freebsd stable - Dec 2005 - My ungodly PF config - am I sane and brilliant, or just deluded and dangerous?

My company is using FreeBSD for two major applications: our file servers 
(via Samba), which aren't the subject of this message; and the routers 
between branches. Some background follows.

We have essentially two types of branches - Type A, with thier own cable 
internet connections, and Type B, who have point-to-point T1 connections 
to Coprorate and use our internet connection for outside communication. 
The Type A branches have FreeBSD machines acting as firewall/NAT, and 
also providing gif endpoints for tunnels to our Corporate office, which 
also uses a FreeBSD machine to provide firewall/NAT for the Corporate 
Office and Type B branches.

With me so far?

Here's the fun part. Our traffic has gotten to the point where I've 
decided that some traffic shaping (ALTQ) is necessary. I've been 
experimenting with my home cable internet connection (and gif tunnel to 
work), and I believe I've come up with a workable solution. However, I'd
like to run it by some experts to see if I'm screwing up (or hitting any 
possible limits) before I try putting it in place live.

Here's the config, with some comments/questions

int_if = "bge1"   # obviously, the Internal interface of our firewall,
connected to the corporate internal network
ext_if = "bge0"  # again, obviously, the external interface, connected
to the DMZ, with a publicly routed IP
gif_if = "{" gif1 gif3 gif5 gif7 gif10 gif11 gif12 gif13 gif14 gif15 
gif19 gif20 gif21 gif25 "}"  # all of the gif tunnels to the various 
branches

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

altq on $ext_if priq bandwidth 4500Kb queue {std_out, ssh_out, mail_out, 
www_out, notes_out, asna_out, dns_out, gif_out, pri_out}
queue std_out priq(default) qlimit 150
queue mail_out priority 2
queue www_out priority 3
queue notes_out priority 4   # We use Notes primarily, so it gets higher 
priority than normal SMTP/POP3 traffic
queue dns_out priority 6
queue ssh_out priority 7
queue gif_out priority 8   # This gets any traffic encapsulated in a gif 
tunnel or ipsec.
queue pri_out priority 15

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if) # it occurs to 
me, as I post this, that I'll need to change this to account for the 
Type B branches that are on seperate subnets.

# filter rules
block all

pass quick on lo0 all
pass quick on $int_if all

pass in quick on $gif_if all

# Is there any reason to keep state on any of the following "in"
rules?
pass in quick on $ext_if proto ipencap all
pass in quick on $ext_if proto esp all
pass in quick on $ext_if proto tcp all
pass in quick on $ext_if proto udp all
pass in quick on $ext_if proto icmp all

pass out on $gif_if proto udp all keep state queue(std_out, pri_out)
pass out on $gif_if proto icmp all keep state queue(std_out, pri_out)
pass out on $gif_if proto tcp all modulate state flags S/SA 
queue(std_out, pri_out)
pass out on $gif_if proto tcp from any to any port 22 modulate state 
flags S/SA queue(ssh_out, pri_out)
pass out on $gif_if proto tcp from any to any port 25 modulate state 
flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 110 modulate state 
flags S/SA queue(mail_out, pri_out)
pass out on $gif_if proto tcp from any to any port 80 modulate state 
flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 443  modulate state 
flags S/SA queue(www_out, pri_out)
pass out on $gif_if proto tcp from any to any port 1352 modulate state 
flags S/SA queue(notes_out, pri_out)
pass out on $gif_if proto udp from any to any port 53 keep state 
queue(dns_out, pri_out)

pass out on $ext_if proto { udp, icmp } all keep state queue(std_out, 
pri_out)
pass out on $ext_if proto tcp all modulate state flags S/SA 
queue(std_out, pri_out)
pass out on $ext_if proto tcp from any to any port 22 modulate state 
flags S/SA queue(ssh_out, pri_out)
pass out on $ext_if proto tcp from any to any port 25 modulate state 
flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 110 modulate state 
flags S/SA queue(mail_out, pri_out)
pass out on $ext_if proto tcp from any to any port 1352 modulate state 
flags S/SA queue(notes_out, pri_out)
pass out on $ext_if proto tcp from any to any port 80 modulate state 
flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto tcp from any to any port 443 modulate state 
flags S/SA queue(www_out, pri_out)
pass out on $ext_if proto udp from any to any port 53 keep state 
queue(dns_out, pri_out)
pass out on $ext_if proto ipencap all keep state queue(gif_out, pri_out) 
# Again - any point in keeping state for the gif tunnels or ipsec 
(below) packets?
pass out on $ext_if proto esp all keep state queue(gif_out, pri_out)

Believe it or not, pfctl -nv actually parses all of this out and seems 
to believe it makes sense. The other ends, which usually have only one 
or possibly two endpoints (branch->corporate and sometimes 
branch->sister branch) will be significantly simpler, but if the above 
works, it's easy to transpose to the smaller situation.

Something else I just noticed, since this is the "server end" - the 
point where most of the servers sit, as opposed to the clients - should 
I change those 'pass' lines from "from any to any port x" to
"from any
port x to any"? Is that valid?

My theory is that I want to first, prioritize the traffic going out on 
the gif tunnels, then promote the gif packet actually travelling out 
over the $ext_if above most other traffic. It LOOKS like this will 
happen, but I want to see if I'm missing anything obvious. In the past, 
I've used NetBSD and ipfilter, so I'm relitively new to PF and wanted a 
second opinion.

Thanks to anyone for answering, or for pointing to a more appropriate 
venue for the question!

-J. Buck Caldwell

On Dec 16, 2005, at 1:13 AM, J. Buck Caldwell wrote:
> Here's the fun part. Our traffic has gotten to the point where I've
> decided that some traffic shaping (ALTQ) is necessary. I've been  
> experimenting with my home cable internet connection (and gif  
> tunnel to work), and I believe I've come up with a workable  
> solution. However, I'd like to run it by some experts to see if I'm
> screwing up (or hitting any possible limits) before I try putting  
> it in place live.
You may wish to take a look at an embedded GUI based firewall system  
like pfSense to help you configure this.  It has a traffic shaping  
wizard and can do IPsec VPNs as well.  It is based on FreeBSD 6.0 so  
will run on whatever hardware you've got already.

See http://www.pfsense.com/