[FUG-BR] ALTQ não controla banda
Renato Martins
renato em redenetworks.com.br
Terça Junho 19 15:05:27 BRT 2007
é isso mesmo para liberar coloque as regras bem em cima
e acho que vc tem que criar duas linhas memo nao assim 'altq on { fxp0
fxp1 }'
assim como vc vai separa oque é externa e interna ?
-----
Original Message -----
From: "Fabiano (BiGu)" <bigu at grupoheringer.com.br>
To: ""Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)""
<freebsd at fug.com.br>
Sent: Tuesday, June 19, 2007 2:00 PM
Subject: Re: [FUG-BR] ALTQ não controla banda
Opa Renato...
funcionou bacana agora!!!
so acrescentei no altq on { fxp0 fxp1 } , como ja tinha as regras de
saida pra interfaces, ele ja funcionou
meu problema agora q o acesso do server ficou limitado também...
tentei colocar
pass quick from any to $me (meu server)
pass quick from $me to any
mas ele ainda continua limitando...pelo q entendi, se eu coloco colocar
uma regra e nao especificar nenhuma queue ele vai passar livre, por fora
do altq...
eh assim mesmo? caso nao seja, como faco pra ignorar o altq para certas
regras? tem alguns ips que preciso deixar liberado...
Obrigado
Renato Martins escreveu:
> outra coisa altq so faz da saida da placa e nao do in
> entao faça queue nas duas interfaces na interna e externa
>
> esse é um exemplo:
>
> # interfaces
>
> ext_if="re0"
>
> int_if="re1"
>
> # configuracao de ips e portas
>
> internal_net="10.0.0.0/24"
>
> external_addr="200.250.x.x"
>
> me="{ 200.250.x.1, 10.x.x.2, 127.0.0.1 }"
>
> confiavel="{ 200.250.x.x 10.0.0.0/24}"
>
> ns="{ 200.250.x.9, 200.250.x.2 }"
>
> voip="{ 200.250.x.4, 200.250.x.7 }"
>
> port_serv="{ 20, 21, 22, 25, 53, 80, 81, 110, 143, 443, 8080 }"
>
> port_ssh="22"
>
> port_voip="{ 5060 >< 5063 }"
>
> port_h323="{ 1718 >< 1721 }"
>
> portudp_voip="{5999 >< 65000 }"
>
> port_drop="{134 >< 139, 445, 1025 >< 1027, 444, 3456, 1234, 666 }"
>
> port_all="{ 1><65535 }"
>
> redes="{ 10.0.0.0/24, 200.250.x.x/24 }"
>
> # Options: tune the behavior of pf, default values are given.
>
> set timeout { interval 10, frag 30 }
>
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>
> set timeout { icmp.first 20, icmp.error 10 }
>
> set timeout { other.first 60, other.single 30, other.multiple 60 }
>
> set timeout { adaptive.start 0, adaptive.end 0 }
>
> set limit { states 10000, frags 5000 }
>
> set loginterface none
>
> set optimization normal
>
> set block-policy drop
>
> set require-order yes
>
> set skip on lo
>
> #set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic
> ambiguities.
>
> #scrub in all
>
> # Queue out interface externa upload.
>
> altq on $ext_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { eresto,
> evoip, eserv }
>
> queue eresto bandwidth 800Kb priority 1 cbq (default borrow)
>
> queue evoip bandwidth 1.2Mb priority 3 cbq(borrow)
>
> queue eserv bandwidth 2.0Mb priority 2 cbq(borrow)
>
> # Queue out interface interface download.
>
> altq on $int_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { iresto,
> ivoip, iserv }
>
> queue iresto bandwidth 800Kb priority 1 cbq (default borrow)
>
> queue ivoip bandwidth 1.2Mb priority 3 cbq(borrow)
>
> queue iserv bandwidth 2.0Mb priority 2 cbq(borrow)
>
>
>
> # nat da rede cliente
>
> nat on $ext_if from $internal_net to any -> ($ext_if)
>
> # rdr outgoing FTP requests to the ftp-proxy
>
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> ## squid
>
> #no rdr on $int_if proto tcp from 200.250.x.x to any port 80
>
> rdr on $int_if proto tcp from 200.250.x.8 to any port 80 -> 127.0.0.1 port
> 3128
>
> # Filtering: the implicit first two rules are
>
> block in all
>
> block out all
>
> # libera acesso receita
>
> pass proto tcp from $redes to 161.148.0.0/16 keep state queue eserv
>
> pass proto tcp from 161.148.0.0/16 to $redes keep state queue iserv
>
> pass quick proto tcp from $redes to 161.148.0.0/16 port 3456 keep state
> queue eserv
>
> pass quick proto tcp from 161.148.0.0/16 port 3456 to $redes keep state
> queue iserv
>
>
>
> # block de spoof e brodcast vindos de fora da rede
>
> block quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
> 255.255.255.255/32 } to any
>
> block quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12,
> 192.168.0.0/16, 255.255.255.255/32 }
>
> # aceita trafego da rede para o local
>
> pass in on lo from $redes to 127.0.0.1 keep state
>
> # libera o acesso da rede para proxy
>
> #pass quick proto {tcp,udp } from $redes to $me port 3128 keep state
>
> #pass quick proto {tcp,udp } from $me to $redes keep state
>
> # block portas spoofadas windows
>
> block quick proto { tcp,udp } from any to any port $port_drop
>
> # aceitar ssh somente dos confiaveis
>
> pass in quick on $int_if proto { tcp,udp } from $confiavel to $me port
> $port_ssh keep state
>
> pass out quick on $int_if proto { tcp,udp } from $me port $port_ssh to
> $confiavel keep state
>
> # fecha ssh de outros que nao seja confiaveis
>
> block in quick proto { tcp,udp } from any to $me port $port_ssh
>
> block out quick proto { tcp,udp } from $me port $port_ssh to any
>
> # aceitar ssh para 2
>
> pass quick proto { tcp,udp } from any to 200.250.x.2 port $port_ssh keep
> state
>
> pass quick proto { tcp,udp } from 200.250.x.2 to any keep state
>
> # Prioridade de 1024 para voips
>
> pass out quick on $int_if proto tcp from any to $voip flags S/SAU keep
> state
> queue ivoip
>
> pass in quick on $int_if proto tcp from $voip to any flags S/SAU keep
> state
> queue evoip
>
> pass out quick on $ext_if proto tcp from $voip to any flags S/SAU keep
> state
> queue evoip
>
> pass in quick on $ext_if proto tcp from any to $voip flags S/SAU keep
> state
> queue ivoip
>
> # prio das portas voip sip: tcp
>
> pass out quick on $int_if proto tcp from any to $redes port $port_voip
> flags
> S/SAU keep state queue ivoip
>
> pass in quick on $int_if proto tcp from $redes to any port $port_voip
> flags
> S/SAU keep state queue evoip
>
> pass out quick on $ext_if proto tcp from $redes to any port $port_voip
> flags
> S/SAU keep state queue evoip
>
> pass in quick on $ext_if proto tcp from any to $redes port $port_voip
> flags
> S/SAU keep state queue ivoip
>
> # Prioridade das portas voip
>
> # prio das portas voip sip: udp
>
> pass out quick on $int_if proto udp from any to $redes port $port_voip
> keep
> state queue iserv
>
> pass in quick on $int_if proto udp from $redes to any port $port_voip keep
> state queue eserv
>
> pass out quick on $ext_if proto udp from $redes to any port $port_voip
> keep
> state queue eserv
>
> pass in quick on $ext_if proto udp from any to $redes port $port_voip keep
> state queue iserv
>
>
>
> # portas udp de sip 506x
>
> pass out quick on $int_if proto udp from any to $redes port $portudp_voip
> keep state queue iserv
>
> pass in quick on $int_if proto udp from $redes to any port $portudp_voip
> keep state queue eserv
>
> pass out quick on $ext_if proto udp from $redes to any port $portudp_voip
> keep state queue eserv
>
> pass in quick on $ext_if proto udp from any to $redes port $portudp_voip
> keep state queue iserv
>
>
>
> # portas h323
>
> pass out quick on $int_if proto { tcp,udp } from any to $redes port
> $port_h323 keep state queue iserv
>
> pass in quick on $int_if proto {tcp,udp } from $redes to any port
> $port_h323
> keep state queue eserv
>
> pass out quick on $ext_if proto { tcp,udp } from $redes to any port
> $port_h323 keep state queue eserv
>
> pass in quick on $ext_if proto {tcp,udp } from any to $redes port
> $port_h323
> keep state queue iserv
>
>
>
> #portas dos nosso ssh
>
> pass out quick on $int_if proto { tcp,udp } from any to any port $port_ssh
> keep state queue iserv
>
> pass in quick on $int_if proto {tcp,udp } from any port $port_ssh to any
> keep state queue eserv
>
> pass out quick on $ext_if proto { tcp,udp } from any port $port_ssh to any
> keep state queue eserv
>
> pass in quick on $ext_if proto {tcp,udp } from any to any port $port_ssh
> keep state queue iserv
>
>
>
> #libera o trafego de serviços +comuns
>
> #int int +comuns
>
> pass out quick on $int_if proto { tcp,udp } from any to $redes port
> $port_serv keep state queue iserv
>
> pass in quick on $int_if proto { tcp,udp } from $redes port $port_serv to
> any keep state queue eserv
>
> #int ext +comuns
>
> pass out quick on $ext_if proto { tcp,udp } from $redes port $port_serv to
> any keep state queue eserv
>
> pass in quick on $ext_if proto { tcp,udp } from any to $redes port
> $port_serv keep state queue iserv
>
>
>
> ## libera icmp
>
> #icmp para interface interna
>
> pass out quick on $int_if proto icmp from any to $redes queue iserv
>
> pass in quick on $int_if proto icmp from $redes to any queue eserv
>
> #icmp para interface externa
>
> pass out quick on $ext_if proto icmp from $redes to any queue eserv
>
> pass in quick on $ext_if proto icmp from any to $redes queue iserv
>
>
>
> # libera todas portas para o resto do link que sobrar
>
> pass out quick on $int_if from any to $redes queue irest
>
> pass in quick on $int_if from $redes to any queue erest
>
> pass out quick on $ext_if from $redes to any queue erest
>
> pass in quick on $ext_if from any to $redes queue irest
>
>
> ----- Original Message -----
> From: "Fabiano (BiGu)" <bigu at grupoheringer.com.br>
> To: ""Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)""
> <freebsd at fug.com.br>
> Sent: Tuesday, June 19, 2007 12:08 PM
> Subject: Re: [FUG-BR] ALTQ não controla banda
>
>
> Gilberto Villani Brito escreveu:
>
>> On 19/06/07, Fabiano (BiGu) <bigu at grupoheringer.com.br> wrote:
>>
>>
>>> Pois eh, mas aqui nao funciona...nao sei o q estou fazendo errado...
>>> Ja vasculhei o manual do PF de cabo a rabo...e estou fazendo a
>>> configuracao exata como esta no manual...
>>>
>>> Gilberto Villani Brito escreveu:
>>>
>>>
>>>> On 17/06/07, Fabiano (BiGu) <bigu at grupoheringer.com.br> wrote:
>>>>
>>>>
>>>>
>>>>> Oi Galera,
>>>>>
>>>>> Montei um ALTQ + PF aqui mas nao estou conseguindo controlar banda
>>>>> de um IP
>>>>>
>>>>> fiz o seguinte:
>>>>>
>>>>> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>>>>>
>>>>> queue std bandwidth 128Kb priority 0 \
>>>>> cbq(default borrow)
>>>>>
>>>>> queue voip bandwidth 512Kb priority 7 \
>>>>> cbq(red ecn)
>>>>>
>>>>> queue email bandwidth 128Kb priority 0 \
>>>>> cbq(red ecn borrow)
>>>>>
>>>>> queue rede bandwidth 512Kb priority 0 \
>>>>> cbq(red ecn)
>>>>>
>>>>>
>>>>> E coloquei essas regras
>>>>>
>>>>> pass out quick proto { tcp icmp udp } from x.x.x.x to any \
>>>>> queue rede
>>>>> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>>>>> queue rede
>>>>>
>>>>>
>>>>> O problema que nao constrola a banda de jeito nenhum, esse ip utiliza
>>>>> toda a banda disponível do link...
>>>>> Quando rodo o pftop existe trafego nessas duas filas, q é exatamente
>>>>> desse IP...mas ele nao segura a banda..
>>>>>
>>>>> O que posso estar fazendo errado?
>>>>>
>>>>> uso freebsd 6.2-RELEASE
>>>>>
>>>>> Obrigado
>>>>> -------------------------
>>>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Funciona sim.
>>>> Verifique o histórico da lista que você vai encontrar um e-mail meu
>>>> com exemplos.
>>>>
>>>>
>>>> Abraços
>>>>
>>>>
>>>>
>>> -------------------------
>>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>>
>>>
>>>
>> Tente isso:
>> pass in (interface da rede interna) quick proto { tcp udp icmp } from
>> x.x.x.x to any queue rede
>>
>> Abraços
>>
>>
> opa, tentei isso ...sem sucesso tambem:
>
> vou mandar todo meu pf.conf
>
> ext_if=fxp1
> int_if=fxp0
>
> set optimization normal
> set block-policy drop
> set loginterface fxp1
> set loginterface fxp0
> set debug misc
> set skip on lo0
>
> scrub in all
> scrub out all
>
> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>
> queue std bandwidth 128Kb priority 1 \
> cbq(default)
>
> queue voip bandwidth 512Kb priority 7 \
> cbq(red ecn borrow)
>
> queue email bandwidth 256Kb priority 2 \
> cbq(red ecn borrow)
>
> queue rede bandwidth 512Kb priority 1 \
> cbq(red ecn)
>
> rdr on $int_if proto tcp from $rede_1 to any port 80 -> localhost port
> 3128
>
> block in on fxp1
> block out on fxp1
>
> pass out quick proto { tcp udp icmp } from x.x.x.x to any \
> queue rede
>
> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
> queue rede
>
>
> Se eu colocar a regra que o amigo citou acima, num consigo nem
> navegar...e desse jeito ele nao controla banda...ou seja, nao segura a
> conexao nos 512K
>
> Já estou quase pirando e num consigo resolver isso..eheheh
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
> __________ NOD32 2338 (20070619) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>
>
>
-------------------------
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
Mais detalhes sobre a lista de discussão freebsd