From owner-freebsd-pf@FreeBSD.ORG Thu Mar 26 13:23:27 2009
From: Алексей <alexiy@mail.kar.net>
To: freebsd-pf@freebsd.org
Date: Thu, 26 Mar 2009 15:06:15 +0200
Message-ID: <49CB7DC7.3090500@mail.kar.net>
Subject: nat and filtering rules
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I'm running FreeBSD 7.1-RC1 and Packet Filter as the firewall. I have the following setup: a LAN using a private address range behind the gateway that is doing NAT.
I want to use PF with ALTQ on the gateway to limit bandwidth by IP address for the computers in the LAN. Here are the relevant parts of the configuration file:

##############################
# Translation                #
##############################

nat on $ext_if from $internal_net to any -> ($ext_if)

##############################
# Queueing                   #
##############################

# Download...
altq on $int_if cbq bandwidth 10Mb queue { me_d, comp_d, mach_d, dd }
queue comp_d bandwidth 2Mb cbq
queue me_d   bandwidth 5Mb cbq(borrow)
queue mach_d bandwidth 2Mb cbq
queue dd     bandwidth 1Mb cbq(default borrow)

# Upload...
altq on $ext_if cbq bandwidth 10Mb queue { me_u, comp_u, mach_u, du }
queue comp_u bandwidth 2Mb cbq
queue me_u   bandwidth 5Mb cbq(borrow)
queue mach_u bandwidth 2Mb cbq
queue du     bandwidth 1Mb cbq(default borrow)

##############################
# Filtering                  #
##############################

# setup a default deny policy
block all

# Here $me, $comp and $mach are IPs from the LAN

# upload
# me
pass in on $int_if from $me to any queue me_u
# comp
pass in on $int_if from $comp to any queue comp_u
# mach
pass in on $int_if from $mach to any queue mach_u

# download
# me
pass out log on $int_if from any to $me queue me_d
# comp
pass out on $int_if from any to $comp queue comp_d
# mach
pass out on $int_if from any to $mach queue mach_d

Right now all the traffic coming from the Internet to the LAN is assigned to the default queue "dd". I may be wrong here, but judging from the blank output of the log, the rule

    pass out log on $int_if from any to $me queue me_d

is not catching anything. Even if this rule is commented out I am still able to access the Internet from this host in the LAN. I assume that it is the implicit keep state in this rule:

    pass in on $int_if from $me to any queue me_u

that takes care of both the packets originating from the LAN and returning there. Is it really so, or did I misunderstand something?
How is it possible to assign the traffic coming from the Internet to the LAN through the NAT to the correct queues?

-- 
Regards,
Alex
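The ruleset below is an added example; it is not part of Alex's post nor a reply from the list. It assumes the poster's macros ($ext_if, $int_if, $internal_net, $me, $comp, $mach) and keeps the altq and queue definitions exactly as posted, so only the translation and filtering sections are shown; the tag names ME, COMP and MACH are assumptions. It relies on two properties of the PF shipped with FreeBSD 7.x (imported from OpenBSD 4.1): the queue named on a pass rule is recorded in the state that rule creates and is stamped on every packet matching that state, and that stamp survives onto the outgoing interface unless a later rule or state on the way out sets its own queue; and queue names are global, so a packet carrying a queue that is not defined on the interface it leaves falls into that interface's default queue. If that reading is right it explains the observation above: the state created by "pass in on $int_if from $me to any queue me_u" also handles the replies leaving on $int_if (so the "pass out on $int_if" rules are never evaluated and the log stays empty), the me_u stamp is meaningless there, and the replies land in dd, while uploads are queued correctly only because the me_u stamp survives to $ext_if. The fix is to name the download queue on the rule that creates the $int_if state and to choose the upload queue with a rule evaluated on $ext_if; since the source address has already been translated to ($ext_if) by then, the LAN host is identified with a tag instead of its address.

```pf
##############################
# Translation                #
##############################

nat on $ext_if from $internal_net to any -> ($ext_if)

##############################
# Filtering                  #
##############################

# default deny
block all

# Generic rules first: PF evaluates the whole ruleset and the last matching
# rule wins, so the per-host rules below override these for the hosts they
# name. Anything else from the LAN stays in the default queues dd and du.
pass in  on $int_if from $internal_net to any
pass out on $ext_if

# LAN -> Internet, evaluated on $int_if. The state created here is the one
# that the replies leaving on $int_if will match, so it must name the
# *download* queue (me_d etc. exist on $int_if, me_u etc. do not).
# The tag marks the connection so the $ext_if rules can still tell the
# hosts apart after NAT; keep state is implicit in FreeBSD 7.x PF.
pass in  on $int_if from $me   to any tag ME   queue me_d
pass in  on $int_if from $comp to any tag COMP queue comp_d
pass in  on $int_if from $mach to any tag MACH queue mach_d

# Same packets leaving on $ext_if: the source is already ($ext_if), so the
# tag selects the per-host upload queue. These rules create the $ext_if
# state, whose queue is then stamped on the packets leaving $ext_if.
pass out on $ext_if tagged ME   queue me_u
pass out on $ext_if tagged COMP queue comp_u
pass out on $ext_if tagged MACH queue mach_u
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". To verify the effect, start a download on the $me host and watch "pfctl -vvsq": the packet and byte counters of me_d, rather than dd, should grow, and an upload from the same host should move the counters of me_u.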