[FUG-BR] PF with ICMP failure

Renata Dias renatchinha at gmail.com
Tue Mar 23 12:22:31 BRT 2010


On 19 March 2010 at 16:34, Aline Freitas <aline at bsd.com.br> wrote:

> Renata,
>
> I have had my network behave like that before because of badly done
> optimizations in sysctl.conf. What do you have in it?
>
> []'s
> Aline
>
>
>
> On Mar 19, 2010, at 10:37 AM, Renata Dias wrote:
>
> > Dear all,
> >
> >    I found several discussions about my question, but none
> > with a solution!
> >
> > I enable pf and the network starts responding with "No buffer space
> > available".
> > I tested some options I found on the internet, such as: set limit
> > { states 1000000000, src-nodes 1000000000, frags 50000000 }, but without
> > success.
> >
> > Here is my pf.conf
> >
> > if_wan_upload="em0"
> > if_lan_download="em1"
> >
> > table <rede_interna> { 192.168.0.0/24, 10.0.10.0/24 }
> >
> > altq on $if_wan_upload hfsc bandwidth 100% queue total_out
> > queue total_out bandwidth 34Mb hfsc(upperlimit 34Mb) { ping_out voip_out dns_out http-https_out pop_out smtp_out ssh_out outros_out p2p_out }
> >  queue ping_out bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
> >  queue voip_out bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
> >  queue dns_out bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
> >  queue http-https_out bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
> >  queue ssh_out bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
> >  queue smtp_out bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
> >  queue pop_out bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
> >  queue outros_out bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
> >  queue p2p_out bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)
> >
> > altq on $if_lan_download hfsc bandwidth 100Mb queue total
> > queue total bandwidth 34Mb hfsc(upperlimit 34Mb) { ping voip dns http-https ssh smtp pop outros p2p }
> >  queue ping bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
> >  queue voip bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
> >  queue dns bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
> >  queue http-https bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
> >  queue ssh bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
> >  queue smtp bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
> >  queue pop bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
> >  queue outros bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
> >  queue p2p bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)
> >
> > pass in quick on $if_wan_upload proto icmp from <rede_interna> to any keep state queue ping_out
> > pass in quick on $if_lan_download proto icmp from <rede_interna> to any keep state queue ping
> >
> > pass in quick on $if_wan_upload proto { tcp, udp } from <rede_interna> to any port 53 keep state queue dns_out
> > pass in quick on $if_lan_download proto { tcp, udp } from <rede_interna> to any port 53 keep state queue dns
> >
> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port { 80, 443 } keep state queue http-https_out
> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port { 80, 443 } keep state queue http-https
> >
> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 110 keep state queue pop_out
> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 110 keep state queue pop
> >
> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 25 keep state queue smtp_out
> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 25 keep state queue smtp
> >
> > pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 22 keep state queue ssh_out
> > pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 22 keep state queue ssh
> >
> > --
> > Renata Dias
> > -------------------------
> > Archive: http://www.fug.com.br/historico/html/freebsd/
> > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd



Hi Aline,

# MAC - Layer 2
net.link.ether.ipfw=1

I only enable layer 2 for IPFW's MAC rules. However, for testing
I disabled that sysctl and enabled PF... the result was the same
("no buffer space") in the middle of the ping replies.

Thank you.

-- 
Renata Dias
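As an added example (not code from this thread or from the pf project), the script below is a small offline checker for the ALTQ queue hierarchy in a pf.conf like the one quoted above. It understands only the subset of pf.conf syntax used in the post (altq ... queue, queue ... hfsc(...) { children }, and pass ... queue NAME) and reports the things pfctl would refuse to load: children asking for more than 100% of their parent, a child that is listed but never defined, an interface tree with zero or several default queues, and a rule that assigns an undefined queue. The embedded configuration is constructed from the upload tree in the post, plus one invented rule (queue proxy_out) so that the reference check has something to flag. The authoritative check is still pfctl -nf on the real file; this is for reviewing a configuration pasted into a mail.

```python
import re

# Constructed sample: the upload queue tree from the posted pf.conf, plus one
# invented rule (proxy_out) that references a queue nobody defined.
SAMPLE_PF_CONF = """\
if_wan_upload="em0"
table <rede_interna> { 192.168.0.0/24, 10.0.10.0/24 }

altq on $if_wan_upload hfsc bandwidth 100% queue total_out
queue total_out bandwidth 34Mb hfsc(upperlimit 34Mb) { ping_out voip_out dns_out http-https_out pop_out smtp_out ssh_out outros_out p2p_out }
 queue ping_out bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
 queue voip_out bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
 queue dns_out bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
 queue http-https_out bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
 queue ssh_out bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
 queue smtp_out bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
 queue pop_out bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
 queue outros_out bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
 queue p2p_out bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)

pass in quick on $if_wan_upload proto icmp from <rede_interna> to any keep state queue ping_out
pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 22 keep state queue ssh_out
pass out quick on $if_wan_upload proto tcp to any port 8080 keep state queue proxy_out
"""

ALTQ_RE = re.compile(r'^\s*altq\s+on\s+(\S+)\s+\w+\s+bandwidth\s+(\S+)\s+queue\s+(\S+)')
QUEUE_RE = re.compile(
    r'^\s*queue\s+(\S+)\s+bandwidth\s+(\S+)'     # name, bandwidth
    r'(?:\s+priority\s+(\d+))?'                  # optional priority
    r'(?:\s+\w+\((.*?)\))?'                      # optional scheduler options, e.g. hfsc(...)
    r'(?:\s*\{\s*(.*?)\s*\})?\s*$')              # optional { child child ... }
RULE_Q_RE = re.compile(r'^\s*(?:pass|block|match)\b.*\bqueue\s+(\S+)')


def parse_bw(text):
    """Return (value, unit): unit '%' for a share of the parent, 'b' for bits/s."""
    m = re.fullmatch(r'(\d+(?:\.\d+)?)([KMG]?)(b|%)', text)
    if not m:
        raise ValueError("unparseable bandwidth: %s" % text)
    num, prefix, unit = m.groups()
    if unit == '%':
        return float(num), '%'
    return float(num) * {'': 1, 'K': 1e3, 'M': 1e6, 'G': 1e9}[prefix], 'b'


def parse_pf_conf(text):
    """Collect altq roots, queue definitions and rule->queue references."""
    altqs, queues, refs = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = ALTQ_RE.match(line)
        if m:
            altqs.append({'iface': m.group(1), 'bw': parse_bw(m.group(2)), 'root': m.group(3)})
            continue
        m = QUEUE_RE.match(line)
        if m:
            name, bw, _prio, opts, children = m.groups()
            queues[name] = {'bw': parse_bw(bw), 'opts': (opts or '').split(),
                            'children': (children or '').split(), 'line': lineno}
            continue
        m = RULE_Q_RE.match(line)
        if m:
            refs.append((lineno, m.group(1)))
    return altqs, queues, refs


def subtree(root, queues):
    """All defined queue names reachable from root through { } child lists."""
    seen, stack = [], [root]
    while stack:
        n = stack.pop()
        if n in queues and n not in seen:
            seen.append(n)
            stack.extend(queues[n]['children'])
    return seen


def check_queues(text):
    """Return a list of human-readable problems; empty means the tree looks sane."""
    altqs, queues, refs = parse_pf_conf(text)
    problems = []
    for parent, q in queues.items():
        pct = 0.0
        for child in q['children']:
            c = queues.get(child)
            if c is None:
                problems.append("queue %s: child %s is never defined" % (parent, child))
                continue
            val, unit = c['bw']
            if unit == '%':
                pct += val
            elif q['bw'][1] == 'b':             # absolute child under absolute parent
                pct += 100.0 * val / q['bw'][0]
        if pct > 100.0 + 1e-9:
            problems.append("queue %s: children request %.1f%% of parent bandwidth" % (parent, pct))
    for a in altqs:
        defaults = [n for n in subtree(a['root'], queues) if 'default' in queues[n]['opts']]
        if len(defaults) != 1:
            problems.append("altq on %s: expected exactly one default queue, found %s"
                            % (a['iface'], defaults))
    for lineno, name in refs:
        if name not in queues:
            problems.append("line %d: rule assigns undefined queue %s" % (lineno, name))
    return problems


if __name__ == '__main__':
    for p in check_queues(SAMPLE_PF_CONF) or ["no problems found"]:
        print(p)
```

Run against the sample, the only finding is the invented proxy_out rule: the posted tree itself allocates exactly 100% across its nine children and has a single default queue (outros_out). The check on absolute-versus-percentage children matters when someone later adds a queue in Mb under a parent defined in Mb, which is the silent way an HFSC tree ends up oversubscribed.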


More information about the freebsd mailing list