[FUG-BR] ALTQ does not control bandwidth

Renato Martins renato at redenetworks.com.br
Tue Jun 19 13:34:34 BRT 2007


Another thing: ALTQ only acts on the outbound side of an interface, not on the inbound, so create queues on both interfaces, the internal and the external.

Here is an example:

# interfaces
ext_if="re0"
int_if="re1"

# IP and port configuration
internal_net="10.0.0.0/24"
external_addr="200.250.x.x"
me="{ 200.250.x.1, 10.x.x.2, 127.0.0.1 }"
confiavel="{ 200.250.x.x 10.0.0.0/24}"
ns="{ 200.250.x.9, 200.250.x.2 }"
voip="{ 200.250.x.4, 200.250.x.7 }"
port_serv="{ 20, 21, 22, 25, 53, 80, 81, 110, 143, 443, 8080 }"
port_ssh="22"
port_voip="{ 5060 >< 5063 }"
port_h323="{ 1718 >< 1721 }"
portudp_voip="{5999 >< 65000 }"
port_drop="{134 >< 139, 445, 1025 >< 1027, 444, 3456, 1234, 666 }"
port_all="{ 1><65535 }"
redes="{ 10.0.0.0/24, 200.250.x.x/24 }"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set skip on lo
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queue on the external interface: upload.
altq on $ext_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { eresto, evoip, eserv }
queue eresto bandwidth 800Kb priority 1 cbq(default borrow)
queue evoip bandwidth 1.2Mb priority 3 cbq(borrow)
queue eserv bandwidth 2.0Mb priority 2 cbq(borrow)

# Queue on the internal interface: download.
altq on $int_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { iresto, ivoip, iserv }
queue iresto bandwidth 800Kb priority 1 cbq(default borrow)
queue ivoip bandwidth 1.2Mb priority 3 cbq(borrow)
queue iserv bandwidth 2.0Mb priority 2 cbq(borrow)

# NAT for the client network
nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

## squid
#no rdr on $int_if proto tcp from 200.250.x.x to any port 80
rdr on $int_if proto tcp from 200.250.x.8 to any port 80 -> 127.0.0.1 port 3128

# Filtering: the implicit first two rules are
block in all
block out all

# allow access to Receita (tax agency)
pass proto tcp from $redes to 161.148.0.0/16 keep state queue eserv
pass proto tcp from 161.148.0.0/16 to $redes keep state queue iserv
pass quick proto tcp from $redes to 161.148.0.0/16 port 3456 keep state queue eserv
pass quick proto tcp from 161.148.0.0/16 port 3456 to $redes keep state queue iserv

# block spoofed and broadcast traffic coming from outside the network
block quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
block quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }

# accept traffic from the network to localhost
pass in on lo from $redes to 127.0.0.1 keep state

# allow the network access to the proxy
#pass quick proto {tcp,udp } from $redes to $me port 3128 keep state
#pass quick proto {tcp,udp } from $me to $redes keep state

# block spoofed Windows ports
block quick proto { tcp,udp } from any to any port $port_drop

# accept SSH only from trusted hosts
pass in quick on $int_if proto { tcp,udp } from $confiavel to $me port $port_ssh keep state
pass out quick on $int_if proto { tcp,udp } from $me port $port_ssh to $confiavel keep state

# close SSH from anyone who is not trusted
block in quick proto { tcp,udp } from any to $me port $port_ssh
block out quick proto { tcp,udp } from $me port $port_ssh to any

# accept SSH to .2
pass quick proto { tcp,udp } from any to 200.250.x.2 port $port_ssh keep state
pass quick proto { tcp,udp } from 200.250.x.2 to any keep state

# Priority of 1024 for VoIP
pass out quick on $int_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
pass in quick on $int_if proto tcp from $voip to any flags S/SAU keep state queue evoip
pass out quick on $ext_if proto tcp from $voip to any flags S/SAU keep state queue evoip
pass in quick on $ext_if proto tcp from any to $voip flags S/SAU keep state queue ivoip

# priority for the VoIP SIP ports: tcp
pass out quick on $int_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip
pass in quick on $int_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
pass out quick on $ext_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
pass in quick on $ext_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip

# Priority for the VoIP ports
# priority for the VoIP SIP ports: udp
pass out quick on $int_if proto udp from any to $redes port $port_voip keep state queue iserv
pass in quick on $int_if proto udp from $redes to any port $port_voip keep state queue eserv
pass out quick on $ext_if proto udp from $redes to any port $port_voip keep state queue eserv
pass in quick on $ext_if proto udp from any to $redes port $port_voip keep state queue iserv

# SIP UDP ports 506x
pass out quick on $int_if proto udp from any to $redes port $portudp_voip keep state queue iserv
pass in quick on $int_if proto udp from $redes to any port $portudp_voip keep state queue eserv
pass out quick on $ext_if proto udp from $redes to any port $portudp_voip keep state queue eserv
pass in quick on $ext_if proto udp from any to $redes port $portudp_voip keep state queue iserv

# H.323 ports
pass out quick on $int_if proto { tcp,udp } from any to $redes port $port_h323 keep state queue iserv
pass in quick on $int_if proto {tcp,udp } from $redes to any port $port_h323 keep state queue eserv
pass out quick on $ext_if proto { tcp,udp } from $redes to any port $port_h323 keep state queue eserv
pass in quick on $ext_if proto {tcp,udp } from any to $redes port $port_h323 keep state queue iserv

# our SSH ports
pass out quick on $int_if proto { tcp,udp } from any to any port $port_ssh keep state queue iserv
pass in quick on $int_if proto {tcp,udp } from any port $port_ssh to any keep state queue eserv
pass out quick on $ext_if proto { tcp,udp } from any port $port_ssh to any keep state queue eserv
pass in quick on $ext_if proto {tcp,udp } from any to any port $port_ssh keep state queue iserv

# allow traffic for the most common services
# internal interface, common services
pass out quick on $int_if proto { tcp,udp } from any to $redes port $port_serv keep state queue iserv
pass in quick on $int_if proto { tcp,udp } from $redes port $port_serv to any keep state queue eserv

# external interface, common services
pass out quick on $ext_if proto { tcp,udp } from $redes port $port_serv to any keep state queue eserv
pass in quick on $ext_if proto { tcp,udp } from any to $redes port $port_serv keep state queue iserv

## allow ICMP
# ICMP on the internal interface
pass out quick on $int_if proto icmp from any to $redes queue iserv
pass in quick on $int_if proto icmp from $redes to any queue eserv

# ICMP on the external interface
pass out quick on $ext_if proto icmp from $redes to any queue eserv
pass in quick on $ext_if proto icmp from any to $redes queue iserv

# allow all remaining ports on whatever link bandwidth is left
# (the queues are named iresto/eresto above; the original rules said irest/erest, which pfctl rejects as undefined)
pass out quick on $int_if from any to $redes queue iresto
pass in quick on $int_if from $redes to any queue eresto
pass out quick on $ext_if from $redes to any queue eresto
pass in quick on $ext_if from any to $redes queue iresto
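
The egress-only behaviour described above is the usual reason an ALTQ ruleset "does not hold the bandwidth", so here is an added example (not from this thread, not part of pf) in Python: a small lint pass over a pf.conf that reports queues no altq statement defines, pass out rules whose queue lives on a different interface from the one the packets leave, and interfaces that carry rules but have no altq at all. The sample ruleset and the host 10.0.0.5 are constructed for the example.

```python
import re
# Constructed sample pf.conf (not from the thread). It reproduces the two mistakes
# the thread turns on: ALTQ declared on the external interface only, so nothing
# shapes what leaves fxp0 (downloads), and a rule naming a queue no altq defines.
SAMPLE_PF_CONF = """\
ext_if="fxp1"
int_if="fxp0"
altq on $ext_if cbq bandwidth 2Mb queue { std, voip, rede }
queue std bandwidth 128Kb cbq(default)
queue voip bandwidth 512Kb cbq(borrow)
queue rede bandwidth 512Kb cbq(red ecn)
pass in quick on $int_if from 10.0.0.5 to any keep state queue rede
pass out quick on $int_if from any to 10.0.0.5 keep state queue rede
pass in quick on $ext_if from any to 10.0.0.5 keep state queue redes
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*$')
ALTQ_RE = re.compile(r'^\s*altq\s+on\s+(\S+).*\bqueue\s*\{([^}]*)\}')
RULE_RE = re.compile(r'^\s*pass\s+(in|out)\b.*?\bon\s+(\S+).*\bqueue\s+(\w+)')

def lint_altq(conf):
    """Return findings for queue assignments that cannot shape what they claim.
    Only 'altq on IF ... queue { ... }' and 'pass in|out ... on IF ... queue NAME' are parsed."""
    macros, queue_if, rule_ifs, findings = {}, {}, set(), []
    for raw in conf.splitlines():
        m = MACRO_RE.match(raw)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        # Expand $name macros the way pfctl does before parsing the line.
        line = re.sub(r'\$(\w+)', lambda k: macros.get(k.group(1), k.group(0)), raw)
        m = ALTQ_RE.match(line)
        if m:
            queue_if.update((q, m.group(1)) for q in re.split(r'[\s,]+', m.group(2).strip()) if q)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        direction, ifc, q = m.groups()
        rule_ifs.add(ifc)
        if q not in queue_if:
            findings.append(f"queue {q} is referenced but no altq statement defines it")
        elif direction == "out" and queue_if[q] != ifc:
            # ALTQ shapes on the interface a packet leaves; a queue that lives
            # elsewhere cannot shape the forward direction of this rule.
            findings.append(f"traffic leaving {ifc} is assigned queue {q}, which lives on {queue_if[q]}; that direction stays unshaped")
    for ifc in sorted(rule_ifs - set(queue_if.values())):
        findings.append(f"no altq on {ifc}: traffic leaving it (the other half of the link) is never shaped")
    return findings
```

Run against a real ruleset, an empty list means every queue reference points at an altq on the interface the traffic actually exits; the posted fix (altq on both interfaces) is exactly what clears the last finding.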


----- Original Message -----
From: "Fabiano (BiGu)" <bigu at grupoheringer.com.br>
To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" <freebsd at fug.com.br>
Sent: Tuesday, June 19, 2007 12:08 PM
Subject: Re: [FUG-BR] ALTQ does not control bandwidth


Gilberto Villani Brito wrote:
> On 19/06/07, Fabiano (BiGu) <bigu at grupoheringer.com.br> wrote:
>
>> Yeah, but here it doesn't work... I don't know what I'm doing wrong...
>> I've already combed through the PF manual from end to end... and I'm doing
>> the configuration exactly as it is in the manual...
>>
>> Gilberto Villani Brito wrote:
>>
>>> On 17/06/07, Fabiano (BiGu) <bigu at grupoheringer.com.br> wrote:
>>>
>>>
>>>> Hi folks,
>>>>
>>>>     I set up ALTQ + PF here but I can't manage to control the bandwidth
>>>> of one IP
>>>>
>>>> I did the following:
>>>>
>>>> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>>>>
>>>>         queue std bandwidth 128Kb priority 0 \
>>>>                 cbq(default borrow)
>>>>
>>>>         queue voip bandwidth 512Kb priority 7 \
>>>>                 cbq(red ecn)
>>>>
>>>>         queue email bandwidth 128Kb priority 0 \
>>>>                 cbq(red ecn borrow)
>>>>
>>>>         queue rede bandwidth 512Kb priority 0 \
>>>>                 cbq(red ecn)
>>>>
>>>>
>>>> And I added these rules
>>>>
>>>> pass out quick proto { tcp icmp udp } from x.x.x.x to any \
>>>>         queue rede
>>>> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>>>>         queue rede
>>>>
>>>>
>>>> The problem is that it doesn't control the bandwidth at all; this IP uses
>>>> all the available bandwidth of the link...
>>>> When I run pftop there is traffic in those two queues, which is exactly
>>>> from this IP... but it doesn't hold the bandwidth back..
>>>>
>>>> What could I be doing wrong?
>>>>
>>>> I'm using freebsd 6.2-RELEASE
>>>>
>>>> Thanks
>>>> -------------------------
>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>
>>>>
>>>>
>>> It does work.
>>> Check the list archive and you will find an e-mail of mine with
>>> examples.
>>>
>>>
>>> Regards
>>>
>>>
>>
>>
> Try this:
> pass in (internal network interface) quick proto { tcp udp icmp } from
> x.x.x.x to any queue rede
>
> Regards
>
Well, I tried that... without success as well:

I'll send my whole pf.conf

ext_if=fxp1
int_if=fxp0

set optimization normal
set block-policy drop
set loginterface fxp1
set loginterface fxp0
set debug misc
set skip on lo0

scrub in all
scrub out all

altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }

        queue std bandwidth 128Kb priority 1 \
                cbq(default)

        queue voip bandwidth 512Kb priority 7 \
                cbq(red ecn borrow)

        queue email bandwidth 256Kb priority 2 \
                cbq(red ecn borrow)

        queue rede bandwidth 512Kb priority 1 \
                cbq(red ecn)

rdr on $int_if proto tcp from $rede_1 to any port 80 -> localhost port 3128

block in on fxp1
block out on fxp1

pass out quick proto { tcp udp icmp } from x.x.x.x to any \
        queue rede

pass in quick proto { tcp udp icmp } from any to x.x.x.x \
        queue rede


If I add the rule our friend mentioned above, I can't even browse... and
this way it doesn't control the bandwidth... that is, it doesn't hold the
connection at 512K

I'm about to go crazy and I can't solve this.. heheh