
Re: Problems with PF



Abdul Rehman Gani writes:

Just had a customer report the same problem and I have the ruleset below installed. Our bandwidth usage at the moment is low (<50% in & < 33% out). TCP type connects to servers on our network work fine, trace/ping/DNS to external & internal servers work fine, but TCP connects to external servers fail and I see the SYN/ACK not being passed across from the external interface to the internal.

Is there any way to get more information to help debug this?

Abdul


# Tables: similar to macros, but more flexible for many addresses.
table <dial> const { 196.35.86.0/24, 196.33.34.64/26 }
table <routers> const { 196.33.34.237/32, 196.33.34.246/32, 196.33.34.247/32, 196.33.34.248/32, 196.33.34.249/32, 196.33.34.250/32, 196.33.34.251/32, 196.33.34.252/
table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }
table <scribe> const { 196.33.34.233/32 }
table <jamiat> const { 196.33.34.217/32 }
table <afriprod> const { 196.33.34.221/32 }


# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all


# Queueing: rule-based bandwidth control.
altq on $int_if bandwidth 3072Kb cbq (ecn) queue { dflt_i, mail_i, jamiat_i }
queue dflt_i bandwidth 2528Kb cbq (default, ecn)
queue mail_i bandwidth 512Kb cbq (borrow, ecn)
queue jamiat_i bandwidth 32Kb cbq (ecn)


altq on $ext_if bandwidth 3072Kb cbq (ecn) queue { dflt_o, mail_o, jamiat_o }
queue dflt_o bandwidth 2528Kb cbq (default, ecn)
queue mail_o bandwidth 512Kb cbq (borrow, ecn)
queue jamiat_o bandwidth 32Kb cbq (ecn)


# Filtering: the implicit first two rules are
pass in all
pass out all


# restrict access to our routers
block in quick on $ext_if from any to <routers>


# block rfc 1918 addresses in or out
block in quick from any to <rfc1918>
block in quick from <rfc1918> to any


# block smtp connects from our dial pool
block in log on $int_if proto tcp from <dial> to any port smtp


# block ms networking shit and mydoom
block in log proto { tcp, udp } from any to any port { 135, 137, 139, 3126><3199, 445, 1433 }


# assign traffic to queues
pass out on $int_if proto tcp from any to <scribe> port { smtp, pop3, imap } keep state queue mail_i
pass out on $int_if from any to <jamiat> keep state queue jamiat_i


pass out on $ext_if proto tcp from <scribe> to any port { smtp } keep state queue mail_o
pass out on $ext_if from <jamiat> to any keep state queue jamiat_o


Regards,

Abdul
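The usual way to get the information asked for above is to log the blocks (`block log`, as the ruleset already does on two rules) and read pflog0 with `tcpdump -n -e -ttt -i pflog0`. The script below is an added example, not something from the post or from the pf project: it sifts such output for blocked inbound SYN/ACK replies on the external interface and reports which rule dropped each one and which client port it was addressed to. The sample lines, the interface name `fxp0`, the rule numbers and the addresses are constructed for the example, not taken from the post. One thing this makes easy to check is whether dropped replies are landing on a port that a stateless `block in ... port { ... }` rule matches: in the posted ruleset only the queue-assignment rules `keep state`, so replies to every other outbound connection are filtered packet by packet, and the `port` list in a `block in` rule is matched against the destination port of the reply, which is the client's ephemeral port. The `3126 >< 3199` range from the ruleset is used as the worked case.

```shell
#!/bin/sh
# Added example (not from the original post): sift 'tcpdump -n -e -ttt -i pflog0'
# style output for blocked inbound SYN/ACK replies, which is what the poster
# reports seeing dropped between the external and internal interfaces.
# The interface name "fxp0", the rule numbers and the addresses below are
# constructed sample data, not values taken from the post.

# Constructed sample lines in the format pflog0 shows under tcpdump -e -ttt.
# "S ... ack N" marks a SYN/ACK; a plain "S ... win N" line is a bare SYN.
SAMPLE_LOG='Oct 13 15:58:23.712577 rule 6/(match) block in on fxp0: 198.51.100.20.80 > 203.0.113.5.3150: S 1:1(0) ack 2 win 5840
Oct 13 15:58:24.000120 rule 6/(match) block in on fxp0: 198.51.100.20.443 > 203.0.113.5.3127: S 3:3(0) ack 4 win 5840
Oct 13 15:58:24.100300 rule 2/(match) block in on fxp0: 192.168.1.9.5000 > 203.0.113.5.80: S 5:5(0) win 5840
Oct 13 15:58:25.200400 rule 6/(match) block in on fxp0: 198.51.100.30.25 > 203.0.113.5.1433: S 7:7(0) ack 8 win 5840
Oct 13 15:58:25.300500 rule 4/(match) block in on int0: 203.0.113.77.1025 > 198.51.100.20.25: S 9:9(0) win 5840'

# Print "rule src dst dport", one per line, for every logged block of an
# inbound SYN/ACK on the given interface.  Input is read from stdin.
blocked_synacks() {
    awk -v ifc="$1:" '
        $6 == "block" && $7 == "in" && $9 == ifc && $13 == "S" && $15 == "ack" {
            rule = $5; sub(/\/.*/, "", rule)          # "6/(match)" -> "6"
            dst = $12; sub(/:$/, "", dst)             # drop the trailing colon
            n = split(dst, p, ".")                    # last dotted field is the port
            print rule, $10, dst, p[n]
        }'
}

# Count blocked inbound SYN/ACKs on an interface.
count_blocked_synacks() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_synacks "$1" | wc -l | tr -d ' '
}

# Count how many of those SYN/ACKs were addressed to a client port strictly
# between LO and HI, i.e. inside a pf "LO >< HI" range such as 3126 >< 3199.
count_synacks_in_range() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_synacks "$1" |
        awk -v lo="$2" -v hi="$3" '$4 > lo && $4 < hi { c++ } END { print c + 0 }'
}

# Stand-alone run: list the matches, then the two summaries.
printf '%s\n' "$SAMPLE_LOG" | blocked_synacks fxp0
echo "blocked inbound SYN/ACKs on fxp0: $(count_blocked_synacks fxp0)"
echo "of which to a port inside 3126 >< 3199: $(count_synacks_in_range fxp0 3126 3199)"
```

On a live firewall, replace the embedded sample with `tcpdump -n -e -ttt -i pflog0 tcp | blocked_synacks fxp0` and map the reported rule numbers back to the ruleset with `pfctl -vvsr`, which prints each loaded rule with its `@N` number and match counters. Two of the three constructed SYN/ACKs land on ports 3150 and 3127, inside the exclusive `3126 >< 3199` range, which is the kind of pattern that distinguishes a rule matching client ephemeral ports from a genuine path or routing problem.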