
Re: priq-queues for tcp_ack and p2p



On 21 Dec 2004 01:12:53 -0800, [email protected] (Alexander
Farber) wrote:
>> Read Jacek's chapter on hfsc and use it instead.
>
>Ok, I was thinking of using hfsc already, but still:
>
>Why doesn't it work, when I switch the p2p client off?
Not 'work' as in?
>Why does everything start to work, when I remove the
>rules for the queues?
You need to understand that queueing only works for packets leaving an
interface.
For p2p, the queueing would need to be applied to the pass in, so the reply
traffic gets assigned to the correct queue. e.g.
pass in log quick on $Ext $TCP from !$LAN port > 1024 to $PC port { $P2P }\
$KSF queue (q_p2p,q_pri)  label "ALLOW: P2P -> In "
I've had issues with synproxy state and p2p 'pass in': the 3-way handshake
happens on the gateway and one ends up with LOWIDs on the remote server.
Haven't investigated the cause further.
When debugging queues, pfctl -vsq and -vvsq are your best friends.
>#pass out quick on $ext_if proto tcp from any to any \
>	#port {smtp pop3 imaps} synproxy state queue(mail, tcp_ack)
>
>#pass out quick on $ext_if proto tcp from any to any \
>	#port {http https} synproxy state queue(www, tcp_ack)
Synproxy state on a 'pass out' to the internet is pointless.
It's there to protect servers you own and control. e.g. you should use normal
keep state.
pass out quick on $Ext $TCP to !<InsideNets> port domain user dnscache\
$KSF queue (q_def, q_pri)
or 
pass out log quick on $Ext $TCP from $Ext:0 to !<InsideNets> port nntp\
user news $KSF queue (q_def, q_pri)
greg
-- 
Yeah - straight from the top of my dome 
As I rock, rock, rock, rock, rock the microphone
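
The points made in the reply above (queueing acts only on packets leaving an
interface, so inbound p2p connections need the queue assigned on the 'pass in'
rule, and 'pass out' rules to the internet should use plain keep state rather
than synproxy state) pulled together into one small pf.conf. This is an added
example, not a ruleset from the original mail or from its author; the interface
name, addresses, bandwidth and the p2p port are assumptions for illustration,
and the macros used in the mail ($Ext, $TCP, $KSF, $PC, $P2P) are written out
in full here:

```pf
# Added example (not from the original mail). Names, addresses, bandwidth
# and the p2p port are assumptions for illustration only.
ext_if   = "fxp0"
lan      = "192.168.1.0/24"
pc       = "192.168.1.10"      # LAN host running the p2p client (assumed)
p2p_port = "4662"              # p2p listening port forwarded to $pc (assumed)

# Queueing only acts on packets LEAVING $ext_if, so the queues live there.
# (The assignment pattern below is the same if priq is swapped for hfsc.)
altq on $ext_if priq bandwidth 1Mb queue { q_pri, q_def, q_p2p }
queue q_pri priority 7                 # empty ACKs and lowdelay packets
queue q_def priority 3 priq(default)   # everything not assigned elsewhere
queue q_p2p priority 1                 # bulk p2p, lowest priority

# Assumed port forward so remote peers reach the p2p client on $pc.
rdr on $ext_if proto tcp from any to ($ext_if) port $p2p_port -> $pc

# Inbound p2p: the state created by this 'pass in' carries the queue, so the
# replies $pc sends back out through $ext_if are placed in q_p2p, with bare
# ACKs in q_pri. Plain keep state, not synproxy state (see the mail).
pass in log quick on $ext_if proto tcp from !$lan port > 1024 to $pc port $p2p_port \
    flags S/SA keep state queue (q_p2p, q_pri)

# Outbound to the internet: normal keep state; synproxy would protect nothing.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { smtp pop3 imaps } \
    flags S/SA keep state queue (q_def, q_pri)
pass out quick on $ext_if proto tcp from ($ext_if) to any port { http https } \
    flags S/SA keep state queue (q_def, q_pri)
```

After loading this, confirm the reply traffic really lands in q_p2p by watching
the per-queue counters with `pfctl -vsq` (or `pfctl -vvsq` for a live view), as
suggested in the mail; if q_p2p stays at zero packets while the client is
transferring, the 'pass in' rule is not the one matching the inbound connections.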