PF strange problem.

Max Laier max at love2party.net
Mon Nov 29 11:01:40 PST 2004


On Sunday 28 November 2004 22:51, mzk wrote:
> First, sorry for my English and for my other mistakes, but this is my first
> post to a mailing list ever. :-) Today I understood that my pf doesn't work
> properly. For each host on my network I have 4 rules, 2 out (from int_if)
> and 2 in, like:
>
> pass out quick on $int_if from <peering> to $host queue peering_host_in
> pass out quick on $int_if from any to $host queue host_in
> pass in quick on $int_if proto { tcp, udp } from $host to <peering> port
> $ports
> pass in quick on $int_if proto { tcp, udp } from $host to any port 
> $ports

Okay, first of all some generic notes:
1) Consider stateful rules. It will not only make the firewall faster but will 
also make sure that all outgoing traffic of a "connection" is enqueued to the 
same queue. This simplifies the ruleset a lot.
2) Use "$pfctl -vv -tpeering -Ttest [someip]" to verify that the table really 
contains what you think it does.

> The problem is that the first `peering` rule works like the second one ->
> it passes everything from anyone using the peering_host_in queue. If I
> comment it out, the second rule works, but that's not the idea. So my
> international connection (the second rules) is overloaded and I cannot
> make good QoS. I am using GENERIC with these options, added by me ->

I don't really get what you are saying here. Sorry. Can you try to rephrase, 
please? Maybe you can also include the rules in question with match-counters: 
"$pfctl -vvsr" and the queue stats: "$pfctl -vsq". Both are also good tools 
for debugging the ruleset.

I hope these pointers help, and am really sorry that I don't fully understand 
what the problem is.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
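As an added illustration of the stateful approach suggested above (not part of the original thread), here is the four-rule pattern from the question collapsed into two stateful rules that carry the queue assignment in the state. The interface name, host address, bandwidths and the table file are constructed placeholders.

```pf
# Added example, not from the mailing-list thread. Interface, address,
# bandwidth figures and the table file path are constructed placeholders.
int_if = "fxp0"
host   = "192.0.2.10"
ports  = "{ 80, 443 }"

# <peering> holds the networks reachable over the peering link.
# Check what is really in it with: pfctl -vv -t peering -T test 192.0.2.200
table <peering> persist file "/etc/pf.peering"

# Queues are attached to the outgoing side of int_if (traffic towards $host).
altq on $int_if cbq bandwidth 10Mb queue { host_in, peering_host_in }
queue host_in         bandwidth 1Mb cbq(default)
queue peering_host_in bandwidth 8Mb cbq(borrow)

# One stateful rule per path. The state created on the way in records the
# queue, so the replies leaving on $int_if are enqueued there without a
# separate "pass out" rule. The more specific <peering> rule comes first.
pass in quick on $int_if proto { tcp, udp } from $host to <peering> \
    port $ports keep state queue peering_host_in
pass in quick on $int_if proto { tcp, udp } from $host to any \
    port $ports keep state queue host_in
```

After loading, "pfctl -vvsr" shows per-rule evaluation and packet counters and "pfctl -vsq" shows which queue the bytes actually landed in, which is the quickest way to confirm the <peering> rule is matching the intended hosts.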