[GTER] Limiting Upload with PF+HFSC
Christopher Giese - iRapida
chris at irapida.com.br
Mon Jul 3 19:40:42 -03 2006
Hey,
the thing is, the example was of an open firewall.
If you want to close it and add dynamic situations with keep
state....... feel free.
Just take care when writing the rules so that packets are not
counted more than once or go through more than one filter :)
See you
Christopher Giese <SkyWarrior>
bsdux at bsdux.com.br
Mauricio Bonani wrote:
> I know the thread is old, but a question just came up.
>
> The bandwidth control as Giese suggested is
> working correctly; it limits both upload and download.
> I just didn't understand where the 'keep state' went.
> Does it become unnecessary in this case?
>
> At 18:48 14/04/2006, you wrote:
>
>> Well.... I won't get into the linux/bsd or qdisc/altq merits (because
>> there isn't even a way to compare them....)
>>
>> I'll put together a very simple example to show how to control your
>> problem:
>>
>> Note that here I just took a case of mine.... and dug it up to roughly
>> demonstrate how to control the IN (that is.... we are actually
>> controlling the OUT.... but showing that the IN of the internal interface is to be
>> accounted on the OUT of the external interface)
>>
>> ###############################
>> #/etc/pf.conf
>>
>> # ENVIRONMENT VARIABLES
>> ext_if = "fxp1"
>> int_if = "fxp0"
>> int_net = "192.168.3.0/24"
>> ext_net = "172.16.3.0/24"
>> ip_nat = "200.200.200.200"
>>
>> # Options: tune pf's behaviour; the values below are the defaults.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>>
>> # Normalization: reassembles fragments and resolves or reduces traffic ambiguities.
>> scrub in all
>>
>> #########################################################################################
>> # QUEUES
>>
>> # UPLOAD: scheduled on the external interface's output
>> altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
>>
>> # Internal network (child queues sum to 2040Kb, within the 2048Kb parent)
>> queue qredeout bandwidth 2048Kb hfsc (linkshare 2048Kb, upperlimit 2048Kb) { qtsout, qimpressaoout, qinternetout }
>> queue qtsout bandwidth 1400Kb hfsc (realtime 1400Kb, red)
>> queue qimpressaoout bandwidth 128Kb hfsc (realtime 128Kb, red)
>> queue qinternetout bandwidth 512Kb hfsc (realtime 512Kb, red)
>>
>> # Default: anything not assigned a queue ends up here
>> queue qpadraoout bandwidth 1Kb hfsc (upperlimit 1Kb, default)
>>
>> # DOWNLOAD: scheduled on the internal interface's output
>> altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
>>
>> # Internal network (the parent name must match the altq line above)
>> queue qredein bandwidth 2048Kb hfsc (upperlimit 2048Kb) { qtsin, qimpressaoin, qinternetin }
>> queue qtsin bandwidth 1400Kb hfsc (realtime 1400Kb, red)
>> queue qimpressaoin bandwidth 128Kb hfsc (realtime 128Kb, red)
>> queue qinternetin bandwidth 512Kb hfsc (realtime 512Kb, red)
>>
>> # Default
>> queue qpadraoin bandwidth 1Kb hfsc (upperlimit 1Kb, default)
>>
>> ###########################################################################################
>>
>> # NAT FIP
>> nat on $ext_if from $int_net to any -> $ip_nat
>>
>> # ftp: hand it to the local ftp-proxy (port name from /etc/services)
>> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
>>
>> ###########################################################################################
>>
>> #### INTERNAL network ###############
>>
>> # QOS DOWNLOAD: tagged and scheduled on $int_if output
>> pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
>> pass out quick on $int_if from $ext_net to $int_net queue qimpressaoin
>> pass out quick on $int_if from any to $int_net queue qinternetin
>>
>> # QOS UPLOAD: tagged on $int_if input, scheduled later on $ext_if output
>> pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
>> pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
>> pass in quick on $int_if from $int_net to any queue qinternetout
>>
>> ################################
>>
>> Hope this helps......
>>
>> Regards
>>
>> Christopher Giese
>> bsdux at bsdux.com.br
>>
>
>
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)
>
> --
> Mauricio Bonani
> mailto:mbonani at gmail.com
>
> --
> gter list https://eng.registro.br/mailman/listinfo/gter
>
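The closed, stateful variant Giese leaves to the reader, as a constructed example that is not part of the original thread: it keeps the queue assignments from the pf.conf above unchanged and only rewrites the filter section, so that every packet is still tagged by exactly one rule per interface. It assumes the macros and hfsc queues defined above, outbound-initiated connections only (the ftp-proxy path is left aside), and the pf behaviour of that era: ALTQ only schedules on output, a rule without `queue` leaves an earlier queue tag untouched, and `if-bound` states are matched only on the interface that created them.

```pf
# Goes with the other "set" lines (require-order is on): states are bound
# to the interface that created them, so the $int_if and $ext_if rule sets
# never match each other's packets.
set state-policy if-bound

# Closed by default (block-policy drop is already set above).
block all

# $int_if inbound, seen before NAT, so internal addresses and ports are
# still visible.  Stateless on purpose: these rules only tag the packet
# with its UPLOAD queue, which is scheduled later on $ext_if output.
pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
pass in quick on $int_if from $int_net to any queue qinternetout

# $ext_if outbound, seen after NAT.  The single stateful point of the
# ruleset: no "queue" here, so the tag set on $int_if stays and the packet
# lands in its upload queue.  Replies are admitted by this state only.
pass out quick on $ext_if proto tcp from $ip_nat to any flags S/SA keep state
pass out quick on $ext_if proto { udp, icmp } from $ip_nat to any keep state

# $int_if outbound: only replies that matched the $ext_if state get here,
# and that state is not consulted again on $int_if.  Stateless again,
# tagging the DOWNLOAD queue that is scheduled on $int_if output.
pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
pass out quick on $int_if from $ext_net to $int_net queue qimpressaoin
pass out quick on $int_if from any to $int_net queue qinternetin

# Putting "keep state" on the $int_if inbound rules instead would hand the
# replies leaving $int_if an $ext_if queue name; a queue that does not exist
# on the outgoing interface falls through to its default, qpadraoin (1Kb).
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch the queues fill with `pfctl -vsq` while pushing traffic in each direction.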