≡ Menu

FreeBSD Enable PF ALTQ Firewall Support

Q. Under FreeBSD 7.0 patch level 5, I'm getting following warning message:

Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel

I need ALTQ support for my FreeBSD box. How do I enable ALTQ for Class Based Queuing (CBQ) to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules?

A. ALTQ - alternate queuing of network packets provides several disciplines for queuing outgoing network packets. This is done by modifications to the interface packet queues. This is useful for traffic shaping and other advanced usage.

WARNING! These examples may not work with your FreeBSD release as ALTQ is not supported by all of the available network card drivers. Please see the altq manual page for a list of drivers that are supported in your release of FreeBSD.

Fetch latest kernel source code

This is optional, but recommend so that you can build new kernel with latest version. To sync your source tree with the latest sources enter:
# csup /path/to/supfile
Please see cvsup tutorial for more information about syncing your source tree with the latest FreeBSD sources.

Open your kernel configuration file

Change directory to kernel configuration file:
# cd /usr/src/sys/`uname -m`/conf
If you are using vanilla kernel open GENERIC file:
If you've previously created kernel configuration file called nixcraft, open it:
# vi nixcraft
Make sure following line pf kernel option exits:

device pf
device pflog
device pfsync

Add the following kernel options will enable ALTQ and add additional functionality:

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

Save and close the file.

Build FreeBSD kernel

To compile the kernel, enter :
# make buildkernel KERNCONF=nixcraft

To install the new kernel, enter:
# make installkernel KERNCONF=nixcraft


  • KERNCONF=nixcraft: My kernel configuration file name.

Finally, reboot system to boot into a new kernel:
# reboot

Further readings:

{ 3 comments… add one }

  • Britto October 3, 2008, 10:13 am

    Do we have the same functionality in RedHat Like operating systems ?

  • nixCraft October 3, 2008, 11:25 am


    Use tc command, see

  • luka October 14, 2008, 3:10 pm

    You can avoid adding pf firewall exactly to your kernel conf file. Just take a look on the defaults list and take what you need…

    #less /etc/defaults/rc.conf
    pf_enable=”NO” # Set to YES to enable packet filter (pf)
    pf_rules=”/etc/pf.conf” # rules definition file for pf
    pf_program=”/sbin/pfctl” # where the pfctl program lives
    pf_flags=”” # additional flags for pfctl
    pflog_enable=”NO” # Set to YES to enable packet filter logging
    pflog_logfile=”/var/log/pflog” # where pflogd should store the logfile
    pflog_program=”/sbin/pflogd” # where the pflogd program lives
    pflog_flags=”” # additional flags for pflogd
    pfsync_enable=”NO” # Expose pf state to other hosts for syncing
    pfsync_syncdev=”” # Interface for pfsync to work through
    pfsync_syncpeer=”” # IP address of pfsync peer host
    pfsync_ifconfig=”” # Additional options to ifconfig(8) for pfsync

Leave a Comment

   Tagged with: , , , , , , , , , , ,