[FUG-BR] ALTQ
Christopher Giese - iRapida Telecom
chris em irapida.com.br
Mon Sep 12 09:54:13 BRT 2005
I'll send you an example........ if you don't get it.... just ask me by PM
#################################################
FhBSD /etc # cat /etc/pf.conf
# ENVIRONMENT VARIABLES
int_net = "192.168.188.0/24"
ext_net = "192.168.189.0/24"
int_if = "rl0"
ext_if1 = "vr0"
ext_if2 = "xl0"
ext_gw1 = "10.128.1.69"
ext_gw2 = "10.128.1.70"
chat_ips = "{65.54.239.0/24,193.238.0.0/16,195.33.103.0/24,194.130.106.0/24,216.178.160.0/24}"
chat_liberados = "{192.168.188.91,192.168.188.77}"
# Options: tune pf's behaviour; the current values are the defaults.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
# Normalization: reassembles fragments and resolves or reduces traffic ambiguities.
scrub in all
# QoS queues
altq on rl0 hfsc bandwidth 512Kb queue { qpaiin }
queue qpaiin bandwidth 512Kb hfsc (upperlimit 512Kb, linkshare 512Kb) {qicmp1, qrestoin, qrussinholi}
queue qicmp1 bandwidth 128Kb hfsc(red, realtime 128Kb)
queue qrestoin bandwidth 512Kb hfsc (red, linkshare 512Kb, default)
altq on vr0 hfsc bandwidth 512Kb queue { qpaiout }
queue qpaiout bandwidth 512Kb hfsc (upperlimit 512Kb, linkshare 512Kb) {qicmp2, qrestoout, qrussinholi2}
queue qicmp2 bandwidth 128Kb hfsc (red, realtime 128Kb)
queue qrestoout bandwidth 512Kb hfsc(red, default)
# Kludge for EDNARDO
nat on $int_if proto tcp from $int_net to 192.168.188.13 port { 80, 8070 } -> 192.168.188.1
rdr on { vr0, rl0 } proto tcp from any to 10.128.1.69 port { 80, 8070 } -> 192.168.188.13
# Kludge for FERNANDO
rdr on $ext_if1 proto tcp from any to 10.128.1.69 port 8080 -> 192.168.188.248 port 8080
# NAT
nat on $ext_if1 from $int_net to !$ext_net -> $ext_gw1
# ftp
rdr on $int_if proto tcp from any to ! <me> port ftp -> 127.0.0.1 port ftp-proxy
# Hair
rdr on $ext_if1 proto tcp from any to 10.128.1.69 port 9922 -> 192.168.188.77 port 22
# BLOCK MSN
pass in quick on $int_if proto tcp from 192.168.188.0/24 to 200.195.164.11
pass in quick on $int_if proto tcp from $chat_liberados to any port {1863, 1720, 3128, 8080}
pass in quick on $int_if proto tcp from $chat_liberados to $chat_ips port 80
block in quick on $int_if proto tcp from 192.168.188.0/24 to any port {1863, 1720, 3128, 8080}
block in quick on $int_if proto tcp from 192.168.188.0/24 to $chat_ips port 80
# Filters with queues
pass out quick on rl0 proto icmp from any to 192.168.188.0/24 queue qicmp1
pass out quick on rl0 proto tcp from any port 22 to 192.168.188.0/24 queue qicmp1
pass out quick on rl0 proto tcp from any port 23 to 192.168.188.0/24 queue qicmp1
####
pass in quick on rl0 proto icmp from 192.168.188.0/24 to any queue qicmp2
pass in quick on rl0 proto tcp from 192.168.188.0/24 to any port 22 queue qicmp2
pass in quick on rl0 proto tcp from 192.168.188.0/24 to any port 23 queue qicmp2
##################################################
Ronan Lucio wrote:
>Christopher,
>
>>You create a queue on the EXTERNAL interface
>>
>>and apply a rule for INBOUND traffic on the internal one... adding the packet
>>to the external queue
>>
>>phew, that came out a bit strange, didn't it.... but that's really how it is
>>
>>any questions, PM me and I'll send you an example
>>
>
>Cool, I got it.
>Thanks a lot.
>
>Regards,
>Ronan
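As an added example (not the poster's code), the following Python checks the altq/queue hierarchy from the pf.conf above before it is handed to pfctl: every child named in a parent's braces must be defined, the children's linkshare must fit inside the parent's, and each interface needs exactly one default queue. The sample input is the queue section above with the mail wrapping undone; that an HFSC queue's linkshare defaults to its bandwidth when none is given is assumed from pf's documented behaviour.

```python
import re

# Constructed sample: the altq/queue lines of the pf.conf above, unwrapped.
SAMPLE = """\
altq on rl0 hfsc bandwidth 512Kb queue { qpaiin }
queue qpaiin bandwidth 512Kb hfsc (upperlimit 512Kb, linkshare 512Kb) {qicmp1, qrestoin, qrussinholi}
queue qicmp1 bandwidth 128Kb hfsc(red, realtime 128Kb)
queue qrestoin bandwidth 512Kb hfsc (red, linkshare 512Kb, default)
altq on vr0 hfsc bandwidth 512Kb queue { qpaiout }
queue qpaiout bandwidth 512Kb hfsc (upperlimit 512Kb, linkshare 512Kb) {qicmp2, qrestoout, qrussinholi2}
queue qicmp2 bandwidth 128Kb hfsc (red, realtime 128Kb)
queue qrestoout bandwidth 512Kb hfsc(red, default)
"""

ALTQ = re.compile(r"altq on (\w+) \w+ bandwidth (\S+) queue \{([^}]*)\}")
QUEUE = re.compile(r"queue (\w+) bandwidth (\S+) \w+\s*\(([^)]*)\)\s*(?:\{([^}]*)\})?")

def bps(s):  # '512Kb' -> bits per second, using pf's decimal units
    n, u = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)", s).groups()
    return int(n) * {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}[u]

def split(s):  # comma list from inside braces/parentheses; None -> []
    return [x.strip() for x in s.split(",")] if s and s.strip() else []

def parse(conf):
    """Return (interface roots, {queue: {linkshare, default, children}})."""
    roots, q = [], {}
    for line in conf.splitlines():
        if m := ALTQ.match(line):     # root: the link bandwidth is what its children share
            roots.append(m[1])
            q[m[1]] = dict(linkshare=bps(m[2]), default=False, children=split(m[3]))
        elif m := QUEUE.match(line):  # child: linkshare assumed to default to its bandwidth
            opts = split(m[3])
            ls = [bps(o.split()[1]) for o in opts if o.startswith("linkshare")]
            q[m[1]] = dict(linkshare=ls[0] if ls else bps(m[2]), default="default" in opts, children=split(m[4]))
    return roots, q

def defaults(q, name):  # number of 'default' queues under name (undefined children skipped)
    return q[name]["default"] + sum(defaults(q, c) for c in q[name]["children"] if c in q)

def lint(conf):
    roots, q = parse(conf)
    out = []
    for name, node in q.items():
        out += [f"{name}: child queue {c} is never defined" for c in node["children"] if c not in q]
        share = sum(q[c]["linkshare"] for c in node["children"] if c in q)
        if share > node["linkshare"]:
            out.append(f"{name}: children linkshare {share // 1000}Kb exceeds its {node['linkshare'] // 1000}Kb")
    out += [f"{r}: needs exactly one default queue, has {defaults(q, r)}" for r in roots if defaults(q, r) != 1]
    return out
```

Run over the sample it reports qrussinholi and qrussinholi2, which are listed under a parent but never defined, and that the 128Kb + 512Kb children do not fit under each 512Kb parent.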
_______________________________________________
Freebsd mailing list
Freebsd em fug.com.br
http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br