Date: Sun, 18 Feb 2007 10:17:08 -0800 From: Drew Tomlinson <drew@mykitchentable.net> To: freebsd-pf@freebsd.org Subject: Confused With pf Rule Evaluation Message-ID: <45D89824.8070802@mykitchentable.net>
I have used ipfw2 on FBSD for about 6 years now. Then I started using a VoIP phone and began to fiddle with dummynet to shape the traffic. I had limited success and instead of fiddling further, I decided to migrate to pf and ALTQ.

My network is fairly simple. I have a FreeBSD 6.1 box with two NICs. dc1 is attached to a DSL modem that is bridged so it looks like a direct Internet connection. dc0 is connected to my internal LAN. I have a few PCs and the "gizmo" (as the SunRocket VoIP provider calls it) behind my firewall on the internal LAN.

My basic goal is to allow all outbound traffic from my internal LAN and only replies to that traffic back in. I also have a few services running (http, smtp, etc.) and I want to allow connections in to those services. And above all, traffic from the "gizmo" should have first priority over all other traffic because when the phone doesn't work, my wife complains LOUDLY. :)

I followed the guide at http://www.bgnett.no/~peter/pf/en/index.html to set up my pf.conf file. From my reading, it is my understanding that unlike ipfw2, pf is "last match wins" unless the rule has the "quick" modifier. However I'm seeing behavior that I don't understand.

In my rule set, I have these rules to allow inbound traffic to one of my services:

    pass proto udp to bigdaddy port $bigdaddy_ip_services keep state
    pass proto tcp to bigdaddy port $bigdaddy_ip_services flags S/SA \
        keep state

Then further down, I have this rule to place traffic to one of the specific services in the $bigdaddy_ip_services macro in a low priority queue:

    pass in on $int_if proto { tcp, udp } from bigdaddy port 49143 \
        keep state queue (low_out, ack_out)

After loading this rule set, 'pfctl -vvs queue' shows very little traffic in the 'low_out' queue. Most of it ends up in the default queue.

However if I remove this rule and change the ones above to:

    pass proto udp to bigdaddy port $bigdaddy_ip_services keep state \
        queue (low_out, ack_out)
    pass proto tcp to bigdaddy port $bigdaddy_ip_services flags S/SA \
        keep state queue (low_out, ack_out)

Then I see the results I expect with 'pfctl -vvs queue'. The 'low_out' queue has lots of traffic passing through it.

I don't understand why. I have to admit there's a lot I don't understand about pf. If someone has the time to help me get a rule set that achieves my goals, I'd really appreciate it. I've posted my complete rule set at http://drew.mykitchentable.net/Temp/pf.conf.htm. Please note that in some cases I replaced actual port lists with letters. Thus if you see a list such as "{ a, b, c, d }", you'll know why.

Thanks,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45D89824.8070802>
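As an added illustration (not part of Drew's message or his posted pf.conf; the interface names, the address chosen for bigdaddy, the bandwidths and the port list are assumptions, and any NAT or rdr the real setup needs is left out), here is a minimal pf.conf showing the two evaluation behaviours behind this question: last-match-wins versus "quick", and the fact that a rule's queue assignment is stored in the state entry when the state is created, so every later packet of that connection, in either direction and on either interface, is matched against the state and never reaches a rule further down the ruleset.

```pf
# Added example, not the ruleset from the message. Names and numbers are assumptions.
ext_if = "dc1"                              # bridged DSL side
int_if = "dc0"                              # internal LAN
bigdaddy = "192.0.2.10"                     # assumed address of the internal server
bigdaddy_ip_services = "{ 25, 80, 49143 }"  # assumed list of served ports

# ALTQ lives on the interface where traffic leaves towards the Internet.
altq on $ext_if cbq bandwidth 256Kb queue { std_out, low_out, ack_out }
queue std_out bandwidth 50% cbq(default)
queue low_out bandwidth 20%
queue ack_out bandwidth 30% priority 7

# Default deny for traffic arriving from the Internet.
block in on $ext_if all

# Last match wins: this block is overridden for port 80 by the pass rule
# that follows it, because neither rule carries "quick".
block in on $ext_if proto tcp to $bigdaddy port 80
pass in on $ext_if proto tcp to $bigdaddy port $bigdaddy_ip_services \
    flags S/SA keep state

# "quick" ends evaluation at this rule: packets from this (assumed,
# documentation-range) network are dropped even though the pass rule
# below would otherwise match them.
block in quick on $ext_if proto tcp from 203.0.113.0/24 to $bigdaddy port 80

# Queue assignment and state: the first packet of a new connection is the
# only one evaluated against the ruleset. The rule that creates the state
# also records the queue in the state entry, and every later packet of the
# connection, including the replies from bigdaddy that arrive on $int_if
# and leave on $ext_if, is matched by the state and skips the rules.
# The queue must therefore be named on the state-creating rule; a later
# "pass in on $int_if ... from $bigdaddy port 49143 ... queue (...)" rule
# is never consulted for packets of an already established connection.
pass in on $ext_if proto { tcp, udp } to $bigdaddy port 49143 \
    keep state queue (low_out, ack_out)

# Internal hosts may go anywhere; replies come back via state only.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", then watch the per-queue packet and byte counters with "pfctl -vvs queue" while traffic to port 49143 is in flight; with the queue named on the state-creating rule the counters of low_out and ack_out move, and with it named only on a later rule they stay near zero while std_out grows.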