From owner-freebsd-pf@FreeBSD.ORG Tue Oct 31 11:14:28 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 352FE16A40F
    for ; Tue, 31 Oct 2006 11:14:28 +0000 (UTC)
    (envelope-from gloomygroup@hotmail.com)
Received: from bay0-omc3-s20.bay0.hotmail.com (bay0-omc3-s20.bay0.hotmail.com [65.54.246.220])
    by mx1.FreeBSD.org (Postfix) with ESMTP id E48D043D70
    for ; Tue, 31 Oct 2006 11:14:27 +0000 (GMT)
    (envelope-from gloomygroup@hotmail.com)
Received: from hotmail.com ([207.46.8.221]) by bay0-omc3-s20.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830);
    Tue, 31 Oct 2006 03:14:27 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Tue, 31 Oct 2006 03:14:27 -0800
Message-ID:
Received: from 207.46.8.251 by by118fd.bay118.hotmail.msn.com with HTTP;
    Tue, 31 Oct 2006 11:14:26 GMT
X-Originating-IP: [202.79.53.71]
X-Originating-Email: [gloomygroup@hotmail.com]
X-Sender: gloomygroup@hotmail.com
From: "Gloomy Group"
To: freebsd-pf@freebsd.org
Date: Tue, 31 Oct 2006 11:14:26 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 31 Oct 2006 11:14:27.0499 (UTC) FILETIME=[BA95CFB0:01C6FCDD]
Subject: Rules passing through default queue
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 31 Oct 2006 11:14:28 -0000

Why is all of my uplink traffic going through the default queues?
Below is my pf.conf configuration
-------------------------------
#Download interface is rl1 and upload interface is rl0
ext_if="rl0"
int_if="rl1"

table { 201.xx.xx.0/24 }

#Macros for Private network
net_priv = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"

#Define port for usual internet services
ports_web = "{80 8080 443 25 110 143 993}"
ssh_port = "{22}"

#OPTIONS
#Default response for block filter
set block-policy drop
#Statistics logging on
set loginterface $ext_if

#TRAFFIC Normalization#
#Filter traffic for unusual traffic
scrub in all

#--Define the parent queues
#--First define upstream parent queue
altq on $ext_if hfsc bandwidth 128Kb queue { up_def, up_usr1, up_usr2 }
#--Define download parent queue
altq on $int_if hfsc bandwidth 64Kb queue { dn_def, dn_usr1, dn_usr2 }

#--UPSTREAM child queue
#--Default upstream queue
queue up_def bandwidth 20% { up_def_def, up_def_web, up_def_quick }
queue up_def_def priority 1 bandwidth 50% hfsc (default ecn)
queue up_def_web priority 3 bandwidth 25% hfsc (ecn)
queue up_def_quick priority 6 bandwidth 25% hfsc (ecn)

#--USR1 upstream queue
queue up_usr1 bandwidth 51.2Kb { up_usr1_def, up_usr1_web, up_usr1_quick }
queue up_usr1_def priority 2 bandwidth 50% hfsc (realtime 50% ecn)
queue up_usr1_web priority 4 bandwidth 25% hfsc (realtime 25% ecn)
queue up_usr1_quick priority 7 bandwidth 25% hfsc (realtime 25% ecn)

#--USR2 upstream queue
queue up_usr2 bandwidth 40% {up_usr2_def up_usr2_web up_usr2_quick}
queue up_usr2_def priority 2 bandwidth 50% hfsc (ecn)
queue up_usr2_web priority 4 bandwidth 25% hfsc (ecn)
queue up_usr2_quick priority 7 bandwidth 25% hfsc (ecn)

#--DOWNSTREAM child queue
#--Default downstream queue
queue dn_def bandwidth 20% {dn_def_def dn_def_web dn_def_quick}
queue dn_def_def priority 1 bandwidth 50% hfsc (default ecn)
queue dn_def_web priority 3 bandwidth 25% hfsc (ecn)
queue dn_def_quick priority 6 bandwidth 25% hfsc (ecn)

#--USR1 downstream queue
queue dn_usr1 bandwidth 40% {dn_usr1_def dn_usr1_web dn_usr1_quick}
queue dn_usr1_def priority 2 bandwidth 50% hfsc (realtime 50% ecn)
queue dn_usr1_web priority 4 bandwidth 25% hfsc (realtime 50% ecn)
queue dn_usr1_quick priority 7 bandwidth 25% hfsc (ecn)

#--USR2 downstream queue
queue dn_usr2 bandwidth 40% {dn_usr2_def dn_usr2_web dn_usr2_quick}
queue dn_usr2_def priority 2 bandwidth 50% hfsc (ecn)
queue dn_usr2_web priority 4 bandwidth 25% hfsc (ecn)
queue dn_usr2_quick priority 7 bandwidth 25% hfsc (ecn)

#---Default Filter----#
block log all

#--Allow all on loopback interface---#
pass quick on lo0 all

#Deny in and out of private networks
block in quick on $ext_if from $net_priv to any
block out quick on $ext_if from any to $net_priv

#Allow incoming SSH traffic to this server
pass in quick on $ext_if inet proto tcp from to $ext_if port 22 keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto {tcp, udp, icmp} all keep state

#Allow icmp traffic from our network
pass in quick on $ext_if inet proto icmp from to $ext_if icmp-type 8 keep state
pass out quick on $ext_if proto {tcp udp} from any to any port domain keep state queue up_def_quick
pass out quick on $ext_if proto {tcp udp} from 201.xx.xx.2 to any port $ports_web keep state queue up_usr1_web
pass out quick on $ext_if from 201.xx.xx.2 to any keep state queue up_usr1_def
pass out quick on $ext_if proto {tcp udp} from 201.xx.xx.3 to any port $ports_web queue up_usr2_web
pass out quick on $ext_if from 201.xx.xx.3 to any queue up_usr2_def
pass out on $ext_if keep state queue (up_def_def up_def_quick)
pass out on $ext_if proto {tcp udp} from any to any port $ports_web keep state queue (up_def_web up_def_quick)

#--Filter and queue internal interface traffic
##Allow other incoming traffic from internal network
pass in on $int_if from $int_if:network to any

#--Assign outgoing traffic from other interface to queue for downstream
pass out quick on $int_if proto {tcp udp} from any port domain to any queue dn_quick
pass out quick on $int_if proto {tcp udp} from any port $ports_web to 201.xx.xx.2 queue dn_usr1_web
pass out quick on $int_if from any to 201.xx.xx.2 queue dn_usr1_def
pass out quick on $int_if proto {tcp udp} from any port $ports_web to 201.xx.xx.3 queue dn_usr2_web
pass out quick on $int_if from any to 201.xx.xx.3 queue dn_usr2_def
pass out on $int_if queue (dn_def_def dn_def_quick)
pass out on $int_if proto {tcp udp} from any port $ports_web to any queue (dn_def_web dn_def_quick)

#--Deny spoofing
antispoof for $ext_if
antispoof for $int_if

pfctl -sq -vv shows that my uplink traffic is going through the default queue rules, while download is passing through the correct queue and is working fine.
------------------------------
queue root_rl0 bandwidth 128Kb priority 0 {up_def, up_usr1, up_usr2}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_def bandwidth 25.60Kb {up_def_def, up_def_web, up_def_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_def_def bandwidth 12.80Kb hfsc( red ecn default )
  [ pkts: 211 bytes: 131140 dropped pkts: 0 bytes: 0 ]
  [ qlength: 3/ 50 ]
  [ measured: 11.2 packets/s, 127.02Kb/s ]
queue up_def_web bandwidth 6.40Kb priority 3 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_def_quick bandwidth 6.40Kb priority 6 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1 bandwidth 51.20Kb {up_usr1_def, up_usr1_web, up_usr1_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_def bandwidth 25.60Kb priority 2 hfsc( red ecn realtime 25.60Kb )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_web bandwidth 12.80Kb priority 4 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr1_quick bandwidth 12.80Kb priority 7 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2 bandwidth 51.20Kb {up_usr2_def, up_usr2_web, up_usr2_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_def bandwidth 25.60Kb priority 2 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_web bandwidth 12.80Kb priority 4 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue up_usr2_quick bandwidth 12.80Kb priority 7 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue root_rl1 bandwidth 64Kb priority 0 {dn_def, dn_usr1, dn_usr2}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def bandwidth 12.80Kb {dn_def_def, dn_def_web, dn_def_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_def bandwidth 6.40Kb hfsc( red ecn default )
  [ pkts: 2 bytes: 544 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_web bandwidth 3.20Kb priority 3 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_def_quick bandwidth 3.20Kb priority 6 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr1 bandwidth 25.60Kb {dn_usr1_def, dn_usr1_web, dn_usr1_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr1_def bandwidth 12.80Kb priority 2 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 59 bytes: 20514 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 2.2 packets/s, 8.99Kb/s ]
queue dn_usr1_web bandwidth 6.40Kb priority 4 hfsc( red ecn realtime 12.80Kb )
  [ pkts: 174 bytes: 95677 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 5.6 packets/s, 2.42Kb/s ]
queue dn_usr1_quick bandwidth 6.40Kb priority 7 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2 bandwidth 25.60Kb {dn_usr2_def, dn_usr2_web, dn_usr2_quick}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_def bandwidth 12.80Kb priority 2 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_web bandwidth 6.40Kb priority 4 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue dn_usr2_quick bandwidth 6.40Kb priority 7 hfsc( red ecn )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
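
Added example, not part of the original post: a simplified Python model of how pf evaluates the posted "pass out ... on $ext_if" rules in file order (last match wins, a matching "quick" rule stops evaluation) and which queue the deciding rule assigns. It models only protocol, source address and destination port, keeps the masked addresses as opaque strings, takes the first name of each "queue (a b)" pair, and WITHOUT_CATCH_ALL is a hypothetical variant used only for comparison.

```python
# Added illustration, not the poster's code: simplified pf evaluation of the
# "pass out ... on $ext_if" rules from the posted pf.conf, in file order.
WEB = {80, 8080, 443, 25, 110, 143, 993}   # $ports_web
TU = {"tcp", "udp"}
U1, U2 = "201.xx.xx.2", "201.xx.xx.3"      # masked addresses as posted
DEFAULT_QUEUE = "up_def_def"                # queue marked "default" on rl0

# (quick, protos, src, dst_ports, queue); None matches anything.
# For "queue (a b)" only the first queue name is modelled.
RULES = [
    (False, {"tcp"}, None, None, None),                 # modulate state
    (True, {"tcp", "udp", "icmp"}, None, None, None),   # quick, no queue
    (True, TU, None, {53}, "up_def_quick"),             # port domain
    (True, TU, U1, WEB, "up_usr1_web"),
    (True, None, U1, None, "up_usr1_def"),
    (True, TU, U2, WEB, "up_usr2_web"),
    (True, None, U2, None, "up_usr2_def"),
    (False, None, None, None, "up_def_def"),
    (False, TU, None, WEB, "up_def_web"),
]
# Assumption for comparison only: the same list minus the queue-less quick rule.
WITHOUT_CATCH_ALL = RULES[:1] + RULES[2:]

def matches(rule, proto, src, dport):
    _, protos, rsrc, ports, _ = rule
    return ((protos is None or proto in protos)
            and (rsrc is None or src == rsrc)
            and (ports is None or dport in ports))

def classify(rules, proto, src, dport=None):
    """Return (index of the deciding rule, queue the packet is put in)."""
    hit = None
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dport):
            hit = i                 # last matching rule wins ...
            if rule[0]:
                break               # ... unless it is "quick"
    if hit is None:
        return None, None           # no pass rule matched in this model
    return hit, rules[hit][4] or DEFAULT_QUEUE

if __name__ == "__main__":
    for proto, src, port in [("tcp", U1, 80), ("udp", U2, 53), ("icmp", U1, None)]:
        print(proto, src, port, classify(RULES, proto, src, port),
              classify(WITHOUT_CATCH_ALL, proto, src, port))
```

In this model every outbound tcp, udp and icmp packet on rl0 is decided by the rule at index 1, which names no queue, which is consistent with the pfctl counters above showing traffic only in up_def_def.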