Confused With pf Rule Evaluation
Drew Tomlinson
drew at mykitchentable.net
Sun Feb 18 18:43:45 UTC 2007
I have used ipfw2 on FBSD for about 6 years now. Then I started using a
VoIP phone and began to fiddle with dummynet to shape the traffic. I
had limited success and instead of fiddling further, I decided to
migrate to pf and ALTQ.
My network is fairly simple. I have a FreeBSD 6.1 box with two NICs.
dc1 is attached to a DSL modem that is bridged so it looks like a direct
Internet connection. dc0 is connected to my internal LAN. I have a few
PCs and the "gizmo" (as the SunRocket VoIP provider calls it) behind my
firewall on the internal LAN.
My basic goal is to allow all outbound traffic from my internal LAN and
only replies to that traffic back in. I also have a few services
running (http, smtp, etc.) and I want to allow connections in to those
services. And above all, traffic from the "gizmo" should have first
priority over all other traffic because when the phone doesn't work, my
wife complains LOUDLY. :) I followed the guide at
http://www.bgnett.no/~peter/pf/en/index.html to set up my pf.conf file.
From my reading, it is my understanding that unlike ipfw2, pf is "last
match wins" unless the rule has the "quick" modifier. However I'm
seeing behavior that I don't understand. In my rule set, I have these
rules to allow inbound traffic to one of my services:
pass proto udp to bigdaddy port $bigdaddy_ip_services keep state
pass proto tcp to bigdaddy port $bigdaddy_ip_services flags S/SA \
keep state
Then further down, I have this rule to place traffic to one of the
specific services in the $bigdaddy_ip_services macro in a low priority
queue:
pass in on $int_if proto { tcp, udp } from bigdaddy port 49143 \
keep state queue (low_out, ack_out)
After loading this rule set, 'pfctl -vvs queue' shows very little
traffic in the 'low_out' queue. Most of it ends up in the default
queue. However if I remove this rule and change the ones above to:
pass proto udp to bigdaddy port $bigdaddy_ip_services keep state \
queue (low_out, ack_out)
pass proto tcp to bigdaddy port $bigdaddy_ip_services flags S/SA \
keep state queue (low_out, ack_out)
Then I see the results I expect with 'pfctl -vvs queue'. The 'low_out'
queue has lots of traffic passing through it. I don't understand why.
I have to admit there's a lot I don't understand about pf. If someone
has the time to help me get a rule set that achieves my goals, I'd
really appreciate it. I've posted my complete rule set at
http://drew.mykitchentable.net/Temp/pf.conf.htm. Please note that in
some cases I replaced actual port lists with letters. Thus if you see a
list such as "{ a, b, c, d }", you'll know why.
Thanks,
Drew
--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
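The following is an added illustration, not part of Drew's post or of pf itself: a deliberately simplified Python model of how pf decides what to do with a packet. It assumes pf's documented order of operations (state-table lookup first; if no state matches, walk the rules and let the last matching rule win unless one carries "quick"; a "keep state" rule that passes the first packet creates the state, and the queue named on that rule is what later packets of the connection inherit). Host names, interface names and port numbers below are constructed for the example; "bigdaddy", "dc0", "dc1" and port 49143 are borrowed from the post, the Internet client address is made up, and states are modelled as floating (interface-independent), which is the assumption that makes the reply rule never get consulted.

```python
"""Toy model of pf packet decisions (added example, not pf code):
state lookup first, then 'last matching rule wins' unless 'quick'.
The queue a connection lands in is the one recorded on the rule that
created its state entry, not on any later rule that would also match."""

from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on, e.g. "dc1"
    direction: str   # "in" or "out" relative to that interface
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str = "pass"               # "pass" or "block"
    direction: Optional[str] = None    # None matches both directions
    iface: Optional[str] = None        # None matches any interface
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[Set[int]] = None   # set of ports, None matches any
    quick: bool = False
    keep_state: bool = False
    queue: Optional[str] = None        # queue name, None means default

    def matches(self, p: Packet) -> bool:
        checks = [(self.direction, p.direction), (self.iface, p.iface),
                  (self.proto, p.proto), (self.src, p.src),
                  (self.sport, p.sport), (self.dst, p.dst)]
        if any(want is not None and want != got for want, got in checks):
            return False
        return self.dport is None or p.dport in self.dport


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}   # connection key -> queue (floating states, assumed)

    @staticmethod
    def _key(p: Packet):
        # Direction-independent key so the reply matches the request's state.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto,) + ends[0] + ends[1]

    def decide(self, p: Packet) -> Tuple[str, Optional[str]]:
        key = self._key(p)
        if key in self.states:          # state hit: rules are never evaluated
            return "pass", self.states[key]
        winner = None
        for r in self.rules:            # last match wins ...
            if r.matches(p):
                winner = r
                if r.quick:             # ... unless the match is 'quick'
                    break
        if winner is None or winner.action == "block":
            return "block", None
        queue = winner.queue or "default"
        if winner.keep_state:           # queue is bound at state creation
            self.states[key] = queue
        return "pass", queue


def queue_for_reply(queue_on_reply_rule: bool) -> str:
    """Return the queue the server's reply lands in for the two rule sets
    in the post: queue on a separate 'pass in on $int_if' rule (True) or
    queue on the state-creating service rule itself (False)."""
    services = {49143, 80}   # stands in for $bigdaddy_ip_services
    rules = [Rule(proto="udp", dst="bigdaddy", dport=services, keep_state=True,
                  queue=None if queue_on_reply_rule else "low_out")]
    if queue_on_reply_rule:
        rules.append(Rule(direction="in", iface="dc0", proto="udp",
                          src="bigdaddy", sport=49143, keep_state=True,
                          queue="low_out"))
    fw = Firewall(rules)
    # Constructed traffic: a client on the Internet (made-up address) hits
    # the service, and bigdaddy answers from the LAN side.
    request = Packet("dc1", "in", "udp", "203.0.113.5", 40000, "bigdaddy", 49143)
    reply = Packet("dc0", "in", "udp", "bigdaddy", 49143, "203.0.113.5", 40000)
    fw.decide(request)
    return fw.decide(reply)[1]


def quick_demo() -> Tuple[str, str]:
    """Same packet, same two rules: 'block' then 'pass'.  Without quick the
    later pass wins; with quick on the block, evaluation stops there."""
    pkt = Packet("dc1", "in", "tcp", "203.0.113.5", 40000, "bigdaddy", 80)
    allow = Rule(proto="tcp", dst="bigdaddy", dport={80})
    last_wins = Firewall([Rule(action="block"), allow])
    quick_wins = Firewall([Rule(action="block", quick=True), allow])
    return last_wins.decide(pkt)[0], quick_wins.decide(pkt)[0]


if __name__ == "__main__":
    print("reply queue, queue on reply rule:  ", queue_for_reply(True))
    print("reply queue, queue on service rule:", queue_for_reply(False))
    print("block-then-pass without/with quick:", quick_demo())
```

Under this model the inbound request creates the state on the service rule, so the reply is passed by the state table and the "pass in on $int_if ... from bigdaddy port 49143" rule is never reached; putting the queue on the rule that creates the state is what changes the outcome, which matches the behaviour the post observes with 'pfctl -vvs queue'.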