Date:      Fri, 16 Dec 2005 00:13:19 -0600
From:      "J. Buck Caldwell" <freebsd@bitparts.org>
To:        freebsd-stable@freebsd.org
Subject:   My ungodly PF config - am I sane and brilliant, or just deluded and dangerous?
Message-ID:  <43A25AFF.2090501@bitparts.org>

My company is using FreeBSD for two major applications: our file servers 
(via Samba), which aren't the subject of this message; and the routers 
between branches. Some background follows.

We have essentially two types of branches - Type A, with their own cable 
internet connections, and Type B, who have point-to-point T1 connections 
to Corporate and use our internet connection for outside communication. 
The Type A branches have FreeBSD machines acting as firewall/NAT, and 
also providing gif endpoints for tunnels to our Corporate office, which 
also uses a FreeBSD machine to provide firewall/NAT for the Corporate 
Office and Type B branches.

With me so far?

Here's the fun part. Our traffic has gotten to the point where I've 
decided that some traffic shaping (ALTQ) is necessary. I've been 
experimenting with my home cable internet connection (and gif tunnel to 
work), and I believe I've come up with a workable solution. However, I'd 
like to run it by some experts to see if I'm screwing up (or hitting any 
possible limits) before I try putting it in place live.

Here's the config, with some comments/questions:

int_if = "bge1"   # obviously, the Internal interface of our firewall, connected to the corporate internal network
ext_if = "bge0"   # again, obviously, the external interface, connected to the DMZ, with a publicly routed IP
gif_if = "{" gif1 gif3 gif5 gif7 gif10 gif11 gif12 gif13 gif14 gif15 gif19 gif20 gif21 gif25 "}"   # all of the gif tunnels to the various branches

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# asna_out is listed as a child queue here but no "queue asna_out" line defines it below
altq on $ext_if priq bandwidth 4500Kb queue {std_out, ssh_out, mail_out, www_out, notes_out, asna_out, dns_out, gif_out, pri_out}
queue std_out priq(default) qlimit 150   # no explicit priority, so priq's default of 1
queue mail_out priority 2
queue www_out priority 3
queue notes_out priority 4   # We use Notes primarily, so it gets higher priority than normal SMTP/POP3 traffic
queue dns_out priority 6
queue ssh_out priority 7
queue gif_out priority 8   # This gets any traffic encapsulated in a gif tunnel or ipsec.
queue pri_out priority 15

# nat/rdr
# it occurs to me, as I post this, that I'll need to change this to account for the 
# Type B branches that are on separate subnets.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules
block all

pass quick on lo0 all
pass quick on $int_if all

pass in quick on $gif_if all

# Is there any reason to keep state on any of the following "in" rules?
pass in quick on $ext_if proto ipencap all
pass in quick on $ext_if proto esp all
pass in quick on $ext_if proto tcp all
pass in quick on $ext_if proto udp all
pass in quick on $ext_if proto icmp all

pass out on $gif_if proto udp all keep state queue(std_out, pri_out)
pass out on $gif_if proto icmp all keep state queue(std_out, pri_out)
pass out on $gif_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $gif_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $gif_if proto tcp from any to any port 25 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 110 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 443 modulate state flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 1352 modulate state flags S/SA queue(notes_out, pri_out)
pass out on $gif_if proto udp from any to any port 53 keep state queue(dns_out, pri_out)

pass out on $ext_if proto { udp, icmp } all keep state queue(std_out, pri_out)
pass out on $ext_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $ext_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $ext_if proto tcp from any to any port 25 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 110 modulate state flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 1352 modulate state flags S/SA queue(notes_out, pri_out)
pass out on $ext_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto tcp from any to any port 443 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto udp from any to any port 53 keep state queue(dns_out, pri_out)
# Again - any point in keeping state for the gif tunnels or ipsec (below) packets?
pass out on $ext_if proto ipencap all keep state queue(gif_out, pri_out)
pass out on $ext_if proto esp all keep state queue(gif_out, pri_out)

Believe it or not, pfctl -nv actually parses all of this out and seems 
to believe it makes sense. The other ends, which usually have only one 
or possibly two endpoints (branch->corporate and sometimes 
branch->sister branch) will be significantly simpler, but if the above 
works, it's easy to transpose to the smaller situation.

Something else I just noticed, since this is the "server end" - the 
point where most of the servers sit, as opposed to the clients - should 
I change those 'pass' lines from "from any to any port x" to "from any 
port x to any"? Is that valid?

My theory is that I want to first, prioritize the traffic going out on 
the gif tunnels, then promote the gif packet actually travelling out 
over the $ext_if above most other traffic. It LOOKS like this will 
happen, but I want to see if I'm missing anything obvious. In the past, 
I've used NetBSD and ipfilter, so I'm relatively new to PF and wanted a 
second opinion.

Thanks to anyone for answering, or for pointing to a more appropriate 
venue for the question!

-J. Buck Caldwell
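
A small checker for the queue bookkeeping in a config shaped like the one above, plus a walk through the "pass out" rules with pf's last-matching-rule semantics, added here as an example; it is not part of the original post and not pf or pfctl code. It models only the slice of pf.conf grammar the posted rules use (simple macros, one "altq ... priq" line, "queue" definitions, "pass out" rules with a "queue(q1, q2)" assignment) and runs on a constructed excerpt of the config: interfaces bge0 and gif1/gif3/gif5, a handful of the queues and rules, and the asna_out name that the altq line lists but no queue line defines.

```python
"""Consistency checks and a last-match walk over a pf.conf priq excerpt.

Added example (not from the post or the pf project). Only the rule shapes
used in the posted config are understood; anything else raises.
"""
import re

# Constructed excerpt in the shape of the posted config; the real file has
# more interfaces and rules. asna_out is copied from the post on purpose.
PF_CONF = r'''
int_if = "bge1"
ext_if = "bge0"
gif_if = "{" gif1 gif3 gif5 "}"
altq on $ext_if priq bandwidth 4500Kb queue {std_out, ssh_out, www_out, asna_out, gif_out, pri_out}
queue std_out priq(default) qlimit 150
queue www_out priority 3
queue ssh_out priority 7
queue gif_out priority 8
queue pri_out priority 15
pass out on $gif_if proto { udp, icmp } all keep state queue(std_out, pri_out)
pass out on $gif_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $gif_if proto tcp from any to any port 22 modulate state flags S/SA queue(ssh_out, pri_out)
pass out on $gif_if proto tcp from any to any port 80 modulate state flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto tcp all modulate state flags S/SA queue(std_out, pri_out)
pass out on $ext_if proto ipencap all keep state queue(gif_out, pri_out)
'''

PRIQ_MAX_PRIORITY = 15  # priq priorities run 0..15; pfctl defaults an unset one to 1


def parse(text):
    macros, cfg = {}, {"children": [], "queues": {}, "rules": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:  # macro: a quoted word, or the "{" a b c "}" list idiom
            macros[m.group(1)] = re.findall(r"[\w-]+", m.group(2).replace('"', " "))
            continue
        # Expand $macro into a brace list so interfaces always parse the same way.
        line = re.sub(r"\$(\w+)", lambda mm: "{" + " ".join(macros[mm.group(1)]) + "}", line)
        if line.startswith("altq on"):
            m = re.match(r"altq on \{[^}]*\} priq .*queue \{([^}]*)\}", line)
            cfg["children"] += [q.strip() for q in m.group(1).split(",")]
        elif line.startswith("queue "):
            name = line.split()[1]
            pm = re.search(r"priority (\d+)", line)
            cfg["queues"][name] = {"priority": int(pm.group(1)) if pm else 1,
                                   "default": "priq(default)" in line}
        elif line.startswith("pass out on"):
            m = re.match(r"pass out on \{([^}]*)\} proto (?:\{([^}]*)\}|(\w+)) "
                         r"(?:all|from any to any port (\d+)) .*queue\((\w+)(?:,\s*(\w+))?\)", line)
            if not m:
                raise ValueError("unsupported rule shape: " + line)
            cfg["rules"].append({"ifaces": set(m.group(1).split()),
                                 "protos": set(re.findall(r"\w+", m.group(2) or m.group(3))),
                                 "port": int(m.group(4)) if m.group(4) else None,
                                 "queues": [q for q in (m.group(5), m.group(6)) if q]})
    return cfg


def lint(cfg):
    """Bookkeeping checks on the queue set: every name defined and used,
    exactly one default queue, distinct in-range priq priorities."""
    defined = set(cfg["queues"])
    referenced = set(cfg["children"]) | {q for r in cfg["rules"] for q in r["queues"]}
    by_priority = {}
    for name, q in cfg["queues"].items():
        by_priority.setdefault(q["priority"], []).append(name)
    return {
        "undefined": sorted(referenced - defined),   # named but never given a queue line
        "unused": sorted(defined - referenced),      # defined but never assigned traffic
        "bad_priority": sorted(n for n, q in cfg["queues"].items()
                               if not 0 <= q["priority"] <= PRIQ_MAX_PRIORITY),
        "shared_priority": sorted(n for ns in by_priority.values() if len(ns) > 1 for n in ns),
        "default_count": sum(q["default"] for q in cfg["queues"].values()),
    }


def assigned_queue(cfg, iface, proto, dport=None):
    """Queue a packet leaving iface lands in. The LAST matching rule wins,
    since none of the posted pass out rules carry 'quick'; None means no
    pass rule matched, so the leading 'block all' applies."""
    chosen = None
    for r in cfg["rules"]:
        if iface in r["ifaces"] and proto in r["protos"] and r["port"] in (None, dport):
            chosen = r["queues"][0]
    return chosen


if __name__ == "__main__":
    cfg = parse(PF_CONF)
    print(lint(cfg))
    for pkt in [("gif3", "tcp", 22), ("gif3", "tcp", 54321), ("bge0", "ipencap", None)]:
        print(pkt, "->", assigned_queue(cfg, *pkt))
```

Run as a script it reports asna_out as referenced but undefined and prints the queue each sample packet lands in. The second sample, a TCP packet leaving the tunnel toward an ephemeral port, has the shape of a server's reply and falls through to the catch-all tcp rule; that is the case the "from any port x to any" question in the post is about, and editing the excerpt's rules lets that variant be checked before it is loaded on a live router.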