[FUG-BR] ALTQ does not control bandwidth

Fabiano (BiGu) bigu at grupoheringer.com.br
Tue Jun 19 15:32:18 BRT 2007


I understand, but I want both the internal and the external interface to have the same
criteria... so that's not a problem...

Thanks, it worked great!

Renato Martins wrote:
> That's right; to exempt them, put the rules right at the top.
> And I think you really do have to create two separate lines, not like 'altq on { fxp0 
> fxp1 }';
> that way, how are you going to separate what is external and what is internal?
> ----- Original Message -----
> From: "Fabiano (BiGu)" <bigu at grupoheringer.com.br>
> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
> <freebsd at fug.com.br>
> Sent: Tuesday, June 19, 2007 2:00 PM
> Subject: Re: [FUG-BR] ALTQ does not control bandwidth
>
>
> Hey Renato...
>
> It works nicely now!!!
>
> I just added 'altq on { fxp0 fxp1 }'; since I already had the outbound rules
> for the interfaces, it worked right away.
>
> My problem now is that the server's own access got limited too...
>
> I tried adding
>
> pass quick from any to $me (my server)
> pass quick from $me to any
>
> but it still keeps limiting... As I understood it, if I add a rule and don't
> specify any queue, the traffic passes freely, outside of
> ALTQ...
>
> Is that how it works? If not, how do I bypass ALTQ for certain
> rules? There are some IPs I need to leave unrestricted...
>
> Thanks
>
> Renato Martins wrote:
>   
>> Another thing: ALTQ only acts on the interface's outbound traffic, not inbound,
>> so create queues on both interfaces, the internal and the external.
>>
>> Here is an example:
>>
>> # interfaces
>> ext_if="re0"
>> int_if="re1"
>>
>> # IP and port configuration
>> internal_net="10.0.0.0/24"
>> external_addr="200.250.x.x"
>> me="{ 200.250.x.1, 10.x.x.2, 127.0.0.1 }"
>> confiavel="{ 200.250.x.x, 10.0.0.0/24 }"
>> ns="{ 200.250.x.9, 200.250.x.2 }"
>> voip="{ 200.250.x.4, 200.250.x.7 }"
>> port_serv="{ 20, 21, 22, 25, 53, 80, 81, 110, 143, 443, 8080 }"
>> port_ssh="22"
>> port_voip="{ 5060 >< 5063 }"
>> port_h323="{ 1718 >< 1721 }"
>> portudp_voip="{ 5999 >< 65000 }"
>> port_drop="{ 134 >< 139, 445, 1025 >< 1027, 444, 3456, 1234, 666 }"
>> port_all="{ 1 >< 65535 }"
>> redes="{ 10.0.0.0/24, 200.250.x.x/24 }"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set skip on lo
>> #set fingerprints "/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> #scrub in all
>>
>> # Queues on the external interface (outbound = upload).
>> altq on $ext_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { eresto, evoip, eserv }
>> queue eresto bandwidth 800Kb priority 1 cbq(default borrow)
>> queue evoip bandwidth 1.2Mb priority 3 cbq(borrow)
>> queue eserv bandwidth 2.0Mb priority 2 cbq(borrow)
>>
>> # Queues on the internal interface (outbound = download).
>> altq on $int_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { iresto, ivoip, iserv }
>> queue iresto bandwidth 800Kb priority 1 cbq(default borrow)
>> queue ivoip bandwidth 1.2Mb priority 3 cbq(borrow)
>> queue iserv bandwidth 2.0Mb priority 2 cbq(borrow)
>>
>> # NAT for the client network
>> nat on $ext_if from $internal_net to any -> ($ext_if)
>>
>> # rdr outgoing FTP requests to the ftp-proxy
>> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> ## squid
>> #no rdr on $int_if proto tcp from 200.250.x.x to any port 80
>> rdr on $int_if proto tcp from 200.250.x.8 to any port 80 -> 127.0.0.1 port 3128
>>
>> # Filtering: the implicit first two rules are
>> block in all
>> block out all
>>
>> # allow access to Receita
>> pass proto tcp from $redes to 161.148.0.0/16 keep state queue eserv
>> pass proto tcp from 161.148.0.0/16 to $redes keep state queue iserv
>> pass quick proto tcp from $redes to 161.148.0.0/16 port 3456 keep state queue eserv
>> pass quick proto tcp from 161.148.0.0/16 port 3456 to $redes keep state queue iserv
>>
>> # block spoofed and broadcast traffic coming from outside the network
>> block quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
>> block quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }
>>
>> # accept traffic from the network to localhost
>> pass in on lo from $redes to 127.0.0.1 keep state
>>
>> # allow the network to reach the proxy
>> #pass quick proto { tcp, udp } from $redes to $me port 3128 keep state
>> #pass quick proto { tcp, udp } from $me to $redes keep state
>>
>> # block spoofed Windows ports
>> block quick proto { tcp, udp } from any to any port $port_drop
>>
>> # accept ssh only from trusted hosts
>> pass in quick on $int_if proto { tcp, udp } from $confiavel to $me port $port_ssh keep state
>> pass out quick on $int_if proto { tcp, udp } from $me port $port_ssh to $confiavel keep state
>>
>> # close ssh to anyone who is not trusted
>> block in quick proto { tcp, udp } from any to $me port $port_ssh
>> block out quick proto { tcp, udp } from $me port $port_ssh to any
>>
>> # accept ssh to .2
>> pass quick proto { tcp, udp } from any to 200.250.x.2 port $port_ssh keep state
>> pass quick proto { tcp, udp } from 200.250.x.2 to any keep state
>>
>> # Priority of 1024 for the VoIP hosts
>> pass out quick on $int_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
>> pass in quick on $int_if proto tcp from $voip to any flags S/SAU keep state queue evoip
>> pass out quick on $ext_if proto tcp from $voip to any flags S/SAU keep state queue evoip
>> pass in quick on $ext_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
>>
>> # priority for the VoIP SIP ports: tcp
>> pass out quick on $int_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip
>> pass in quick on $int_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
>> pass out quick on $ext_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
>> pass in quick on $ext_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip
>>
>> # Priority for the VoIP ports
>> # priority for the VoIP SIP ports: udp
>> pass out quick on $int_if proto udp from any to $redes port $port_voip keep state queue iserv
>> pass in quick on $int_if proto udp from $redes to any port $port_voip keep state queue eserv
>> pass out quick on $ext_if proto udp from $redes to any port $port_voip keep state queue eserv
>> pass in quick on $ext_if proto udp from any to $redes port $port_voip keep state queue iserv
>>
>> # SIP udp ports 506x
>> pass out quick on $int_if proto udp from any to $redes port $portudp_voip keep state queue iserv
>> pass in quick on $int_if proto udp from $redes to any port $portudp_voip keep state queue eserv
>> pass out quick on $ext_if proto udp from $redes to any port $portudp_voip keep state queue eserv
>> pass in quick on $ext_if proto udp from any to $redes port $portudp_voip keep state queue iserv
>>
>> # h323 ports
>> pass out quick on $int_if proto { tcp, udp } from any to $redes port $port_h323 keep state queue iserv
>> pass in quick on $int_if proto { tcp, udp } from $redes to any port $port_h323 keep state queue eserv
>> pass out quick on $ext_if proto { tcp, udp } from $redes to any port $port_h323 keep state queue eserv
>> pass in quick on $ext_if proto { tcp, udp } from any to $redes port $port_h323 keep state queue iserv
>>
>> # ports for our ssh
>> pass out quick on $int_if proto { tcp, udp } from any to any port $port_ssh keep state queue iserv
>> pass in quick on $int_if proto { tcp, udp } from any port $port_ssh to any keep state queue eserv
>> pass out quick on $ext_if proto { tcp, udp } from any port $port_ssh to any keep state queue eserv
>> pass in quick on $ext_if proto { tcp, udp } from any to any port $port_ssh keep state queue iserv
>>
>> # allow traffic for the most common services
>> # internal: common services
>> pass out quick on $int_if proto { tcp, udp } from any to $redes port $port_serv keep state queue iserv
>> pass in quick on $int_if proto { tcp, udp } from $redes port $port_serv to any keep state queue eserv
>> # external: common services
>> pass out quick on $ext_if proto { tcp, udp } from $redes port $port_serv to any keep state queue eserv
>> pass in quick on $ext_if proto { tcp, udp } from any to $redes port $port_serv keep state queue iserv
>>
>> ## allow icmp
>> # icmp on the internal interface
>> pass out quick on $int_if proto icmp from any to $redes queue iserv
>> pass in quick on $int_if proto icmp from $redes to any queue eserv
>> # icmp on the external interface
>> pass out quick on $ext_if proto icmp from $redes to any queue eserv
>> pass in quick on $ext_if proto icmp from any to $redes queue iserv
>>
>> # allow all other ports into whatever link is left over
>> # (the queues are named iresto/eresto above; 'irest'/'erest' do not exist)
>> pass out quick on $int_if from any to $redes queue iresto
>> pass in quick on $int_if from $redes to any queue eresto
>> pass out quick on $ext_if from $redes to any queue eresto
>> pass in quick on $ext_if from any to $redes queue iresto
>>
>>
>> ----- Original Message -----
>> From: "Fabiano (BiGu)" <bigu at grupoheringer.com.br>
>> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"
>> <freebsd at fug.com.br>
>> Sent: Tuesday, June 19, 2007 12:08 PM
>> Subject: Re: [FUG-BR] ALTQ does not control bandwidth
>>
>>
>> Gilberto Villani Brito wrote:
>>
>>     
>>> On 19/06/07, Fabiano (BiGu) <bigu at grupoheringer.com.br> wrote:
>>>
>>>
>>>       
>>>> Yeah, but here it doesn't work... I don't know what I'm doing wrong...
>>>> I've already gone through the PF manual from end to end... and I'm doing the
>>>> configuration exactly as it is in the manual...
>>>>
>>>> Gilberto Villani Brito wrote:
>>>>
>>>>
>>>>         
>>>>> On 17/06/07, Fabiano (BiGu) <bigu at grupoheringer.com.br> wrote:
>>>>>
>>>>>
>>>>>
>>>>>           
>>>>>> Hi folks,
>>>>>>
>>>>>>     I set up ALTQ + PF here but I can't manage to control the bandwidth
>>>>>> of one IP.
>>>>>>
>>>>>> I did the following:
>>>>>>
>>>>>> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>>>>>>
>>>>>>         queue std bandwidth 128Kb priority 0 \
>>>>>>                 cbq(default borrow)
>>>>>>
>>>>>>         queue voip bandwidth 512Kb priority 7 \
>>>>>>                 cbq(red ecn)
>>>>>>
>>>>>>         queue email bandwidth 128Kb priority 0 \
>>>>>>                 cbq(red ecn borrow)
>>>>>>
>>>>>>         queue rede bandwidth 512Kb priority 0 \
>>>>>>                 cbq(red ecn)
>>>>>>
>>>>>>
>>>>>> And I added these rules
>>>>>>
>>>>>> pass out quick proto { tcp icmp udp } from x.x.x.x to any \
>>>>>>         queue rede
>>>>>> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>>>>>>         queue rede
>>>>>>
>>>>>>
>>>>>> The problem is that it doesn't control the bandwidth at all; this IP uses
>>>>>> all the available bandwidth of the link...
>>>>>> When I run pftop there is traffic in these two queues, which is exactly
>>>>>> from this IP... but it doesn't hold the bandwidth down..
>>>>>>
>>>>>> What could I be doing wrong?
>>>>>>
>>>>>> I'm using FreeBSD 6.2-RELEASE
>>>>>>
>>>>>> Thanks
>>>>>> -------------------------
>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>> It does work.
>>>>> Check the list archive and you'll find an e-mail of mine
>>>>> with examples.
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>>
>>>>>           
>>>>
>>>>
>>>>
>>>>         
>>> Try this:
>>> pass in on (internal network interface) quick proto { tcp udp icmp } from
>>> x.x.x.x to any queue rede
>>>
>>> Regards
>>>
>>>
>>>       
>> Hey, I tried that... no success either:
>>
>> I'll send my whole pf.conf
>>
>> ext_if=fxp1
>> int_if=fxp0
>>
>> set optimization normal
>> set block-policy drop
>> # pf keeps a single loginterface; the second "set loginterface" replaces the first
>> set loginterface fxp1
>> set loginterface fxp0
>> set debug misc
>> set skip on lo0
>>
>> scrub in all
>> scrub out all
>>
>> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>>
>>         queue std bandwidth 128Kb priority 1 \
>>                 cbq(default)
>>
>>         queue voip bandwidth 512Kb priority 7 \
>>                 cbq(red ecn borrow)
>>
>>         queue email bandwidth 256Kb priority 2 \
>>                 cbq(red ecn borrow)
>>
>>         queue rede bandwidth 512Kb priority 1 \
>>                 cbq(red ecn)
>>
>> # $rede_1 is never defined in this file; pfctl rejects an undefined macro,
>> # so it must be defined above this line before the ruleset will load
>> rdr on $int_if proto tcp from $rede_1 to any port 80 -> localhost port 3128
>>
>> block in on fxp1
>> block out on fxp1
>>
>> pass out quick proto { tcp udp icmp } from x.x.x.x to any \
>>         queue rede
>>
>> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>>         queue rede
>>
>>
>> If I add the rule our friend mentioned above, I can't even
>> browse... and this way it doesn't control bandwidth... that is, it doesn't hold the
>> connection to 512K.
>>
>> I'm about to go crazy and I can't solve this.. heheh
>   
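The thread turns on three things that are easy to get wrong in an ALTQ ruleset and that only show up as "it does not shape": ALTQ shapes traffic on the way out of the interface the queue is attached to, so a two-interface setup needs a queue set on each side; a rule that names a queue the outbound interface does not have falls into that interface's default queue; and pfctl itself refuses a parent whose children oversubscribe it or an interface with no `cbq(default)` queue. The following lint is an added example for this page, not code posted by anyone in the thread. It checks those three points offline on a pf.conf string. The two sample configurations inside it are constructed for the example (modelled on the queue layouts quoted above, with the `irest`/`iresto` typo and one misdirected rule deliberately kept), and it assumes flat cbq queues with absolute bandwidths; percentage bandwidths and nested queue hierarchies are skipped rather than checked.

```python
# Added example (not from the thread): offline lint of the ALTQ part of a pf.conf for
# the mistakes discussed above. Assumes flat cbq queues with absolute b/Kb/Mb/Gb
# bandwidths; percent bandwidths and nested queues are skipped, not checked.
import re

# Constructed sample modelled on the two-interface CBQ layout in the thread; the
# queue-name typo (irest vs iresto) and a rule that sends traffic leaving ext_if
# to an int_if queue are left in on purpose.
SAMPLE_PF_CONF = """\
ext_if="re0"
int_if="re1"
altq on $ext_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { eresto, evoip, eserv }
queue eresto bandwidth 800Kb priority 1 cbq(default borrow)
queue evoip bandwidth 1.2Mb priority 3 cbq(borrow)
queue eserv bandwidth 2.0Mb priority 2 cbq(borrow)
altq on $int_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { iresto, ivoip, iserv }
queue iresto bandwidth 800Kb priority 1 cbq(default borrow)
queue ivoip bandwidth 1.2Mb priority 3 cbq(borrow)
queue iserv bandwidth 2.0Mb priority 2 cbq(borrow)
pass out quick on $int_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
pass out quick on $ext_if proto udp from $redes to any port 5060 keep state queue iserv
pass out quick on $int_if from any to $redes queue irest
pass in quick on $ext_if from any to $redes queue irest
"""

# Constructed sample whose children oversubscribe the 2Mb parent and which has no
# default queue; 'pfctl -nf' rejects both, the lint reports them without pf.
OVERSUBSCRIBED_PF_CONF = """\
altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
queue std bandwidth 1Mb priority 1 cbq(borrow)
queue voip bandwidth 512Kb priority 7 cbq(red ecn borrow)
queue email bandwidth 256Kb priority 2 cbq(red ecn borrow)
queue rede bandwidth 512Kb priority 1 cbq(red ecn)
"""

UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?$')
ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+(.*?)\s*queue\s*\{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue\s+(\w+)\s+(.*)$")
RULE_RE = re.compile(r"^(?:pass|block|match)\s+(?:(in|out)\s+)?(?:log\s+)?"
                     r"(?:quick\s+)?(?:on\s+(\S+)\s+)?.*\bqueue\s+\(?\s*(\w+)")


def parse_bandwidth(spec):
    """'800Kb' -> 800000 bits/s; percent specs are parent-relative and return None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)b?", spec)
    return None if m is None else round(float(m.group(1)) * UNITS[m.group(2)])


def resolve(token, macros):
    # Expand a $macro interface name; anything else is returned unchanged.
    return macros.get(token[1:], token) if token.startswith("$") else token


def lint_altq(text):
    """Return human-readable findings for the ALTQ setup in a pf.conf string."""
    macros, queue_if, parent_bw, child_bw, default_queues = {}, {}, {}, {}, set()
    findings = []
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]

    # Pass 1: macros, 'altq on' statements (queue -> interface), queue definitions.
    for line in lines:
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := ALTQ_RE.match(line):
            ifname = resolve(m.group(1), macros)
            bw = re.search(r"bandwidth\s+(\S+)", m.group(2))
            parent_bw[ifname] = parse_bandwidth(bw.group(1)) if bw else None
            for name in re.split(r"[\s,]+", m.group(3).strip()):
                queue_if[name] = ifname
        elif m := QUEUE_RE.match(line):
            name, opts = m.groups()
            bw = re.search(r"bandwidth\s+(\S+)", opts)
            child_bw[name] = parse_bandwidth(bw.group(1)) if bw else None
            if "default" in re.findall(r"\w+", opts):
                default_queues.add(name)

    # Pass 2: filter rules. ALTQ shapes only packets leaving the interface a queue is
    # attached to, so an 'out on IF' rule must name one of IF's own queues.
    for n, line in enumerate(lines, 1):
        if not (m := RULE_RE.match(line)):
            continue
        direction, ifspec, q = m.groups()
        ifname = resolve(ifspec, macros) if ifspec else None
        if q not in queue_if:
            findings.append(f"line {n}: queue '{q}' is not defined under any 'altq on' statement")
        elif direction == "out" and ifname and queue_if[q] != ifname:
            findings.append(f"line {n}: 'out on {ifname}' assigns queue '{q}', which belongs to "
                            f"{queue_if[q]}; it will land in {ifname}'s default queue instead")

    # Pass 3: per-interface checks that pfctl would also reject.
    default_ifs = {queue_if.get(q) for q in default_queues}
    for ifname, total in parent_bw.items():
        kids = [q for q, i in queue_if.items() if i == ifname]
        used = sum(child_bw.get(q) or 0 for q in kids)
        if total is not None and used > total:
            findings.append(f"{ifname}: child queues request {used} b/s but the parent has {total} b/s")
        if ifname not in default_ifs:
            findings.append(f"{ifname}: no queue is marked cbq(default); pf needs one per altq interface")
    return findings


if __name__ == "__main__":
    for conf in (SAMPLE_PF_CONF, OVERSUBSCRIBED_PF_CONF):
        print("\n".join(lint_altq(conf) or ["no findings"]), "\n")
```

Run it on a real pf.conf with `python3 lint_altq.py` after swapping in the file contents; it is a pre-check, not a replacement for `pfctl -nf /etc/pf.conf`, which remains the authority on what the kernel will accept. The direction check is deliberately one-sided: an `in on IF` rule tags the state with a queue that is applied when the packets exit the other interface, so it cannot be validated without knowing the routing, while an `out on IF` rule naming a queue IF does not own is always a mistake.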



More information about the freebsd mailing list