strange "throttling" issue with pf on xDSL connection

Patrick Proniewski patpro at patpro.net
Wed Aug 1 15:32:27 UTC 2007


On 01 August 2007, at 15:37, Greg Hennessy wrote:

> Posting a copy of your pf.conf

here we go:

# macros
int_if = "em0"
int_if_sec = "em1"
ext_if = "fxp0"
wif_if = "ath0"

tcp_services = "{ 22, 113, 80, 443, 25, 53, 554 }"
udp_services = "{ 53 }"
admin_tcp_services = "{ 311, 625, 5900, 5988 }"
admin_udp_services = "{ 3283 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

table <admin_nets> persist { --few IPs-- }
table <friends> persist { --few IPs-- }
table <spammers> persist file "/etc/pf.liste_ip_spamer"
table <sshscan> persist file "/etc/pf.liste_ip_ssh_scan"
table <webspam> persist file "/etc/pf.liste_ip_webspam"
table <openarena> persist { --few IPs-- }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $int_if_sec:network to any -> ($ext_if)

# filter rules
block log all
block in log quick proto tcp from <spammers> to any port smtp
block in log quick proto tcp from <sshscan> to any port ssh
block in log quick proto tcp from <webspam> to any port http

pass quick on lo0 all

block drop in  log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

# publicly reachable services on the external address
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

##### admin
pass in log on $ext_if inet proto tcp from { <admin_nets>, <friends> } to { ($ext_if), 192.168.0.2 } port $admin_tcp_services flags S/SA keep state
pass in log on $ext_if inet proto udp from { <admin_nets>, <friends> } to { ($ext_if), 192.168.0.2 } port $admin_udp_services keep state
##### OpenArena
pass in on $ext_if inet proto tcp from <openarena> to ($ext_if) port 56789 flags S/SA keep state
pass in on $ext_if inet proto udp from <openarena> to ($ext_if) port 56789 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in  on $int_if_sec from $int_if_sec:network to any keep state
pass out on $int_if_sec from any to $int_if_sec:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


> and trawling the logs for drops around the
> same time as the transfers are underway would be useful.

Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
Only a bunch of blocks for rule "0":

000000 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
507955 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
689510 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
41. 432770 rule 0/0(match): block in on fxp0: 82.235.85.225 > 82.235.12.223: [|tcp]
584629 rule 0/0(match): block in on fxp0: 82.235.85.225 > 82.235.12.223: [|tcp]
2. 251236 rule 0/0(match): block in on fxp0: 82.235.228.221 > 82.235.12.223: [|tcp]
506420 rule 0/0(match): block in on fxp0: 82.235.225.106 > 82.235.12.223: [|tcp]
5. 288575 rule 0/0(match): block in on fxp0: 82.235.225.106 > 82.235.12.223: [|tcp]
12. 352415 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]


I've found this in /var/log/debug.log:

../..
Aug  1 14:00:01 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG received
Aug  1 16:00:02 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG received
../..

But I believe it's not related to my problem at all.


regards,
patpro
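Editor's note on reading the pflog excerpt above (this is an added example, not code from the poster or from the freebsd-pf thread). Two details of that output are easy to misread. First, with `-ttt` the tcpdump of that era prints the delta since the previous packet, as `<usec>` or `<sec>. <usec>` once whole seconds have passed, so `41. 432770` is one timestamp (41.43 s after the previous block), not a line number. Second, `[|tcp]` means the captured bytes ended before the TCP header did, so ports and flags are unknown; rerunning with a larger `-s` gives a decodable header. Rule 0 in the excerpt is the first filter rule in the posted pf.conf, `block log all`. The script below, written in Python with the nine lines from the post as its sample input, turns the deltas into a running offset so blocks can be lined up against the time of a transfer, and counts blocks per rule, interface and source; the `entries_within` helper and the field names are my own choices, not a pf or tcpdump API.

```python
"""Summarise `tcpdump -n -e -ttt -i pflog0` output (tcpdump 3.x line format)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the nine pflog0 lines quoted in the post, one per line.
SAMPLE = """\
000000 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
507955 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
689510 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
41. 432770 rule 0/0(match): block in on fxp0: 82.235.85.225 > 82.235.12.223: [|tcp]
584629 rule 0/0(match): block in on fxp0: 82.235.85.225 > 82.235.12.223: [|tcp]
2. 251236 rule 0/0(match): block in on fxp0: 82.235.228.221 > 82.235.12.223: [|tcp]
506420 rule 0/0(match): block in on fxp0: 82.235.225.106 > 82.235.12.223: [|tcp]
5. 288575 rule 0/0(match): block in on fxp0: 82.235.225.106 > 82.235.12.223: [|tcp]
12. 352415 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
"""

# With -ttt, tcpdump 3.x prints the delta since the previous packet as
# "<sec>. <usec>" once whole seconds have elapsed, otherwise just "<usec>".
LINE_RE = re.compile(
    r"^(?:(?P<sec>\d+)\. )?(?P<usec>\d{6}) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): ?(?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    offset_us: int      # microseconds since the first logged packet
    rule: int           # filter rule number as reported by pflog
    reason: str         # "match" for an ordinary rule hit
    action: str         # block / pass / ...
    direction: str      # in / out
    ifname: str
    src: str            # with -n: address, or address.port once decodable
    dst: str
    truncated: bool     # tcpdump printed "[|tcp]" etc.: header cut by snaplen


def parse_pflog(text: str) -> list[PflogEntry]:
    """Parse tcpdump -n -e -ttt pflog output, turning per-packet deltas into a
    running offset so entries can be correlated with events on the wall clock."""
    entries: list[PflogEntry] = []
    clock_us = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pflog line: {line!r}")
        clock_us += int(m["sec"] or 0) * 1_000_000 + int(m["usec"])
        entries.append(PflogEntry(
            offset_us=clock_us,
            rule=int(m["rule"]),
            reason=m["reason"],
            action=m["action"],
            direction=m["dir"],
            ifname=m["ifname"],
            src=m["src"],
            dst=m["dst"],
            truncated=m["rest"].startswith("[|"),
        ))
    return entries


def summarize(entries: list[PflogEntry]) -> dict:
    """What a quick trawl of the log needs: blocks per rule/direction/interface,
    blocks per source, and whether the capture was too short to decode ports."""
    blocks = [e for e in entries if e.action == "block"]
    return {
        "total": len(entries),
        "blocks": len(blocks),
        "elapsed_us": entries[-1].offset_us if entries else 0,
        "per_rule": dict(Counter((e.rule, e.direction, e.ifname) for e in blocks)),
        "per_src": dict(Counter(e.src for e in blocks)),
        "truncated": sum(e.truncated for e in entries),
    }


def entries_within(entries: list[PflogEntry], start_us: int, end_us: int) -> list[PflogEntry]:
    """Entries whose offset falls in [start_us, end_us], i.e. the blocks logged
    around the time a transfer was under way (a hypothetical helper)."""
    return [e for e in entries if start_us <= e.offset_us <= end_us]


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE)
    for e in parsed:
        print(f"{e.offset_us / 1e6:9.3f}s rule {e.rule} {e.action} {e.direction} "
              f"on {e.ifname} {e.src} > {e.dst}{' (truncated)' if e.truncated else ''}")
    print(summarize(parsed))
```

Running it against the post's lines shows nine blocks on rule 0 spread over about 64 seconds, four of them from one source, and all nine truncated; a capture with `-s 0` would show whether those are SYNs to unlisted ports or something else that the catch-all rule is swallowing.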



