
RE: rule not matching



I'm not certain if it's related or not, but on a cursory review, your
{80,20,21} rule specifies flags and doesn't specify any flags...
jesse wrote:
> I'm trying to prioritize certain traffic. One of the rules (from any
> to domain.com) DOES work and takes up most of the pipe, as I would
> like. However, when I say that a certain set of IPs on the LAN
> should get priority for any ftp or www traffic the rule is rarely
> evaluated, and packets never match. The rules I'm talking about are
> at the end of my .conf file. If you have any ideas as to why the
> {80,20,21} rule isn't getting matched (and it ought to be) I would be
> very grateful. 
> 
> 
> -jesse
> 
> SOMETHING and ANOTHERTHING are IPs in the actual config.
> 
> #       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> ## Macros ###################################################
> #############################################################
> ext_if="fxp1"
> int_if="fxp0"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> mach_room = "{ 192.168.48.54, 192.168.48.68, 192.168.48.70 }"
> the_lan   = "192.168.48.0/24"
> ## Options ###################################################
> ##############################################################
> set block-policy drop
> scrub in all
> #Queues
> altq on $ext_if cbq bandwidth 1495Kb queue {std_q, hi_q}
>         queue std_q bandwidth 295Kb cbq (default borrow)
>         queue hi_q  bandwidth 1200Kb cbq (borrow red)
> ## Translation and Redirection#######################
> #####################################################
> # Network Address Translation rule
> # Doing 'inet' ipv4 only, maybe less rules?
> nat on $ext_if inet from $int_if:network to any -> $ext_if
> # Terminal services on John's computer
> rdr on $ext_if proto tcp from any   \
>     to SOMETHING port 3389 -> \
>        ANOTHERTHING   port 3389
> ## Filtering ########################################
> #####################################################
> # Default policy
> block all
> pass out keep state
> pass on lo
> antispoof quick for { lo $int_if }
> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> # Allow LAN traffic to enter the firewall
> pass in on $int_if from $the_lan to any keep state
> # Allow fw to initiate connections into lan
> # (sounds bad, but is good)
> pass out on $int_if from any to $the_lan keep state
> # Allow icmp
> pass in inet proto icmp all icmp-type echoreq keep state
> ## Incoming pass #####################################
> ######################################################
> # Allow the redirected terminal services traffic
> pass in on $ext_if proto tcp from any to SOMETHING \
>    port 3389 flags S/SA keep state
> ## Outgoing pass #####################################
> ######################################################
> pass out on $ext_if proto tcp all flags S/SA keep state \
>    queue (std_q)
> pass out on $ext_if proto tcp from any to DOMAIN.com \
>    flags S/SA keep state \
>    queue (hi_q)
> pass out on $ext_if proto tcp from $mach_room to any \
>    port {80,20,21} flags keep state \
>    queue (hi_q)
> pass out on $ext_if proto {udp,icmp} all keep state \
>    queue (std_q)