* Theron ZORBAS <[email protected]> [2012-03-25 19:38]:
> My question is about using prio keyword. Can anyone help me with this
> little pf.conf below. Is it smart/advisable config or just a time
> wasting expectation?

it does make sense.

two gotchas:
1) priority queueing really only has an effect when you see a lot of
traffic and/or your box is very loaded.

2) please consider prio experimental for now until I am done with the
rest of the new queueing subsystem. foremost, and this is the really
big gotcha, "prio 5" will likely match on packets with priority 5
instead of setting it. yes, i know, sorry guys, sometimes it takes a
while to get a really clear picture on where we want to head.

> #Macros
> int_if="re1"

one thing i almost always do these days and recommend:
  ifconfig re1 group int (aka "group int" in hostname.re1)
and then just use "int" wherever you have $int_if now.

> #Tables
> table <Loosers> { 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 }
> table <Users> { 192.168.1.21 192.168.1.22 192.168.1.23 192.168.1.24 }
> table <Admins> { 192.168.1.100 192.168.1.101 }
> #NAT private Networks
> match out on egress inet from $int_if:network to any nat-to (egress)
> #Default FW policy
> block log all
> #Always pass from my house
> pass log quick from 194.30.xxx.YYY prio 7
> #Loosers with very low priority
> pass in log quick on $int_if from <Loosers> prio 0
> #Users with a standard priority
> pass in log quick on $int_if from <Users> prio 3
> #Admins have the highest priority
> pass in log quick on $int_if from <Admins> prio 7

that might be a bit excessive logging :)

> #pass out from "the" interfaces
> pass out from ($int_if)
> pass out from (egress)

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
