If your web server is serving up pages, it's likely the pass in rule that's being hit first and creating state--and since you're not assigning a queue to that rule, it's being dumped to bulk.
Chris Zakelj wrote:
> Trying to figure out what's going wrong here, and at this point, I'm
> stumped. I'm trying to place traffic being served from apache above
> that of bulk transfers (BitTorrent, primarily), yet according to pfctl
> -vvsq, they're both ending up in the 'bulk' queue as defined by my
> rules. Since the 'user www' rule comes AFTER the default queue, I
> would think all traffic originated by the server would get the higher
> priority, but it isn't. Suggestions?
>
> # cat /etc/pf.conf
> # Define interfaces
> int_if = "sis1"
> dmz_if = "sis2"
> ext_if = "pppoe0"
> laptop = "192.168.0.3"
> xp = "192.168.0.4"
> priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
>
> set optimization aggressive
> scrub in all
> scrub out on $ext_if max-mss 1440
>
> # Queueing
> # TCP/ACK frames get first dibs, followed by DNS, surfing, webserver, and
> # the unwashed masses.
> altq on $ext_if priq bandwidth 768Kb queue { bulk, server, web_req, dns_out, tcp_ack_out }
> queue bulk priq(default)
> queue server priority 2
> queue web_req priority 4
> queue dns_out priority 5
> queue tcp_ack_out priority 6
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on $ext_if from !($ext_if) -> ($ext_if:0) static-port
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> rdr pass on $ext_if proto { tcp, udp } from any to any port 9980:9989 -> $xp port 9980:*
> rdr pass on $ext_if proto { tcp, udp } from any to any port 6081 -> $xp port 6081
> rdr pass on $ext_if proto tcp from any to any port 9990:9999 -> $laptop port 9990:*
> rdr pass on $ext_if proto tcp from any to any port 9000 -> 192.168.0.2 port 80
>
> # Filtering begins
> anchor "ftp-proxy/*"
> pass quick on $int_if all keep state
> pass quick on $dmz_if all keep state
> pass quick on 127.0.0.1 all keep state
> block drop on $ext_if all
>
> # Microsoft has pissed me off for the last time
> block quick from any to 207.46.0.0/12
>
> # Clean invalid SRC/DST packets
> block in quick on $ext_if from $priv_nets to any
> block out quick on $ext_if from any to $priv_nets
>
> # Pass in allowed servers/proxies
> pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
> pass in on $ext_if proto tcp from any to ($ext_if) port www flags S/SA keep state
> pass in on $ext_if proto tcp from any to ($ext_if) port smtp flags S/SA keep state
>
> # Out to the 'net
> pass out on $ext_if from ($ext_if) to any modulate state queue(bulk, tcp_ack_out)
> pass out on $ext_if proto tcp from ($ext_if) to any user www modulate state queue server
> pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port { http, https } modulate state queue (web_req, tcp_ack_out)
> pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port domain modulate state queue dns_out
> # End
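A small check for this class of mistake, added here as an example and not taken from the thread or from the pf project: it walks a constructed excerpt modelled on the ruleset above and flags every stateful pass rule on the altq interface that carries no queue keyword, since pf decides the queue at state creation and that rule is where the web server's connections get their state. The function names and the SAMPLE_PF_CONF excerpt are my own.

```python
import re
# Constructed excerpt modelled on the ruleset in the thread (not a live config).
SAMPLE_PF_CONF = """\
ext_if = "pppoe0"
altq on $ext_if priq bandwidth 768Kb queue { bulk, server, web_req, dns_out, tcp_ack_out }
queue bulk priq(default)
queue server priority 2
queue tcp_ack_out priority 6
# the inbound SYN to the web server matches here first and creates the state
pass in on $ext_if proto tcp from any to ($ext_if) port www flags S/SA keep state
# the server's replies never reach these rules: the state already exists
pass out on $ext_if from ($ext_if) to any modulate state queue(bulk, tcp_ack_out)
pass out on $ext_if proto tcp from ($ext_if) to any user www modulate state queue server
"""

def find_unqueued_stateful_rules(conf):
    """Stateful pass rules on an altq interface that carry no queue keyword.
    pf picks the queue when it creates the state, so such a rule sends the whole
    connection (both directions) to the default queue. Assumes explicit 'keep/
    modulate/synproxy state' as in the thread's config (newer pf keeps state by default).
    """
    macros, altq_ifaces, default_queue, findings = {}, set(), None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:  # macro definition, e.g. ext_if = "pppoe0"
            macros[m.group(1)] = m.group(2)
            continue
        expanded = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        m = re.match(r"^altq on (\S+)", expanded)
        if m:
            altq_ifaces.add(m.group(1))
            continue
        m = re.match(r"^queue (\S+) .*\(default\)", expanded)
        if m:
            default_queue = m.group(1)
            continue
        m = re.match(r"^pass (in|out) on (\S+)", expanded)
        if not m or m.group(2) not in altq_ifaces:
            continue
        if re.search(r"\b(keep|modulate|synproxy) state\b", expanded) and not re.search(r"\bqueue\b", expanded):
            findings.append({"direction": m.group(1), "rule": line, "lands_in": default_queue})
    return findings

def add_queue(rule, queues):
    """Append a queue assignment, e.g. add_queue(rule, ("server", "tcp_ack_out"))."""
    return "%s queue (%s)" % (rule, ", ".join(queues))
```

On the thread's ruleset it reports the 'pass in ... port www' rule landing in bulk, and add_queue(rule, ("server", "tcp_ack_out")) produces the rule with the queue assignment the reply above points at; feed it the real file with find_unqueued_stateful_rules(open("/etc/pf.conf").read()).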