Screaming Electron Forums

#1  mas_raka (Kaon; joined Aug 2003; 6 posts), September 1st, 2003

After following solarflux's tutorial I got altq and pf installed on my FreeBSD 5.1:

bejita# strings /boot/kernel/kernel | grep -c altq_lookup
1

bejita# kldstat | grep pf
3 1 0xc2844000 23000 pf.ko
4 2 0xc1343000 2000 pflog.ko
5 2 0xc260d000 3000 pfsync.ko
6 1 0xc26e0000 c000 pfaltq.ko

Then I tried an example from the solarflux repository:

pf.conf ::
=========
# pf.conf from insomnia.benzedrine.cx
#
# Default gateway doing NAT for my home network, IPv6 tunnel endpoint, using
# queues for extended ackpri (so I can work while being /., for instance).
#
# The external interface is kue0, with a single routable address 62.65.145.30.
# The internal interface is gem0, address 10.1.1.1 in network 10.0.0.0/8.
#
# The IPv6 tunnel is explained in more detail on
# http://www.benzedrine.cx/gif.txt
#
# ACK prioritizing is explained on
# http://www.benzedrine.cx/ackpri.html

# macros
#
ext_if = "fxp0"
int_if = "fxp1"
kami = "192.168.0.0/16"
dotcom = "192.168.1.0/24"
unfiltered = "{ lo0, fxp1 }"
unroutable = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
192.168.0.0/16, 255.255.255.255/32 }"
services_tcp = "{ ssh, smtp, ftp, submission, domain, auth, www, pop3, > 1024 }"

# options
#
set loginterface $ext_if
set loginterface $int_if
set limit states 10000
set limit frags 500

# normalization
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble


# queues
#
#altq on fxp0 priq bandwidth 100Kb queue { q_max, q_hig, q_def, q_low }
#queue q_max priority 7
#queue q_hig priority 5
#queue q_def priority 3
#queue q_low priority 1 priq(default)

altq on $ext_if cbq bandwidth 128Kb queue { q_std }
queue q_std bandwidth 100% cbq \
{ q_def, q_pri, q_web, q_msc, q_dat, q_gms }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_dat bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 25% priority 5 cbq(borrow)
queue q_msc bandwidth 15% priority 4 cbq(borrow)
queue q_gms bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7

# translations
#

no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any
#rdr on $unfiltered from any to any -> $int_if


# nat private network to single routable address
#
nat on $ext_if inet from $kami to any -> $ext_if


# =============================================================================
# filter rules (default block/pass)
# =============================================================================

# let palcom in here
#pass in on $int_if inet proto tcp from 192.168.1.0/24 to any


# pass on unfiltered interfaces
#
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# =============================================================================
# external interface (all external IPv4 traffic)
# =============================================================================

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }

# block unwanted peers
#
block in quick on $ext_if inet from <quickblock> to any

# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any \
port { 111, 443, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any \
port { 137, 138, 139, 1434 }

#
block in log quick on $ext_if inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any

# ICMP
#

# I'll comment this out for now


pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type 8 code 0 keep state queue (q_max)

pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state (max 32) queue (q_low)


# UDP
#
pass out on $ext_if inet proto udp from any to any \
keep state queue (q_def)
pass out on $ext_if inet proto udp from any to any port domain \
keep state queue (q_hig)

pass in on $ext_if inet proto udp from any to $ext_if \
port domain keep state (max 512) queue (q_hig)
pass in on $ext_if inet proto udp from 62.65.145.29 to $ext_if \
port syslog keep state (max 2)

# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from $ext_if to any port www \
flags S/SA keep state queue (q_hig, q_max)

pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10) \
queue (q_low, q_max)
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 8025 \
keep state queue (q_low, q_def)

# Allow local DNS
pass in quick on $int_if proto udp from any to any port = 53 keep state


==================
my rc.conf

kern_securelevel_enable="YES"
quota_enable="YES"
check_quotas="YES"

gateway_enable="YES"
portmap_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
log_in_vain="YES"

pf_enable="YES"
pf_logd="YES"
pf_conf="/etc/pf.conf"

ifconfig_fxp1="inet 192.168.2.1 netmask 255.255.0.0"
ifconfig_fxp0="inet 202.159.31.198 netmask 255.255.255.128"
defaultrouter="202.159.31.129"
hostname="bejita.pct.com"

==================


Then I tried to flush:

bejita# pfctl -Fr
rules cleared

Then I tried to load:

bejita# pfctl -e -f /etc/pf.conf
pfctl: fopen(/etc/pf.os): No such file or directory
altq not defined on fxp0
altq not defined on fxp0
/etc/pf.conf:49: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:50: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:51: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:52: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:53: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:54: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:55: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded


I have read the OpenBSD FAQ section on queueing but got confused. Any suggestion on fixing that error?
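As an added example (my own script, not from the post, from solarflux's repository or from the pf project), here is a pre-flight check for a pf.conf of this kind. Whatever is behind "altq not defined on fxp0", the ruleset as pasted has a second problem that would stop it loading anyway: the filter rules hand packets to q_max, q_hig and q_low, which exist only in the commented-out priq block, and <quickblock> is used without a "table <quickblock>" declaration. The script strips comments, joins backslash-continued lines, collects every queue and table that a rule references, compares them with the definitions, and then, if pfctl is installed, parses the file with pfctl -nf (parse only; the live ruleset is untouched). The built-in sample ruleset is constructed to mirror those mistakes and is written to a temporary file; the function and file names are my own.

```shell
#!/bin/sh
# pf_queue_check.sh -- constructed example, not part of the original post.
# Cross-checks a pf.conf: every queue named in a rule's "queue (...)" must
# have a "queue NAME ..." definition, and every <table> used in a rule must
# be declared with "table <NAME>". If pfctl is on the system it also does a
# parse-only load (pfctl -nf) so syntax errors show up without touching the
# running ruleset. Names below are assumed for illustration.

# Drop comments and join backslash-continued lines so each rule is one line.
pf_flatten() {
    awk '{
        sub(/#.*/, "")
        if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next }
        print buf $0; buf = ""
    } END { if (buf != "") print buf }' "$1"
}

# Queue definitions: "queue NAME ..." (a child listed inside a parent's
# { ... } block still needs a definition line of its own).
pf_defined_queues() {
    pf_flatten "$1" | awk '$1 == "queue" { print $2 }' | sort -u
}

# Queue references on filter rules: "queue (a, b)", "queue (a)" or "queue a".
pf_referenced_queues() {
    pf_flatten "$1" | awk '$1 != "queue" && $1 != "altq" {
        if (match($0, /queue[ \t]*\([^)]*\)/)) {
            s = substr($0, RSTART + 5, RLENGTH - 5)
            gsub(/[() \t]/, "", s)
            n = split(s, q, ",")
            for (i = 1; i <= n; i++) if (q[i] != "") print q[i]
        } else if (match($0, /queue[ \t]+[A-Za-z0-9_.-]+/)) {
            s = substr($0, RSTART, RLENGTH); sub(/^queue[ \t]+/, "", s); print s
        }
    }' | sort -u
}

# Table declarations ("table <name> ...") and <name> references in rules.
pf_defined_tables() {
    pf_flatten "$1" | awk '$1 == "table" { gsub(/[<>]/, "", $2); print $2 }' | sort -u
}
pf_referenced_tables() {
    pf_flatten "$1" | awk '$1 != "table" {
        s = $0
        while (match(s, /<[A-Za-z0-9_]+>/)) {
            print substr(s, RSTART + 1, RLENGTH - 2); s = substr(s, RSTART + RLENGTH)
        }
    }' | sort -u
}

# Names that are referenced but never defined; $2 is "queues" or "tables".
pf_missing() {
    { "pf_defined_$2" "$1" | sed 's/^/D /'; "pf_referenced_$2" "$1" | sed 's/^/R /'; } |
    awk '$1 == "D" { def[$2] = 1 } $1 == "R" { ref[$2] = 1 }
         END { for (n in ref) if (!(n in def)) print n }' | sort
}
pf_undefined_queues() { pf_missing "$1" queues; }
pf_undefined_tables() { pf_missing "$1" tables; }

# Report every dangling reference, then let pfctl parse the file if present.
# Returns 1 when anything is wrong, so it can gate a real "pfctl -f".
pf_check() {
    rc=0
    for q in $(pf_undefined_queues "$1"); do
        echo "queue '$q' is used in a rule but never defined"; rc=1
    done
    for t in $(pf_undefined_tables "$1"); do
        echo "table <$t> is used in a rule but never declared"; rc=1
    done
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1" || rc=1      # -n: parse only, live rules stay as they are
    fi
    return $rc
}

# Constructed sample ruleset modelled on the post: q_max, q_hig and q_low
# are referenced without definitions and <quickblock> is never declared.
pf_sample_conf() {
    cat > "$1" <<'EOF'
ext_if = "fxp0"
altq on $ext_if cbq bandwidth 128Kb queue { q_std }
queue q_std bandwidth 100% cbq { q_def, q_pri }
queue q_def bandwidth 50% priority 1 cbq(borrow default red ecn)
queue q_pri priority 7
block in quick on $ext_if inet from <quickblock> to any
pass out on $ext_if inet proto icmp from $ext_if to any \
    icmp-type 8 code 0 keep state queue (q_max)
pass out on $ext_if inet proto udp from any to any port domain \
    keep state queue (q_hig)
pass out on $ext_if inet proto tcp from $ext_if to any \
    flags S/SA keep state queue (q_def, q_max)
pass in on $ext_if inet proto tcp from any to $ext_if port ssh \
    flags S/SA keep state queue (q_low, q_max)
EOF
}

# Check the file named on the command line, or the built-in sample when none.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp); pf_sample_conf "$target"
fi
pf_check "$target" || echo "pf_check: $target has problems, do not load it"
if [ -z "${1:-}" ]; then rm -f "$target"; fi
```

Run it as "sh pf_queue_check.sh /etc/pf.conf"; with no argument it checks the built-in sample and reports the three missing queues and the missing table. A nonzero exit means the file should not be loaded. pfctl -nf is worth running after every edit regardless: it reports parse errors with pf.conf line numbers, as in the output above, and only pfctl -f replaces the rules.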