Trying to figure out what's going wrong here, and at this point, I'm stumped. I'm trying to place traffic being served from apache above that of bulk transfers (BitTorrent, primarily), yet according to pfctl -vvsq, they're both ending up in the 'bulk' queue as defined by my rules. Since the 'user www' rule comes AFTER the default queue, I would think all traffic originated by the server would get the higher priority, but it isn't. Suggestions?
# cat /etc/pf.conf
# Define interfaces
int_if = "sis1"
dmz_if = "sis2"
ext_if = "pppoe0"
laptop = "192.168.0.3"
xp = "192.168.0.4"
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set optimization aggressive
scrub in all
scrub out on $ext_if max-mss 1440

# Queueing
# TCP/ACK frames get first dibs, followed by DNS, surfing, webserver, and
# the unwashed masses.
altq on $ext_if priq bandwidth 768Kb queue { bulk, server, web_req, dns_out, tcp_ack_out }
queue bulk priq(default)
queue server priority 2
queue web_req priority 4
queue dns_out priority 5
queue tcp_ack_out priority 6

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0) static-port
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto { tcp, udp } from any to any port 9980:9989 -> $xp port 9980:*
rdr pass on $ext_if proto { tcp, udp } from any to any port 6081 -> $xp port 6081
rdr pass on $ext_if proto tcp from any to any port 9990:9999 -> $laptop port 9990:*
rdr pass on $ext_if proto tcp from any to any port 9000 -> 192.168.0.2 port 80

# Filtering begins
anchor "ftp-proxy/*"
pass quick on $int_if all keep state
pass quick on $dmz_if all keep state
pass quick on 127.0.0.1 all keep state
block drop on $ext_if all

# Microsoft has pissed me off for the last time
block quick from any to 207.46.0.0/12

# Clean invalid SRC/DST packets
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets

# Pass in allowed servers/proxies
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port www flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port smtp flags S/SA keep state

# Out to the 'net
pass out on $ext_if from ($ext_if) to any modulate state queue(bulk, tcp_ack_out)
pass out on $ext_if proto tcp from ($ext_if) to any user www modulate state queue server
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port { http, https } modulate state queue (web_req, tcp_ack_out )
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port domain modulate state queue dns_out
# End
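An added illustration, not part of the original post: in pf the queue assignment belongs to the rule that creates the state, and the replies apache sends back to an inbound connection are matched by the state created by the 'pass in ... port www' rule, so they never reach the later 'pass out ... user www' rule and fall into the default queue. Putting the queue on the inbound rule instead, using the interface and queue names from the ruleset above, looks like this:

```pf
# Inbound web connections: the state created here carries the queue, so
# apache's replies leave $ext_if on 'server' and pure ACKs on 'tcp_ack_out'.
# (queue names are the ones declared in the altq block above)
pass in on $ext_if proto tcp from any to ($ext_if) port www flags S/SA \
    keep state queue(server, tcp_ack_out)
```

After reloading the ruleset with pfctl -f /etc/pf.conf, the packet counters that pfctl -vvsq shows for the 'server' queue should increase while a page is being served, rather than those of 'bulk'.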