pf/altq, what's wrong


Post by UnixBird/P » Mon, 30 Jun 2003 05:19:50

Hi All!

My pf/altq rules do not seem to work and I can't find any errors.
Here is the background.

I have 512/512 kbit cable modem connection to Internet and 100Mbit
on internal side of the firewall. I want to prioritize shoutcast/mp3,
windows media services, icq messages and udp traffic higher than ftp
and http bulk downloads and other tcp traffic. Additionally, I want
ssh and tcp ack packets to have highest priority. More, I want to

Here are my rules.

# /etc/pf.conf

lo_if="lo0"
ext_if="rl0"
ext_net="x.x.246.0/23"
ext_broadcast="x.x.247.255"
ext_dhcpserver_ip="x.x.246.250"
int_if="rl1"
int_ip="192.168.240.254"
int_net="192.168.240.0/24"
int_server21_ip="192.168.240.21"

##################################################################

table <reserved_ip> persist file "/etc/reserved_ips"

##################################################################

set loginterface rl0
set optimization aggressive
set block-policy drop

##################################################################

scrub in all

##################################################################

altq on $ext_if cbq bandwidth 512Kb queue { ext_def, ext_med, ext_hi }
 queue ext_def bandwidth 275Kb priority 1 cbq(default,borrow)
 queue ext_med priority 4
 queue ext_hi  priority 5

altq on $int_if cbq bandwidth 100Mb queue { int_lan, int_inet }
    queue int_lan priority 1 { int_lan_def, int_lan_med, int_lan_hi }
        queue int_lan_def  priority 1
        queue int_lan_med  priority 4 cbq(red)
        queue int_lan_hi   priority 7
    queue int_inet priority 3 bandwidth 500Kb { int_inet_hi, \
            int_inet_med, int_inet_def }
        queue int_inet_hi  priority 7
        queue int_inet_med priority 4 cbq(red)
        queue int_inet_def bandwidth 250Kb priority 1 \
            cbq(default,borrow)

##################################################################

# translate outgoing internal ips to external ip
nat on $ext_if from $int_net to any -> ($ext_if) static-port

##################################################################

# block ipv6 packets
block inet6 all

# block reserved address ranges
block quick on $ext_if from <reserved_ip> to any
block quick on $ext_if from any           to <reserved_ip>

# by default block and log any packet on external interface
block log on $ext_if all

# by default block and log any packet on internal interface
block return log on $int_if all

# block and log outgoing packets that do not have our address as source,
# they are either spoofed or something is misconfigured (NAT disabled
# for instance) we want to be nice and do not send out garbage.
block out log quick on $ext_if inet from ! ($ext_if) to any

# block outside noise
block in quick on $ext_if proto udp from 0.0.0.0/32 port 68 to \
    255.255.255.255 port 67
block in quick on $ext_if proto udp from $ext_net port 68 to \
    { $ext_broadcast, 255.255.255.255 } port 67
block in quick on $ext_if proto udp from $ext_net port 138 to \
    $ext_broadcast port 138

# block destination unreachable outward
block out quick on $ext_if inet proto icmp all icmp-type 3

# allow dhcp requests from this host to external dhcp server
pass in  quick on $ext_if inet proto udp from $ext_dhcpserver_ip \
    port 67 to ($ext_if) port 68 keep state
pass out quick on $ext_if proto udp from ($ext_if) port 68 to \
    $ext_dhcpserver_ip port 67 keep state

# allow ping requests outward
pass in  quick on $int_if proto icmp from $int_net  to any icmp-type 8 \
    keep state queue int_lan_med
pass out quick on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type 8 keep state queue ext_med

# allow ssh from internal hosts to internal ip
pass in  quick on $int_if proto tcp from $int_net port >1023 \
    to $int_ip port 22 flags S/SA modulate state \
    queue (int_lan_med, int_lan_hi)

# allow ftp traffic outward
pass in  quick on $int_if proto tcp from $int_net port >1023 to any \
    port 21 flags S/SA modulate state queue (int_inet_med, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
    to any port 21 flags S/SA modulate state queue (ext_med, ext_hi)

# allow dns queries from this host to server21
pass out quick on $int_if inet proto udp from $int_ip port >1023 \
    to $int_server21_ip port 53 keep state queue int_lan_med

# allow dns queries from server21 to external dns servers
pass in  quick on $int_if proto udp from $int_server21_ip port >1023 \
    to any port 53 keep state queue int_inet_med
pass out quick on $ext_if inet proto udp from ($ext_if) port >1023 \
    to any port 53 keep state queue ext_med

# allow ntp outward
pass in  quick on $int_if proto udp from $int_server21_ip port 123 \
    to any port 123 keep state queue int_inet_med
pass out quick on $ext_if inet proto udp from ($ext_if) port 123 \
    to any port 123 keep state queue ext_med

# allow web outward
pass in  quick on $int_if proto tcp from $int_net  port >1023 to any \
    port { 80, 443 } flags S/SA modulate state \
    queue (int_inet_def, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
    to any port { 80, 443 } flags S/SA modulate state \
    queue (ext_def, ext_hi)

# allow news outward
pass in  quick on $int_if proto tcp from $int_net  port >1023 to \
    any port 119 flags S/SA modulate state \
    queue (int_inet_def, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
    to any port 119 flags S/SA modulate state queue (ext_def, ext_hi)

# allow pop3 and smtp outward
pass in  quick on $int_if proto tcp from $int_net  port >1023 to any \
    port { 25, 110 } flags S/SA modulate state \
    queue (int_inet_def, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
    to any port { 25, 110 } flags S/SA modulate state \
    queue (ext_def, ext_hi)

# icq
pass in  quick on $int_if proto tcp from $int_net  port >1023 to any \
    port 5190 flags S/SA modulate state \
    queue (int_inet_med, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 \
    to any port 5190 flags S/SA modulate state queue (ext_med, ext_hi)

# wma and shoutcast
pass in  quick on $int_if proto tcp from $int_net  port >1023 to \
    any port { 1754 >< 1757, 7999 >< 9000 } flags S/SA modulate state \
    queue (int_inet_med, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 to \
    any port { 1754 >< 1757, 7999 >< 9000 } flags S/SA modulate state \
    queue (ext_med, ext_hi)

# allow other traffic outward
pass in quick on $int_if proto tcp from $int_net port >1023 to \
    any port { 20, >1023 } flags S/SA modulate state \
    queue (int_inet_def, int_inet_hi)

pass in quick on $int_if proto udp from $int_net  port >1023 to any \
    port >1023 keep state queue int_inet_med

pass out quick on $ext_if inet proto tcp from ($ext_if) port >1023 to \
    any port { 20, >1023 } flags S/SA modulate state queue (ext_def, ext_hi)

pass out quick on $ext_if inet proto udp from ($ext_if) port >1023 to \
    any port >1023 keep state queue ext_med

# /etc/pf.conf END

I basically have 3 levels of priority. I split 100 Mbit on the internal
interface into 512 kbits for internet traffic and the rest for internal
traffic. I don't want ftp and http traffic to use more than 250 kbits
of 512 when there is shoutcast or wma traffic present, but do get the full
512 otherwise.

The problem is that the bulk traffic never gets more than 250 kbits when
there is no other traffic, despite the "borrow" word.

What should I do?

With regards.
UnixBird/PS
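One check worth running over a queue block like the one above before loading it, as an added example that is not code from the post or from pf/pfctl: a small Python script that joins pfctl-style backslash continuation lines, builds the CBQ queue tree per interface, and reports which queues carry an explicit bandwidth allocation, which may borrow unused bandwidth from their parent, whether a child's (or the children's combined) explicit allocation exceeds the parent's, whether each interface has exactly one default queue, and whether every queue a pass rule assigns is defined on that rule's interface and is a leaf. The embedded config is a constructed excerpt of the posted rules with one deliberately wrong rule appended (a queue defined under $int_if assigned on $ext_if) to exercise the last check; the unit table (K = 1000) follows pf's decimal bandwidth units. It is a pre-flight aid beside `pfctl -n -f`, not a substitute for it.

```python
"""Static checker for a pf.conf ALTQ/CBQ queue tree (added example, not from the post)."""
import re

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

# Constructed excerpt modelled on the posted pf.conf. The last pass rule is a
# deliberate mistake (queue defined under $int_if, used on $ext_if) for the checker.
SAMPLE_CONF = r"""
ext_if="rl0"
int_if="rl1"
altq on $ext_if cbq bandwidth 512Kb queue { ext_def, ext_med, ext_hi }
 queue ext_def bandwidth 275Kb priority 1 cbq(default,borrow)
 queue ext_med priority 4
 queue ext_hi  priority 5
altq on $int_if cbq bandwidth 100Mb queue { int_lan, int_inet }
    queue int_lan priority 1 { int_lan_def, int_lan_hi }
        queue int_lan_def  priority 1
        queue int_lan_hi   priority 7
    queue int_inet priority 3 bandwidth 500Kb { int_inet_hi, \
            int_inet_def }
        queue int_inet_hi  priority 7
        queue int_inet_def bandwidth 250Kb priority 1 \
            cbq(default,borrow)
pass in  quick on $int_if proto tcp from any to any port 80 \
    flags S/SA modulate state queue (int_inet_def, int_inet_hi)
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 80 \
    flags S/SA modulate state queue (ext_def, ext_hi)
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 53 \
    keep state queue int_inet_hi
"""


def parse_bw(token):
    """'512Kb' -> 512000 bit/s; pf's bandwidth prefixes are decimal (K = 1000)."""
    m = re.fullmatch(r"(\d+)(Gb|Mb|Kb|b)", token)
    if not m:
        raise ValueError("unrecognised bandwidth spec: " + token)
    return int(m.group(1)) * UNITS[m.group(2)]


def logical_lines(text):
    """Join backslash-continued lines and drop blank and comment lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def parse_conf(text):
    """Build {roots: per-interface altq, queues: named queues, rules: (iface, [queues])}."""
    queues, roots, rules, iface = {}, {}, [], None
    for ln in logical_lines(text):
        if re.fullmatch(r'\w+="[^"]*"', ln):
            continue  # macro definitions: the macro names alone are enough here
        m = re.match(r"altq on \$?(\w+) cbq bandwidth (\S+) queue \{([^}]*)\}", ln)
        if m:
            iface = m.group(1)
            roots[iface] = {"bw": parse_bw(m.group(2)),
                            "children": [c.strip() for c in m.group(3).split(",")]}
            continue
        m = re.match(r"queue (\w+)(.*)", ln)
        if m:  # queue lines belong to the most recent altq interface
            name, rest = m.groups()
            bw = re.search(r"bandwidth (\S+)", rest)
            kids = re.search(r"\{([^}]*)\}", rest)
            flags = re.search(r"cbq\(([^)]*)\)", rest)
            queues[name] = {
                "iface": iface,
                "bw": parse_bw(bw.group(1)) if bw else None,
                "children": [c.strip() for c in kids.group(1).split(",")] if kids else [],
                "flags": set(flags.group(1).split(",")) if flags else set(),
            }
            continue
        if ln.startswith("pass"):
            on = re.search(r"\bon \$?(\w+)", ln)
            q = re.search(r"\bqueue \(?([\w, ]+)\)?\s*$", ln)
            if on and q:
                rules.append((on.group(1), [n.strip() for n in q.group(1).split(",")]))
    return {"queues": queues, "roots": roots, "rules": rules}


def check(cfg):
    """Return a list of human-readable findings about the tree and rule references."""
    findings, parent_of = [], {}
    for iface, root in cfg["roots"].items():
        for c in root["children"]:
            parent_of[c] = ("<altq on %s>" % iface, root["bw"])
    for name, q in cfg["queues"].items():
        for c in q["children"]:
            parent_of[c] = (name, q["bw"])
    for name, q in cfg["queues"].items():
        pname, pbw = parent_of.get(name, ("?", None))
        if q["bw"] is None:
            findings.append(f"{name}: no explicit bandwidth (child of {pname})")
        elif pbw is not None and q["bw"] > pbw:
            findings.append(f"{name}: {q['bw']} bit/s exceeds parent {pname} ({pbw})")
        if "borrow" in q["flags"] and pbw is not None:
            findings.append(f"{name}: may borrow unused bandwidth from parent {pname} ({pbw} bit/s)")
        explicit = sum(cfg["queues"][c]["bw"] or 0 for c in q["children"] if c in cfg["queues"])
        if q["bw"] is not None and explicit > q["bw"]:
            findings.append(f"{name}: children allocate {explicit} > parent {q['bw']}")
    for iface in cfg["roots"]:
        defaults = [n for n, q in cfg["queues"].items()
                    if q["iface"] == iface and "default" in q["flags"]]
        if len(defaults) != 1:
            findings.append(f"{iface}: expected exactly one default queue, found {defaults}")
    for iface, names in cfg["rules"]:
        for n in names:
            q = cfg["queues"].get(n)
            if q is None:
                findings.append(f"rule on {iface}: queue {n} is not defined")
            elif q["iface"] != iface:
                findings.append(f"rule on {iface}: queue {n} is defined on {q['iface']}, not {iface}")
            elif q["children"]:
                findings.append(f"rule on {iface}: queue {n} is not a leaf queue")
    return findings


if __name__ == "__main__":
    for line in check(parse_conf(SAMPLE_CONF)):
        print(line)
```

The output makes the allocation tree explicit: every queue without a `bandwidth` keyword is listed against its parent, each `borrow` queue is shown with the parent allocation it can draw from, and the appended bad rule is flagged because `int_inet_hi` lives under the `$int_if` altq, not `$ext_if`. Pointing the script at a full pf.conf only requires replacing `SAMPLE_CONF` with the file's contents.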


pf/altq, what's wrong

Post by UnixBird/P » Mon, 30 Jun 2003 05:28:20


Oops, "More, I want to" is not supposed to be in the post.

UnixBird/PS