PF strange problem.

mzk mzk at anti-offline.net
Tue Nov 30 06:25:43 PST 2004 

> On Sunday 28 November 2004 22:51, mzk wrote:
>> First sorry my English and sorry my other mistakes, but that is
>> my first post in mailing list ever. :-) Today i understood my pf
>> doesn't work properly. For each host of my network i have 4
>> rules, 2 out (from int_if) and 2 in like:
>>
>> pass out quick on $int_if from <peering> to $host queue
>> peering_host_in pass out quick on $int_if from any to $host queue
>> host_in pass in quick on $int_if proto { tcp, udp } from $host to
>> <peering> port $ports
>> pass in quick on $int_if proto { tcp, udp } from $host to any
>> port $ports
>>
>
> Okay, first of all some generic notes:
> 1) Consider stateful rules. It will not only make the firewall
> faster but will also make sure that all outgoing traffic of a
> "connection" is enqueued to the same queue. This simplifies the
> ruleset a lot.
> 2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the
> table really contains what you think it does.

I tried these notes, thanks!
1) stateful rules should speed up my firewall
2) i understood my peering table (pf actually) works correctly

>
>> The problem is, that the first `peering` rule works like the
>> second one -> it pass everything from anyone using the
>> peering_host_in queue. If i comment it, the second rule works,
>> but that's not the idea. So my international connection (the
>> second rules) is overloaded and i could not make good QoS. I am
>> using GENERIC with these options, added by me ->
>>
>
> I don't really get what you are saying here. Sorry. Can you try to
> rephrase, please? Maybe you can also include the rules in question
> with match-counters: "$pfctl -vvsr" and the queue stats: "$pfctl -
> vsq" Both are also good tools for debugging the ruleset.

The upper supposition is almost wrong. I found the problem, which was: my peering table consist of hundreds of networks. One of these networks is mine. When ftp-proxy is running (so i can run ftp for my users), it is with `peering` ip (ip of the internal interface or some another router interface ip), so client of my network does not actually download from ftp host somewhere in the net, it downloads from the router's internal interface ip. For the router's internal ip i have no queue definitions, no shape. Therefore everybody can download without speed limit from ftp sites. ;).

>
> I hope these pointers help, and am really sorry that I don't fully
> understand what the problem is.

These pointers were very very useful for me! Thank you! I have to get some English courses ;)

More information about the freebsd-pf mailing list