Getting OpenBSD PF firewall queues to work with NAT traffic

Ian Evans
4/27/2011
Revision History
Author Date Revision
Ian Evans 4/27/2011 1.0
Introduction

The aim of this quick reference is to step you through the process of creating ALTQ queues for NAT
traffic in FreeBSD using the PF firewall. As you may have noticed, getting queues to work with NAT
traffic can be a very difficult and time-consuming process. To make the process easier, I will highlight
how tags can be used to effectively queue NAT traffic whose source ports are assigned at random.

Step 1

If you do not already have PF firewall setup on your BSD box, you can do so by adding the following
options into a copy of the GENERIC kernel file.

1) Navigate to /usr/src/sys/amd64/conf and open the GENERIC kernel file for editing and add the
options and devices below for PF. Save the file under a different name (e.g. ENHANCED).

2) Compile the new kernel by navigating to /usr/src. Once you are in /usr/src, run the following
command: make buildkernel KERNCONF=ENHANCED && make installkernel KERNCONF=ENHANCED.
Depending on your machine this may take a while. Reboot your system and run the following
command to verify the new kernel is installed and running: uname -a. If everything installed
properly, you should see your new kernel name in the output.

3) Now you need to create the pf configuration file. To make the process a bit easier, you can use this
one as a template. You will of course have to change the interface names to match what is
installed on your system. If you look at the configuration file, setting up the queues is very
straightforward.

For the purposes of this guide, I will only be discussing the ALTQ portion. As you can see, I
created three queues: uploads, httpftp and other. The uploads queue is for upload traffic only
and sets a hard limit of 4MB. The next two queues, httpftp and other, are key to
controlling download bandwidth for users behind NAT connections.

For http and ftp (ports 80, 21 and 8021), I created one queue that is designed to “feed” off of the larger
queue called “other”. You will notice it has “(borrow ecn)” next to it. This simply means that
the queue is going to use what it has allocated (in this case 15MB of a 100MB pipe) and then,
if needed, borrow more bandwidth from the other queue, which has the remaining 85MB of the
100MB pipe.

After the queue definitions have been established, you can now “tag” them to the necessary
ports. In this case, we will be doing this for http and ftp traffic. All other traffic automatically
gets dumped into the “other” queue. You will see that I opted to create rules for some of the traffic
that will be using the “other” queue, just to ensure it is in the right place.

Adding the “tags” to your traffic is very easy. If you look at the example below, you can see
where I added the tags for various rules. If you want to add more ports, simply add them to
the rule set. To control the NAT connections, just make sure you put a tag on the
actual nat rule. You will also want to put the tag on any rdr rules that may be used for ftp-proxy
type connections.
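A pf.conf fragment that follows the scheme described above, written here as an added example rather than the author's own configuration file. The interface names (em0/em1), the LAN network, the tag names, and the split of the queues across the two interfaces (uploads on the external interface; httpftp and other on the internal interface, where downloads leave toward the NAT clients) are assumptions.

```pf
# Added example pf.conf fragment (not the author's file). Interface names,
# the LAN network, tag names and the per-interface queue split are assumptions.
ext_if    = "em0"             # assumed external interface
int_if    = "em1"             # assumed internal (LAN) interface
lan_net   = "192.168.1.0/24"  # assumed LAN behind NAT
www_ports = "{ 80, 21 }"      # direct http/ftp; 8021 is reached via the rdr below
set skip on lo0

# Uploads leave on the external interface: hard 4Mb cap, no borrowing.
altq on $ext_if cbq bandwidth 100Mb queue { uploads, ext_default }
  queue uploads     bandwidth 4Mb  cbq(ecn)
  queue ext_default bandwidth 96Mb cbq(default)

# Downloads reach NAT clients through the internal interface: httpftp owns
# 15Mb and may borrow from the 100Mb parent; "other" is the default queue.
altq on $int_if cbq bandwidth 100Mb queue { httpftp, other }
  queue httpftp bandwidth 15Mb cbq(borrow ecn)
  queue other   bandwidth 85Mb cbq(default ecn)

# ftp-proxy(8) anchors for the data connections it sets up.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Tag the nat rule: every translated connection carries NAT_LAN on $ext_if.
nat on $ext_if from $lan_net to any -> ($ext_if) tag NAT_LAN
# Tag the ftp-proxy rdr so the proxied session can be queued by its tag.
rdr on $int_if proto tcp from $lan_net to any port 21 \
    -> 127.0.0.1 port 8021 tag FTP_PROXY

block all
anchor "ftp-proxy/*"

# LAN side: the state created here queues the replies leaving $int_if.
pass in on $int_if proto tcp from $lan_net to any port $www_ports \
    keep state queue httpftp
pass in on $int_if proto tcp tagged FTP_PROXY keep state queue httpftp
pass in on $int_if from $lan_net to any keep state queue other

# WAN side: only tagged (translated) connections may leave, into uploads;
# ftp-proxy's own control connections from the firewall go there as well.
pass out on $ext_if tagged NAT_LAN keep state queue uploads
pass out on $ext_if proto tcp from ($ext_if) to any port 21 \
    keep state queue uploads
```

Because each pass rule's state only matches traffic on its own interface, the int_if rules decide the download queue and the ext_if rules decide the upload queue; pfctl -s queue -v on both interfaces shows whether the counters move.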

4) Now that we are done with the basic ALTQ config, we need to load the pf configuration and test
to ensure things are working as intended. To enable pf, run: pfctl -e. To load the configuration
file, run: pfctl -f /etc/<yourpfconfigfile>. Verify it is loaded by running: pfctl -s rules. You
should see all of the loaded rules. To ensure the firewall is passing traffic, run: pfctl -s info.

5) Now let's check to make sure the tagged queues are working. Simply run: pfctl -s queue -v. You
should see traffic being passed through all of the queues. Be sure to look specifically at the
borrowed queue to ensure it is pulling from the default queue when needed. If it has a zero
counter, you need to go back and look at your config. If all is well, you should see output
similar to this:

6) Now let's make sure the PF settings and configs stick on boot. Add the following to your
/etc/rc.conf. You will of course need to change pf_config to reflect your configuration file. It
should look like this:

7) Now, you should run a quick security test to ensure everything is sealed up. I recommend
running the test from Gibson's Research Shields Up at: www.grc.com

Conclusion

Hopefully this guide made the process of setting up NAT based queues easier. Happy PF'ing!

- Ian
