Date: Thu, 29 Mar 2007 10:17:20 -0700
From: Drew Tomlinson <drew@mykitchentable.net>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Why Does This Packet Match This Rule?
Message-ID: <460BF4A0.1090502@mykitchentable.net>
In-Reply-To: <000301c77173$8265dd00$87319700$@Hennessy@nviz.net>
References: <460AA59C.2000704@mykitchentable.net> <000301c77173$8265dd00$87319700$@Hennessy@nviz.net>
On 3/28/2007 12:58 PM Greg Hennessy wrote:
>> (and the rest). What am I missing?
>>
>
> From the rule snippets posted, 'keep state' & 'keep state flags S/SA' comes
> to mind.
>
> You should endeavour to keep state on each and every rule and only establish
> tcp state on the 3 way handshake.
>

Thank you for your reply. I have been unsuccessful in getting queuing to work the way I want. I want to queue outbound traffic to the ADSL modem so I can prioritize my packets. Specifically, I have a VoIP phone from SunRocket. Its traffic should be able to use bandwidth before any other. Then beyond that, I'd like second priority to go to interactive traffic such as http and ssh. Third priority would be a standard queue where most traffic ends up. Finally I'd like to have a low priority queue for file transfers like FTP and bittorrent.

To this end, I attempted to queue only traffic leaving my router on dc1 and keep state there so the queue will continue to be used. When I add keep state to traffic entering the router, it seems that state is matched there and thus the traffic never gets queued. Thus this is why only rule 84 has keep state as it's the rule that should match packets as they leave the router destined for the Internet.

But I must admit that I am quite confused about how all of this should work. Thus I am very open to suggestions on better ways to accomplish my goals. I am willing to rewrite my whole conf file to get it right. In fact I'm working on my latest rewrite now. :)

>> If it helps, I also posted my complete pf.conf and the rules to which it
>> expands at http://drew.mykitchentable.net/Temp/pf.conf.htm
>>
>
> Not seeing this, connection times out.
>

My apologies. You can see it now as I reverted to my old conf file (not the one on which I am currently working).

> What exactly are you trying to do with what looks like a SoHo policy
> expanding into > 80 rules ?
>

Basically:

1. Allow all outbound traffic from my internal net (dc0) to the Internet (dc1).
2. Allow traffic from the Internet to services hosted on my internal net.
3. Allow traffic between an OpenVPN connection on tun0 and my internal net.
4. Prioritize traffic as described above.
5. And if possible, get pf to work with Snort to block packets matching Snort rules I specify. However I am trying to just get pf working to my liking at this point. I will investigate Snort integration later.

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com
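The following pf.conf skeleton is an added example and is not part of this thread, nor taken from Drew's posted configuration. It shows the four-queue ALTQ layout Drew describes (VoIP, interactive, default, bulk) on the ADSL interface, with state kept on every rule as Greg suggests. The interface names dc0 and dc1 come from the thread; the phone's LAN address, the upstream bandwidth figure and the port lists are assumptions chosen for illustration. The design point it demonstrates: the queue name is recorded in the state entry by the rule that creates the state, and applied later on whichever outbound interface carries ALTQ. The queue keyword therefore belongs on the rule that first sees the packet (inbound on dc0); a later "pass out on dc1" rule is never evaluated for that packet because the existing state already matches it, which is exactly the behaviour described above.

```pf
# Added example, not the configuration from the thread.
# dc0/dc1 are from the thread; all other values are assumed placeholders.
ext_if     = "dc1"                    # ADSL side, where ALTQ is attached
int_if     = "dc0"                    # LAN side
voip_phone = "192.168.1.10"           # assumed LAN address of the SunRocket adapter
interactive_tcp = "{ 22, 80, 443 }"   # assumed "interactive" port set
bulk_tcp        = "{ 20, 21, 6881:6999 }"   # assumed FTP + bittorrent set

set skip on lo0

# ALTQ only shapes outbound traffic, so it is attached to the ADSL interface.
# The rate is a placeholder: set it a little below the real upstream sync
# rate so that pf, and not the modem's own buffer, is the point of queuing.
altq on $ext_if priq bandwidth 240Kb queue { q_voip, q_inter, q_std, q_bulk }
queue q_voip  priority 7
queue q_inter priority 5
queue q_std   priority 3 priq(default)
queue q_bulk  priority 1

block log all

# Outbound LAN traffic is classified where it enters the router. pf uses
# last-match semantics, so the catch-all comes first and the more specific
# rules below override it. Each rule keeps state and names its queue; TCP
# state is only created on the SYN of the handshake (flags S/SA).
pass in on $int_if from $int_if:network to any keep state queue q_std
pass in on $int_if proto tcp from $int_if:network to any port $interactive_tcp \
    flags S/SA keep state queue q_inter
pass in on $int_if proto tcp from $int_if:network to any port $bulk_tcp \
    flags S/SA keep state queue q_bulk
pass in on $int_if from $voip_phone to any keep state queue q_voip

# Forwarded packets already match the state created above when they reach
# dc1, so no queue is needed here; this rule covers traffic the router itself
# originates.
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and verify the classification with `pfctl -vsq` while generating traffic: each queue's packet counter should move for the traffic it is meant to carry. If everything lands in q_std, the state for that flow is being created by a rule that carries no queue name. ALTQ also needs `options ALTQ` and `options ALTQ_PRIQ` compiled into the kernel and a network driver that altq(4) supports.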