# PF - packets filtering by length?



## Magnesik (Jun 21, 2011)

Is it possible to filter packets by length? If it is possible, then how? I know that iptables (for Linux) has it.

A piece of my router's firewall looks like this:


```
##Upload without main queue
queue up_komp1     bandwidth  12% priority 5 qlimit 500 hfsc (realtime 10% upperlimit 99% ecn) { u_komp1 u_ack_komp1}

    queue u_ack_komp1 bandwidth 50% priority 6 qlimit 500 hfsc
    queue u_komp1   bandwidth 50% priority 5 qlimit 500 hfsc

##Download without main queue
queue dn_komp1      bandwidth  12% priority 5 qlimit 500 hfsc (realtime 10% upperlimit 99% ecn) { d_komp1, d_ack_komp1 }

    queue d_ack_komp1 bandwidth 50% priority 6 qlimit 500 hfsc
    queue d_komp1   bandwidth 50% priority 5 qlimit 500 hfsc

## and after all

pass in quick on $int_if from $komp1 to any tag komp1 keep state queue (d_komp1, d_ack_komp1)
pass out quick on $ext_if tagged komp1 keep state queue (u_komp1, u_ack_komp1)
```

My question is related to a problem which I have. While uploading files by HTTP (port 80) on a machine connected to the router with the firewall listed above, the internet on it is frozen. Any other service doesn't work or works very, very slowly. (Maybe I should have another firewall with QoS on the local machine?)

I read somewhere that ACKs are not only small packets but sometimes contain payload. In this case they have higher priority than other packets and I suspect them (huge ACKs) as my problem.
In iptables it is possible to filter packets by length and assign proper priority for smaller ACKs and bigger ACKs.

Is it a good idea to set SYN and RST with priority to optimize utilization of bandwidth? If yes - how?


----------

