Dear All,
I'm using OpenBSD 4.1 on i386 and I'm trying to limit traffic from my
webserver to the internet. I'm using the default state-policy.
As far as I understand I should put (if-bound) at the end of my rule which
is responsible for assigning http traffic to the queue, so it will match
state on the interface where the traffic is coming in.
pfctl is complaining about a syntax error in this line:
pass in quick on $int_if inet proto tcp from 196.218.2xx.x port 80 to any (if-bound) queue www_out
Also the www_in, pop3_in and ftp_in queues don't work.
Please note I have a 2mbit/512kbit ADSL connection. Is the tcp_ack priority
configured correctly in my ruleset?
From my pf.conf:
ext_if = "vr0"
int_if = "rl0"
### External interface - UPLOAD ###
altq on $ext_if hfsc bandwidth 480Kb queue { std_out, tcp_ack_out, ssh_out, www_out, smtp_out }
queue std_out bandwidth 50Kb hfsc(default)
queue tcp_ack_out bandwidth 10Kb priority 7 hfsc(ecn)
queue ssh_out bandwidth 120Kb priority 3 hfsc(realtime 100Kb upperlimit 200Kb)
queue www_out bandwidth 200Kb priority 2 hfsc(upperlimit 300Kb)
queue smtp_out bandwidth 100Kb priority 1 hfsc(upperlimit 200Kb)
### Internal interface - DOWNLOAD ###
altq on $int_if hfsc bandwidth 100Mb queue { local_in, internet_in }
queue local_in bandwidth 97Mb hfsc(default)
queue internet_in bandwidth 2048Kb { www_in, pop3_in, ftp_in }
queue www_in bandwidth 1548Kb priority 5 hfsc(realtime 1148Kb)
queue pop3_in bandwidth 400Kb priority 3 hfsc(realtime 500Kb upperlimit 50%)
queue ftp_in bandwidth 100Kb priority 1 hfsc(realtime 100Kb upperlimit 50%)
# Block all by default
block log all
########################
## External Interface ##
########################
# allow outgoing TCP
pass out on $ext_if inet proto tcp from any to any queue(std_out, tcp_ack_out)
# queue outgoing ftp
pass out on $ext_if inet proto { tcp udp } from any to port { 20, 21 } queue(ssh_out, tcp_ack_out)
# queue outgoing ssh and scp
pass out quick log on $ext_if inet proto { tcp udp } from any port 22 to any queue(ssh_out, tcp_ack_out)
# queue outgoing smtp
pass out quick on $ext_if inet proto { tcp udp } from any to any port 25 queue(smtp_out, tcp_ack_out)
# queue outgoing dns queries
pass out quick on $ext_if inet proto { tcp udp } from any to any port 53 queue(ssh_out, tcp_ack_out)
# queue outgoing UDP and ICMP
pass out quick on $ext_if inet proto { udp, icmp } from any to any
# rules for servers
anchor servers-rules
load anchor servers-rules from "/etc/pf/servers.rules"
########################
## Internal Interface ##
########################
# queues per service
pass out quick on $int_if inet proto { tcp, udp } from any port { 110, 143, 220, 993, 995 } to any queue pop3_in
pass out quick on $int_if inet proto { tcp, udp } from any port { 80, 81, 443, 8080 } to any queue www_in
pass out quick on $int_if inet proto { tcp, udp } from any port { 20, 21 } to any queue ftp_in
pass out on $int_if from any to any
pass out on $int_if inet from $int_if to $lan keep state queue local_in
pass in quick on $int_if inet proto tcp from 196.218.2xx.x port 80 to any (if-bound) queue www_out
pass in on $int_if from any to any
From anchor servers-rules:
ext_if = "vr0"
pass in on $ext_if from $servers to any
pass in quick on $ext_if inet proto { tcp, udp } from any to 196.218.2xx.x port { 80, 443, 389, 636, 3690, 5223 } synproxy state
Any comments are welcome :)
Thank you in advance,
Dominik
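An added illustration, not part of Dominik's post or of his ruleset, of how pf.conf(5) on OpenBSD 4.1 places state options and how queue assignment follows the state (the pattern used in the PF FAQ queueing examples). It reuses the $ext_if/$int_if macros and queue names from the post; $www_srv is an assumed placeholder standing in for the elided server address.

```pf
# Added example (not the original ruleset). $www_srv is a placeholder.
ext_if  = "vr0"
int_if  = "rl0"
www_srv = "192.0.2.10"

# Queues belong to the interface a packet leaves through.
altq on $ext_if hfsc bandwidth 480Kb queue { std_out, tcp_ack_out, www_out }
queue std_out     bandwidth 50Kb  hfsc(default)
queue tcp_ack_out bandwidth 10Kb  hfsc(ecn)
queue www_out     bandwidth 200Kb hfsc(upperlimit 300Kb)

altq on $int_if hfsc bandwidth 100Mb queue { local_in, www_in }
queue local_in bandwidth 97Mb   hfsc(default)
queue www_in   bandwidth 1548Kb hfsc(realtime 1148Kb)

block log all

# The rule that creates the state decides the queue for every packet of
# that connection. With the default floating state-policy the state is
# matched on both interfaces, so "pass out on $int_if ... queue" rules
# further down are never consulted for these connections; name the queue
# on the state-creating rule. Replies leaving on $ext_if go to www_out
# (payload-less ACKs to tcp_ack_out); on $int_if, where no queue of that
# name exists, the interface's default queue is used.
pass in quick on $ext_if inet proto tcp from any to $www_srv port 80 \
    synproxy state queue(www_out, tcp_ack_out)

# Grammar: state options such as if-bound sit in parentheses directly
# after the state keyword; a bare "(if-bound)" is a syntax error. This
# rule only shows the placement: packets from the server already match
# the state above, and an if-bound state is matched only on $int_if, so
# it could not carry a queue assignment over to $ext_if anyway.
pass in quick on $int_if inet proto tcp from $www_srv port 80 to any \
    keep state (if-bound) queue(www_out, tcp_ack_out)

pass out on $ext_if inet proto tcp from any to any queue(std_out, tcp_ack_out)
```

Check the fragment with `pfctl -nf` before loading, and confirm queue assignment with `pfctl -vsq` while traffic flows.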