Hi, I have some problems with FreeBSD 5.4-STABLE using pf and altq

Agus Riant who.kill.the.blind.dogs at gmail.com
Mon Jan 30 09:29:35 PST 2006


Hi, I have some problems with FreeBSD 5.4-STABLE using pf and altq.

This is my kernconf:
============
machine         i386
cpu             I686_CPU
ident           JOSS
maxusers        512

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
##options         INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         MD_ROOT                 # MD is a potential root device
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                       # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                       # output.  Adds ~215k to driver.
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

device          apic                    # I/O APIC

# Bus support.  Do not remove isa, even if you have no isa slots
device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          atapicd         # ATAPI CDROM drives
options         ATA_STATIC_ID   # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

device          agp             # support several AGP chipsets

# Floating point support - do not disable.
device          npx

# Add suspend/resume support for the i8254.
device          pmtimer


# Serial (COM) ports
device          sio             # 8250, 16[45]50 based serial ports

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          bge             # Broadcom BCM570xx Gigabit Ethernet

# Pseudo devices.
device          loop            # Network loopback
device          mem             # Memory and kernel memory devices
device          io              # I/O device
device          random          # Entropy device
device          ether           # Ethernet support
device          tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
##device          gif             # IPv6 and IPv4 tunneling
##device          faith           # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# SMP
options         SMP

# snoop
device          snp

## PF
device          pf
device          pflog
device          pfsync

options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ

options         QUOTA

pf.conf + altq config:
==============
## set macros
ext_if="bge0"
main_ip="xx.xx.xx"   # < I removed it :)
http_ports="{ 43, 80 }"
sec_ports="{ 22 }"
tcp_serv="{ 20, 21, 25, 53 }"
dns_ports="{ 43, 53, 123 }"
irc_ports="{ 113, 2000 >< 8005, 8300 >< 9000, 30000 >< 40000 }"
icmp_t="echoreq"
tracert="33434 >< 33450"

## main set options
set timeout { frag 30, interval 10 }
set limit { frags 5000, states 3000 }
set loginterface $ext_if
set block-policy drop
set optimization normal
scrub in all

## QUEUES - ALTQ rules
altq on bge0 cbq bandwidth 100Mb queue { q_all }
queue q_all bandwidth 100% cbq { q_def, q_pri, q_misc, q_web, q_dns, q_irc }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_misc bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 15% priority 4 cbq(borrow)
queue q_dns bandwidth 25% priority 5 cbq(borrow)
queue q_irc bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7

## Default Block
block in all
block out all

#=- Table
table <spoof> persist file "/etc/pftable/spoof.conf"
table <ddos> persist file "/etc/pftable/ddos.conf"
table <sindo> persist file "/etc/pftable/servindo.conf"
table <bfd> persist file "/etc/pftable/bfd.conf"
table <int> persist file "/etc/pftable/int.conf"
table <igh> persist file "/etc/pftable/joss.conf"


block in quick on $ext_if from { <spoof>, <ddos>, <sindo>, <bfd>, <int> } to any

pass quick on lo0 all
pass inet proto icmp from <joss> to any icmp-type $icmp_t keep state queue q_misc
pass out quick proto udp from any to any port $tracert keep state queue q_def
pass quick proto tcp from any to any port $tcp_serv keep state queue q_def

pass in quick proto tcp from <igh> to any port 22 keep state
pass quick proto tcp from any to any port $sec_ports keep state queue q_pri

pass quick proto udp from any to any port $dns_ports keep state queue q_dns
pass out quick proto { tcp, udp } from <igh> to any port { 161, 162 } keep state queue q_dns

pass in quick proto tcp from any to $main_ip port $http_ports flags S/SA synproxy state queue q_web
pass out quick proto tcp from $main_ip to any port $http_ports keep state queue q_web

pass quick proto tcp from any to any port $irc_ports keep state queue q_irc

============================

I try to load the configuration file:

# pfctl -f /etc/pf.conf.altq
pfctl: bge0: driver does not support altq

Can anyone help me resolve this problem?

NB: there is no error message if ALTQ is disabled.

Thanks
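As an added example (not code from the original post or from the FreeBSD project), here is a POSIX sh loader that tries the ALTQ ruleset above and, when pfctl answers "driver does not support altq", loads the same ruleset with every queue reference stripped so the box is not left without a filter. It assumes pfctl(8)'s -f (load from file) and -n (parse only) options, and assumes that the "driver does not support altq" rejection comes from the kernel when the altq definition is actually loaded, so a -n dry run alone does not reveal it. The fallback path /etc/pf.conf.noaltq and the sample ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): load a pf.conf that carries
# ALTQ queueing and, if pfctl rejects it because the NIC driver has no ALTQ
# support, load the same ruleset with every queue reference removed instead,
# so the host is never left with a missing filter.
#
# Assumptions: pfctl -f loads a ruleset file, pfctl -n only parses one, and
# the "driver does not support altq" error is raised at load time by the
# kernel, so it is only seen on a real load. /etc/pf.conf.noaltq is a path
# invented for this example.

# strip_altq: read a pf.conf on stdin, write it without ALTQ on stdout.
#  - deletes "altq on ..." and "queue ..." definitions
#  - removes a trailing "queue <name>" or "queue (<a>, <b>)" from filter rules
# Each rule must be on one line (pf.conf requires that anyway; the wrapped
# rule lines in the mail above are a mail-client artefact).
strip_altq() {
    sed -e '/^[[:space:]]*altq[[:space:]]/d' \
        -e '/^[[:space:]]*queue[[:space:]]/d' \
        -e 's/[[:space:]]\{1,\}queue[[:space:]]\{1,\}([^)]*)[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}queue[[:space:]]\{1,\}[A-Za-z0-9_.-]\{1,\}[[:space:]]*$//'
}

# load_pf_with_fallback CONF [FALLBACK]
# Returns 0 when a ruleset (with or without ALTQ) was loaded, 1 otherwise.
load_pf_with_fallback() {
    conf=$1
    fallback=${2:-/etc/pf.conf.noaltq}

    # Real load: the ALTQ driver check only happens here, not under -n.
    if err=$(pfctl -f "$conf" 2>&1); then
        return 0
    fi
    case $err in
    *"driver does not support altq"*)
        echo "ALTQ rejected for this driver; loading $fallback without queueing" >&2
        strip_altq < "$conf" > "$fallback" || return 1
        pfctl -nf "$fallback" && pfctl -f "$fallback"
        ;;
    *)
        # Any other error (syntax, undefined table, no pfctl) is not ours to hide.
        printf '%s\n' "$err" >&2
        return 1
        ;;
    esac
}

# Constructed sample: a cut-down version of the ruleset in the mail, embedded
# so the stripping step can be exercised on a machine without pf.
SAMPLE_CONF='ext_if="bge0"
altq on bge0 cbq bandwidth 100Mb queue { q_all }
queue q_all bandwidth 100% cbq { q_def, q_web }
queue q_def bandwidth 50% priority 1 cbq(borrow default red ecn)
queue q_web bandwidth 50% priority 4 cbq(borrow)
block in all
pass quick proto tcp from any to any port 22 keep state queue q_def
pass in quick proto tcp from any to 192.0.2.10 port 80 flags S/SA synproxy state queue (q_web, q_def)
pass out quick proto tcp from 192.0.2.10 to any port 80 keep state queue q_web'

# sample_stripped_rules: the constructed sample after strip_altq.
sample_stripped_rules() {
    printf '%s\n' "$SAMPLE_CONF" | strip_altq
}

# Run with --demo to print the stripped sample ruleset.
if [ "${1:-}" = "--demo" ]; then
    sample_stripped_rules
fi
```

The stripped copy keeps `keep state`, `synproxy state` and the table and macro lines untouched; only the scheduler definitions and the per-rule queue assignments go, which is the same ruleset the poster says loads without error once ALTQ is disabled. Check the result with `pfctl -nf /etc/pf.conf.noaltq` before trusting it, and note that `pfctl -nf` on the ALTQ version will still parse cleanly on a driver that lacks ALTQ.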

