From owner-freebsd-pf@FreeBSD.ORG Thu Oct 4 21:32:29 2007
Message-ID: <47056B10.5040700@tomjudge.com>
Date: Thu, 04 Oct 2007 23:37:04 +0100
From: Tom Judge
To: Umar
Cc: freebsd-pf@freebsd.org
Subject: Re: altq within anchor
References: <13046989.post@talk.nabble.com> <47054F99.5090001@tomjudge.com>
In-Reply-To: <47054F99.5090001@tomjudge.com>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Tom Judge wrote:
> Umar wrote:
>> Dear members!
>>
>> I want to include an altq anchor within my pf.conf, but I got an error.
>>
>> Here is the altq rule file /home/anchor-altq:
>>
>> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
>> queue default bandwidth 90Mb cbq (default)
>> queue ip4 bandwidth 90Kb
>> queue ip5 bandwidth 90Kb
>> queue ip6 bandwidth 90Kb
>> queue ip7 bandwidth 90Kb
>> anchor altqrules
>>
>> Here is my /etc/pf.conf file:
>> <-------snip-------->
>>
>> int_if = "fxp0"
>> ext_if = "rl0"
>> lan_net = "192.168.1.0/24"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>>
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # Bandwidth Shaping
>> anchor altqrules
>> load anchor altqrules from "/home/anchor-altq"
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>>
>> pass in quick on lo0 all
>> pass in quick on $int_if from $lan_net to any keep state
>> pass out on $int_if from any to any keep state
>> pass out on $ext_if from any to any keep state
>>
>> # default deny
>> block in log on $ext_if
>>
>> <-------snip-------->
>>
>> But when I reload my pf I get the error:
>>
>> Reloading pf rules.
>> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
>>
>> Please help, what should I do?
>>
>> Regards,
>>
>> Umar Draz
>
> Hi,
>
> As the above messages state, the rules must be present in the rules file
> in a fixed order:
>
> 1) Options
> 2) Normalization
> 3) Queueing (aka ALTQ)
> 4) Translation (aka NAT)
> 5) Filtering
>
> Quote from pf.conf(5):
>
> With the exception of macros and tables, the types of statements should
> be grouped and appear in pf.conf in the order shown above, as this
> matches the operation of the underlying packet filtering engine. By
> default pfctl(8) enforces this order (see set require-order below).
>
> And again from pf.conf(5):
>
> set require-order
>     By default pfctl(8) enforces an ordering of the statement types in
>     the ruleset to: options, normalization, queueing, translation,
>     filtering. Setting this option to no disables this enforcement. There
>     may be non-trivial and non-obvious implications to an out of order
>     ruleset. Consider carefully before disabling the order enforcement.
>
> Tom

Further to my original reply, having realised I have not given a complete answer: there are four types of anchor available in PF.

nat-anchor   - Holds nat rules
rdr-anchor   - Holds rdr rules
binat-anchor - Holds binat rules
anchor       - Holds filter rules

And referring to my last post, from this it can be seen that by using a standard filter anchor you start the filter section of the configuration, which in turn violates the rule ordering rules.

Tom

PS: All of the above information was taken from the pf.conf man page.
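The ordering check Tom quotes, and the point that a plain `anchor` opens the filtering section, as an added example that is not part of the thread: a small Python re-implementation of pfctl's statement-ordering check, run over a constructed copy of the failing layout and over a corrected one. The keyword table, the `check_order` function and both sample configs are mine, not pfctl's code.

```python
# Illustrative re-implementation of the statement-ordering check that pfctl
# applies to pf.conf (written for this example; not pfctl's own code).
# The five statement types, in the order pf.conf(5) requires.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]

# Leading keyword -> section.  A plain "anchor" holds filter rules and opens the
# filtering section; macros, tables and "load anchor" have no section (skipped).
SECTION_OF = {
    "set": "options", "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation",
    "binat-anchor": "translation", "anchor": "filtering",
    "pass": "filtering", "block": "filtering", "antispoof": "filtering",
}

def check_order(conf):
    """Return [(lineno, keyword)] for each line pfctl would report out of order."""
    errors, state, enforce = [], -1, True
    for lineno, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()       # drop comments and blanks
        if not words or "=" in " ".join(words[:2]):  # macro definition
            continue
        if words[:2] == ["set", "require-order"]:
            enforce = words[2:3] != ["no"]         # 'no' disables the check
        section = SECTION_OF.get(words[0])
        if section is None:
            continue
        rank = ORDER.index(section)
        if enforce and rank < state:
            errors.append((lineno, words[0]))
        state = rank  # as in pfctl, adopt the new state even after an error
    return errors

# Constructed sample mirroring the thread: the filter anchor sits where the
# queueing rules should be, so the nat rule after it is out of order.
BROKEN = """ext_if = "rl0"
scrub in all
anchor altqrules
load anchor altqrules from "/home/anchor-altq"
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
pass out on $ext_if all keep state
"""
# Same policy with altq/queue in the main file and the filter anchor after nat.
FIXED = """altq on fxp0 bandwidth 100Mb cbq queue { std }
queue std bandwidth 100Mb cbq(default)
nat on rl0 from 192.168.1.0/24 to any -> (rl0)
anchor altqrules
pass out on rl0 all keep state
"""
```

`check_order(BROKEN)` flags the `nat` line, the same class of error Umar saw, while `check_order(FIXED)` returns nothing because the queueing statements now precede translation and the filter anchor follows it.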