
I'm trying to learn the ropes on packet queuing, so I thought I'd set up a limitation on traffic coming into port 80 from known Tor Exit nodes. This is on FreeBSD 9, so OpenBSD-specific solutions might not apply (syntax/etc).

# Snipped to mainly the relevant parts
table <torlist> persist file "/var/db/torlist"

# ...

set block-policy return 

scrub in all
scrub out on $ext_if all

# What I *want* to do is create a queue for known tor exit nodes
# no single one IP should be able to do more than 56k/sec
# but the combined bandwidth of all tor visitors should not
# exceed 512k/sec, basically limiting Tor visitors to something
# like dialup

altq on $ext_if cbq bandwidth 512k queue { qin-tor }
queue qin-tor bandwidth 56Kb cbq ( default rio )

# ...

block in log all

antispoof for { $ext_if, $tun_if }
antispoof quick for $int_if inet

### inbound web rules
# Main Jail ($IP4_PUB3 is my webserver IP)

pass in on $ext_if inet proto tcp from <torlist> to $IP4_PUB3 port www synproxy state queue qin-tor
pass in on $ext_if inet proto tcp to $IP4_PUB3 port www synproxy state

The problem is, when the altq, queue, and pass line specific for torlist are enabled, all connections are extremely slow. I've even tested my own IP against pfctl -t torlist -T test, and got back "0/1 addresses match", and if I test one from the list it's "1/1 addresses match".

So I'm not really educated in the matter of what exactly I'm doing wrong. I was assuming the pass in line with <torlist> in it would only be applied to the IPs listed in that table, so my own IP wouldn't validate on that rule and would pass on to the next one.

Getting it working isn't urgent, but any help in understanding where I'm failing would be greatly appreciated.

KBeezie

1 Answer


Turns out that I didn't quite understand how altq works. When I created a queue on my external interface with only one queue I created a default for all connections. As a result I had to define my top speed plus create a default queue for everything else.

For example, if my system has 100Mb top:

altq on $ext_if cbq bandwidth 100Mb queue { qin-www, qin-tor }
queue qin-www bandwidth 98Mb priority 1 cbq ( default borrow )
queue qin-tor bandwidth 56Kb priority 7 cbq ( rio )

...

pass in on $ext_if inet proto tcp to $IP4_PUB3 port www synproxy state
pass in on $ext_if inet proto tcp from <torlist> to $IP4_PUB3 port www synproxy state queue qin-tor

(doesn't need to be on top since pf parses all the rules unless you use 'quick')

In this way only those IPs matching <torlist> get throttled down to the qin-tor queue; everything else not defined defaults to the qin-www queue.

The FAQ on OpenBSD's pf didn't seem to make this clear to me until I thought about why there would be an error for a "default". Then I figured maybe it applies to the whole interface, so you need to define a default for rules not marked to a specific queue.

So there it is... the solution to my 'simple' problem. Hopefully anyone else who has this problem comes across this.

This is the FAQ I was going by for packet queueing: http://www.openbsd.org/faq/pf/queueing.html

KBeezie
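The point of the answer is that the one queue marked `default` catches every packet that no pass rule sends elsewhere, so a 56Kb throttle queue that is also the default throttles the whole interface. As an added example (not from the question, the answer, or pf itself), here is a small Python checker that parses the two pf.conf fragments above (reproduced as constructed strings) and reports which queue unassigned traffic lands in, together with the layout mistakes that cause this kind of slowdown. It assumes decimal bandwidth multipliers and only understands the single-queue `queue name` form at the end of a pass rule.

```python
import re

# Constructed pf.conf fragments, copied from the question (broken) and the
# answer (fixed). Only the altq/queue/pass lines that matter are included.
BROKEN_CONF = """
altq on $ext_if cbq bandwidth 512k queue { qin-tor }
queue qin-tor bandwidth 56Kb cbq ( default rio )
pass in on $ext_if inet proto tcp from <torlist> to $IP4_PUB3 port www synproxy state queue qin-tor
pass in on $ext_if inet proto tcp to $IP4_PUB3 port www synproxy state
"""

FIXED_CONF = """
altq on $ext_if cbq bandwidth 100Mb queue { qin-www, qin-tor }
queue qin-www bandwidth 98Mb priority 1 cbq ( default borrow )
queue qin-tor bandwidth 56Kb priority 7 cbq ( rio )
pass in on $ext_if inet proto tcp to $IP4_PUB3 port www synproxy state
pass in on $ext_if inet proto tcp from <torlist> to $IP4_PUB3 port www synproxy state queue qin-tor
"""

# Assumed decimal multipliers for the bandwidth suffixes pf.conf accepts.
UNITS = {"": 1, "b": 1, "k": 10**3, "kb": 10**3, "m": 10**6, "mb": 10**6,
         "g": 10**9, "gb": 10**9}

ALTQ_RE = re.compile(r"altq on (\S+) \w+ bandwidth (\S+) queue \{([^}]*)\}")
QUEUE_RE = re.compile(r"queue (\S+) bandwidth (\S+).*\(([^)]*)\)")
ASSIGN_RE = re.compile(r"\bqueue (\S+)$")


def parse_bandwidth(token):
    """Turn an altq bandwidth token such as '56Kb' or '512k' into bits/second."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", token)
    if not m:
        raise ValueError(f"unrecognised bandwidth {token!r}")
    value, unit = m.groups()
    return int(value) * UNITS[unit.lower()]


def analyse(conf):
    """Parse the altq root, the child queue definitions and the pass-rule
    queue assignments, and return the default queue, the bandwidth that all
    unassigned traffic is confined to, and a list of layout problems."""
    root, queues, assigned = None, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if m := ALTQ_RE.match(line):
            root = {"bandwidth": parse_bandwidth(m.group(2)),
                    "children": [c.strip() for c in m.group(3).split(",")]}
        elif m := QUEUE_RE.match(line):
            name, bw, opts = m.groups()
            queues[name] = {"bandwidth": parse_bandwidth(bw),
                            "default": "default" in opts.split()}
        elif line.startswith("pass") and (m := ASSIGN_RE.search(line)):
            assigned.append(m.group(1))               # explicit queue target

    findings = {"default_queue": None, "unassigned_bandwidth": None, "problems": []}
    if root is None:
        findings["problems"].append("no altq declaration found")
        return findings

    # Every queue named in the altq line must be defined, and vice versa for
    # queues referenced by pass rules.
    for child in root["children"]:
        if child not in queues:
            findings["problems"].append(f"queue {child} listed in altq but never defined")
    for q in assigned:
        if q not in queues:
            findings["problems"].append(f"pass rule assigns undefined queue {q}")

    # Child bandwidth must fit within the root bandwidth.
    total = sum(q["bandwidth"] for q in queues.values())
    if total > root["bandwidth"]:
        findings["problems"].append(f"child queues total {total} b/s, root allows {root['bandwidth']} b/s")

    # Exactly one queue is the catch-all for rules without a 'queue' keyword.
    defaults = [n for n, q in queues.items() if q["default"]]
    if len(defaults) != 1:
        findings["problems"].append(f"expected exactly one default queue, found {defaults}")
        return findings
    default = defaults[0]
    findings["default_queue"] = default
    findings["unassigned_bandwidth"] = queues[default]["bandwidth"]
    if default in assigned:
        findings["problems"].append(
            f"default queue {default} is also assigned explicitly by a pass rule; "
            "it is the catch-all for every rule without a queue, so the explicit "
            "assignment restricts nothing and all other traffic is throttled with it")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, analyse(conf))
```

Run against the question's fragment the checker reports that unassigned traffic is confined to 56,000 b/s on qin-tor and that the throttle queue doubles as the catch-all; against the answer's fragment it reports qin-www (98,000,000 b/s) as the default and no problems. The same idea can be checked on the box itself with `pfctl -nf /etc/pf.conf` followed by `pfctl -s queue`, but the script lets you reason about the layout before loading it.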