pf.conf, queue has no effect

narozk

Hello,

My firewall, adapted to my WLAN/authpf/OpenVPN needs, finally works. There is just one problem: the queue does not work. When eMule (with max. 37 KB/s upload) is running, it pulls my download bandwidth down to about 80 KB/s. I have an Alice 6 Mbit line (512 upstream).

Does anyone know this well enough to maybe spot an error?

Thanks!



/etc/authpf/authpf.rules
# wlan
wlan_if = "ral0"

# allow authenticated hosts to connect to openvpn daemon
pass in quick on $wlan_if proto udp from $user_ip to ($wlan_if) port 1194 keep state



/etc/pf.conf
# macros ============================================================
ext_if = "tun0"
int_if = "xl0"
wlan_if = "ral0"
vpn_if = "tun1"
tcp_flags = "flags S/SA keep state"
int_net = "192.168.0.0/24"


# emule ============================================================
mule_ip = "192.168.0.100"
mule_tcp = "{ 4661, 4662 }"
mule_udp = "{ 4665, 4672 }"


# abusers table =====================================================
table <abusers> persist
# authpf table
table <authpf_users> persist


# Options ===========================================================
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 3600 }
set timeout { tcp.closing 120, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 20000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes


# traffic normalization =============================================
scrub in all random-id min-ttl 255 max-mss 1492 fragment reassemble
scrub out all max-mss 1300


# Queueing ==========================================================
altq on $ext_if priq bandwidth 580Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 2 priq (default)


# redirect =========================================================
rdr on $ext_if inet proto tcp from !$int_net to any port 4661:4662 -> $mule_ip port 4661:*
rdr on $ext_if inet proto udp from !$int_net to any port 4665 -> $mule_ip port 4665
rdr on $ext_if inet proto udp from !$int_net to any port 4672 -> $mule_ip port 4672


# nat ===============================================================
nat on $ext_if from !($ext_if) -> ($ext_if:0)


# authpf ============================================================
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"


# Filtering =========================================================

# silently drop broadcasts cable modem noise
block in quick on $ext_if from any to 255.255.255.255


# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if inet proto tcp from any to any flags /S
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags A/A
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags SF/SF
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags SR/SR
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if inet proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags SFRAUP/SFRAUP


# Drop spoofed packets IP blocks
block in log quick on $ext_if from { <RFC1918> } to any
block out log quick on $ext_if from any to { <RFC1918> }


# block anything coming from source we have no back routes for
block in from no-route to any


# block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any


block log quick from <abusers>
block log all


### OUTGOING
pass out on $ext_if inet proto tcp all flags S/SA modulate state queue (q_def, q_pri)
pass out on $ext_if inet proto { udp, icmp } all keep state


### INCOMING
# wireless interface (allow limited ssh to avoid brute-force attacks)
pass in quick on $wlan_if inet proto tcp to ($wlan_if) port ssh $tcp_flags \
(max-src-conn 10, max-src-conn-rate 15/5, overload <abusers> flush global) queue (q_def, q_pri)

pass in quick on $ext_if inet proto tcp from any to any port $mule_tcp flags S/SAFR keep state label eMuleTCP
pass in quick on $ext_if inet proto udp from any to any port $mule_udp keep state label eMuleUDP


# allow everything from wired lan, vpn and loopback
pass quick on { lo, $int_if, $vpn_if }


# antispoof protection for all interfaces
antispoof quick for { lo, $int_if, $wlan_if, $vpn_if }
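As an added example (not part of the original post or of narozk's configuration): a queueing section for the same ruleset in which the root bandwidth is set below the nominal 512 Kbit upstream so that packets are queued at the firewall rather than in the DSL modem, and in which the eMule pass rules also carry a queue assignment, since pf takes the queue from the rule that created the state, so the upload replies to inbound eMule connections would otherwise fall into whatever the default queue is. The 460Kb figure and the queue name q_mule are assumptions.

```pf
# Queueing ==========================================================
# Root bandwidth kept below the nominal 512 Kbit upstream (assumed value,
# roughly 90 %, leaving room for PPPoE overhead) so that the firewall, not
# the DSL modem, is the bottleneck and priq can actually reorder packets.
altq on $ext_if priq bandwidth 460Kb queue { q_pri, q_def, q_mule }
queue q_pri  priority 7                 # pure ACKs and low-delay packets
queue q_def  priority 4 priq (default)  # everything else
queue q_mule priority 1                 # bulk eMule uploads at the bottom

### OUTGOING
# second queue in parentheses receives ACK-only and TOS lowdelay packets
pass out on $ext_if inet proto tcp all flags S/SA modulate state queue (q_def, q_pri)
pass out on $ext_if inet proto { udp, icmp } all keep state queue q_def

### INCOMING (eMule)
# The state-creating rule decides the queue, so the outbound replies of
# these inbound connections must be assigned here, not on the pass out rule.
pass in quick on $ext_if inet proto tcp from any to any port $mule_tcp \
    flags S/SAFR keep state label eMuleTCP queue (q_mule, q_pri)
pass in quick on $ext_if inet proto udp from any to any port $mule_udp \
    keep state label eMuleUDP queue q_mule
```

Whether the assignment takes effect can be checked with `pfctl -vvsq`, which prints per-queue packet and byte counters every five seconds; a q_mule counter that stays at zero while eMule is uploading means the traffic is still hitting a different rule.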
 
narozk wrote:
Code:
# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if inet proto tcp from any to any flags /S
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags A/A
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags SF/SF
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags SR/SR
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if inet proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags SFRAUP/SFRAUP

OFFTOPIC:

Why do you have all those block rules against nmap scans? That is already handled by a simple scrub in (which you have further up). With the scrub in rule in place you are protected against all nmap scans.
 