
Re: Prioritizing empty TCP ACKs



Henning Brauer wrote:
that's interesting. I have no tun/pppoe setup to test myself - mind sharing pf.conf/pfctl -gvsq/other relevant setup?

I'm not the OP, but I'm an extra datapoint:


pfctl -gvsq:
queue q_pri priority 7
[ pkts:      42600  bytes:    2043621  dropped pkts:      0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=8 ifname=tun0 ifbandwidth=1.35Mb ]
queue q_def priq( default )
[ pkts:      17382  bytes:    6848389  dropped pkts:      0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=2 ifname=tun0 ifbandwidth=1.35Mb ]

Setup:
i386, OpenBSD 3.3-stable, GENERIC kernel - serving as gateway + firewall
for internal wired & wireless networks.  Connection to the Internet is
ADSL (1.5Mbps down, 384Kbps up).  I'm using pppoe to connect to my ISP;
external_if is rl0 (I know, I know...), and I'm filtering/queueing on
tun0.

pf.conf:
# Macros: define common values, so they can be referenced and changed
# easily.
ext_if="tun0"   # ADSL on rl0 uses pppoe to connect to the Internet
int_if="dc0"    # private wired    network
wlan_if="wi0"   # private wireless network
unfilt_if="{ lo0," $int_if "}"  # don't filter traffic on these
                                # interfaces

# Tables: define large lists of host or network addresses for efficiency
table <private> persist const { 10/8, 172.16/12, 192.168/16 } # RFC 1918
table <doubleclick> persist const { 216.73.80.0/20 } # nasty hobbitses

# Options: control the behavior of the pf engine
set loginterface  $ext_if  # Collect statistics on external net usage
set block-policy  return   # Don't hide the fact that we exist
set require-order yes      # Be anal about parsing pf rulesets

# Normalization: reassemble fragments and resolve or reduce traffic
# ambiguities.
scrub in  all no-df           fragment reassemble
scrub out all no-df random-id fragment reassemble

# Queueing: rule-based bandwidth control.
altq on $ext_if priq bandwidth 1350Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with a source address on the
# wired ($int_if) or wireless ($wlan_if) network get translated as coming
# from the address of $ext_if; a state is created for such packets, and
# matching incoming packets are translated back to the internal address.
nat on $ext_if inet from { $int_if:network, $wlan_if:network } \
        to any -> ($ext_if)

# rdr: outgoing ftp control connections (port 21) from the wired and
# wireless networks are redirected to ftp-proxy(8) listening on
# 127.0.0.1:8021, which opens the ftp data connections on the clients'
# behalf; the resulting traffic on $ext_if is passed by the "user proxy"
# rule below.
rdr on $int_if  inet proto tcp from $int_if:network  to any \
        port 21 -> 127.0.0.1 port 8021
rdr on $wlan_if inet proto tcp from $wlan_if:network to any \
        port 21 -> 127.0.0.1 port 8021

# =============================================
# UNFILTERED INTERFACES
# =============================================
pass in  quick on $unfilt_if all
pass out quick on $unfilt_if all

# =============================================
# BIG, BAD, HOSTILE INTERNET
# =============================================

# BLOCK

# block and log all Internet traffic by default
block log on $ext_if all

# block outgoing packets that do not have our address as source
block out quick on $ext_if inet from !($ext_if) to any

# block incoming/outgoing packets with address from private address
# space
block in  quick on $ext_if inet from <private> to any
block out quick on $ext_if inet from ($ext_if) to <private>

# silently drop broadcasts (cable modem noise, dhcp requests, etc.)
block in  quick on $ext_if from any       to 255.255.255.255
block out quick on $ext_if from ($ext_if) to 255.255.255.255

# block doubleclick fuckers
block in  quick on $ext_if inet from <doubleclick> to any
block out quick on $ext_if inet from ($ext_if) to <doubleclick>

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP

# pass out all UDP connections and keep state
pass out on $ext_if inet proto udp from ($ext_if) to any keep state

# TCP (using ALTQ to prioritize empty TCP acks)

# only allow certain incoming TCP traffic (ssh, by default), but allow
# all outgoing TCP traffic; modulate state on all TCP connections
pass in  on $ext_if inet proto tcp from any to ($ext_if) \
        port { ssh } flags S/SA modulate state queue (q_def, q_pri)
pass out on $ext_if inet proto tcp from ($ext_if) to any \
        flags S/SA modulate state queue (q_def, q_pri)

# allow incoming traffic for ftp-proxy(8)
pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy \
        flags S/SA modulate state queue (q_def, q_pri)

# =============================================
# PRIVATE WIRELESS NETWORK
# =============================================

# BLOCK

# block and log all wireless traffic by default
block log on $wlan_if all

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass on $wlan_if inet proto icmp all icmp-type 8 code 0 keep state

# UDP

# only allow dhcp udp traffic from the wireless network
pass in  on $wlan_if inet proto udp from $wlan_if:network to $wlan_if \
       port { bootps } keep state
pass out on $wlan_if inet proto udp from $wlan_if to $wlan_if:network \
       port { bootpc } keep state

# TCP

# only allow the wireless network to ssh to us (for authpf)
pass in on $wlan_if inet proto tcp from $wlan_if:network to $wlan_if \
      port { ssh } flags S/SA modulate state

# ESP

# allow all ipsec traffic from the wireless network to us
pass in  on $wlan_if inet proto esp from $wlan_if:network to $wlan_if \
      keep state
pass out on $wlan_if inet proto esp from $wlan_if to $wlan_if:network \
      keep state


# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:a0:4b:05:42:ca
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2a0:4bff:fe05:42ca%rl0 prefixlen 64 scopeid 0x1
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:7c:68:a8
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::204:5aff:fe7c:68a8%dc0 prefixlen 64 scopeid 0x2
wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:e2:36:6a:bc
        nwid notforyoureyes powersave off
        media: IEEE802.11 autoselect hostap (DS2)
        status: active
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::204:e2ff:fe36:6abc%wi0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1454
        inet 64.105.104.82 --> 64.105.104.1 netmask 0xffffffff
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280


HTH,


-Kent
--
Kent R. Spillner
"They that can give up essential liberty to obtain a little
 temporary safety deserve neither liberty nor safety."
                                       - Benjamin Franklin
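As an added check (example code written for this editing pass, not part of Kent's post and not pf's own tooling): a small Python parser for `pfctl -gvsq` output that computes the average packet size per queue and flags the two failure modes the thread is about. pf.conf(5) documents that with `queue (q_def, q_pri)` the second queue receives TCP ACKs with no data payload and packets with TOS lowdelay, so on a working setup the priority queue should carry many packets averaging only a few dozen bytes, as in the output above (roughly 48 bytes per packet in q_pri against roughly 394 in q_def). The first sample is the post's own pfctl output; the second is constructed with hypothetical numbers to show a setup where nothing lands in the priority queue. The queue name `q_pri` and the 100-byte threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Queue statistics from the post above (pfctl -gvsq on tun0, priq scheduler).
SAMPLE_WORKING = """\
queue q_pri priority 7
[ pkts:      42600  bytes:    2043621  dropped pkts:      0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=8 ifname=tun0 ifbandwidth=1.35Mb ]
queue q_def priq( default )
[ pkts:      17382  bytes:    6848389  dropped pkts:      0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=2 ifname=tun0 ifbandwidth=1.35Mb ]
"""

# Constructed sample (hypothetical numbers): what the output looks like when
# nothing is classified into the priority queue, so every packet, empty
# ACKs included, waits behind bulk uploads in the default queue.
SAMPLE_BROKEN = """\
queue q_pri priority 7
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes: 0 ]
[ qlength:   0/ 50 ]
[ qid=8 ifname=tun0 ifbandwidth=1.35Mb ]
queue q_def priq( default )
[ pkts:      59982  bytes:    8892010  dropped pkts:    113 bytes: 169500 ]
[ qlength:  37/ 50 ]
[ qid=2 ifname=tun0 ifbandwidth=1.35Mb ]
"""


@dataclass
class QueueStats:
    name: str
    pkts: int = 0
    nbytes: int = 0
    dropped_pkts: int = 0
    dropped_bytes: int = 0
    qlength: int = 0
    qlimit: int = 0
    ifname: str = ""

    @property
    def avg_pkt_size(self) -> float:
        """Average bytes per packet; 0.0 when the queue has seen nothing."""
        return self.nbytes / self.pkts if self.pkts else 0.0


QUEUE_RE = re.compile(r"^queue\s+(\S+)")
STATS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLEN_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)")
IFNAME_RE = re.compile(r"ifname=(\S+)")


def parse_pfctl_queues(text: str) -> Dict[str, QueueStats]:
    """Parse `pfctl -gvsq` output into per-queue statistics keyed by name."""
    queues: Dict[str, QueueStats] = {}
    current: Optional[QueueStats] = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = QueueStats(name=m.group(1))
            queues[current.name] = current
            continue
        if current is None:
            continue  # statistics before any "queue" line: nothing to attach to
        m = STATS_RE.search(line)
        if m:
            (current.pkts, current.nbytes,
             current.dropped_pkts, current.dropped_bytes) = map(int, m.groups())
            continue
        m = QLEN_RE.search(line)
        if m:
            current.qlength, current.qlimit = int(m.group(1)), int(m.group(2))
            continue
        m = IFNAME_RE.search(line)
        if m:
            current.ifname = m.group(1)
    return queues


def check_ack_queue(queues: Dict[str, QueueStats], pri_name: str = "q_pri",
                    max_avg_bytes: int = 100) -> List[str]:
    """Sanity-check that the priority queue is carrying small packets.

    An empty TCP ACK on a tun/ppp interface is 40 bytes of IP+TCP headers
    (52 with timestamps), so the queue named second in `queue (q_def, q_pri)`
    should show many packets with a small average size.  Returns a list of
    findings; an empty list means the counters look healthy.  The 100-byte
    threshold is an assumption for this example, not a pf constant.
    """
    findings: List[str] = []
    pri = queues.get(pri_name)
    if pri is None:
        return [f"{pri_name}: not present in pfctl output"]
    if pri.pkts == 0:
        findings.append(f"{pri_name}: no packets counted; nothing is being "
                        "classified into the priority queue")
    elif pri.avg_pkt_size > max_avg_bytes:
        findings.append(f"{pri_name}: average packet is {pri.avg_pkt_size:.0f} "
                        "bytes, far larger than an empty ACK; bulk data is "
                        "sharing the priority queue")
    for q in queues.values():
        if q.dropped_pkts:
            findings.append(f"{q.name}: {q.dropped_pkts} packets dropped "
                            f"(qlength {q.qlength}/{q.qlimit})")
    return findings


if __name__ == "__main__":
    for label, text in (("working", SAMPLE_WORKING), ("broken", SAMPLE_BROKEN)):
        qs = parse_pfctl_queues(text)
        for q in qs.values():
            print(f"{label:8} {q.name:6} {q.pkts:7d} pkts  "
                  f"avg {q.avg_pkt_size:6.1f} B  on {q.ifname}")
        for finding in check_ack_queue(qs):
            print(f"{label:8} WARNING {finding}")
```

On a live box the same parser can be fed `pfctl -gvsq` output directly (for example via `subprocess.run(["pfctl", "-gvsq"], capture_output=True, text=True).stdout`); taking two snapshots a few seconds apart during an upload and differencing the packet counters shows whether ACKs are currently being classified, which the cumulative counters alone cannot.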