PF traffic management on two devices + VPN
assetburned
freebsd at assetburned.de
Fri Aug 22 18:10:32 UTC 2008
Hi,
I use PF to manage the traffic going through a VPN connection (ng0 to
ng1). I am also able to manage the traffic on the device where I
expect the VPN traffic (ed1 and ed2).
But now my problems start: I also want to manage the outgoing traffic
on ed0 to the WAN side.
On my router Squid is installed, so I thought that all packages
generated by my FreeBSD machine could be put into a queue for ed0.
If I check the settings with pftop then everything looks fine. But it
looks like the limits for the upper limit are totally ignored.
So I did a check from the other side. I installed an Apache on that
server and tried to download a file from that server. And hey there is
my bandwidth management.
So I am confused. How can I handle the traffic generated by the squid
on the router on the WAN interface?
cu assetburned
---- my pf.config ----
#
# Version 2008-08-22-014
# based on https://calomel.org/pf_config.html
# manual at: http://www.openbsd.org/faq/pf/
### some basics ###
# following line is only possible if the two variables are defined before this line!
# IntIF = "{" $IntIF1 $IntIF2 "}"
#
# following line is not possible. there have to be at least two variables!
# ExtIF = "{" $ExtIF1 "}"
#
# following line is not possible because there would be {something {something, something}}
# Whatever = "{" $ExtIF1 $IntIF "}"
##### Interfaces #####
ExtIF1 = "ed0"    # this is the WAN connection
IntIF1 = "ed1"    # this is the real connection to all 192.168.4.x
IntIF2 = "ed2"    # this is the real connection to all 192.168.3.x
LocIF = "lo0"
ExtIF = "ed0"
IntIF = "{" $IntIF1 $IntIF2 "}"
VPNIF0 = "ng0"
VPNIF1 = "ng1"
# keep in mind this is only usable for nat and rdr and not for the pass rules because of the different queues!
VPNIF = "{" $VPNIF0 $VPNIF1 "}"
##### Speeds ####
### Interface ###
E1_speed = "1Mb"
IntIF1_speed = "10Mb"
IntIF2_speed = "10Mb"
VPN_speed = "3Mb"
### Protocol ###
VPN_green = "1Mb"
VPN_yello = "512Kb"
VPN_red = "256Kb"
##### Hosts #####
# for the case there are internal servers
H_squid = "192.168.5.5"
H_sshd = "192.168.4.5"
H_vpnd = "192.168.4.5"
H_apache = "192.168.4.5"
H_apacheV = "192.168.5.5"    # the proxy where the PAC file is hosted inside the VPN
H_mail = "10.10.98.217"      # have to check that, this is another lab computer!
# special LSBU servers (green listed)
H_LOVE_MA = "10.10.60.60"    # mail.
H_LOVE_BB = "10.10.76.13"    #
H_LOVE_EC = "10.10.98.146"   #
H_LOVE_PB = "10.10.109.128"  #
H_LOVE_WW = "10.10.109.120"  #
H_LOVE_LB = "10.10.109.180"  #
H_LOVE_LP = "10.10.109.178"  #
H_LOVE_LR = "10.10.109.181"  #
H_LOVE_DH = "any"            # the DHCP server (currently not used in any rule)
H_LOVE = "{" $H_LOVE_MA $H_LOVE_BB $H_LOVE_EC $H_LOVE_PB $H_LOVE_WW $H_LOVE_LB $H_LOVE_LP $H_LOVE_LR "}"
#### Protocols ####
# Well known ports
P_squid = "3128"
P_msproxy = "8080"
P_proxy = "{" $P_squid $P_msproxy "}"
P_http = "80"
P_https = "443"
P_brows = "{" $P_http $P_https "}"
P_pop3 = "110"
P_pop3s = "995"
P_imaps = "993"
P_imap = "143"
P_smtp = "25"
P_smtps = "465"
P_mail = "{" $P_pop3 $P_pop3s $P_imaps $P_imap $P_smtp $P_smtps "}"
P_ssh = "22"
P_dns = "53"
P_vpnd = "1723"
P_samba = "{ 137, 138, 139 }"
## Low Priority Squid ##
P_LPS = "31280"
#### Host & Port combinations ####
HP_squid = $H_squid " port " $P_squid
HP_LPS = $H_squid " port " $P_LPS
HP_apache = $H_apache " port " $P_http
HP_apacheV = $H_apacheV " port " $P_http
HP_vpnd = $H_vpnd " port " $P_vpnd
HP_mail = $H_mail " port {" $P_pop3 $P_pop3s $P_imaps $P_imap $P_smtp $P_smtps "}"
#### Networks ####
N_ExtIF1 = "10.10.0.0/16"
N_IntIF1 = "192.168.4.0/24"
N_IntIF2 = "192.168.3.0/24"
N_VPN = "192.168.5.0/24"
# I don't know why it isn't possible to use the variables from above.
N_intern = "{ 192.168.4.0/24 , 192.168.3.0/24 }"
N_priv1 = "127.0.0.0/8"
N_priv2 = "172.16.0.0/12"
N_priv3 = "169.254.0.0/16"
N_priv4 = "192.168.0.0/16"
N_privat = "{ 127.0.0.0/8 , 172.16.0.0/12 , 169.254.0.0/16 , 192.168.0.0/16 }"
### States & Queues ###
SynState = "flags S/SAFR synproxy state"
TcpState = "flags S/SAFR modulate state"
UdpState = "keep state"
### Stateful Tracking Options ###
ExtIfSTO = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
IntIfSTO = "(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"
### Options ###
set optimization aggressive
set block-policy drop
set ruleset-optimization basic
##### Normalization #####
# to hide what is going on in the LAN
# and to be sure that an optimum of payload is send by each packet.
scrub log on $ExtIF all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
#### queueing ####
# check for example: http://www.probsd.net/pf/index.php/Hednod%27s_HFSC_explained
# check for more: http://puffer.sru.ac.th/OpenBSD/firewall page 213ff
# check also : https://calomel.org/pf_config.html
## physical interfaces ##
# note: ALTQ only acts on packets leaving an interface; a queue named on a
# 'pass in' rule takes effect on the outbound packets of that state.
# note: a child queue's percentage is relative to its parent queue, not to the interface.
altq on $ExtIF1 bandwidth $E1_speed hfsc(linkshare $E1_speed upperlimit $E1_speed) queue {E1_Imp, E1_LSB, E1_Ext, E1_def}
  queue E1_Imp bandwidth 10% qlimit 500 priority 9 hfsc(linkshare 10%) {E1_ICM, E1_DNS}
    queue E1_ICM bandwidth 2% priority 8 hfsc(realtime 2%)
    queue E1_DNS bandwidth 8% priority 8 hfsc(realtime 8%)
  queue E1_LSB bandwidth 50% priority 8 hfsc(linkshare 50%) {E1_LSS, E1_PUB, E1_OTH}
    queue E1_LSS bandwidth 5% qlimit 500 priority 7 hfsc(realtime 5%) {E1_SLO, E1_SBU}
      queue E1_SLO bandwidth 1% priority 6 hfsc
      queue E1_SBU bandwidth 4% priority 6 hfsc
    queue E1_PUB bandwidth 30% qlimit 500 priority 7 hfsc(realtime 30%) {E1_PCO, E1_PBU}
      queue E1_PCO bandwidth 10% priority 6 hfsc
      queue E1_PBU bandwidth 20% priority 6 hfsc
    queue E1_OTH bandwidth 15% qlimit 500 priority 6 hfsc(realtime 15%) {E1_OCO, E1_OBU}
      queue E1_OCO bandwidth 10% priority 5 hfsc
      queue E1_OBU bandwidth 5% priority 5 hfsc
  queue E1_Ext bandwidth 35% priority 7 hfsc(linkshare 35%) {E1_GOO, E1_BAD}
    queue E1_GOO bandwidth 30% qlimit 500 priority 6 hfsc(realtime 30%) {E1_GCO, E1_GBU}
      queue E1_GCO bandwidth 10% priority 5 hfsc
      queue E1_GBU bandwidth 20% priority 5 hfsc
    queue E1_BAD bandwidth 5% priority 5 hfsc(realtime 5%) {E1_BCO, E1_BBU}
      queue E1_BCO bandwidth 2% priority 4 hfsc
      queue E1_BBU bandwidth 3% priority 4 hfsc
  queue E1_def bandwidth 5% priority 1 hfsc(realtime 5% upperlimit 20% default)
altq on $IntIF1 bandwidth $IntIF1_speed hfsc(linkshare $IntIF1_speed upperlimit $IntIF1_speed) queue {I1_VPN, I1_non, I1_def}
  queue I1_VPN bandwidth 80% priority 9 hfsc(linkshare 80%)
  queue I1_non bandwidth 19% priority 5 hfsc(linkshare 18%)
  queue I1_def bandwidth 1% priority 1 hfsc(realtime 1% linkshare 2% default)
altq on $IntIF2 bandwidth $IntIF2_speed hfsc(linkshare $IntIF2_speed upperlimit $IntIF2_speed) queue {I2_VPN, I2_non, I2_def}
  queue I2_VPN bandwidth 80% priority 9 hfsc(linkshare 80%)
  queue I2_non bandwidth 19% priority 5 hfsc(linkshare 18%)
  queue I2_def bandwidth 1% priority 1 hfsc(realtime 1% linkshare 2% default)
## vpn interfaces ##
altq on $VPNIF0 bandwidth $VPN_speed hfsc(linkshare $VPN_speed upperlimit $VPN_speed) queue {VPNIF0_green, VPNIF0_yello, VPNIF0_red}
  queue VPNIF0_green bandwidth $VPN_green priority 9 hfsc(linkshare $VPN_green)
  queue VPNIF0_yello bandwidth $VPN_yello priority 5 hfsc(linkshare $VPN_yello)
  queue VPNIF0_red bandwidth $VPN_red priority 1 hfsc(realtime $VPN_red linkshare $VPN_red upperlimit $VPN_red default)
altq on $VPNIF1 bandwidth $VPN_speed hfsc(linkshare $VPN_speed upperlimit $VPN_speed) queue {VPNIF1_green, VPNIF1_yello, VPNIF1_red}
  queue VPNIF1_green bandwidth $VPN_green priority 9 hfsc(linkshare $VPN_green)
  queue VPNIF1_yello bandwidth $VPN_yello priority 5 hfsc(linkshare $VPN_yello)
  queue VPNIF1_red bandwidth $VPN_red priority 1 hfsc(realtime $VPN_red linkshare $VPN_red upperlimit $VPN_red default)
##### Translation #####
## NAT ##
nat on $ExtIF from $N_intern to $N_ExtIF1 port $P_dns -> ($ExtIF1)
nat on $ExtIF from $N_VPN to $N_ExtIF1 port $P_brows -> ($ExtIF1)
nat on $ExtIF from $N_VPN to $H_mail/32 port $P_mail -> ($ExtIF1)
## RDR ##
no rdr on $LocIF from any to any
# all local traffic to proxies or webpages should be redirected to the local Apache
rdr on $IntIF1 inet proto tcp from any to any port $P_brows -> $H_apache port 80
rdr on $IntIF2 inet proto tcp from any to any port $P_brows -> $H_apache port 80
# (the same rule for $IntIF3 and $IntIF4 is dropped: those macros are never
# defined, and pfctl refuses a ruleset that references an undefined macro)
## first global blocking rules ##
# remember: because there is no quick in these rules they can be overwritten! #
block on $ExtIF
block on $IntIF
block on $VPNIF
# block some bad ssh hackers #
table <denyhosts> persist file "/var/db/denyhosts"
block drop in quick from <denyhosts> to any
## do not send or receive LAN traffic on the WAN ##
block in quick on $ExtIF1 inet from any to $N_privat
block in quick on $ExtIF1 inet from $N_privat to any
block out quick on $ExtIF1 inet from any to $N_privat
block out quick on $ExtIF1 inet from $N_privat to any
# now make the blocking rules more precise #
# i know it is useless, but nice to see in pftop and maybe some day this should be converted to pass rules #
## Samba is not allowed ##
block in inet proto tcp from any port $P_samba to any
block in inet proto udp from any port $P_samba to any
block out inet proto tcp from any to any port $P_samba
block out inet proto udp from any to any port $P_samba
## Pass rules for physical interfaces ##
# allow users without a VPN connection to see the VPN server's login page
pass in quick on $IntIF1 inet proto tcp from $IntIF1:network to $HP_apache keep state queue (I1_non, I1_VPN)
pass in quick on $IntIF2 inet proto tcp from $IntIF2:network to $HP_apache keep state queue (I2_non, I2_VPN)
# put the VPN traffic in its own queue on the right interface
pass out quick on $IntIF1 inet proto gre from $H_vpnd to $IntIF1:network queue I1_VPN
pass out quick on $IntIF2 inet proto gre from $H_vpnd to $IntIF2:network queue I2_VPN
# (the $IntIF3/$IntIF4 copies of the two rules above are dropped: neither those
# macros nor the I3_*/I4_* queues are defined anywhere in this file)
## Pass rules for VPN interfaces ##
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_apacheV queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_squid queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_LPS queue (VPNIF0_yello, VPNIF0_green)
pass in quick on $VPNIF0 inet proto udp from ($VPNIF0:peer) to any port $P_dns queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $H_LOVE port $P_brows queue VPNIF0_green
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $HP_mail queue (VPNIF0_yello, VPNIF0_green)
pass in quick on $VPNIF0 inet proto tcp from ($VPNIF0:peer) to $N_ExtIF1 port $P_brows queue (VPNIF0_yello, VPNIF0_green)
pass in quick on $VPNIF0 inet proto icmp from ($VPNIF0:peer) to $N_ExtIF1 icmp-type 8 code 0 queue (VPNIF0_yello, VPNIF0_green)
pass out quick on $VPNIF0 inet proto icmp from any to ($VPNIF0:peer) icmp-type 8 code 0 queue (VPNIF0_yello, VPNIF0_green)
# same set for ng1; the first rule originally used ($VPNIF0:peer), i.e. ng0's peer, on $VPNIF1 and is corrected to ($VPNIF1:peer)
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_apacheV queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_squid queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_LPS queue (VPNIF1_yello, VPNIF1_green)
pass in quick on $VPNIF1 inet proto udp from ($VPNIF1:peer) to any port $P_dns queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $H_LOVE port $P_brows queue VPNIF1_green
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $HP_mail queue (VPNIF1_yello, VPNIF1_green)
pass in quick on $VPNIF1 inet proto tcp from ($VPNIF1:peer) to $N_ExtIF1 port $P_brows queue (VPNIF1_yello, VPNIF1_green)
pass in quick on $VPNIF1 inet proto icmp from ($VPNIF1:peer) to $N_ExtIF1 icmp-type 8 code 0 queue (VPNIF1_yello, VPNIF1_green)
pass out quick on $VPNIF1 inet proto icmp from any to ($VPNIF1:peer) icmp-type 8 code 0 queue (VPNIF1_yello, VPNIF1_green)
## Pass rules for the WAN interface ##
pass in on $ExtIF1 inet proto tcp from $N_ExtIF1 to ($ExtIF1) $TcpState $ExtIfSTO queue (E1_OBU, E1_OCO)
pass in on $ExtIF1 inet proto tcp from $H_LOVE to ($ExtIF1) port $P_brows $TcpState $ExtIfSTO queue (E1_PBU, E1_PCO)
pass in on $ExtIF1 inet proto tcp from $N_ExtIF1 to ($ExtIF1) port $P_ssh $TcpState $ExtIfSTO queue (E1_SLO, E1_SBU)
pass in on $ExtIF1 inet proto udp from $N_ExtIF1 to ($ExtIF1) port $P_dns $UdpState $ExtIfSTO queue E1_DNS
pass in on $ExtIF1 inet proto icmp from $N_ExtIF1 to ($ExtIF1) icmp-type 8 code 0 $UdpState $ExtIfSTO queue E1_ICM
pass in on $ExtIF1 inet proto tcp from !$N_ExtIF1 to ($ExtIF1) $TcpState $ExtIfSTO queue (E1_BBU, E1_BCO)
pass in on $ExtIF1 inet proto tcp from !$N_ExtIF1 to ($ExtIF1) port $P_brows $TcpState $ExtIfSTO queue (E1_GBU, E1_GCO)
pass in on $ExtIF1 inet proto udp from !$N_ExtIF1 to ($ExtIF1) port $P_dns $UdpState $ExtIfSTO queue E1_DNS
# traffic generated on the router itself (e.g. by squid) leaves through these pass out rules
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to $N_ExtIF1 $TcpState $ExtIfSTO queue (E1_OBU, E1_OCO)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to $H_LOVE port $P_brows $TcpState $ExtIfSTO queue (E1_PBU, E1_PCO)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to $N_ExtIF1 port $P_ssh $TcpState $ExtIfSTO queue (E1_SLO, E1_SBU)
pass out on $ExtIF1 inet proto udp from ($ExtIF1) to $N_ExtIF1 port $P_dns $UdpState $ExtIfSTO queue E1_DNS
pass out on $ExtIF1 inet proto icmp from ($ExtIF1) to $N_ExtIF1 icmp-type 8 code 0 $UdpState $ExtIfSTO queue E1_ICM
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to !$N_ExtIF1 $TcpState $ExtIfSTO queue (E1_BBU, E1_BCO)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to !$N_ExtIF1 port $P_brows $TcpState $ExtIfSTO queue (E1_GBU, E1_GCO)
pass out on $ExtIF1 inet proto udp from ($ExtIF1) to !$N_ExtIF1 port $P_dns $UdpState $ExtIfSTO queue E1_DNS
#
# still to optimize
#
pass in on $IntIF1 queue I1_non
pass in on $IntIF2 queue I2_non
pass in on lo0
pass out on lo0
pass out on $IntIF1 queue I1_non
pass out on $IntIF2 queue I2_non
# (the $IntIF3/$IntIF4 lines are dropped: the macros and the I3_*/I4_* queues are never defined)
## EOF ##
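The ruleset above refers to $IntIF3/$IntIF4 and to I3_*/I4_* queues that it never defines, and pfctl also rejects a queue whose children claim more than 100% of it between them (child percentages are relative to the parent). As an added example, not code from the original post or from pf, this Python lint reads a pf.conf-style text and reports undefined macros, queues used by rules but never declared, and over-subscribed parents; the fragment it runs on is constructed to trigger all three.

```python
import re

# Constructed pf.conf fragment shaped like the posted ruleset (not the poster's file):
# $IntIF3, I3_non and I3_VPN are never defined, and E1_Ext's children claim 110% of it.
SAMPLE_CONF = """
ExtIF1 = "ed0"   # WAN
altq on $ExtIF1 bandwidth 1Mb hfsc(linkshare 1Mb) queue {E1_Ext, E1_def}
queue E1_Ext bandwidth 35% hfsc(linkshare 35%) {E1_GOO, E1_BAD}
queue E1_GOO bandwidth 60% hfsc
queue E1_BAD bandwidth 50% hfsc
queue E1_def bandwidth 65% hfsc(default)
pass in on $IntIF3 queue (I3_non, I3_VPN)
pass out on $ExtIF1 inet proto tcp from ($ExtIF1) to any port 80 queue (E1_BAD, E1_GOO)
"""


def lint_pf_conf(conf):
    """Return (undefined macros, queues used by rules but never declared,
    parents whose child queues' percentages add up to more than 100%)."""
    defined, used, declared, referenced = set(), set(), set(), set()
    share, children = {}, {}  # queue name -> % of its parent, list of child names
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        used.update(re.findall(r"\$(\w+)", line))  # every $MACRO reference
        m = re.match(r"(\w+)\s*=", line)  # macro definition
        if m:
            defined.add(m.group(1))
            continue
        # trailing {child, child} list on altq / queue declaration lines
        kids = [k.strip() for grp in re.findall(r"\{([^}]*)\}\s*$", line) for k in grp.split(",")]
        if line.startswith("altq on"):
            children["root:" + line.split()[2]] = kids  # the interface's root queue
        elif line.startswith("queue "):
            name, bw = re.match(r"queue\s+(\w+)(?:\s+bandwidth\s+(\S+))?", line).groups()
            declared.add(name)
            share[name] = int(bw[:-1]) if bw and bw.endswith("%") else None  # None: absolute
            children[name] = kids
        else:  # filter rule: queue NAME or queue (NAME, NAME)
            m = re.search(r"\bqueue\s+(?:\(([^)]*)\)|(\w+))", line)
            if m:
                referenced.update(q.strip() for q in (m.group(1) or m.group(2)).split(","))
    # pf child percentages are relative to the parent, so siblings may not exceed 100% together
    oversubscribed = []
    for parent, kids in children.items():
        shares = [share.get(k) for k in kids]
        if kids and None not in shares and sum(shares) > 100:
            oversubscribed.append((parent, sum(shares)))
    return sorted(used - defined), sorted(referenced - declared), oversubscribed
```

Queues with absolute bandwidths (such as the $VPN_green style above) are listed but not summed, since only percentages are compared.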