Date:      Mon, 29 Nov 2004 20:01:59 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: PF strange problem.
Message-ID:  <200411292002.10067.max@love2party.net>
In-Reply-To: <20041128235145.942843@mzk>
References:  <20041128235145.942843@mzk>


On Sunday 28 November 2004 22:51, mzk wrote:
> First, sorry for my English and my other mistakes, but this is my first
> post to a mailing list ever. :-) Today I understood my pf doesn't work
> properly. For each host of my network I have 4 rules, 2 out (from int_if)
> and 2 in, like:
>
> pass out quick on $int_if from <peering> to $host queue peering_host_in
> pass out quick on $int_if from any to $host queue host_in
> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports
> pass in quick on $int_if proto { tcp, udp } from $host to any port $ports

Okay, first of all some generic notes:
1) Consider stateful rules. It will not only make the firewall faster but will 
also make sure that all outgoing traffic of a "connection" is enqueued to the 
same queue. This simplifies the ruleset a lot.
2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the table really 
contains what you think it does.

> The problem is that the first `peering` rule works like the second one ->
> it passes everything from anyone using the peering_host_in queue. If I
> comment it out, the second rule works, but that's not the idea. So my
> international connection (the second rules) is overloaded and I could not
> make good QoS. I am using GENERIC with these options, added by me ->

I don't really get what you are saying here. Sorry. Can you try to rephrase, 
please? Maybe you can also include the rules in question with match-counters: 
"$pfctl -vvsr" and the queue stats: "$pfctl -vsq". Both are also good tools 
for debugging the ruleset.

I hope these pointers help, and am really sorry that I don't fully understand 
what the problem is.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
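As an added illustration (not part of the original thread or of either poster's configuration), here is the ruleset above rewritten with stateful rules as Max suggests, with the pfctl verification commands he names kept as comments. The interface name em0, the host and test addresses, the port list, the ALTQ discipline and bandwidths, and the table file /etc/pf.peering are all assumptions for the example.

```pf
# Added example: stateful version of the ruleset discussed above.
# All names, addresses and bandwidths below are assumed for illustration.
int_if = "em0"
host   = "192.0.2.10"
ports  = "{ 80, 443 }"

# The table must actually hold the peering networks; an empty or
# over-broad table makes the <peering> rules match the wrong traffic.
# Check a sample address against it with:
#   pfctl -vv -t peering -T test 198.51.100.1
table <peering> persist file "/etc/pf.peering"

# ALTQ queues on the internal interface (assumed cbq on a 10Mb link).
altq on $int_if cbq bandwidth 10Mb queue { peering_host_in, host_in }
queue peering_host_in bandwidth 6Mb cbq(borrow)
queue host_in         bandwidth 4Mb cbq(default)

# Stateful rules: 'keep state' on the inbound rule means the replies
# leaving on $int_if toward $host are matched by the state entry and
# sent to the queue named here, so the separate 'pass out' rules are
# no longer needed and every packet of a connection lands in one queue.
# 'quick' makes the first match final, so the <peering> rule comes first.
pass in quick on $int_if proto { tcp, udp } from $host to <peering> port $ports \
    keep state queue peering_host_in
pass in quick on $int_if proto { tcp, udp } from $host to any port $ports \
    keep state queue host_in

# Verify which rule matches and where packets are queued:
#   pfctl -vvsr    (rule match counters)
#   pfctl -vsq     (queue statistics)
```

With this layout the queue decision is made once, when the state is created by the inbound rule, rather than on every outbound packet by a second set of rules whose table lookup can disagree with the first.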
