[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problems with PF


Thanks for your time.

On Apr 11, 2005, at 10:20 PM, Kimi Ostro wrote:

On Apr 11, 2005 1:04 PM, Abdul Rehman Gani <[email protected]> wrote:
# uname -a
OpenBSD rubberband.eastcoast.co.za 3.6 RUBBERBAND#0 i386
# cd /usr/src/sys/arch/i386/conf/

does this problem manifest it self from a real GENERIC kernel? http://www.openbsd.org/faq/faq5.html#Why

This is the same apart from the name. It used to be different - I had trouble with it dying because of the USB stuff and so removed all of it in the kernel. But when the problem started I simply copied GENERIC to RUBBERBAND and rebuilt.

are these static Tables? you might like to place a const between "> {"

Will do.

Do not need ECN + RED, as stated in pf.conf(5), ECN implies RED.

Will change

# Filtering: the implicit first two rules are
pass in all
pass out all

Having a default block drop all followed by a pass on $interface1 $interface2 etc.. maybe be a better solution, would also make alot of the block rules redundant, plus a few antispoof rules might be a good idea?

Egress router - we disallow as little as possible at this point. We have rules further down the network for clients who require additional protection. The main function of this machine is to manage bandwidth (limiting/sharing/etc) to ensure that they get some kind of minimum service. This is not meant to be a firewall, although MS did make me rethink that....

Rather think of it as a bandwidth manager

Do you REALLY need all those quick keywords in there? to be quite

I had a much larger ruleset but reduced it to a bare minimum to try and solve this problem. The quick keywords were put in place so that I had a first match rather than last match - I wanted didn't want the matching engine to traverse the entire ruleset each time. I will take them out as they should not make a difference in this ruleset.

honest I am suprised if this ruleset worked as you intended. The
OpenBSD pf will pass all traffic out because in 99.999% of the case,
all of the packets match these two rules:

# Filtering: the implicit first two rules are
pass in all
pass out all

Quite right. That is the intention.

I know what an "egress unit" is supposed to do but the above fails to meet the target, un-intentionally.

This is meant to manage bandwidth with ALTQ. I assign the traffic to queues, then a perl script runs pfctl -vsq every 10 minutes and adds the extracted data to rrdtool. With a complete ruleset each customer/server has a queue and this allows me to manage bandwidth to from each as well as to graph their consumption of bandwidth.

If anyone can suggest a better way of doing this with pf I am all ears.

Here is the current pf.conf (after changes mentioned above):-

# Tables: similar to macros, but more flexible for many addresses.
table <dial> const {, }
table <routers> const {,,,,,,,
table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }
table <scribe> const { }
table <jamiat> const { }
table <afriprod> const { }

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
altq on $int_if bandwidth 3072Kb cbq (ecn) queue { dflt_i, mail_i, jamiat_i }
queue dflt_i bandwidth 2528Kb cbq (default, ecn)
queue mail_i bandwidth 512Kb cbq (borrow, ecn)
queue jamiat_i bandwidth 32Kb cbq (ecn)

altq on $ext_if bandwidth 3072Kb cbq (ecn) queue { dflt_o, mail_o, jamiat_o }
queue dflt_o bandwidth 2528Kb cbq (default, ecn)
queue mail_o bandwidth 512Kb cbq (borrow, ecn)
queue jamiat_o bandwidth 32Kb cbq (ecn)

# Filtering: the implicit first two rules are
pass in all
pass out all

# restrict access to our routers
block in quick on $ext_if from any to <routers>

# block rfc 1918 addresses in or out
block in quick from any to <rfc1918>
block in quick from <rfc1918> to any

# block smtp connects from our dial pool
block in log on $int_if proto tcp from <dial> to any port smtp

# block ms networking shit and mydoom
block in log proto { tcp, udp } from any to any port { 135, 137, 139, 3126><3199, 445, 1433 }

# assign traffic to queues
pass out on $int_if proto tcp from any to <scribe> port { smtp, pop3, imap } keep state queue mail_i
pass out on $int_if from any to <jamiat> keep state queue jamiat_i

pass out on $ext_if proto tcp from <scribe> to any port { smtp } keep state queue mail_o
pass out on $ext_if from <jamiat> to any keep state queue jamiat_o



Kimi -- spamassassinexception

East Coast Access
Tel: 031-566-8080
Fax: 031-566-8010
Web: http://www.eastcoast.co.za