From owner-freebsd-pf@FreeBSD.ORG Tue Nov 30 14:25:43 2004
From: mzk <mzk@anti-offline.net>
To: freebsd-pf@freebsd.org
Date: Tue, 30 Nov 2004 16:27:53 +0200
Subject: Re: PF strange problem.
Message-ID: <20041130162753.312353@mzk>
In-Reply-To: <200411292002.10067.max@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf)

> On Sunday 28 November 2004 22:51, mzk wrote:
>> First, sorry for my English and sorry for my other mistakes, but that is
>> my first post in a mailing list ever. :-) Today I understood my pf
>> doesn't work properly.
>> For each host of my network I have 4
>> rules, 2 out (from int_if) and 2 in, like:
>>
>> pass out quick on $int_if from <peering> to $host queue peering_host_in
>> pass out quick on $int_if from any to $host queue host_in
>> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
>> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports
>>
>
> Okay, first of all some generic notes:
> 1) Consider stateful rules. It will not only make the firewall
> faster but will also make sure that all outgoing traffic of a
> "connection" is enqueued to the same queue. This simplifies the
> ruleset a lot.
> 2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the
> table really contains what you think it does.

I tried these notes, thanks!
1) Stateful rules should speed up my firewall.
2) I understood my peering table (pf actually) works correctly.

>
>> The problem is that the first `peering` rule works like the
>> second one -> it passes everything from anyone using the
>> peering_host_in queue. If I comment it out, the second rule works,
>> but that's not the idea. So my international connection (the
>> second rules) is overloaded and I could not make good QoS. I am
>> using GENERIC with these options, added by me ->
>>
>
> I don't really get what you are saying here. Sorry. Can you try to
> rephrase, please? Maybe you can also include the rules in question
> with match-counters: "$pfctl -vvsr" and the queue stats: "$pfctl -vsq".
> Both are also good tools for debugging the ruleset.

The upper supposition is almost wrong. I found the problem, which was: my
peering table consists of hundreds of networks. One of these networks is
mine.
When ftp-proxy is running (so I can run ftp for my users), it runs with a
`peering` ip (the ip of the internal interface or some other router interface
ip), so a client of my network does not actually download from the ftp host
somewhere in the net, it downloads from the router's internal interface ip.
For the router's internal ip I have no queue definitions, no shape.
Therefore everybody can download without speed limit from ftp sites. ;)

>
> I hope these pointers help, and am really sorry that I don't fully
> understand what the problem is.

These pointers were very very useful for me! Thank you! I have to get some
English courses ;)
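A pf.conf sketch, added here as an illustration and not taken from either post in the thread, of the stateful rewrite Max suggests together with a rule that catches ftp-proxy's traffic before the <peering> rule can claim it. Interface name, addresses, bandwidths, the table file and the port list are constructed for the example.

```pf
# Added example (not from either post in this thread). Interface name,
# addresses, bandwidths, the table file and the port list are constructed.
int_if = "fxp1"
host   = "192.168.1.10"       # one client; the original has a $host per client
ports  = "{ 21, 80, 443 }"    # stands in for the original $ports list

# Peering networks. One of them contains the router's own addresses,
# which is what let ftp-proxy traffic slip into the peering queue.
# Membership can be checked with: pfctl -vv -t peering -T test <address>
table <peering> persist file "/etc/pf.peering"

altq on $int_if cbq bandwidth 10Mb queue { std, peering_host_in, host_in }
queue std             bandwidth 1Mb   cbq(default)
queue peering_host_in bandwidth 6Mb
queue host_in         bandwidth 512Kb

# ftp-proxy hands the data to the client from the router's internal
# address, so the real origin is no longer visible to pf. Shape it as
# international traffic (the conservative choice). Because of "quick",
# this rule must come BEFORE the <peering> rule, or that one matches first.
pass out quick on $int_if inet from ($int_if) to $host keep state queue host_in

# Traffic towards the client, one stateful rule per queue.
pass out quick on $int_if inet from <peering> to $host keep state queue peering_host_in
pass out quick on $int_if inet from any to $host keep state queue host_in

# Client-initiated connections. keep state matches the reply packets, so
# every packet of the connection lands in the queue chosen here.
pass in quick on $int_if inet proto { tcp, udp } from $host to <peering> port $ports keep state queue peering_host_in
pass in quick on $int_if inet proto { tcp, udp } from $host to any port $ports keep state queue host_in
```

After loading, `pfctl -vvsr` shows per-rule match counters and `pfctl -vsq` the per-queue byte counts, which is how a download through ftp-proxy can be seen landing in the intended queue.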