mas_raka
September 1st, 2003, 07:20
after follow solarfluz tutorial i get altq and pf installed on my freebsd 5.1
bejita# strings /boot/kernel/kernel | grep -c altq_lookup
1
bejita# kldstat | grep pf
3 1 0xc2844000 23000 pf.ko
4 2 0xc1343000 2000 pflog.ko
5 2 0xc260d000 3000 pfsync.ko
6 1 0xc26e0000 c000 pfaltq.ko
then i try some example on solarflux repository:
pf.conf ::
=========
# pf.conf from insomnia.benzedrine.cx
#
# Default gateway doing NAT for my home network, IPv6 tunnel endpoint, using
# queues for extended ackpri (so I can work while being /., for instance).
#
# The external interface is kue0, with a single routable address 62.65.145.30.
# The internal interface is gem0, address 10.1.1.1 in network 10.0.0.0/8.
#
# The IPv6 tunnel is explained in more detail on
# http://www.benzedrine.cx/gif.txt
#
# ACK prioritizing is explained on
# http://www.benzedrine.cx/ackpri.html
# macros
#
ext_if = "fxp0"
int_if = "fxp1"
kami = "192.168.0.0/16"
dotcom = "192.168.1.0/24"
unfiltered = "{ lo0, fxp1 }"
unroutable = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
192.168.0.0/16, 255.255.255.255/32 }"
services_tcp = "{ ssh, smtp, ftp, submission, domain, auth, www, pop3, > 1024 }"
# options
#
set loginterface $ext_if
set loginterface $int_if
set limit states 10000
set limit frags 500
# normalization
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble
# queues
#
#altq on fxp0 priq bandwidth 100Kb queue { q_max, q_hig, q_def, q_low }
#queue q_max priority 7
#queue q_hig priority 5
#queue q_def priority 3
#queue q_low priority 1 priq(default)
altq on $ext_if cbq bandwidth 128Kb queue { q_std }
queue q_std bandwidth 100% cbq \
{ q_def, q_pri, q_web, q_msc, q_dat, q_gms }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_dat bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 25% priority 5 cbq(borrow)
queue q_msc bandwidth 15% priority 4 cbq(borrow)
queue q_gms bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7
# translations
#
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any
#rdr on $unfiltered from any to any -> $int_if
# nat private network to single routable address
#
nat on $ext_if inet from $kami to any -> $ext_if
# ================================================== ===========================
# filter rules (default block/pass)
# ================================================== ===========================
#melok oi palcom neh
#pass in on $int_if inet proto tcp from 192.168.1.0/24 to any
# pass on unfiltered interfaces
#
pass quick on $unfiltered
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A
# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp
# ================================================== ===========================
# external interface (all external IPv4 traffic)
# ================================================== ===========================
# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }
# block unwanted peers
#
block in quick on $ext_if inet from <quickblock> to any
# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any \
port { 111, 443, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any \
port { 137, 138, 139, 1434 }
#
block in log quick on $ext_if inet from $unroutable to any
# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any
# ICMP
#
#gue komenkan dulu neh
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type 8 code 0 keep state queue (q_max)
pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state (max 32) queue (q_low)
# UDP
#
pass out on $ext_if inet proto udp from any to any \
keep state queue (q_def)
pass out on $ext_if inet proto udp from any to any port domain \
keep state queue (q_hig)
pass in on $ext_if inet proto udp from any to $ext_if \
port domain keep state (max 512) queue (q_hig)
pass in on $ext_if inet proto udp from 62.65.145.29 to $ext_if \
port syslog keep state (max 2)
# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from $ext_if to any port www \
flags S/SA keep state queue (q_hig, q_max)
pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10) \
queue (q_low, q_max)
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 8025 \
keep state queue (q_low, q_def)
# Allow DNS lokal
pass in quick on $int_if proto udp from any to any port = 53 keep state
==================
my rc.conf
kern_securelevel_enable="YES"
quota_enable="YES"
check_quotas="YES"
gateway_enable="YES"
portmap_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
log_in_vain="YES"
pf_enable="YES"
pf_logd="YES"
pf_conf="/etc/pf.conf"
ifconfig_fxp1="inet 192.168.2.1 netmask 255.255.0.0"
ifconfig_fxp0="inet 202.159.31.198 netmask 255.255.255.128"
defaultrouter="202.159.31.129"
hostname="bejita.pct.com"
===========================>
then i try to flush :
bejita# pfctl -Fr
rules cleared
then try to load :
bejita# pfctl -e -f /etc/pf.conf
pfctl: fopen(/etc/pf.os): No such file or directory
altq not defined on fxp0
altq not defined on fxp0
/etc/pf.conf:49: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:50: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:51: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:52: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:53: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:54: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:55: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
i have read openbsd faq on queueing section but then i got confused , any suggestion on fixing that error?
bejita# strings /boot/kernel/kernel | grep -c altq_lookup
1
bejita# kldstat | grep pf
3 1 0xc2844000 23000 pf.ko
4 2 0xc1343000 2000 pflog.ko
5 2 0xc260d000 3000 pfsync.ko
6 1 0xc26e0000 c000 pfaltq.ko
then i try some example on solarflux repository:
pf.conf ::
=========
# pf.conf from insomnia.benzedrine.cx
#
# Default gateway doing NAT for my home network, IPv6 tunnel endpoint, using
# queues for extended ackpri (so I can work while being /., for instance).
#
# The external interface is kue0, with a single routable address 62.65.145.30.
# The internal interface is gem0, address 10.1.1.1 in network 10.0.0.0/8.
#
# The IPv6 tunnel is explained in more detail on
# http://www.benzedrine.cx/gif.txt
#
# ACK prioritizing is explained on
# http://www.benzedrine.cx/ackpri.html
# macros
#
ext_if = "fxp0"
int_if = "fxp1"
kami = "192.168.0.0/16"
dotcom = "192.168.1.0/24"
unfiltered = "{ lo0, fxp1 }"
unroutable = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
192.168.0.0/16, 255.255.255.255/32 }"
services_tcp = "{ ssh, smtp, ftp, submission, domain, auth, www, pop3, > 1024 }"
# options
#
set loginterface $ext_if
set loginterface $int_if
set limit states 10000
set limit frags 500
# normalization
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble
# queues
#
#altq on fxp0 priq bandwidth 100Kb queue { q_max, q_hig, q_def, q_low }
#queue q_max priority 7
#queue q_hig priority 5
#queue q_def priority 3
#queue q_low priority 1 priq(default)
altq on $ext_if cbq bandwidth 128Kb queue { q_std }
queue q_std bandwidth 100% cbq \
{ q_def, q_pri, q_web, q_msc, q_dat, q_gms }
queue q_def bandwidth 25% priority 1 cbq(borrow default red ecn)
queue q_dat bandwidth 10% priority 0 cbq(red)
queue q_web bandwidth 25% priority 5 cbq(borrow)
queue q_msc bandwidth 15% priority 4 cbq(borrow)
queue q_gms bandwidth 25% priority 6 cbq(borrow)
queue q_pri priority 7
# translations
#
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any
#rdr on $unfiltered from any to any -> $int_if
# nat private network to single routable address
#
nat on $ext_if inet from $kami to any -> $ext_if
# ================================================== ===========================
# filter rules (default block/pass)
# ================================================== ===========================
#melok oi palcom neh
#pass in on $int_if inet proto tcp from 192.168.1.0/24 to any
# pass on unfiltered interfaces
#
pass quick on $unfiltered
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A
# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp
# ================================================== ===========================
# external interface (all external IPv4 traffic)
# ================================================== ===========================
# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }
# block unwanted peers
#
block in quick on $ext_if inet from <quickblock> to any
# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any \
port { 111, 443, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any \
port { 137, 138, 139, 1434 }
#
block in log quick on $ext_if inet from $unroutable to any
# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !$ext_if to any
# ICMP
#
#gue komenkan dulu neh
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type 8 code 0 keep state queue (q_max)
pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state (max 32) queue (q_low)
# UDP
#
pass out on $ext_if inet proto udp from any to any \
keep state queue (q_def)
pass out on $ext_if inet proto udp from any to any port domain \
keep state queue (q_hig)
pass in on $ext_if inet proto udp from any to $ext_if \
port domain keep state (max 512) queue (q_hig)
pass in on $ext_if inet proto udp from 62.65.145.29 to $ext_if \
port syslog keep state (max 2)
# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from $ext_if to any port www \
flags S/SA keep state queue (q_hig, q_max)
pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10) \
queue (q_low, q_max)
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 8025 \
keep state queue (q_low, q_def)
# Allow DNS lokal
pass in quick on $int_if proto udp from any to any port = 53 keep state
==================
my rc.conf
kern_securelevel_enable="YES"
quota_enable="YES"
check_quotas="YES"
gateway_enable="YES"
portmap_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
log_in_vain="YES"
pf_enable="YES"
pf_logd="YES"
pf_conf="/etc/pf.conf"
ifconfig_fxp1="inet 192.168.2.1 netmask 255.255.0.0"
ifconfig_fxp0="inet 202.159.31.198 netmask 255.255.255.128"
defaultrouter="202.159.31.129"
hostname="bejita.pct.com"
===========================>
then i try to flush :
bejita# pfctl -Fr
rules cleared
then try to load :
bejita# pfctl -e -f /etc/pf.conf
pfctl: fopen(/etc/pf.os): No such file or directory
altq not defined on fxp0
altq not defined on fxp0
/etc/pf.conf:49: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:50: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:51: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:52: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:53: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:54: errors in queue definition
altq not defined on fxp0
/etc/pf.conf:55: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
i have read openbsd faq on queueing section but then i got confused , any suggestion on fixing that error?