Why Does This Packet Match This Rule?

Drew Tomlinson drew at mykitchentable.net
Thu Mar 29 17:17:35 UTC 2007


On 3/28/2007 12:58 PM Greg Hennessy wrote:
>> (and the rest).  What am I missing?
>>     
>
> From the rule snippets posted, 'keep state' & 'keep state flags S/SA' comes
> to mind. 
>
> You should endeavour to keep state on each and every rule and only establish
> tcp state on the 3 way handshake. 
>   
Thank you for your reply. 

I have been unsuccessful in getting queuing to work the way I want.  I 
want to queue outbound traffic to the ADSL modem so I can prioritize my 
packets.  Specifically, I have a VoIP phone from SunRocket.  Its 
traffic should be able to use bandwidth before any other.  Then beyond 
that, I'd like second priority to go to interactive traffic such as http 
and ssh.  Third priority would be a standard queue where most traffic 
ends up.  Finally I'd like to have a low priority queue for file 
transfers like FTP and BitTorrent.

To this end, I attempted to queue only traffic leaving my router on dc1 
and keep state there so the queue will continue to be used.  When I add 
keep state to traffic entering the router, it seems that state is 
matched there and thus the traffic never gets queued.  That is why 
only rule 84 has keep state, as it's the rule that should match packets 
as they leave the router destined for the Internet.

But I must admit that I am quite confused about how all of this should 
work.  Thus I am very open to suggestions on better ways to accomplish 
my goals.  I am willing to rewrite my whole conf file to get it right.  
In fact I'm working on my latest rewrite now.  :)

>> If it helps, I also posted my complete pf.conf and the rules to which
>> it
>> expands at http://drew.mykitchentable.net/Temp/pf.conf.htm
>>     
>
> Not seeing this, connection times out. 
>   

My apologies.  You can see it now as I reverted to my old conf file (not 
the one on which I am currently working).

> What exactly are you trying to do with what looks like a SoHo policy
> expanding into > 80 rules ? 
>   
Basically:

1.  Allow all outbound traffic from my internal net (dc0) to the 
Internet (dc1).

2.  Allow traffic from the Internet to services hosted on my internal net.

3.  Allow traffic between an OpenVPN connection on tun0 and my internal net.

4. Prioritize traffic as described above.

5.  And if possible, get pf to work with Snort to block packets matching 
Snort rules I specify.  However I am trying to just get pf working to my 
liking at this point.  I will investigate Snort integration later.

Thanks,

Drew

-- 
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com
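A pf.conf sketch, added here as an example (not the poster's configuration and not taken from the list), of goals 1, 2 and 4 above: priq queues on dc1, state kept on the dc1 outbound rules so the queue chosen there sticks to the connection, and the VoIP adapter classified on dc0 because nat rewrites its source address before the dc1 rules see it. Addresses, the upstream bandwidth and the port lists are assumed.

```pf
# Added example, not the poster's pf.conf: priority queues on the ADSL
# interface dc1 for a home router that NATs a LAN on dc0. Addresses, the
# upstream bandwidth and the port lists are assumed values.
ext_if = "dc1"
int_if = "dc0"
voip   = "192.168.1.20"            # assumed address of the SunRocket adapter
web    = "192.168.1.10"            # assumed address of a hosted web server
inter_ports = "{ 22 80 443 }"
bulk_ports  = "{ 20 21 6881:6889 }"

# Four priq queues; higher priority is served first and unclassified
# traffic lands in q_std.
altq on $ext_if priq bandwidth 256Kb queue { q_voip, q_inter, q_std, q_bulk }
queue q_voip  priority 7
queue q_inter priority 5
queue q_std   priority 3 priq(default)
queue q_bulk  priority 1

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web port 80

block all

# The VoIP adapter is classified on the way IN: nat rewrites its source
# before the dc1 rules run, so it cannot be matched by address there.
# The queue is recorded in the state and applied when the packet leaves
# on dc1, where the queues are defined.
pass in quick on $int_if from $voip to any keep state queue q_voip

# Everything else from the LAN is passed in WITHOUT keep state on purpose:
# a state created here would carry no queue, later packets would match
# it and never reach the queueing rules below (the symptom in the post).
pass in on $int_if from $int_if:network to any
pass out on $int_if keep state

# Outbound rules on dc1 create the state, so the last matching rule's
# queue is the one the connection keeps. Generic first, specific after.
pass out on $ext_if proto udp from any to any keep state queue q_std
pass out on $ext_if proto tcp from any to any flags S/SA keep state queue q_std
pass out on $ext_if proto tcp from any to any port $inter_ports \
        flags S/SA keep state queue q_inter
pass out on $ext_if proto tcp from any to any port $bulk_ports \
        flags S/SA keep state queue q_bulk

# Inbound connections to the hosted service create state on this rule;
# the replies follow that state, so their queue is chosen here as well.
pass in on $ext_if proto tcp from any to $web port 80 \
        flags S/SA keep state queue q_std
```

Check the queue assignment with `pfctl -vvsq` while a call is up; the packet counters on q_voip should rise, and `pfctl -ss` shows which rule created each state.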
