
PF strange problem.



On Sunday 28 November 2004 22:51, mzk wrote:
> First, sorry for my English and sorry for my other mistakes, but this is my
> first post to a mailing list ever. :-) Today I understood my pf doesn't work
> properly. For each host of my network I have 4 rules, 2 out (from int_if)
> and 2 in like:
>
> pass out quick on $int_if from <peering> to $host queue peering_host_in
> pass out quick on $int_if from any to $host queue host_in
> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports

Okay, first of all some generic notes:
1) Consider stateful rules. It will not only make the firewall faster but will 
also make sure that all outgoing traffic of a "connection" is enqueued to the 
same queue. This simplifies the ruleset a lot.
2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the table really 
contains what you think it does.

> The problem is that the first `peering` rule works like the second one ->
> it passes everything from anyone using the peering_host_in queue. If I
> comment it out, the second rule works, but that's not the idea. So my
> international connection (the second rule) is overloaded and I could not
> make good QoS. I am using GENERIC with these options, added by me ->

I don't really get what you are saying here. Sorry. Can you try to rephrase, 
please? Maybe you can also include the rules in question with match-counters: 
"$pfctl -vvsr" and the queue stats: "$pfctl -vsq". Both are also good tools 
for debugging the ruleset.

I hope these pointers help, and am really sorry that I don't fully understand 
what the problem is.

-- 
/"\  Best regards,                      | mlaier_(_at_)_freebsd_(_dot_)_org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier_(_at_)_EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
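As an added illustration of the stateful approach Max suggests above (this is a constructed pf.conf fragment, not from the original thread or from mzk's ruleset), the four per-host rules collapse to two: the queue is recorded in the state created by the inbound rule, so the outgoing reply traffic on $int_if lands in the same queue. Interface name, host address, port list, table file and bandwidth figures are assumptions.

```pf.conf
# Constructed example; names and numbers below are placeholders.
int_if = "fxp0"
host   = "192.0.2.10"
ports  = "{ 80, 443 }"

# Peering networks; load them from a file so they can be checked with
#   pfctl -t peering -T test 192.0.2.1
# before trusting any rule that references <peering>.
table <peering> persist file "/etc/pf.peering"

# Queues on the internal interface (bandwidth values are placeholders).
altq on $int_if cbq bandwidth 10Mb queue { peering_host_in, host_in }
queue peering_host_in bandwidth 8Mb cbq(borrow)
queue host_in         bandwidth 2Mb cbq(default)

# Stateful rules: the state is created by the packet coming in from $host,
# and the reply packets going out on $int_if match that state, so the queue
# named here applies to the whole connection. The more specific <peering>
# rule is listed first with "quick" so it wins over the catch-all below.
pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports \
    keep state queue peering_host_in
pass in quick on $int_if proto { tcp, udp } from $host to any port $ports \
    keep state queue host_in
```

After loading, "pfctl -vvsr" shows per-rule match counters and "pfctl -vsq" shows which queue the packets actually take, which is the quickest way to see whether the <peering> rule is matching at all.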
