Pantek Library

Re: altq/packet filtering interfere

From: Mark Bojara <mark(at)mics.co.za>
Date: Sat Jul 19 2003 - 06:01:49 EDT


Hello Erblichs,

Attached is my pf.conf. I do not mind showing it but I didn't want to flood the mailing list.

Regards
Mark



Wesley Crusher, please report to airlock 5!

On Fri, 18 Jul 2003, Erblichs wrote:
>Mark,
>
>	For me, what you are trying to do is a bit vague
>	in your description.
>
>	Assuming your code is long or that you don't want
>	to show it, then maybe giving a pseudo code example
>	may help?
>
>	Mitchell Erblich
>	Sr. Software Engineer
>	--------------------------
>
>
>
>
>Mark Bojara wrote:
>>
>> Hello All,
>>
>> I have two sets of rules: one defines my ALTQ queues and the other does packet
>> filtering with keep state. However, when I enable the filtering/keep-state
>> rules it overwrites my ALTQ queues. I've tried using quick on the ALTQ
>> rules and putting them below my filter rules but it does not help. Do any
>> of you have advice on what I could try?
>>
>> Have a great weekend,
>>
>> Regards
>> Mark

# Interface Variables
i01="fxp0" # uplink
i02="dc0" # hosting
i03="dc1" # access00
i04="dc2" # shell

#

localbw="512Kb"
internationalbw="192Kb"

icmp="{ !196.34.165.210 }"

table <mics> { 196.34.165.0/24, 196.23.168.0/24 }
table <za> file "/usr/local/etc/zaip"

set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 100000, frags 15000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes

scrub in on fxp0 all random-id no-df fragment reassemble

####### ALTQ
#### Uplink Interface - Peering

altq on $i01 bandwidth 10Mb hfsc queue { std_01, lan_01, local_01 }
queue std_01 bandwidth 32Kb hfsc(default upperlimit 512Kb) # change this
queue lan_01 bandwidth 2Mb
# Uplink - Local Bandwidth

queue local_01 bandwidth $localbw hfsc(upperlimit $localbw) { ssh_01, opium_01_l, jobsd_01_l }

	queue ssh_01 bandwidth 16Kb hfsc(realtime 16Kb) 
	queue opium_01_l bandwidth 128Kb hfsc(upperlimit 32Kb) 
	queue jobsd_01_l bandwidth 128Kb hfsc(realtime 128Kb) 

# Uplink - International Bandwidth
#queue intl_01 bandwidth $internationalbw hfsc(upperlimit $internationalbw) \
# { opium_01_i, \
# jobsd_01_i }
# queue opium_01_i bandwidth 64Kb hfsc(realtime 64Kb)
# queue jobsd_01_i bandwidth 64Kb hfsc(realtime 16Kb)

#### Hosting Interface

altq on $i02 bandwidth 100Mb hfsc queue { std_02, lan_02, local_02, intl_02 }
queue std_02 bandwidth 32Kb hfsc(default upperlimit 512Kb) # change this
queue lan_02 bandwidth 2Mb
# Hosting - Local Bandwidth

queue local_02 bandwidth $localbw hfsc(upperlimit $localbw) \
				{ ssh_02, \
				joxp_02_l, \
				jobsd_02_l }
	queue ssh_02 bandwidth 16Kb hfsc(realtime 16Kb) 
	queue joxp_02_l bandwidth 128Kb hfsc(realtime 128Kb) 
	queue jobsd_02_l bandwidth 128Kb hfsc(realtime 128Kb) 

# Hosting - International Bandwidth

queue intl_02 bandwidth $internationalbw hfsc(upperlimit $internationalbw) \
				{ joxp_02_i, \
				jobsd_02_i }
	queue joxp_02_i bandwidth 64Kb hfsc(realtime 64Kb) 
	queue jobsd_02_i bandwidth 64Kb hfsc(realtime 64Kb) 

#### Access00 Interface

altq on $i03 bandwidth 10Mb hfsc queue { std_03, lan_03, local_03, intl_03 }
queue std_03 bandwidth 32Kb hfsc(default upperlimit 512Kb) # change this
queue lan_03 bandwidth 2Mb
# Access00 - Local Bandwidth

queue local_03 bandwidth $localbw hfsc(upperlimit $localbw) \
				{ ssh_03, \
				opium_03_l, \
				jobsd_03_l }
	queue ssh_03 bandwidth 16Kb hfsc(realtime 16Kb) 
	queue opium_03_l bandwidth 128Kb hfsc(upperlimit 32Kb) 
	queue jobsd_03_l bandwidth 128Kb hfsc(realtime 128Kb) 

# Access00 - International Bandwidth

queue intl_03 bandwidth $internationalbw hfsc(upperlimit $internationalbw) \
				{ opium_03_i, \
				jobsd_03_i }
	queue opium_03_i bandwidth 64Kb hfsc(realtime 16Kb) 
	queue jobsd_03_i bandwidth 64Kb hfsc(realtime 64Kb) 

#
####### /ALTQ

#rdr on dc1 proto tcp from any to any port 31337 -> 196.23.168.2 port 23

#block in on fxp0 from no-route to any

###### ALTQ/Host firewall definers
# unlimited lan

pass out quick on $i01 from  to  keep state queue lan_01
pass out quick on $i02 from  to  keep state queue lan_02
pass out quick on $i03 from  to  keep state queue lan_03

# priority definers

pass out quick on $i01 proto { tcp, udp } from any to any port 22 keep state queue ssh_01
pass out quick on $i01 proto { tcp, udp } from any port 22 to any keep state queue ssh_01
pass out quick on $i02 proto { tcp, udp } from any port 22 to any keep state queue ssh_02
pass out quick on $i02 proto { tcp, udp } from any to any port 22 keep state queue ssh_02
pass out quick on $i03 proto { tcp, udp } from any port 22 to any keep state queue ssh_03
pass out quick on $i03 proto { tcp, udp } from any to any port 22 keep state queue ssh_03

#

pass out on $i01 from 196.34.165.210 to any keep state queue opium_01_i
pass out on $i03 from any to 196.34.165.210 keep state queue opium_03_i
pass out on $i01 from 196.34.165.210 to  keep state queue opium_01_l
pass out on $i03 from  to 196.34.165.210 keep state queue opium_03_l

#pass out on $i01 from 196.34.165.210 to <za> keep state queue opium_01_l
#pass out on $i01 from <za> to 196.34.165.210 keep state queue opium_01_l
#pass out on $i03 from <za> to 196.34.165.210 keep state queue opium_03_l
#pass out on $i03 from 196.34.165.210 to <za> keep state queue opium_03_l
########

#### Firewall
#block in log on fxp0 all


# Allow Ping/Traceroute

pass	on fxp0 inet proto icmp from any to $icmp icmp-type 0 keep state
pass	on fxp0 inet proto icmp from any to $icmp icmp-type 8 keep state
pass	in on fxp0 proto udp from any to $icmp port 33433><33466

# Incoming keepstates
#pass in on fxp0 proto tcp from any to any port 22 keep state
#temp
#pass in on fxp0 proto tcp all flags S/SAFR keep state
pass in on fxp0 proto tcp from any to 196.34.165.210 port 80 keep state
pass in on fxp0 proto udp from any to any port 33434<>33465 keep state
# Outgoing keepstates
pass out on fxp0 proto tcp all flags S/SAFR keep state
pass out on fxp0 proto udp all keep state

#### /Firewall

### Anti-Spoofing

antispoof for fxp0 inet
#antispoof for dc0 inet

antispoof for dc1 inet
#antispoof for dc2 inet
#antispoof for dc3 inet
#antispoof for dc4 inet
###
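The mechanism behind the symptom in this thread is worth making explicit: pf records the queue on the state entry at the moment a stateful rule creates it, and packets that match an existing state never re-enter ruleset evaluation. A `pass in ... keep state` rule that carries no `queue` therefore creates states whose reply packets go out on the default queue and never reach the later `pass out quick ... queue ...` rules, no matter where those rules sit or whether they use `quick`. The script below is an added example by the editor, not part of the original post or of pf; it reads a pf.conf the way pfctl does (comments stripped, backslash continuations joined), lists the queues that are defined, and flags stateful `pass` rules with no queue assignment as well as rules that reference a queue no `altq`/`queue` statement declares. The embedded config is a constructed sample modelled on the layout of the posted file, with a documentation address in place of the real one.

```python
"""Audit a pf.conf for stateful pass rules that carry no queue assignment.

Added example (editor's code, not from the original post). Background: pf
stores the queue on the state when the rule that creates the state is
evaluated, and later packets of that connection match the state without
consulting the ruleset again.  A 'pass in ... keep state' rule without
'queue' therefore yields replies that never hit any 'pass out ... queue' rule.
"""
import re

# Constructed sample in the style of the posted config (not the real file);
# 192.0.2.10 is a documentation address.
SAMPLE_PF_CONF = """\
ext="fxp0"
altq on $ext bandwidth 10Mb hfsc queue { std, ssh_q, web_q }
queue std bandwidth 32Kb hfsc(default)
queue ssh_q bandwidth 16Kb hfsc(realtime 16Kb)
queue web_q bandwidth 1Mb \\
        hfsc(upperlimit 1Mb)
pass out quick on $ext proto tcp from any to any port 22 keep state queue ssh_q
pass in on $ext proto tcp from any to 192.0.2.10 port 80 keep state
pass in on $ext proto tcp from any to 192.0.2.10 port 443 keep state queue web_q
pass out on $ext proto udp all keep state queue dns_q
block in on $ext all
"""

STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")


def logical_lines(text):
    """Yield (first_line_number, statement): comments stripped and
    backslash continuations joined, as pfctl reads the file."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])   # continuation: keep collecting
            continue
        buf.append(line)
        stmt = " ".join(p.strip() for p in buf).strip()
        if stmt:
            yield start, stmt
        buf, start = [], None


def defined_queues(text):
    """Queue names declared by 'queue NAME ...' statements plus the child
    names listed in '{ a, b }' blocks of altq/queue statements."""
    names = set()
    for _, stmt in logical_lines(text):
        if stmt.startswith("queue "):
            names.add(stmt.split()[1])
        if stmt.startswith(("altq ", "queue ")):
            m = re.search(r"\{([^}]*)\}", stmt)
            if m:
                names.update(x.strip() for x in m.group(1).split(",") if x.strip())
    return names


def audit_queue_assignment(text):
    """Return findings as (line_number, kind, statement) tuples."""
    findings = []
    known = defined_queues(text)
    for n, stmt in logical_lines(text):
        if not stmt.startswith("pass "):
            continue
        stateful = any(k in stmt for k in STATE_KEYWORDS)
        # 'queue NAME' or the two-queue form 'queue(NAME, NAME2)'
        m = re.search(r"\bqueue\s*\(?\s*([\w.-]+)", stmt)
        if stateful and not m:
            findings.append((n, "stateful-rule-without-queue", stmt))
        elif m and m.group(1) not in known:
            findings.append((n, "undefined-queue:" + m.group(1), stmt))
    return findings


if __name__ == "__main__":
    for line, kind, stmt in audit_queue_assignment(SAMPLE_PF_CONF):
        print(f"line {line}: {kind}: {stmt}")
```

On the sample the port-80 rule is reported because it is stateful and unqueued, and the UDP rule is reported because `dns_q` is never defined. Running `pfctl -nf pf.conf` afterwards still belongs in the workflow: it validates syntax, while this check only answers the question of which states will be created without a queue.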
Received on Sat Jul 19 06:24:07 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:43 EDT

