S/SA keep state queue(http, iack)
24 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2812 flags S/SA keep state queue(http, iack)
25 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = domain keep state
26 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = ntp keep state
27 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = snmp keep state
28 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = syslog keep state
29 pass in quick on bge0 inet proto icmp from any to (bge0) icmp-type echoreq code 0 keep state
All of these rules might not quite be valid public services, but I was
looking for real services that I could test with.
Also afaict FreeBSD 8 is running with (approximately) version 4.1 of
OpenBSD's PF; is that correct? Assumed from pftop compile output of:
cc -O2 -pipe -DHAVE_ALTQ=1 -fno-strict-aliasing -Wall -DOS_LEVEL=41
-std=gnu99 -fstack-protector -c pftop.c
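A pf.conf layout for the single-interface case described in the message above, added here as an example; it is not part of the original post or of FreeBSD's own configuration. It relies on two pf facts: ALTQ only dequeues packets leaving the interface the altq is declared on, and the queue named on a rule that creates state is recorded in that state, so a "pass in ... keep state queue(...)" rule for a connection to a local server shapes the server's replies as they leave bge0 (with two queues, empty TCP ACKs and TOS lowdelay packets use the second one). It goes beyond the posted config in one respect: the root queue is set to the interface speed and the public-facing queues live under a non-borrowing child capped at the uplink rate, so LAN replies in the default queue are not held to 1Mb. The interface, the 1Mb uplink, 10.20.0.0/18 and 10.20.0.5 are taken from the post; the 100Mb link speed, the queue names and the assumption that public users reach the server with source addresses outside 10.20.0.0/18 (rather than being source-NATed by the ASAs into that range) are assumptions made for the example.

```pf
# Added example, not from the original post. Shape only the replies that
# public (NATed) users pull from a server on a single interface, while LAN
# traffic keeps the full link.
ext_if   = "bge0"
localnet = "10.20.0.0/18"        # the private network from the post
web_srv  = "10.20.0.5"           # server from the post
link_bw  = "100Mb"               # ASSUMED physical speed of $ext_if
wan_bw   = "1Mb"                 # uplink rate behind the ASAs, as in the post

set skip on lo0

# ALTQ only dequeues packets leaving $ext_if, so every queue below shapes
# what the server transmits. The root is the interface speed, not the
# uplink rate; a 1Mb root would cap LAN replies at 1Mb as well.
altq on $ext_if cbq bandwidth $link_bw queue { lan, wan }

# Default queue: replies to LAN clients and anything not assigned explicitly.
queue lan bandwidth 99% cbq(default borrow)

# Non-borrowing subtree capped at the uplink rate. Children may borrow
# from "wan" but never exceed it; keep sibling shares at 100% of the parent.
queue wan bandwidth $wan_bw { pub_std, pub_ack, pub_http, pub_ssh }
  queue pub_std  bandwidth 10% priority 1 cbq(borrow)
  queue pub_ack  bandwidth 10% priority 7 cbq(borrow)   # empty ACKs, lowdelay
  queue pub_http bandwidth 60% priority 5 cbq(borrow)
  queue pub_ssh  bandwidth 20% priority 6 cbq(borrow) { pub_scp, pub_term }
    queue pub_scp  bandwidth 80% priority 0
    queue pub_term bandwidth 20% priority 7

block in log all

# Traffic the server itself originates: stateful, default queue.
pass out on $ext_if keep state

# LAN clients: no queue keyword, so the state (and the replies) use "lan".
pass in quick on $ext_if inet proto tcp from $localnet to $web_srv \
    port { http, https, ssh, smtp } flags S/SA keep state

# Everyone else (assumed to arrive with a non-10.20.0.0/18 source). The
# queue names are stored in the state created here, so the server's
# outbound replies are what actually gets queued; the second queue
# receives empty TCP ACKs and TOS lowdelay packets.
pass in quick on $ext_if inet proto tcp from ! $localnet to $web_srv \
    port { http, https } flags S/SA keep state queue(pub_http, pub_ack)
pass in quick on $ext_if inet proto tcp from ! $localnet to $web_srv \
    port ssh flags S/SA keep state queue(pub_scp, pub_term)
pass in quick on $ext_if inet proto tcp from ! $localnet to $web_srv \
    port smtp flags S/SA keep state queue(pub_std, pub_ack)
```

Check it with "pfctl -nf /path/to/pf.conf" before loading, then watch "pfctl -vsq" while pulling a file from the server once from a LAN address and once from outside: the per-queue packet counters show which queue the replies landed in. If the ASAs rewrite public sources into 10.20.0.0/18, the "! $localnet" match will not see them, and the distinction has to be made on whatever address or interface the NAT device presents instead.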
------------------------------
Message: 2
Date: Mon, 30 Nov 2009 11:06:58 GMT
From: FreeBSD bugmaster <bugm...@FreeBSD.org>
Subject: Current problem reports assigned to freeb...@FreeBSD.org
To: freeb...@FreeBSD.org
Message-ID: <200911301106....@freefall.freebsd.org>
Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.
S Tracker Resp. Description
--------------------------------------------------------------------------------
o kern/140697 pf [pf] pf behaviour changes - must be documented
o kern/137982 pf [pf] when pf can hit state limits, random IP failures
o kern/136781 pf [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948 pf [pf] [gre] pf not natting gre protocol
o kern/135162 pf [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996 pf [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732 pf [pf] max-src-conn issue
o kern/132769 pf [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176 pf [pf] pf stalls connection when using route-to [regress
o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861 pf [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920 pf [pf] ipv6 and synproxy don't play well together
o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439 pf [pf] deadlock in pf
f kern/127345 pf [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121 pf [pf] [patch] pf incorrect log priority
o kern/127042 pf [pf] [patch] pf recursion panic if interface group is
o kern/125467 pf [pf] pf keep state bug while handling sessions between
s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364 pf [pf] [panic] Kernel panic with pf + bridge
o kern/122773 pf [pf] pf doesn't log uid or pid when configured to
o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704 pf [pf] PF mangles loopback packets
o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr
o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355 pf [pf] [patch] pfctl(8) help message options order false
o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c
o kern/114095 pf [carp] carp+pf delay with high state limit
o kern/111220 pf [pf] repeatable hangs while manipulating pf tables
s conf/110838 pf [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283 pf pfsync fails to sucessfully transfer some sessions
o kern/103281 pf pfsync reports bulk update failures
o kern/93825 pf [pf] pf reply-to doesn't work
o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s
o kern/92949 pf [pf] PF + ALTQ problems with latency
o bin/86635 pf [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271 pf [pf] cbq scheduler cause bad latency
37 problems total.
------------------------------
End of freebsd-pf Digest, Vol 271, Issue 1
******************************************