
Re: simple configuration



On Sun, May 01, 2005 at 07:32:35PM -0500, Brian John wrote:
> ext_if="vr0"
> 
> altq on $ext_if cbq bandwidth 2Mb queue { web , p2p , ssh }
> queue web bandwidth 40% priority 6 cbq(borrow)
> queue ssh bandwidth 40% priority 6 cbq(borrow)
> queue p2p bandwidth 20% cbq(borrow default)
> 
> #pass in on $ext_if proto tcp all
> pass in on $ext_if proto tcp from any to any port 22 keep state queue ssh
> pass in on $ext_if proto tcp from any to any port 80 keep state queue web
> 
> #pass out on $ext_if all
> pass out on $ext_if proto tcp from any to any port 22 keep state queue ssh
> pass out on $ext_if proto tcp from any to any port 80 keep state queue web

This is basically what your ruleset boils down to.  It's difficult to
diagnose what's going on here without a better description of the
network(s) this box is on.  Is this box NATing for you, etc?

Three problems I see off the bat which may or may not be related to your
problem.

One, while good for debugging, this ruleset is a bit too simple.  Unless
I missed something, your default policy is drop, yet there are only pass
rules for 22/tcp and 80/tcp on your external interface.  What about your
loopback interface, and your LAN interface if it exists?

Next, you should almost certainly specify what TCP flags are allowed to
match those four pass rules and subsequently create state and get
queued.  "S/SA" is the most common, but others are possible too.  Also,
do you really want to allow in all TCP packets to port 22 regardless of
their destination address?  Probably not.

Finally, remember that while you can assign packets to queues whenever
you like, assigning traffic to queues *inbound* is pointless, as the
packets have already arrived:
http://openbsd.org/faq/pf/queueing.html#queueing

To better debug this, tighten up those rules, only assign packets to
queues on outbound traffic, and get pftop from ports and watch traffic
get assigned to queues.

Additionally, you should definitely look at TCP ack prioritization which
will definitely help with your ssh issues:
http://openbsd.org/faq/pf/queueing.html#example1
-jon
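For reference, here is the quoted ruleset rewritten with the points raised in the reply applied (explicit default deny, loopback and LAN rules, `flags S/SA` on the pass rules, inbound rules restricted to the box's own address, queue assignment only on outbound rules, and a second high-priority queue for empty TCP ACKs using pf's two-queue syntax). This is an added example, not Brian's or Jon's configuration; the LAN interface `vr1`, the placeholder address `192.0.2.10`, the `block all` line and the `ack` queue's size and priority are assumptions, and the queue percentages were adjusted only to make room for the `ack` queue.

```pf
# Added example: the quoted ruleset with the reply's suggestions applied.
# Interface names, the LAN interface and the address are assumptions.
ext_if="vr0"            # same external NIC as in the original ruleset
int_if="vr1"            # assumption: the box also has a LAN interface
ext_addr="192.0.2.10"   # assumption: placeholder for this box's own address

# Queues live on the external interface only. The small, high-priority
# "ack" queue receives empty TCP ACKs and lowdelay packets so that a busy
# download does not hold up the acknowledgements an interactive ssh
# session depends on (the technique behind the FAQ's example #1).
altq on $ext_if cbq bandwidth 2Mb queue { web, ssh, p2p, ack }
queue web bandwidth 35% priority 5 cbq(borrow)
queue ssh bandwidth 35% priority 6 cbq(borrow)
queue p2p bandwidth 20% cbq(borrow default)
queue ack bandwidth 10% priority 7

# Assumption: make the default-deny policy explicit in this file.
block all

# Loopback and LAN traffic were not covered by the original rules;
# without these lines a drop default policy blocks them too.
pass quick on lo0 all
pass quick on $int_if all keep state

# Inbound: only the initial SYN (flags S/SA) creates state, and only
# when the packet is actually addressed to this box. No queue keyword
# here: the packets have already arrived.
pass in on $ext_if proto tcp from any to $ext_addr port 22 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ext_addr port 80 flags S/SA keep state

# Outbound: queue assignment is applied here. With two queues given,
# pf puts empty ACKs and lowdelay packets into the second one.
pass out on $ext_if proto tcp from $ext_addr to any port 22 flags S/SA keep state queue (ssh, ack)
pass out on $ext_if proto tcp from $ext_addr to any port 80 flags S/SA keep state queue (web, ack)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch the per-queue counters with `pfctl -vsq` (or pftop, as the reply suggests) while traffic flows to confirm that packets land in the expected queues.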