Re: brute force voip QoS

[scott]

I think you'd be better served by the following pf.conf

Let pf & state --combination-- affect the queuing.

#-----start-----
ext_if="fxp0"
int_if="vr0"
lan_net=$int_if:network

icmp_types="echoreq"

table <voipservers> const { 200.184.77.145, 200.184.77.138 }
table <atas> const { 192.168.2.33, 192.168.2.100 }

set skip on lo
set loginterface $ext_if

scrub in

altq on $ext_if priq bandwidth 130Kb queue {std_out, voip_out}
queue std_out priority 4 priq(default)
queue voip_out priority 11
queue lowlat_out priority 12

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if int proto tcp \
 from ($int_if:network) to any port ftp \
 tag ftppkts -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
block in log

pass in quick on $int_if inet proto udp  \
 from <atas> to <voipservers> \
 keep state tag VoipPkts \
 queue (voip_out, lowlat_out)
#
pass in quick on $int_if inet proto tcp\
 tagged ftppkts \
 keep state queue(std_out, lowlat_out)

pass in quick on $int_if inet \
 from ($int_if:network) to any \
 keep state tag DfltPkts \
 queue(std_out, lowlat_out)
#
pass out quick on $ext_if inet \
 tagged VoipPkts \
 keep satte queue (voip_out, lowlat_out)
pass out quick on $ext_if inet proto tcp \
 tagged ftppkts \
 keep state queue (std_out, lowlat_out)
pass out quick on $ext_if inet \
 tagged DfltPkts \
 keep state queue (std_out, lowlat_out)
# icmp

pass in inet proto icmp all icmp-type $icmp_types keep state
# -----end----
-----Original Message-----
From: Jeff Santos <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: brute force voip QoS
Date: Thu, 7 Feb 2008 14:14:57 -0500
Delivered-To: [EMAIL PROTECTED]