Hi,
I'm trying to update my pf.conf to prioritize Ooma VoIP packets. My OpenBSD
firewall sits between my Ooma on my internal network and the outside world.
It's hard to Google for this info; the pf FAQ has so many mirrors out
there that it's hard to separate the noise from the signal. I own The Book of PF,
but it doesn't cover this specific issue.
First I need a pf rule from my firewall to the outside world:
pass out quick on $ext_if proto udp from $ooma to any set prio 5 nat-to ($ext_if)
That rule is fine, it will prioritize Ooma outgoing packets from my firewall
ahead of my other outgoing packets to the Internet.
My problem is with my other pf rule(s), which is how my Ooma packets get from
my internal network to my firewall. I can make a rule like this:
pass in quick on $int_if proto udp from $ooma to any set prio 5
This rule allows packets into the firewall, but the 'set prio' in the rule
doesn't do anything (at least not immediately) since 'set prio' is intended for
outgoing packets. However, this rule does create state. Once state is created,
there is no further way to influence the priority of a returning packet, since
it will no longer be subject to additional rules in pf.conf.
I.e., I can add an additional rule like this:
pass out quick on $int_if proto udp from any to $ooma set prio 5
but, since state has already been created, that rule will never apply.
I can think of three ways to 'set prio 5' on packets from my firewall to my
internal network:
1) Is the 'set prio 5' on incoming packets sticky to outgoing packets? I.e., is
it unidirectional or bidirectional? If I have a rule like this for the
internal interface:
pass in quick on $int_if proto udp from $ooma to any set prio 5
will the 'set prio' be part of the state created by the incoming packet? Does
pf work that way? If so, would the return outgoing packets automatically have
the higher priority?
or 2) I can write rules with no state for the internal interface. Something
like this:
pass in quick on $int_if proto udp from $ooma to any no state
pass out quick on $int_if proto udp from any to $ooma set prio 5 no state
But using 'no state' seems so inefficient. The pf rules need to be evaluated
for every packet.
or 3) I can write rules like this for the internal interface:
pass in quick on $int_if proto udp from $ooma to any no state
pass out quick on $int_if proto udp from any to $ooma set prio 5 keep state
What I think happens here is that the very first packet from Ooma to the
firewall is 'no state'. But shortly thereafter there will be a return packet
from the outside world to Ooma, and that return packet will create state. From
that point on, all further Ooma packets on the internal interface will have
state. Am I correct in that conclusion?
Is this all too confusing? Have I been able to explain myself clearly enough?
Thanks in advance for any help.
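Added example, not part of the original post: the internal-interface variants written out as one pf.conf fragment so they can be compared side by side. It assumes the post's macros, a constructed address for $ooma, and that pf records a rule's 'set prio' in the state it creates and applies it to every packet matched by that state in either direction (the behaviour option 1 asks about).

```conf
# Added example (not from the original post). Interface names and the
# Ooma address are constructed sample values.
ext_if = "em0"
int_if = "em1"
ooma   = "192.168.1.50"

# Upstream side, as in the post: Ooma's UDP leaves ahead of other outbound
# traffic. 'nat-to' is the pf.conf(5) spelling of the NAT option.
pass out quick on $ext_if proto udp from $ooma to any set prio 5 nat-to ($ext_if)

# Internal side, variant (1): a single stateful rule. Assumption: pf stores
# the rule's prio in the state, so the replies leaving $int_if toward $ooma
# are matched by this state and queued at prio 5 as well. No separate
# 'pass out' rule is needed, and one written here would never be evaluated
# for packets that already match the state.
pass in quick on $int_if proto udp from $ooma to any set prio 5

# Variant (2), stateless in both directions. Functionally correct, but every
# packet walks the ruleset because no state is ever created.
#pass in  quick on $int_if proto udp from $ooma to any no state
#pass out quick on $int_if proto udp from any to $ooma set prio 5 no state

# Everything else on the internal interface keeps the default priority.
pass in on $int_if
pass out on $int_if
```

'pfctl -vvsr' prints per-rule Evaluations/Packets counters, so a rule that is never reached (the poster's "that rule will never apply") shows zero packets, which is a quick way to confirm which variant is actually doing the work.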