OpenBSD's pf and Queueing

nospam@example.com (Robert Amos) — Tue, 30 May 2006 17:32:11 +1000

Hi all,

Back before I moved in with my Fiancé I lived with a bunch of my mates in a house. I figured bandwidth prioritisation would be vital, as we were all heavy leachers. Two of us happened to have contracts with ADSL companies and there was a second phone line into the house so I built an OpenBSD box and used pf to load balance over the two, and provide some basic prioritisation of traffic to avoid having the links flattened

My approach to solving the torrent problem was to tag torrent traffic on the way into the LAN side of the gateway box, and queue it using that tag on its way out the WAN side. This worked great, and allowed me to assign it the lowest priority, beneath the "default" queue and the rest of the traffic...

However, when moving I went to reconfigure it for a single link, and now it suddenly didn't work. I gave up on it for a while, until tonight. The problem is that while it correctly tags the torrents and assigns them to the right queue, about 90% of the torrent traffic still goes through the default queue, screwing up web browsing. So I ended up making the torrents the default lowest priority, and selectively increased the priority of everything else.

This seems to be working a treat, with the occasional bug (why are my ssh sessions still laggy? ) but I'll post what I have so far for any interested readers. Non queueing bits won't be posted for security reasons, they're not relevant to the queueing anyway.

Click on a comment to hide it. Click here to show all comments.


# Make pretty port macros

torrents        = "6881 37001 37002 37003 37000"

p2p             = "1214 5000 5555 6346 777 8331 8875 8888 6257 6699"

cvsup           = "5999"



# Instant Messaging Clients

msn             = "1863"

jabber          = "5222"

icqaim          = "5190"

irc             = "6667"



# VPN / Terminal Stuff / Remote Desktop

rdp             = "3389"

pptp            = "1723"

l2tp            = "1701"                                                                       

vnc             = "5900"



# Web Traffic

web             = "80 443"

mail            = "110 25"



# Groups

ssh_im_ports    = "{ ssh " $msn $jabber $icqaim $irc "}"

tunnel_ports    = "{" $rdp $pptp $l2tp $vnc "}"

download_ports  = "{" $torrents $p2p $cvsup "}"

web_ports       = "{" $web $mail "}"





# Control for outgoing connections

altq on $ext_if priq bandwidth 256Kb queue { downloads, web, tunnels, interactive, voip, control }

queue downloads priority 3 priq(default)

queue web priority 6 priq(red)

queue tunnels priority 9 priq(red)

queue interactive priority 12 priq(red)

queue voip priority 14 priq(red)

queue control priority 15



# NAT all traffic on the internal network back out to the big bad interweb

nat on $ext_if from $int_subnet to any -> $ext_addr



# Default deny everything

block in log all



# Tag torrents on the way in

pass in on $int_if proto {tcp,udp} from any port $download_ports to any tag torrents keep state

pass in on $int_if proto {tcp,udp} from any to any port $download_ports tag torrents keep state



# Pass out queue stuff

block out on $ext_if all

pass out on $ext_if proto tcp from any to any flags S/SA modulate state queue (downloads, control)

pass out on $ext_if proto { udp, icmp } from any to any keep state queue downloads

pass out on $ext_if proto { tcp, udp } from any to any port $web_ports keep state queue web

pass out on $ext_if proto { tcp, udp } from any to any port { domain, ntp } keep state queue
control

pass out on $ext_if proto tcp from any to any port $ssh_im_ports keep state queue interactive

pass out on $ext_if proto tcp from any to any port $ssh_im_ports flags S/SA keep state queue
interactive

pass out on $ext_if proto { tcp, udp } from any port $download_ports to any keep state queue
downloads

pass out on $ext_if tagged torrents keep state queue downloads

pass out on $ext_if proto { tcp, udp } from any to any port $tunnel_ports keep state queue tunnels



# Services we host here

pass in on $ext_if proto tcp from <australia> to any port ssh



# Banned Hosts!  

block in on $ext_if from <china> to any

block in on $ext_if from <korea> to any

block in on $ext_if from <blacklist> to any

If anyone has any ideas as to why the torrent traffic would still be going out (the original rules were basically the same except for the default queue) please drop me a line. Any other comments or questions are welcome also.

Note the last 4 rules too, pf's tables are extremely handy at times

-bok

Odynia.org Blog - Unix / BSD

OpenBSD's pf and Queueing