pf rules question
Date: Tue, 30 Aug 2022 08:33:17 UTC
In my main rules (/etc/pf.conf) I have a simple "pass out" rule:

    pass out keep state

which is called rule 8 in the main rules as displayed by pftop. And in an anchor called outrules (/etc/pf.outrules) I have:

    pass out on nfe0 proto tcp from nfe0 to any prio 2 user _tor label "_tor reduce out prio"

which is called rule 0 in the outrules anchor. The purpose for the latter rule is to reduce the packet priority from the default of 3 to 2 for outbound connections made by my tor relay. There are some "pass in" rules for the ORPort and DirPort that seem to be working okay to make the same packet priority reduction for inbound connections to the tor relay.

However, since instituting the second "pass out" rule shown above, all outbound connections are being allowed by the general rule shown first above. *None* are being made under the second rule, and thus the priority change is not occurring for outbound connections.

Because of some recurring attacks upon tor relays lately, the relay is blasting out data at very high rates (relative to my WAN connection's capacity), while the input data rates remain at only a fraction of the output rate, and this goes on for extended periods of time until the attack subsides. That frequently results in the loss of my ssh connection to a remote system because small output packets get stuck in the output queue for the interface behind thousands of output packets from tor until the ssh session times out.

My question is, what am I doing wrong in the latter rule shown above that results in it not being applied to any of tor's outbound connections?

Thanks in advance for any suggestions.

Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at sdf.org *xor* bennett at freeshell.org        *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*   -- Gov. John Hancock, New York Journal, 28 January 1790          *
**********************************************************************
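An added illustration, not part of the message above, of the pf evaluation order that decides which "pass out" rule a connection ends up counted under: pf keeps evaluating and the last matching rule wins unless a rule carries "quick", so a general "pass out keep state" that sits after the anchor in the main ruleset overrides whatever matched inside the anchor. The layout below (where the anchor line sits relative to the general rule, and the use of "load anchor") is assumed for the example, not taken from the poster's files.

```pf
# /etc/pf.conf -- assumed layout, for illustration only.
# pf evaluates every rule in order; without "quick", the LAST matching
# rule wins, so a general "pass out" placed after the anchor silently
# overrides the more specific rule that matched inside the anchor.

ext_if = "nfe0"

# Load the anchor's rules from their own file.
load anchor "outrules" from "/etc/pf.outrules"

# Evaluate the anchor here. "quick" on the anchor rule ends evaluation as
# soon as a rule inside the anchor matches, so the general rule below can
# no longer take the match away from it.
anchor "outrules" quick out on $ext_if proto tcp

# General rule (rule 8 in the main ruleset). With "quick" on the anchor
# above, only traffic that matched nothing inside the anchor reaches it.
pass out keep state

# ---- /etc/pf.outrules (macros from pf.conf are not visible here) ----
# Lower the priority (default 3) of the relay's own outbound TCP
# connections; "user _tor" matches sockets owned by the _tor account.
pass out on nfe0 proto tcp from nfe0 to any prio 2 user _tor \
    label "_tor reduce out prio"

# Checking which rule actually absorbs the traffic:
#   pfctl -vsr                 # Evaluations/Packets counters, main rules
#   pfctl -a outrules -vsr     # the same counters for the anchor's rules
# If the anchor rule's packet counter stays at zero while rule 8 climbs,
# the anchor is either being evaluated after rule 8 or is losing the
# last-match decision to it.
```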