Rules passing through default queue
Gloomy Group
gloomygroup at hotmail.com
Tue Oct 31 11:14:28 UTC 2006
why all of My uplink traffic is going through default queues? Below is my
pf.conf configuration
-------------------------------
#Download interface is rl1 and upload interface is rl0
ext_if="rl0"
int_if="rl1"
table <mynet> { 201.xx.xx.0/24 }
#Macros for Private network
net_priv = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
#Define port for usual internet services
ports_web = "{80 8080 443 25 110 143 993}"
ssh_port = "{22}"
#OPTIONS
#Default response for block filter
set block-policy drop
#Statistics loggin on
set loginterface $ext_if
#TRAFFIC Normalization#
#Filter traffic for unusual traffic
scrub in all
#--Define the parent queues
#--First define upstream parent queue
altq on $ext_if hfsc bandwidth 128Kb queue { up_def, up_usr1, up_usr2 }
#--Define download parent queue
altq on $int_if hfsc bandwidth 64Kb queue { dn_def, dn_usr1, dn_usr2 }
#--UPSTREAM child queue
#--Default upstream queue
queue up_def bandwidth 20% { up_def_def, up_def_web, up_def_quick }
queue up_def_def priority 1 bandwidth 50% hfsc (default ecn)
queue up_def_web priority 3 bandwidth 25% hfsc (ecn)
queue up_def_quick priority 6 bandwidth 25% hfsc (ecn)
#--USR1 upstream queue
queue up_usr1 bandwidth 51.2Kb { up_usr1_def, up_usr1_web, up_usr1_quick }
queue up_usr1_def priority 2 bandwidth 50% hfsc (realtime 50% ecn)
queue up_usr1_web priority 4 bandwidth 25% hfsc (realtime 25% ecn)
queue up_usr1_quick priority 7 bandwidth 25% hfsc (realtime 25% ecn)
#--USR2 upstream queue
queue up_usr2 bandwidth 40% {up_usr2_def up_usr2_web up_usr2_quick}
queue up_usr2_def priority 2 bandwidth 50% hfsc (ecn)
queue up_usr2_web priority 4 bandwidth 25% hfsc (ecn)
queue up_usr2_quick priority 7 bandwidth 25% hfsc (ecn)
#--DOWNSTREAM child queue
#--Default downstream queue
queue dn_def bandwidth 20% {dn_def_def dn_def_web dn_def_quick}
queue dn_def_def priority 1 bandwidth 50% hfsc (default ecn)
queue dn_def_web priority 3 bandwidth 25% hfsc (ecn)
queue dn_def_quick priority 6 bandwidth 25% hfsc (ecn)
#--USR1 downstream queue
queue dn_usr1 bandwidth 40% {dn_usr1_def dn_usr1_web dn_usr1_quick}
queue dn_usr1_def priority 2 bandwidth 50% hfsc (realtime 50% ecn)
queue dn_usr1_web priority 4 bandwidth 25% hfsc (realtime 50% ecn)
queue dn_usr1_quick priority 7 bandwidth 25% hfsc (ecn)
#--USR2 downstream queue
queue dn_usr2 bandwidth 40% {dn_usr2_def dn_usr2_web dn_usr2_quick}
queue dn_usr2_def priority 2 bandwidth 50% hfsc (ecn)
queue dn_usr2_web priority 4 bandwidth 25% hfsc (ecn)
queue dn_usr2_quick priority 7 bandwidth 25% hfsc (ecn)
#---Default Filter----#
block log all
#--Allow all on loopback interface---#
pass quick on lo0 all
#Deny in and out of private networks
block in quick on $ext_if from $net_priv to any
block out quick on $ext_if from any to $net_priv
#Allow incoming SSH traffic to this server
pass in quick on $ext_if inet proto tcp from <bhwnet> to $ext_if port 22
keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto {tcp, udp, icmp} all keep state
#Allow icmp traffic from our network
pass in quick on $ext_if inet proto icmp from <mynet> to $ext_if icmp-type 8
keep state
pass out quick on $ext_if proto {tcp udp} from any to any port domain keep
state queue up_def_quick
pass out quick on $ext_if proto {tcp udp} from 201.xx.xx.2 to any port
$ports_web keep state queue up_usr1_web
pass out quick on $ext_if from 201.xx.xx.2 to any keep state queue
up_usr1_def
pass out quick on $ext_if proto {tcp udp} from 201.xx.xx.3 to any port
$ports_web queue up_usr2_web
pass out quick on $ext_if from 201.xx.xx.3 to any queue up_usr2_def
pass out on $ext_if keep state queue (up_def_def up_def_quick)
pass out on $ext_if proto {tcp udp} from any to any port $ports_web keep
state queue (up_def_web up_def_quick)
#--Filter and queue internal interface traffic
##Allow other incoming traffic from internal network
pass in on $int_if from $int_if:network to any
#--Assign outgoing traffic from other interface to queue for downstream
pass out quick on $int_if proto {tcp udp} from any port domain to any queue
dn_quick
pass out quick on $int_if proto {tcp udp} from any port $ports_web to
201.xx.xx.2 queue dn_usr1_web
pass out quick on $int_if from any to 201.xx.xx.2 queue dn_usr1_def
pass out quick on $int_if proto {tcp udp} from any port $ports_web to
201.xx.xx.3 queue dn_usr2_web
pass out quick on $int_if from any to 201.xx.xx.3 queue dn_usr2_def
pass out on $int_if queue (dn_def_def dn_def_quick)
pass out on $int_if proto {tcp udp} from any port $ports_web to any queue
(dn_def_web dn_def_quick)
#--Deny spoofing
antispoof for $ext_if
antispoof for $int_if
pfctl -sq -vv shows that my uplink traffic traffic is going through default
queue rules while download is passing through correct queue and is working
fine.
------------------------------
queue root_rl0 bandwidth 128Kb priority 0 {up_def, up_usr1, up_usr2}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_def bandwidth 25.60Kb {up_def_def, up_def_web, up_def_quick}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_def_def bandwidth 12.80Kb hfsc( red ecn default )
[ pkts: 211 bytes: 131140 dropped pkts: 0 bytes: 0
]
[ qlength: 3/ 50 ]
[ measured: 11.2 packets/s, 127.02Kb/s ]
queue up_def_web bandwidth 6.40Kb priority 3 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_def_quick bandwidth 6.40Kb priority 6 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1 bandwidth 51.20Kb {up_usr1_def, up_usr1_web, up_usr1_quick}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_def bandwidth 25.60Kb priority 2 hfsc( red ecn realtime
25.60Kb )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_web bandwidth 12.80Kb priority 4 hfsc( red ecn realtime
12.80Kb )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_quick bandwidth 12.80Kb priority 7 hfsc( red ecn realtime
12.80Kb )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2 bandwidth 51.20Kb {up_usr2_def, up_usr2_web, up_usr2_quick}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_def bandwidth 25.60Kb priority 2 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_web bandwidth 12.80Kb priority 4 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_quick bandwidth 12.80Kb priority 7 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue root_rl1 bandwidth 64Kb priority 0 {dn_def, dn_usr1, dn_usr2}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_def bandwidth 12.80Kb {dn_def_def, dn_def_web, dn_def_quick}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_def bandwidth 6.40Kb hfsc( red ecn default )
[ pkts: 2 bytes: 544 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_web bandwidth 3.20Kb priority 3 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_quick bandwidth 3.20Kb priority 6 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr1 bandwidth 25.60Kb {dn_usr1_def, dn_usr1_web, dn_usr1_quick}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr1_def bandwidth 12.80Kb priority 2 hfsc( red ecn realtime
12.80Kb )
[ pkts: 59 bytes: 20514 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 2.2 packets/s, 8.99Kb/s ]
queue dn_usr1_web bandwidth 6.40Kb priority 4 hfsc( red ecn realtime
12.80Kb )
[ pkts: 174 bytes: 95677 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 5.6 packets/s, 2.42Kb/s ]
queue dn_usr1_quick bandwidth 6.40Kb priority 7 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2 bandwidth 25.60Kb {dn_usr2_def, dn_usr2_web, dn_usr2_quick}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_def bandwidth 12.80Kb priority 2 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_web bandwidth 6.40Kb priority 4 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_quick bandwidth 6.40Kb priority 7 hfsc( red ecn )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
_________________________________________________________________
Try Search Survival Kits: Fix up your home and better handle your cash with
Live Search!
http://imagine-windowslive.com/search/kits/default.aspx?kit=improve&locale=en-US&source=hmtagline
More information about the freebsd-pf
mailing list