From: "Rudi Kramer - MWEB" <rkramer@mweb.com>
To: freebsd-pf@freebsd.org
Date: Fri, 25 Jul 2008 09:23:36 +0200
Subject: PF+ALTQ+PRIQ
Message-ID: <39DC135F7F0571489196E0B6F5D58B4A03B45F35@MWBEXCH.mweb.com>
References: <48876DAD.9080100@optiksecurite.com> <488780A6.4010807@radel.com> <48879B35.1060905@gibfest.dk> <488889EA.8000306@optiksecurite.com>

Hello,

I wanted to play around with ALTQ and PRIQ queuing and I came up with the following pf config.
My goal was to have TCP ACKs that have no payload having the highest priority and then cod, dns, ssh in their own queues and everything else falling in to the default queue.

##################################################
# Macros
ext_if = "tun0"
int_if = "em0"          # placeholder: $int_if is used below but was never defined
cod_ports = "{28960:29000}"

## Tables
# placeholder table name: the name did not survive in the archived copy
table <lan> { 192.168.0.0/24 }

## Options

## Normalization
scrub in all

## Queueing
altq on $ext_if priq bandwidth 400Kb queue { q_pri, q_def, q_cod, q_domain, q_ssh }
queue q_pri priority 10
queue q_cod priority 9
queue q_domain priority 8
queue q_ssh priority 7
queue q_def priority 1 priq(default)

# default to deny
block in log all

# allow loopback
pass quick on lo0 all

# Setup PRIQ rules
# The per-service rules are "quick", so they must precede the catch-all TCP rules.
pass out quick on $ext_if proto udp from ($ext_if) to any port $cod_ports queue q_cod
pass in quick on $ext_if proto udp from any to ($ext_if) port $cod_ports queue q_cod
pass out quick on $ext_if proto udp from ($ext_if) to any port domain queue q_domain
pass in quick on $ext_if proto udp from any to ($ext_if) port domain queue q_domain
pass out quick on $ext_if proto tcp from ($ext_if) to any port ssh queue q_ssh
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh queue q_ssh

# Remaining TCP. With "queue (a, b)" pf sends ordinary packets to a and TOS lowdelay /
# empty-ACK packets to b, so the default queue comes first and q_pri second.
# The outbound rule carries "quick" and "log" itself: a later "pass out quick ... tcp all"
# without a queue would otherwise be the last match and silently drop the assignment.
pass out quick log on $ext_if proto tcp all queue (q_def, q_pri)
# NOTE: this admits every inbound TCP port on the external interface to the firewall itself
pass in on $ext_if proto tcp from any to ($ext_if) queue (q_def, q_pri)

# allow from fw to ext (non-TCP)
pass out quick log on $ext_if proto { udp, icmp } all

# allow from internal network out
pass quick log on $int_if proto tcp from <lan> to any
pass quick log on $int_if proto { udp, icmp } from <lan> to any
#########################################

As far as I can see it is working but I was hoping to get some input from the list.

Thanks
Rudi
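As an added illustration that is not part of the post above, here is a small Python model of how pf picks the rule whose queue assignment ALTQ sees: rules are walked in order, the last match wins unless an earlier match is "quick", and with "queue (a, b)" empty TCP ACKs go to b. The rule lists are a simplified, constructed rendering of the outbound TCP rules from the post, not pf's own code, and show why a non-quick queue rule followed by a quick catch-all lands every packet in the default queue.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Simplified model of pf rule evaluation (constructed for illustration, not pf's code).
@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in", "out" or "any"
    proto: Optional[str] = None      # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None      # destination port, None for any
    quick: bool = False
    # pf's "queue (main, prio)": prio receives TOS lowdelay / empty-ACK packets
    queue: Tuple[Optional[str], Optional[str]] = (None, None)

@dataclass
class Packet:
    direction: str
    proto: str
    dport: int
    empty_ack: bool = False          # TCP ACK carrying no payload

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet):
    """Return (action, queue): last matching rule wins unless a match is quick."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick:
                break
    if winner is None:                       # pf's implicit default is pass
        return ("pass", "q_def")
    if winner.action == "block":
        return ("block", None)
    main, prio = winner.queue
    if pkt.empty_ack and prio is not None:
        return ("pass", prio)
    return ("pass", main or "q_def")         # no queue on the rule: default queue

# Outbound TCP rules in the order the post lists them (other rules omitted).
AS_POSTED = [
    Rule("block", "in"),
    Rule("pass", "out", "tcp", queue=("q_pri", "q_def")),              # not quick, order reversed
    Rule("pass", "out", "tcp", dport=22, quick=True, queue=("q_ssh", None)),
    Rule("pass", "out", "tcp", quick=True),                             # quick, no queue: wins
]
CORRECTED = [
    Rule("block", "in"),
    Rule("pass", "out", "tcp", dport=22, quick=True, queue=("q_ssh", None)),
    Rule("pass", "out", "tcp", quick=True, queue=("q_def", "q_pri")),
]
```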