Date:      Mon, 29 Nov 2004 20:01:59 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: PF strange problem.
Message-ID:  <200411292002.10067.max@love2party.net>
In-Reply-To: <20041128235145.942843@mzk>
References:  <20041128235145.942843@mzk>


On Sunday 28 November 2004 22:51, mzk wrote:
> First, sorry for my English and sorry for my other mistakes, but this is my first
> post in a mailing list ever. :-) Today I understood my pf doesn't work
> properly. For each host of my network I have 4 rules, 2 out (from int_if)
> and 2 in, like:
>
> pass out quick on $int_if from <peering> to $host queue peering_host_in
> pass out quick on $int_if from any to $host queue host_in
> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports

Okay, first of all some generic notes:
1) Consider stateful rules. It will not only make the firewall faster but will
also make sure that all outgoing traffic of a "connection" is enqueued to the
same queue. This simplifies the ruleset a lot.
2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the table really
contains what you think it does.

> The problem is that the first `peering` rule works like the second one ->
> it passes everything from anyone using the peering_host_in queue. If I
> comment it out, the second rule works, but that's not the idea. So my
> international connection (the second rules) is overloaded and I could not
> make good QoS. I am using GENERIC with these options, added by me ->

I don't really get what you are saying here. Sorry. Can you try to rephrase,
please? Maybe you can also include the rules in question with match-counters:
"$pfctl -vvsr" and the queue stats: "$pfctl -vsq". Both are also good tools
for debugging the ruleset.

I hope these pointers help, and am really sorry that I don't fully understand
what the problem is.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
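As an added illustration of Max's first note (this is not code from the mail or from the original poster's ruleset), here is the quoted four-rule-per-host layout rewritten as two stateful rules. The names $int_if, $host, $ports, the <peering> table and the two queue names are taken from the quoted rules; the interface, addresses, table file, bandwidths and the CBQ queue layout are assumptions made for the example.

```pf
# Added example: stateful rewrite of the quoted per-host rules.
# int_if, host, ports, <peering> and the queue names come from the quoted mail;
# the interface name, address, table file and bandwidths below are assumptions.
int_if = "fxp0"
host   = "192.0.2.10"
ports  = "{ 80, 443 }"

# Assumed: peering prefixes are kept in a file so they can be reloaded without
# touching the ruleset (pfctl -t peering -T replace -f /etc/pf.peering).
table <peering> persist file "/etc/pf.peering"

# Assumed queue layout on the internal interface: traffic towards the host from
# peering networks gets its own child queue so that it never competes with the
# (smaller) international share.
altq on $int_if cbq bandwidth 10Mb queue { peering_host_in, host_in }
queue peering_host_in bandwidth 8Mb cbq(borrow)
queue host_in         bandwidth 2Mb cbq(default)

# Stateful rules: the state is created on the inbound (from $host) rule and
# carries the queue name, so the replies leaving on $int_if towards $host are
# placed in the same queue. The separate "pass out ... queue" rules of the
# original ruleset are therefore no longer needed. The <peering> rule is
# evaluated first and is "quick", so it wins for peering destinations.
pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports \
    keep state queue peering_host_in
pass in quick on $int_if proto { tcp, udp } from $host to any port $ports \
    keep state queue host_in
```

Two caveats for anyone adapting this: the rules only cover connections the host initiates, so connections opened from outside towards $host need their own stateful rule with a queue of their own; and the queue a packet ends up in is still decided by which rule created the state, so the checks from the mail stay the relevant ones: "pfctl -vv -t peering -T test <ip>" to confirm an address really is (or is not) in the table, "pfctl -vvsr" to see which rule's match counter grows, and "pfctl -vsq" to see which queue the bytes actually land in.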
