[GTER] Limitar Upload com PF+HFSC
Mauricio Bonani
mbonani at gmail.com
Mon Jul 3 18:06:44 -03 2006
Sei que a thread é antiga, mas pintou uma dúvida agora.
O controle de banda conforme o Giese sugeriu está
funcionando corretamente, limita o upload e o download.
Só não entendi onde foi parar o 'keep state'.
Nesse caso se torna desnecessário?
At 18:48 14/04/2006, you wrote:
>Bom.... nao vou entrar em meritos linux/bsd... qdisk/altq (pq nao tem
>nem como comparar ....)
>
>vou montar um exemplo bem simples para demonstrar como controlar o seu
>problema:
>
>Veja bem que aqui apenas peguei um caso meu.... e dei uma recordada para
>+/- demonstrar como controlar o IN (ou seja.... estamos controlando na
>verdade o OUT.... porem mostrando que o IN da placa interna eh para ser
>contabilizado no OUT da placa externa)
>
>###############################
>#/etc/pf.conf
>
># VARIAVEIS DE AMBIENTE
>ext_if = "fxp1"
>int_if = "fxp0"
>int_net = "192.168.3.0/24"
>ext_net = "172.16.3.0/24"
>ip_nat = "200.200.200.200"
>
># Opcoes: melhora o comportamento do pf, os valores atuais sao os padroes.
>set timeout { interval 10, frag 30 }
>set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>set timeout { icmp.first 20, icmp.error 10 }
>set timeout { other.first 60, other.single 30, other.multiple 60 }
>set timeout { adaptive.start 0, adaptive.end 0 }
>set limit { states 10000, frags 5000 }
>set loginterface none
>set optimization normal
>set block-policy drop
>set require-order yes
>
># Normalizaçao: remonta fragmentos e resolve ou reduz ambiguidades de
>trafego.
>scrub in all
>
>#########################################################################################
># FILAS
>
># UPLOAD
>altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
>
> # Rede Interna
> queue qredeout bandwidth 2048Kb hfsc (linkshare 2048Kb,
>upperlimit 2048Kb) { qtsout, qimpressaoout, qinternetout }
> queue qtsout bandwidth 1400Kb hfsc (realtime 1400Kb, red)
> queue qimpressaoout bandwidth 128Kb hfsc (realtime
>128Kb, red)
> queue qinternetout bandwidth 512Kb hfsc (realtime 512Kb,
>red)
>
> # Padrao
> queue qpadraoout bandwidth 1Kb hfsc (upperlimit 1Kb,default)
>
>
># DOWNLOAD
>altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
>
>
> # Rede Interna
> queue qinfip bandwidth 2048Kb hfsc (upperlimit 2048Kb) { qtsin,
>qimpressaoin, qinternetin }
> queue qtsin bandwidth 1400Kb hfsc (realtime 1400Kb, red)
> queue qimpressaoin bandwidth 128Kb hfsc (realtime
>128Kb, red)
> queue qinternetin bandwidth 512Kb hfsc (realtime 512Kb,
>red)
>
>
> # Padrao
> queue qpadraoin bandwidth 1Kb hfsc (upperlimit 1Kb,default)
>
>###########################################################################################
>
># NAT FIP
>nat on $ext_if from $int_net to any_net -> $ip_nat
>
># o ftp
>rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port
>ftp-proxy
>
>###########################################################################################
>
>####Rede INTERNA###############
>
># QOS DOWNLOAD
>pass out quick on $int_if proto tcp from any to $int_net port 3389 queue
>qtsin
>pass out quick on $int_if from $fip_ext_net to $int_net queue qimpressaoin
>pass out quick on $int_if from any to $int_net queue qinternetin
>
># QOS UPLOAD
>pass in quick on $int_if proto tcp from $int_net port 3389 to any queue
>qtsout
>pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
>pass in quick on $int_if from $int_net to any queue qinternetout
>
>################################
>
>Espero ter auxiliado......
>
>Atenciosamente
>
>Christopher Giese
>bsdux at bsdux.com.br
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
--
Mauricio Bonani
mailto:mbonani at gmail.com
More information about the gter
mailing list