PF strange problem.
mzk
mzk at anti-offline.net
Sun Nov 28 13:49:39 PST 2004
First, sorry for my English and for my other mistakes, but this is my first post to a mailing list ever. :-)
Today I understood that my pf doesn't work properly. For each host on my network I have 4 rules, 2 out (from int_if) and 2 in, like:
pass out quick on $int_if from <peering> to $host queue peering_host_in
pass out quick on $int_if from any to $host queue host_in
pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
pass in quick on $int_if proto { tcp, udp } from $host to any port $ports
The problem is that the first `peering` rule works like the second one -> it passes everything from anyone using the peering_host_in queue. If I comment it out, the second rule works, but that's not the idea. So my international connection (the second rules) is overloaded and I could not make good QoS. I am using GENERIC with these options, added by me ->
# custom options;
# pf support;
device pf
device pflog
device pfsync
# ALTQ options;
options ALTQ #alternate queueing
options ALTQ_CBQ #class based queueing
##options ALTQ_WFQ #weighted fair queueing
##options ALTQ_FIFOQ #fifo queueing
options ALTQ_RED #random early detection
##options ALTQ_FLOWVALVE #flowvalve for RED (needs RED)
options ALTQ_RIO #triple red for diffserv (needs RED)
##options ALTQ_LOCALQ #local use
options ALTQ_HFSC #hierarchical fair service curve
##options ALTQ_ECN #ecn extention to tcp (needs RED)
##options ALTQ_IPSEC #check ipsec in IPv4
options ALTQ_CDNR #diffserv traffic conditioner
##options ALTQ_BLUE #blue by wu-chang feng
options ALTQ_PRIQ #priority queue
options ALTQ_NOPCC #don't use processor cycle counter
#options ALTQ_DEBUG #for debugging
#options IPDIVERT
options IPSTEALTH
#options IPFILTER
My pf.conf is about 600 lines, so I will not paste it here. If you request it, I can upload it somewhere. Thanks in advance, and sorry for all my mistakes!