From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 20:32:42 2007
From: Tom Judge <tom@tomjudge.com>
Date: Thu, 04 Oct 2007 21:39:53 +0100
To: Umar
Cc: freebsd-pf@freebsd.org
Subject: Re: altq within anchor
Message-ID: <47054F99.5090001@tomjudge.com>
In-Reply-To: <13046989.post@talk.nabble.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Umar wrote:
> Dear members!
>
> I want to include an altq anchor within my pf.conf but I got an error.
>
> Here is the altq rule file /home/anchor-altq
>
> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
> queue default bandwidth 90Mb cbq (default)
> queue ip bandwidth 90Kb
> queue ip5 bandwidth 90Kb
> queue ip6 bandwidth 90Kb
> queue ip7 bandwidth 90Kb
> anchor altqrules
>
> Here is my /etc/pf.conf file
>
> <-------snip-------->
>
> int_if = "fxp0"
> ext_if = "rl0"
> lan_net = "192.168.1.0/24"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
>
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # Bandwidth Shaping
> anchor altqrules
> load anchor altqrules from "/home/anchor-altq"
>
> # Translation: specify how addresses are to be mapped or redirected.
> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>
> pass in quick on lo0 all
> pass in quick on $int_if from $lan_net to any keep state
> pass out on $int_if from any to any keep state
> pass out on $ext_if from any to any keep state
>
> # default deny
> block in log on $ext_if
>
> <-------snip-------->
>
> But when I reload my pf I get the error
>
> Reloading pf rules.
> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
>
>
> Please help, what should I do?
>
> Regards,
>
> Umar Draz

Hi,

As the above messages state, the rules must be present in the rules file in a fixed order:

1) Options
2) Normalization
3) Queueing (aka ALTQ)
4) Translation (aka NAT)
5) Filtering

Quote from pf.conf(5):

    With the exception of macros and tables, the types of statements
    should be grouped and appear in pf.conf in the order shown above, as
    this matches the operation of the underlying packet filtering engine.
    By default pfctl(8) enforces this order (see set require-order below).

And again from pf.conf(5):

    set require-order
        By default pfctl(8) enforces an ordering of the statement types
        in the ruleset to: options, normalization, queueing, translation,
        filtering.  Setting this option to no disables this enforcement.
        There may be non-trivial and non-obvious implications to an out
        of order ruleset.  Consider carefully before disabling the order
        enforcement.

Tom
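Umar's ruleset rearranged into the section order Tom quotes from pf.conf(5), added here as an illustration that is not part of the original thread. The altq and queue definitions from /home/anchor-altq are placed in the queueing section of the main file, the anchor filter rule moves down among the other filter rules, and the child queue is named ip4 throughout (the posted file declares ip4 in the altq line but defines ip); the queue-assignment rule shown in a comment uses a constructed host address.

```pf
# /etc/pf.conf in the order pfctl(8) enforces with "set require-order yes":
# options, normalization, queueing, translation, filtering.  Macros may go anywhere.
int_if  = "fxp0"
ext_if  = "rl0"
lan_net = "192.168.1.0/24"

# 1) Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# 2) Normalization
scrub in all

# 3) Queueing: the altq and queue definitions from /home/anchor-altq,
#    now in the main ruleset, with the child queue named ip4 throughout
altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
queue default bandwidth 90Mb cbq (default)
queue ip4 bandwidth 90Kb
queue ip5 bandwidth 90Kb
queue ip6 bandwidth 90Kb
queue ip7 bandwidth 90Kb

# 4) Translation
nat on $ext_if from { $lan_net } to any -> ($ext_if)

# 5) Filtering: "anchor" is a filter rule, so it belongs here.  The anchor
#    file is assumed to hold only filter rules that assign traffic to the
#    queues above, for example (constructed host address):
#      pass out on fxp0 from any to 192.168.1.4 keep state queue ip4
anchor altqrules
load anchor altqrules from "/home/anchor-altq"
pass in quick on lo0 all
pass in quick on $int_if from $lan_net to any keep state
pass out on $int_if from any to any keep state
pass out on $ext_if from any to any keep state
block in log on $ext_if
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, so an ordering error is reported before the running ruleset is touched.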