[GTER] Limiting Upload with PF+HFSC

Mauricio Bonani mbonani at gmail.com
Tue Jul 11 17:46:12 -03 2006


I saw the two-interface definition in Giese's old suggestion (laughs), but
I stubbornly kept trying to do it on a single interface.

I just ran a test and it works 100%. Wanting to do everything at once is
bad for exactly this reason: you end up not doing some things properly.

Thank you all for your patience.

At 09:49 10/07/2006, Gilberto Villani Brito wrote:
>I don't know whether HFSC can control upload on the interface itself.
>Here I control upload as follows:
>
>altq on $ext_if hfsc bandwidth 100% queue ext_root
>   queue ext_root bandwidth 14Mb hfsc(red realtime 12Mb upperlimit 14Mb) { upload upload1 }
>     queue upload bandwidth 9Mb priority 1 hfsc(default)
>     queue upload1 bandwidth 5Mb priority 1 hfsc(realtime 4Mb upperlimit 5Mb)
>
>altq on $int_if hfsc bandwidth 100% queue int_root
>   queue int_root bandwidth 14Mb hfsc(red realtime 12Mb upperlimit 14Mb) { download download1 }
>     queue download bandwidth 9Mb priority 1 hfsc(default)
>     queue download1 bandwidth 5Mb priority 1 hfsc(realtime 4Mb upperlimit 5Mb)
>
>pass in on $int_if from <internal ip> to any keep state queue upload1
>pass in on $int_if from <internal ip> to any keep state queue download1
>
>This kind of configuration, using in on both rules, definitely works,
>since I use it here to limit the upload of reserved IPs.
>
>Regards
>Gilberto
>
>2006/7/9, Mauricio Bonani <mbonani at gmail.com>:
> >
> > I think I spoke too soon when I said everything was working.
> > Unfortunately the upload traffic is going through the default queue.
> >
> > I ran a test on an interface that has only one network attached to it.
> > Here is the PF configuration for that interface:
> >
> > ### /etc/pf.conf ###
> > altq on $if_int hfsc bandwidth 100000Kb queue { std_int, u_teste, d_teste }
> >
> >          queue std_int bandwidth 2Kb hfsc(default)
> >          queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)
> >          queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)
> >
> > pass in log quick on $if_int inet from $teste to any queue u_teste
> > pass out log quick on $if_int inet from any to $teste queue d_teste
> > ### /etc/pf.conf ###
> >
> > ### pftop ###
> > root_xl3                        100M  hfsc    0        0        0        0        0    0
> >   std_int                        2000  hfsc           102     6102        0        0    0
> >   u_teste                        128K  hfsc             0        0        0        0    0
> >   d_teste                        256K  hfsc        295371 27163381        0        0    0
> > ### pftop ###
> >
> > What on earth am I still doing wrong?
> > There are no other rules for this interface in /etc/pf.conf.
> >
> > At 19:40 03/07/2006, Christopher Giese - iRapida wrote:
> > >Hey
> > >
> > >it's because the example was for an open firewall
> > >
> > >if you want to close it down and add dynamic situations with keep
> > >state....... feel free
> > >
> > >just take care when writing the rules so that packets are not
> > >counted more than once or go through more than one filter :)
> > >
> > >see you
> > >
> > >Christopher Giese <SkyWarrior>
> > >bsdux at bsdux.com.br
> > >
> > >Mauricio Bonani wrote:
> > > > I know the thread is old, but a question came up just now.
> > > >
> > > > The bandwidth control as Giese suggested is working correctly; it
> > > > limits both upload and download.
> > > > I just didn't understand where the 'keep state' went.
> > > > Does it become unnecessary in this case?
> > > >
> > > > At 18:48 14/04/2006, you wrote:
> > > >
> > > >> Well.... I won't get into the linux/bsd debate... qdisc/altq (there
> > > >> isn't even a way to compare them....)
> > > >>
> > > >> I'll put together a very simple example to show how to handle your
> > > >> problem:
> > > >>
> > > >> Note that I just took one of my own cases.... and refreshed my memory
> > > >> to more or less show how to control the IN (that is.... we are
> > > >> actually controlling the OUT.... but showing that the IN on the
> > > >> internal card is to be accounted for on the OUT of the external card)
> > > >>
> > > >> ###############################
> > > >> #/etc/pf.conf
> > > >>
> > > >> # ENVIRONMENT VARIABLES
> > > >> ext_if  = "fxp1"
> > > >> int_if  = "fxp0"
> > > >> int_net = "192.168.3.0/24"
> > > >> ext_net = "172.16.3.0/24"
> > > >> ip_nat = "200.200.200.200"
> > > >>
> > > >> # Options: improve pf's behaviour; the values below are the defaults.
> > > >> set timeout { interval 10, frag 30 }
> > > >> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> > > >> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> > > >> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> > > >> set timeout { icmp.first 20, icmp.error 10 }
> > > >> set timeout { other.first 60, other.single 30, other.multiple 60 }
> > > >> set timeout { adaptive.start 0, adaptive.end 0 }
> > > >> set limit { states 10000, frags 5000 }
> > > >> set loginterface none
> > > >> set optimization normal
> > > >> set block-policy drop
> > > >> set require-order yes
> > > >>
> > > >> # Normalization: reassembles fragments and resolves or reduces traffic
> > > >> # ambiguities.
> > > >> scrub in all
> > > >>
> > > >>
> > > >> #########################################################################################
> > > >> # QUEUES
> > > >>
> > > >> # UPLOAD
> > > >> altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
> > > >>
> > > >>         # Internal network
> > > >>         queue qredeout bandwidth 2048Kb hfsc (linkshare 2048Kb, upperlimit 2048Kb) { qtsout, qimpressaoout, qinternetout }
> > > >>                 queue qtsout bandwidth 1400Kb hfsc (realtime 1400Kb, red)
> > > >>                 queue qimpressaoout bandwidth 128Kb hfsc (realtime 128Kb, red)
> > > >>                 queue qinternetout bandwidth 512Kb hfsc (realtime 512Kb, red)
> > > >>
> > > >>         # Default
> > > >>         queue qpadraoout bandwidth 1Kb hfsc (upperlimit 1Kb,default)
> > > >>
> > > >>
> > > >> # DOWNLOAD
> > > >> altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
> > > >>
> > > >>
> > > >>         # Internal network
> > > >>         queue qredein bandwidth 2048Kb hfsc (upperlimit 2048Kb) { qtsin, qimpressaoin, qinternetin }
> > > >>                 queue qtsin bandwidth 1400Kb hfsc (realtime 1400Kb, red)
> > > >>                 queue qimpressaoin  bandwidth 128Kb hfsc (realtime 128Kb, red)
> > > >>                 queue qinternetin  bandwidth 512Kb hfsc (realtime 512Kb, red)
> > > >>
> > > >>
> > > >>         # Default
> > > >>         queue qpadraoin bandwidth 1Kb hfsc (upperlimit 1Kb,default)
> > > >>
> > > >>
> > > >> ###########################################################################################
> > > >>
> > > >> # NAT FIP
> > > >> nat on $ext_if from $int_net to any -> $ip_nat
> > > >>
> > > >> # ftp
> > > >> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
> > > >>
> > > >>
> > > >> ###########################################################################################
> > > >>
> > > >> ####INTERNAL NETWORK###############
> > > >>
> > > >> # QOS DOWNLOAD
> > > >> pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
> > > >> pass out quick on $int_if from $ext_net to $int_net queue qimpressaoin
> > > >> pass out quick on $int_if from any to $int_net queue qinternetin
> > > >>
> > > >> # QOS UPLOAD
> > > >> pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
> > > >> pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
> > > >> pass in quick on $int_if from $int_net to any queue qinternetout
> > > >>
> > > >> ################################
> > > >>
> > > >> I hope this helped......
> > > >>
> > > >> Best regards
> > > >>
> > > >> Christopher Giese
> > > >> bsdux at bsdux.com.br
> > > >>
> > > >
> > > >
> > > > Unix is very simple, but it takes a genius to understand the simplicity.
> > > > (Dennis Ritchie)
> > > >
> > > > --
> > > > Mauricio Bonani
> > > > mailto:mbonani at gmail.com
> > > >
> > > > --
> > > > gter list    https://eng.registro.br/mailman/listinfo/gter
> > > >
> > >
> >
> >
> > Unix is very simple, but it takes a genius to understand the simplicity.
> > (Dennis Ritchie)
> >
> > --
> > Mauricio Bonani
> > LPIC-1 Linux Professional Institute Certified
> > mailto:mbonani at gmail.com
> >
> >


Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

--
Mauricio Bonani
LPIC-1 Linux Professional Institute Certified
mailto:mbonani at gmail.com
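Added example, not code from the thread, from OpenBSD or from pfctl: a small Python checker for the queue-placement mistake the thread ends up diagnosing. It encodes the rule that an ALTQ queue named in a pass rule only shapes traffic on the interface the packet leaves through, so a "pass in on $if_int ... queue u_teste" rule with u_teste defined on $if_int sends forwarded uploads to the egress interface's default queue instead (which is what the pftop output above shows: u_teste at zero, everything landing in std_int). The function names parse_pf and check are mine. The two configurations embedded in it are constructed: the first reproduces the single-interface setup from the thread, the second is the two-interface layout the thread settles on, with the macro name $if_ext assumed.

```python
"""Static check for the ALTQ queue-placement mistake discussed in the thread.

A queue named in a PF rule only shapes packets on the interface they leave
through; without a queue of that name there, packets use that interface's
default queue, so `pass in on $if_int ... queue X` with X defined on $if_int
never shapes forwarded uploads.  Parses altq/queue definitions and
single-queue pass rules, one per line, macros unexpanded.  Added example,
not code from the thread, OpenBSD or pfctl.
"""
import re

ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+.*\bqueue\s+(?:\{([^}]*)\}|(\S+))\s*$")
QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+bandwidth\s+\S+")
PASS_RE = re.compile(r"^pass\s+(in|out)\b.*?\bon\s+(\S+)\b.*\bqueue\s+(\S+)\s*$")


def _names(blob):
    """Split a queue list such as 'a, b c' into ['a', 'b', 'c']."""
    return blob.replace(",", " ").split()


def parse_pf(text):
    """Return (queue_iface, default_ifaces, rules): queue name -> owning
    interface (children inherit the parent's), interfaces that declare a
    default queue, and (direction, iface, queue) tuples from pass rules."""
    queue_iface, children, defaults, rules = {}, {}, set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = ALTQ_RE.match(line)
        if m:
            for q in _names(m.group(2) or m.group(3) or ""):
                queue_iface[q] = m.group(1)
            continue
        m = QUEUE_RE.match(line)
        if m:
            kids = re.search(r"\{([^}]*)\}", line)
            children[m.group(1)] = _names(kids.group(1)) if kids else []
            if re.search(r"\bdefault\b", line):
                defaults.add(m.group(1))
            continue
        m = PASS_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3)))
    pending = list(queue_iface)  # push the owning interface down the tree
    while pending:
        parent = pending.pop()
        for child in children.get(parent, []):
            if child not in queue_iface:
                queue_iface[child] = queue_iface[parent]
                pending.append(child)
    default_ifaces = {queue_iface[q] for q in defaults if q in queue_iface}
    return queue_iface, default_ifaces, rules


def check(text):
    """Return findings as strings; an empty list means no placement problem."""
    queue_iface, default_ifaces, rules = parse_pf(text)
    findings = []
    for direction, iface, qname in rules:
        owner = queue_iface.get(qname)
        if owner is None:
            findings.append(f"{qname}: no altq block defines this queue")
        elif direction == "out" and owner != iface:
            findings.append(f"{qname}: 'pass out on {iface}' but the queue lives "
                            f"on {owner}; packets use the default queue of {iface}")
        elif direction == "in" and owner == iface:
            findings.append(f"{qname}: 'pass in on {iface}' but the queue lives "
                            f"on {iface}; forwarded packets leave through another "
                            f"interface and land in its default queue")
    for iface in sorted(set(queue_iface.values()) - default_ifaces):
        findings.append(f"{iface}: altq block has no default queue")
    return findings


# Constructed reproduction of the single-interface setup from the thread.
BROKEN_CONF = """
altq on $if_int hfsc bandwidth 100000Kb queue { std_int, u_teste, d_teste }
    queue std_int bandwidth 2Kb hfsc(default)
    queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)
    queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)
pass in log quick on $if_int inet from $teste to any queue u_teste
pass out log quick on $if_int inet from any to $teste queue d_teste
"""

# Constructed two-interface version: the upload queue lives on the external
# interface, where uploads actually leave the box ($if_ext is an assumed name).
FIXED_CONF = """
altq on $if_ext hfsc bandwidth 100000Kb queue { std_ext, u_teste }
    queue std_ext bandwidth 2Kb hfsc(default)
    queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)
altq on $if_int hfsc bandwidth 100000Kb queue { std_int, d_teste }
    queue std_int bandwidth 2Kb hfsc(default)
    queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)
pass in log quick on $if_int inet from $teste to any keep state queue u_teste
pass out log quick on $if_int inet from any to $teste keep state queue d_teste
"""

if __name__ == "__main__":
    for label, conf in (("single interface", BROKEN_CONF), ("two interfaces", FIXED_CONF)):
        print(label, "->", check(conf) or ["ok"])
```

Run it directly to see the findings for both fragments. It only understands the single-queue rule form, one statement per line, and treats macros as opaque names, which is enough to catch the placement error before pfctl loads a ruleset that silently shapes nothing.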



