[FUG-BR] limiting upload with PF+ALTQ

Rogério Moura rogerpop at gmail.com
Thu Nov 19 12:09:56 BRST 2009


Folks, thanks to everyone for the tips.
Below is what works for me:

################################################################################
############################### Interface definitions ##########################
################################################################################
if_ext="em0"
if_int="em1"

################################################################################
############################### Network definitions ############################
################################################################################
# Networks
rede_1="192.168.1.0/24"
rede_2="192.168.2.0/24"

# IP addresses
ip_nat="200.163.75.250"

################################################################################
############################### Table definitions ##############################
################################################################################
table <bruteforce> persist

################################################################################
############################### Option definitions #############################
################################################################################
set limit states 40000
set ruleset-optimization basic
set optimization aggressive
set require-order yes
set skip on lo0

################################################################################
################################ Normalization #################################
################################################################################
scrub in all fragment reassemble random-id no-df

################################################################################
################ Bandwidth control and packet prioritisation ###################
################################################################################
# Upload: queues on the external interface (packets leaving towards the Internet)
altq on $if_ext hfsc bandwidth 2Mb queue { ustd, urede_1, urede_2 }
    queue ustd    bandwidth 1Kb   priority 0 hfsc (default realtime 1Kb upperlimit 2Kb)
    queue urede_1 bandwidth 1Mb   priority 7 qlimit 500 hfsc (realtime 1Mb upperlimit 2Mb)
    queue urede_2 bandwidth 500Kb priority 7 qlimit 500 hfsc (realtime 500Kb upperlimit 1Mb)

# Download: queues on the internal interface (packets leaving towards the LANs).
# Only one altq discipline can be attached per interface, so this block has to
# sit on $if_int; the 100Mb root is the LAN-side link speed.
altq on $if_int hfsc bandwidth 100Mb queue { dstd, drede_1, drede_2 }
    queue dstd    bandwidth 1Kb   priority 0 hfsc (default realtime 1Kb upperlimit 2Kb)
    queue drede_1 bandwidth 1Mb   priority 7 qlimit 500 hfsc (realtime 1Mb upperlimit 2Mb)
    queue drede_2 bandwidth 500Kb priority 7 qlimit 500 hfsc (realtime 500Kb upperlimit 1Mb)

################################################################################
################################ NAT ###########################################
################################################################################
# The tag set here survives translation, so the outbound rules on $if_ext can
# still tell which LAN a packet came from after its source has become $ip_nat.
nat on $if_ext from { $rede_1 } to any tag rede_1 -> $ip_nat

nat on $if_ext from { $rede_2 } to any tag rede_2 -> $ip_nat

################################################################################
################################# Antispoof ####################################
################################################################################
antispoof for { $if_int $if_ext }

################################################################################
############################ Filter rules ######################################
################################################################################
# Network 1: inbound on the LAN side picks the download queue, outbound on the
# WAN side matches on the NAT tag and picks the upload queue.
pass in  quick on $if_int inet proto tcp from $rede_1 to any modulate state label rede_1 queue drede_1
pass out quick on $if_ext inet proto tcp from $ip_nat to any tagged rede_1 modulate state label rede_1 queue urede_1

pass in  quick on $if_int inet proto { udp icmp } from $rede_1 to any label rede_1 queue drede_1
pass out quick on $if_ext inet proto { udp icmp } from $ip_nat to any tagged rede_1 label rede_1 queue urede_1

# Network 2: same pattern with the rede_2 tag and queues.
pass in  quick on $if_int inet proto tcp from $rede_2 to any modulate state label rede_2 queue drede_2
pass out quick on $if_ext inet proto tcp from $ip_nat to any tagged rede_2 modulate state label rede_2 queue urede_2

pass in  quick on $if_int inet proto { udp icmp } from $rede_2 to any label rede_2 queue drede_2
pass out quick on $if_ext inet proto { udp icmp } from $ip_nat to any tagged rede_2 label rede_2 queue urede_2


So my problem with UPLOAD was solved with TAG.

Regards to all



2009/11/17 Alessandro de Souza Rocha <etherlinkii at gmail.com>

> My example here.
>
> altq on $ext_if1 bandwidth 170Kb cbq queue {cpd}
> queue cpd bandwidth 170Kb cbq(default)
>
>
> altq on $int_if bandwidth 256Kb cbq queue {local1}
> queue local1 bandwidth 250Kb cbq(default)
>
> pass out on $ext_if1 from 192.168.0.0/24 to any keep state queue local1
> pass out on $int_if from 192.168.0.0/24 to any keep state queue cpd
>
>
> 2009/11/16 Nenhum_de_Nos <matheus at eternamente.info>:
> >
> > On Mon, November 16, 2009 21:03, Rogério Moura wrote:
> >> 2009/11/16 Matheus Cucoloto <matheuscucoloto at gmail.com>
> >>
> >>> altq only works on the outbound flow.
> >>>
> >>> For that reason, adapt your rules so that you limit on the outbound flow.
> >>>
> >>> Example:
> >>>
> >>> To limit the download of a PC behind your shaper, create a rule on the outbound side of the internal interface (from any to the machine's IP).
> >>>
> >>> To limit the upload of a PC behind your shaper, create a rule on the outbound side of the external interface (from the machine's IP to any).
> >>>
> >> But Matheus, how would I create the rule on the external interface if the machine's IP has already been translated by NAT? The external interface does not know my machine's IP.
> >> Correct me if I'm wrong.
> >>
> >> thanks
> >
> > as a suggestion:
> >
> > # upload only
> >
> > pass in on $int_if from $minhaRede1 to any keep state queue filaUpload1
> >
> > # download only
> >
> > pass out on $int_if from any to $minhaRede1 keep state queue filaDownload1
> >
> > but if everything is behind NAT, nobody has a valid IP on the network to publish any service. So you can already put both into their queues as they arrive at $int_if:
> >
> > pass in on $int_if from $minhaRede1 to any keep state queue (filaDownload1, filaUpload1)
> >
> > some protocols are a pain to get into this scheme, but I've managed it :)
> >
> > pass in on $int_if proto tcp from any to any port { 21, 80, 443, 8080 } modulate state queue (in_web, out_web)
> >
> > and this works well for me :)
> >
> > matheus
> >>>
> >>> Be careful with keep state on FreeBSD 7: it generates it automatically even if you don't mention it in the rule, and that can sometimes get in the way when building the rules. I use "no state", though there must be more elegant ways.
> >>>
> >>> 2009/11/16 Rogério Moura <rogerpop at gmail.com>
> >>>
> >>> > Hello everyone,
> >>> > I'm having trouble limiting upload on the network here. I've already searched on Google and on this very list and found some tips, but I applied them without success.
> >>> >
> >>> > My environment is as follows: I have a machine with PF doing NAT and ALTQ for a 34Mbps link, with several networks behind it
> >>> >
> >>> >                    -----------
> >>> >  various LANs ----| P  NAT  |---- internet
> >>> >                   | F  ALTQ |
> >>> >                    -----------
> >>> > and I would like to limit x bandwidth for each of those LANs, both for download and for upload; download I can do, but not upload.
> >>> >
> >>> > here are my rules:
> >>> >
> >>> > # Interfaces
> >>> > if_int="em0"
> >>> > if_ext="em1"
> >>> >
> >>> > # Networks
> >>> > rede_geral="10/8"
> >>> > rede_1="10.20/16"
> >>> > rede_2="10.50/16"
> >>> >
> >>> > # NAT
> >>> > nat on $if_ext from $rede_geral to any -> ip_real
> >>> >
> >>> >
> >>> > # ALTQ
> >>> >
> >>> > # UPLOAD
> >>> > altq on $if_ext hfsc bandwidth 34Mb queue { upstnd, uprede1, uprede2 }
> >>> >       queue upstnd   bandwidth 2Mb hfsc (default, realtime 2Mb, upperlimit 3Mb)
> >>> >       queue uprede1  bandwidth 4Mb hfsc (realtime 4Mb, upperlimit 5Mb)
> >>> >       queue uprede2  bandwidth 4Mb hfsc (realtime 4Mb, upperlimit 15Mb)
> >>> >
> >>> >
> >>> >
> >>> > # DOWNLOAD
> >>> > altq on $if_int hfsc bandwidth 34Mb queue { dowstnd, dowrede1, dowrede2 }
> >>> >       queue dowstnd   bandwidth 2Mb hfsc (default, realtime 2Mb, upperlimit 3Mb)
> >>> >       queue dowrede1  bandwidth 4Mb hfsc (realtime 4Mb, upperlimit 5Mb)
> >>> >       queue dowrede2  bandwidth 4Mb hfsc (realtime 4Mb, upperlimit 15Mb)
> >>> >
> >>> >
> >>> > # Regras
> >>> >
> >>> > pass in quick on $if_int from $rede_1 to any queue dowrede1
> >>> >
> >>> > pass in quick on $if_int from $rede_2 to any queue dowrede2
> >>> >
> >>> >
> >>> > The way it's set up there I can limit download, but how would I limit UPLOAD in this environment?
> >>> >
> >>> > regards.
> >>> > -------------------------
> >>> > Archive: http://www.fug.com.br/historico/html/freebsd/
> >>> > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
> >>> >
> >>>
> >>> --
> >>> -----------------------------------------------
> >>> Matheus Cucoloto
> >>> Unix Expertise
> >>> Voip Expertise
> >>>
> >>> WiTec - Wi Telecom
> >>> Fix: +55 44 36194203
> >>> Cel: +55 44 99216200
> >>> Sip: sip://1000@sipwicne1.grupoirapida.com.br
> >>>
> >>
> >
> >
> > --
> > We will call you cygnus,
> > The God of balance you shall be
> >
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> >
> > http://en.wikipedia.org/wiki/Posting_style
> >
>
>
>
> --
> Alessandro de Souza Rocha
> Network and Systems Administrator
> FreeBSD-BR User #117
>             Long live FreeBSD
>
>                     Powered by ....
>
>                                          (__)
>                                       \\\'',)
>                                         \/  \ ^
>                                         .\._/_)
>
>                                     www.FreeBSD.org
>
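
The tag/tagged ruleset at the top of this message is the kind of file that gets hand-edited until it loads, and a few mistakes survive that: a rule that queues into a name no altq block defines, a macro that was never defined, or a second altq on an interface that already has one. As an added example (not code from the thread), this Python linter checks those invariants over a constructed pf.conf fragment modelled on that ruleset, plus the HFSC sum rule that child bandwidths must fit under the root; its parsing is deliberately narrow and is a complement to, not a substitute for, `pfctl -nf`.

```python
import re
# Constructed pf.conf fragment modelled on the thread's final ruleset, carrying
# three slips of the kind it contained: a second altq on the WAN interface, a
# macro that is never defined, and a rule queuing into an undefined queue.
SAMPLE = '''
if_ext="em0"
if_int="em1"
rede_1="192.168.1.0/24"
ip_nat="200.163.75.250"
altq on $if_ext hfsc bandwidth 2Mb queue { ustd, urede_1 }
    queue ustd bandwidth 1Kb priority 0 hfsc (default realtime 1Kb upperlimit 2Kb)
    queue urede_1 bandwidth 1Mb priority 7 hfsc (realtime 1Mb upperlimit 2Mb)
altq on $if_ext hfsc bandwidth 100Mb queue { dstd, drede_1 }
    queue dstd bandwidth 1Kb priority 0 hfsc (default realtime 1Kb upperlimit 2Kb)
    queue drede_1 bandwidth 1Mb priority 7 hfsc (realtime 1Mb upperlimit 2Mb)
nat on $if_ext from $rede_gabgov to any tag rede_1 -> $ip_nat
pass in quick on $if_int proto tcp from $rede_1 to any modulate state queue drede_1
pass out quick on $if_ext proto tcp from $ip_nat to any tagged rede_1 modulate state queue urede_2
'''
UNIT = {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}   # altq bandwidth suffixes

def bw(spec):
    """'500Kb' -> 500000 bits per second."""
    m = re.fullmatch(r"(\d+)(Gb|Mb|Kb|b)", spec)
    return int(m.group(1)) * UNIT[m.group(2)]

def lint_pf(conf):
    """Return the problems found in an ALTQ-carrying pf.conf fragment, in order."""
    macros, altq, queues, issues = {}, {}, {}, []
    def expand(x):                                      # $name -> value, flag unknowns
        if x.group(1) not in macros:
            issues.append(f"undefined macro ${x.group(1)}")
        return macros.get(x.group(1), x.group(0))
    for raw in conf.splitlines():
        line = re.sub(r"\$(\w+)", expand, raw.split("#", 1)[0].strip())
        if m := re.fullmatch(r'(\w+)="([^"]*)"', line):     # macro definition
            macros[m.group(1)] = m.group(2)
        elif m := re.match(r"altq on (\S+) \w+ bandwidth (\S+) queue \{(.*)\}", line):
            if m.group(1) in altq:                          # one discipline per interface
                issues.append(f"second altq on {m.group(1)}")
            altq[m.group(1)] = (bw(m.group(2)), [k.strip() for k in m.group(3).split(",")])
        elif m := re.match(r"queue (\w+) bandwidth (\S+)", line):
            queues[m.group(1)] = bw(m.group(2))             # child queue definition
        elif (m := re.search(r"\bqueue (\w+)$", line)) and m.group(1) not in queues:
            issues.append(f"queue {m.group(1)} not defined")
    for ifn, (root, kids) in altq.items():                  # children must fit the root
        total = sum(queues.get(k, 0) for k in kids)
        if total > root:
            issues.append(f"queues on {ifn} need {total} b/s, root has {root}")
    return issues
```

Running `lint_pf(SAMPLE)` reports the duplicate altq on em0, the undefined $rede_gabgov macro and the missing urede_2 queue; a clean ruleset returns an empty list.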


More information about the freebsd mailing list