My employer has allowed me to work from home one day per week. As part of
the agreement I had to take home a VoIP phone that connects me to work. This
seemed like a good excuse to set up AltQ on my OBSD box. I read the man page,
the FAQ and Jacek Artymiak's book. I built the queues and loaded the new
ruleset. However, when I run "pfctl -vv -sq" the only queues catching packets
are the general queue and my tcp_ack queue, nothing else. Could someone with
some AltQ experience take a look at these rules and help me understand what
I'm missing?
#pfctl -vv -sq
queue voip on fxp0 priority 14 priq( red )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue stream on fxp0 priority 12 priq( red )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue web on fxp0 priority 10 priq( red )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue email on fxp0 priority 8 priq( red )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue tcp_ack on fxp0 priority 5 priq( red )
[ pkts: 11657 bytes: 629610 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 13.9 packets/s, 6.02Kb/s ]
queue general on fxp0 priq( default )
[ pkts: 953 bytes: 403051 dropped pkts: 0 bytes: 0
]
[ qlength: 0/ 50 ]
[ measured: 0.3 packets/s, 1.45Kb/s ]
#cat /etc/pf.conf
## Macros ##
## Interfaces ##
# fxp0 faces the Internet, fxp1 faces the wired LAN (192.168.1.0/24 below).
ext_if = "fxp0"
wire_if = "fxp1"
## Global Variables ##
# Redacted public address as posted. NOTE(review): $ext_ip is not referenced
# by any rule in this file; the rules use $ext_if (the interface name) instead.
ext_ip = "x.x.x.x"
# NOTE(review): $wire_network and $wire_gw are likewise unreferenced below;
# the rules use $wire_if:network.
wire_network = "192.168.1.0/24"
wire_gw = "192.168.1.1/32"
# Only ICMP echo requests are passed in (see the ICMP rule further down).
icmp_types = "echoreq"
# Service names are resolved at load time. The list appears wrapped across
# two lines here, presumably by the mail client.
netbios = "{ epmap, netbios-ns, netbios-dgm, netbios-ssn,
microsoft-ds }"
## Tables ##
## SSH Hackers - blocked IPs
# Seeded from the file at load time and filled at runtime by the overload
# option on the SSH rule below. NOTE(review): addresses pf adds at runtime
# live in the kernel only; they are not written back to this file, so after
# a reboot the table starts over from the file unless it was dumped first.
table <ssh-bruteforce> persist file "/etc/tables/ssh-bruteforce"
## VoIP Servers
# const: contents are fixed at load time and cannot be changed with pfctl -t.
table <voipservers> const file "/etc/tables/voipservers"
## Options ##
# Blocked packets get a TCP RST / ICMP unreachable instead of a silent drop;
# the explicit "block drop" rules below override this per rule.
set block-policy return
set optimization normal
# Loopback and the IPsec enc0 interface are not filtered at all.
# NOTE(review): skipping enc0 means traffic arriving through IPsec bypasses
# every rule in this file — confirm that is intended.
set skip on lo0
set skip on enc0
## Traffic Normalization ##
# Outbound: randomize the IP ID field. Inbound on the external interface:
# clear the DF bit and reassemble fragments before the rules see the packet.
scrub out on $ext_if all random-id
scrub in on $ext_if all no-df fragment reassemble
## Queueing ##
# Priority queueing on the upstream link. ALTQ shapes only packets LEAVING an
# interface, so the rate here is the upload bandwidth of fxp0, and only
# "pass out on $ext_if" rules can steer traffic into these queues.
# A higher priority number is served first; "red" enables Random Early
# Detection on the queue.
altq on $ext_if priq bandwidth 768Kb queue { voip, stream, web, email,
general, tcp_ack }
queue voip priority 14 priq(red)
queue stream priority 12 priq(red)
queue web priority 10 priq(red)
queue email priority 8 priq(red)
# tcp_ack is meant as the second queue in "queue ( X, tcp_ack )" rules:
# pf puts empty TCP ACKs and lowdelay-ToS packets there.
queue tcp_ack priority 5 priq(red)
# Default queue: anything a pass rule does not assign elsewhere lands here.
# NOTE(review): the pfctl -sq output posted above shows only general and
# tcp_ack receiving packets. These queue definitions look fine; the cause is
# rule ordering in the filter section — pf's LAST matching non-quick rule
# wins, and the catch-all "pass out ... proto tcp ... queue ( general,
# tcp_ack )" rule comes after the per-service rules, so it always wins.
queue general priority 1 priq(default)
## Translation (NAT/RDR) ##
# Masquerade the LAN behind the external interface's address. Only TCP, UDP
# and ICMP are listed, so any other protocol from the LAN (e.g. GRE, ESP) is
# not translated and would leave fxp0 with its private source address.
# NOTE(review): no rule below blocks such traffic (there is no default
# "block out all").
nat on $ext_if inet proto { tcp, udp, icmp } from $wire_if:network to any ->
$ext_if
## Packet Filtering ##
# pf semantics that matter for this ruleset: every rule is evaluated and the
# LAST matching rule wins, unless a rule says "quick", which ends evaluation
# on the first match. Most of the queue problems noted below come from that.
block drop in quick inet6 all
block drop out quick inet6 all
# Sources caught by the SSH overload rule are dropped before anything else.
block drop in quick on $ext_if from <ssh-bruteforce>
# Default deny for INBOUND only. NOTE(review): there is no matching
# "block out all", so any outbound packet that none of the pass out rules
# match leaves unfiltered, without state and in the default queue.
block in all
## Block NetBios/Samba ports from external access ##
block drop in log quick on $ext_if inet proto { tcp,udp } from any to any
port $netbios label "Netbios"
# Outbound counterpart: not logged and not restricted to inet like the rule
# above (inet6 is already blocked quick, so that makes no difference).
block out quick on $ext_if proto { tcp,udp } from any to any port $netbios
## Block OSPF Multicast traffic ##
# NOTE(review): OSPF is its own IP protocol ("proto ospf", number 89), not
# ICMP; as written this matches only ICMP sent to 224.0.0.5. It is not quick
# and is fully covered by "block in all" above, so its only effect is the
# log/label — and real OSPF hellos will not trigger it. Presumably
# "proto ospf" was meant.
block in log on $ext_if inet proto icmp from any to 224.0.0.5 label "OSPF"
## Pass ICMP traffic ##
# Echo requests are accepted on every interface (there is no "on $ext_if").
pass in inet proto icmp all icmp-type $icmp_types keep state (if-bound)
## Pass SSH traffic ##
# quick: wins over the later "pass in ... proto tcp" catch-all. A source that
# opens more than 3 connections in 30 s is added to <ssh-bruteforce> and all
# of its states are flushed. The table name is split across two lines here
# ("<s" / "sh-bruteforce>"), presumably by the mail client; in the real file
# it must be one token.
pass in quick on $ext_if proto tcp from any to $ext_if port ssh flags S/SA
modulate state (max-src-conn-rate 3/30, overload <s
sh-bruteforce> flush global) label "SSH"
## Wired LAN rules ##
# Anything from the LAN is let in on the LAN interface. No state keyword is
# given, so whether state is kept depends on the OpenBSD version's default.
pass in quick on $wire_if from $wire_if:network to any
# Only TCP is passed back out to the LAN by an explicit rule.
pass out on $wire_if inet proto tcp from any to $wire_if:network
## allow internally generated traffic to pass ##
# NOTE(review): why the voip queue stays at 0 — this rule is not quick, and
# the later "pass out on $ext_if inet proto { udp, icmp } all keep state
# (if-bound)" rule also matches UDP to <voipservers>; being the last match it
# wins and sends those packets to the default queue. Adding "quick" here (or
# moving the udp/icmp catch-all above this rule) fixes it. "flags S/SA" is a
# TCP-only match and is meaningless for the udp half of this rule.
pass out on $ext_if inet proto { tcp udp } from $ext_if to <voipservers>
flags S/SA keep state queue voip
# NOTE(review): the stream/web/email rules below are all shadowed the same
# way by the "pass out ... proto tcp from $ext_if to any ... queue ( general,
# tcp_ack )" rule that follows them: it matches every outbound TCP
# connection and, as the last match, wins. That is exactly why only general
# and tcp_ack show counts in pfctl -sq. Either mark these three rules "quick"
# or place the general catch-all BEFORE them.
pass out on $ext_if inet proto tcp from $ext_if to any port { 8001, 8008,
8070, 9991 } keep state queue ( stream, tcp_ack )
# synproxy on a connection the firewall itself initiates is unusual; it is
# designed to shield servers from spoofed inbound SYNs. "keep state" would be
# the conventional choice here and on the email rule.
pass out on $ext_if inet proto tcp from $ext_if to any port { 80, 443}
synproxy state queue ( web, tcp_ack )
# NOTE(review): "tcp" is not a defined queue — only tcp_ack exists in the
# altq section. pfctl normally refuses to load a rule naming an unknown
# queue, so either this is a copy error in the post or the file actually
# loaded differs from what is shown. Likely meant: queue ( email, tcp_ack ).
pass out on $ext_if inet proto tcp from $ext_if to any port {25, 110 }
synproxy state queue ( email, tcp )
# Catch-all for outbound TCP from the firewall (see the ordering note above).
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state
queue ( general, tcp_ack )
# NOTE(review): this passes EVERY TCP port on the firewall from any source,
# overriding "block in all" (last match wins); only the NetBIOS and
# <ssh-bruteforce> blocks and the quick SSH rule take precedence. Any other
# TCP service listening on this host is reachable from the Internet —
# restrict it to the ports that are actually meant to be exposed.
pass in on $ext_if inet proto tcp from any to $ext_if flags S/SA keep state
# Accepts packets on the EXTERNAL interface carrying LAN source addresses.
# NOTE(review): "antispoof for fxp1" at the end expands to block rules that
# come later and are not quick, so they should win and make this rule dead;
# its intent is unclear — NAT is applied before filtering, so LAN traffic
# leaving fxp0 already carries $ext_if as source and hits the pass out rules.
pass in on $ext_if inet from $wire_if:network to any
# Outbound UDP/ICMP catch-all with no queue, so this traffic lands in
# "general". It comes after the voip rule — see the note there.
pass out on $ext_if inet proto { udp, icmp } all keep state (if-bound)
## Anti-spoofing measures ##
# Expands to block rules for packets that arrive on the wrong interface with
# an interface's own network as source. Placed last so they win over the
# non-quick pass rules above.
antispoof for fxp0 inet
antispoof for fxp1 inet