Re: Openbsd firewall

[joe smith <joe () joesmith homeip net>]

Thanks for all of the suggestions,

I'm still getting bandwidth error when I try to load the pf.conf.  Maybe 
there is a low limit on bandwidth on openbsd 3.5 (I just haven't found 
the documantion on it yet). 

here is a snipet of my pf.conf

altq on $ext_if cbq(red) bandwidth 1.5Mb queue {std hpot}
queue std bandwidth 1.49Mb cbq(default red)
queue hpot bandwidth 5.6Kb cbq(red)  <-------- if I set this below 
5.59Kb I'll get error message below

pass out on $ext_if from $my_hpot to any keep state (max 5, source-track 
rule, tcp.established 900, tcp.closing 90) queue hpot

error message
pfctl: queue bandwidth must be larger than 5.59Kb
cbq: queue hpot is too slow!


j


Alexandre Dulaunoy wrote:

> On Thu, 29 Jul 2004, joe smith wrote:
>
>  
>
> > I currently testing an openbsd gateway/firewall for my honeypot setup.  
> > I'm limiting the amount of bandwidth for each honey pot.  Does anyone 
> > know why I can not set it below 5.6 kilobits? 
> >
> >    
>
> I think  you already got a  reply regarding ALTQ but  this not trivial
> due to  the various type  of queueuing and  the inner working  of ALTQ
> too. 
>
> Another  approach  that   can  work  for  Honeynets  is   to  use  the
> max-src-states, max-src-nodes and max. Check stateful tracking options
> in pf.conf(5). 
>
> Hope this helps,
>
> adulau
>
>
>