On 3/28/2007 12:58 PM Greg Hennessy wrote:
>> (and the rest). What am I missing?
> From the rule snippets posted, 'keep state' & 'keep state flags S/SA' come
> to mind.
> You should endeavour to keep state on each and every rule and only establish
> tcp state on the 3-way handshake.
Thank you for your reply.
I have been unsuccessful in getting queuing to work the way I want. I
want to queue outbound traffic to the ADSL modem so I can prioritize my
packets. Specifically, I have a VoIP phone from SunRocket. Its
traffic should be able to use bandwidth before any other. Then beyond
that, I'd like second priority to go to interactive traffic such as http
and ssh. Third priority would be a standard queue where most traffic
ends up. Finally I'd like to have a low priority queue for file
transfers like FTP and BitTorrent.
To this end, I attempted to queue only traffic leaving my router on dc1
and keep state there so the queue will continue to be used. When I add
keep state to traffic entering the router, it seems that state is
matched there and thus the traffic never gets queued. This is why
only rule 84 has keep state, as it's the rule that should match packets
as they leave the router destined for the Internet.
But I must admit that I am quite confused about how all of this should
work. Thus I am very open to suggestions on better ways to accomplish
my goals. I am willing to rewrite my whole conf file to get it right.
In fact I'm working on my latest rewrite now. :)
>> If it helps, I also posted my complete pf.conf and the rules to which
>> it expands at http://drew.mykitchentable.net/Temp/pf.conf.htm
> Not seeing this, connection times out.
My apologies. You can see it now as I reverted to my old conf file (not
the one on which I am currently working).
> What exactly are you trying to do with what looks like a SoHo policy
> expanding into > 80 rules ?
Basically:
1. Allow all outbound traffic from my internal net (dc0) to the
Internet (dc1).
2. Allow traffic from the Internet to services hosted on my internal net.
3. Allow traffic between an OpenVPN connection on tun0 and my internal net
4. Prioritize traffic as described above.
5. And if possible, get pf to work with Snort to block packets matching
Snort rules I specify. However I am trying to just get pf working to my
liking at this point. I will investigate Snort integration later.
Thanks,
Drew
--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
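The queueing and keep-state layout discussed in this message, written out as an added example pf.conf. It is not Drew's posted configuration (that is at the URL above) and not Greg's; the interface names dc0, dc1 and tun0 come from the thread, while every address, port and the uplink rate below are assumptions chosen for illustration. The point it makes about the queueing problem is from pf.conf(5): the queue named on the rule that creates a state is stored in the state entry, so a rule that keeps state on the inbound dc0 side still places the packet in that queue when it leaves dc1, where ALTQ is enabled. That removes the need to keep state only on the outbound dc1 rule, and lets every rule keep state as Greg suggests.

```pf
# --- macros (dc0/dc1/tun0 are the interfaces named in the thread; the
#     addresses, ports and uplink rate below are assumptions) ---
ext_if     = "dc1"              # towards the ADSL modem
int_if     = "dc0"              # internal LAN
vpn_if     = "tun0"             # OpenVPN
int_net    = "192.168.1.0/24"   # assumed LAN prefix
vpn_net    = "10.8.0.0/24"      # assumed OpenVPN client prefix
voip_phone = "192.168.1.50"     # assumed address of the SunRocket adapter
web_srv    = "192.168.1.10"     # assumed internal host published to the Internet
uplink     = "350Kb"            # assumed ADSL upstream; keep it a little below the real rate
inter_tcp  = "{ ssh, http, https }"
bulk_tcp   = "{ ftp, ftp-data, 6881:6889 }"   # FTP and the usual BitTorrent range (assumed)

set skip on lo0
scrub in all

# --- ALTQ on the interface where packets leave for the Internet. priq always
#     serves the highest-priority non-empty queue first. ---
altq on $ext_if priq bandwidth $uplink queue { q_voip, q_inter, q_std, q_bulk }
queue q_voip  priority 7
queue q_inter priority 5
queue q_std   priority 3 priq(default)
queue q_bulk  priority 1

# --- translation ---
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $web_srv port http

# --- filter: default deny, keep state on every pass rule, and for TCP
#     only create state on the initial SYN (flags S/SA) ---
block log all

# 1. OpenVPN: the tunnel's own UDP arriving on dc1 (1194 assumed), then
#    traffic between the tunnel network and the LAN. These sit before the
#    LAN -> Internet rules so the "to any" rules below do not shadow them.
pass in quick on $ext_if proto udp from any to ($ext_if) port 1194 keep state
pass in quick on $vpn_if from $vpn_net to $int_net keep state
pass in quick on $int_if from $int_net to $vpn_net keep state

# 2. LAN -> Internet. The queue named on the rule that creates the state is
#    stored in the state entry, so packets admitted here on dc0 are placed in
#    that queue when they leave dc1; no separate keep state on dc1 is needed.
pass in quick on $int_if from $voip_phone to any keep state queue q_voip
pass in quick on $int_if proto tcp from $int_net to any port $bulk_tcp \
    flags S/SA keep state queue q_bulk
pass in quick on $int_if proto tcp from $int_net to any port $inter_tcp \
    flags S/SA keep state queue q_inter
pass in quick on $int_if proto udp from $int_net to any port domain \
    keep state queue q_inter
pass in quick on $int_if proto tcp from $int_net to any \
    flags S/SA keep state queue q_std
pass in quick on $int_if proto { udp, icmp } from $int_net to any \
    keep state queue q_std

# 3. Internet -> published service (after rdr the destination is $web_srv);
#    the replies leave dc1 in q_std.
pass in quick on $ext_if proto tcp from any to $web_srv port http \
    flags S/SA keep state queue q_std

# Traffic originated by the router itself (DNS, OpenVPN's own UDP, etc.).
pass out quick on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state queue q_std
pass out quick on $ext_if proto { udp, icmp } from ($ext_if) to any keep state queue q_std
pass out quick on $int_if keep state
pass out quick on $vpn_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the per-queue counters with `pfctl -vvsq` while a call is in progress to confirm the phone's packets land in q_voip rather than the default queue. On FreeBSD the kernel must be built with `options ALTQ` and `options ALTQ_PRIQ`, which a stock GENERIC kernel of that era does not include; without them pf loads the rules but nothing is queued. Setting the uplink rate slightly below what the modem actually delivers matters too: if the modem's own buffer is the bottleneck, priq never gets to choose which packet goes first.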