[GTER] Limiting upload with PF+HFSC
Mauricio Bonani
mbonani at gmail.com
Sun Jul 9 16:26:02 -03 2006
I think I jumped the gun when I said everything was working.
Unfortunately the upload traffic is still going through the default queue.
I ran a test on an interface that has only one network attached to it.
Here is the PF configuration for that interface:
### /etc/pf.conf ###
altq on $if_int hfsc bandwidth 100000Kb queue { std_int, u_teste, d_teste }
queue std_int bandwidth 2Kb hfsc(default)
queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)
queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)
pass in log quick on $if_int inet from $teste to any queue u_teste
pass out log quick on $if_int inet from any to $teste queue d_teste
### /etc/pf.conf ###
### pftop ###
root_xl3  100M  hfsc  0       0         0  0  0  0
std_int   2000  hfsc  102     6102      0  0  0
u_teste   128K  hfsc  0       0         0  0  0
d_teste   256K  hfsc  295371  27163381  0  0  0
### pftop ###
What on earth am I still doing wrong?
There are no other rules for this interface in /etc/pf.conf.
At 19:40 03/07/2006, Christopher Giese - iRapida wrote:
>Hey
>
>it's just that the example was for an open firewall
>
>if you want to close it down and add dynamic situations with keep
>state....... feel free
>
>just take care when writing it so that packets are not
>counted more than once or pass through more than one filter :)
>
>later
>
>Christopher Giese <SkyWarrior>
>bsdux at bsdux.com.br
>
>Mauricio Bonani wrote:
> > I know the thread is old, but a question just came up.
> >
> > The bandwidth control as Giese suggested is
> > working correctly, it limits upload and download.
> > I just didn't understand where the 'keep state' went.
> > Does it become unnecessary in this case?
> >
> > At 18:48 14/04/2006, you wrote:
> >
> >> Well.... I won't get into the linux/bsd debate... qdisc/altq (there is
> >> no way to even compare them ....)
> >>
> >> I'll put together a very simple example to show how to control your
> >> problem:
> >>
> >> Note that here I just took a case of my own.... and refreshed it a bit to
> >> more or less demonstrate how to control IN (that is.... we are actually
> >> controlling OUT.... but showing that the IN of the internal card is to be
> >> accounted on the OUT of the external card)
> >>
> >> ###############################
> >> #/etc/pf.conf
> >>
> >> # MACROS
> >> ext_if = "fxp1"
> >> int_if = "fxp0"
> >> int_net = "192.168.3.0/24"
> >> ext_net = "172.16.3.0/24"
> >> ip_nat = "200.200.200.200"
> >>
> >> # Options: improve pf's behaviour; the current values are the defaults.
> >> set timeout { interval 10, frag 30 }
> >> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> >> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> >> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> >> set timeout { icmp.first 20, icmp.error 10 }
> >> set timeout { other.first 60, other.single 30, other.multiple 60 }
> >> set timeout { adaptive.start 0, adaptive.end 0 }
> >> set limit { states 10000, frags 5000 }
> >> set loginterface none
> >> set optimization normal
> >> set block-policy drop
> >> set require-order yes
> >>
> >> # Normalization: reassembles fragments and resolves or reduces
> >> # ambiguities in the traffic.
> >> scrub in all
> >>
> >> #########################################################################################
> >> # QUEUES
> >>
> >> # UPLOAD
> >> altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
> >>
> >> # Internal network
> >> queue qredeout bandwidth 2048Kb hfsc(linkshare 2048Kb, upperlimit 2048Kb) { qtsout, qimpressaoout, qinternetout }
> >>     queue qtsout bandwidth 1400Kb hfsc(realtime 1400Kb, red)
> >>     queue qimpressaoout bandwidth 128Kb hfsc(realtime 128Kb, red)
> >>     queue qinternetout bandwidth 512Kb hfsc(realtime 512Kb, red)
> >>
> >> # Default
> >> queue qpadraoout bandwidth 1Kb hfsc(upperlimit 1Kb, default)
> >>
> >> # DOWNLOAD
> >> altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
> >>
> >> # Internal network
> >> queue qredein bandwidth 2048Kb hfsc(upperlimit 2048Kb) { qtsin, qimpressaoin, qinternetin }
> >>     queue qtsin bandwidth 1400Kb hfsc(realtime 1400Kb, red)
> >>     queue qimpressaoin bandwidth 128Kb hfsc(realtime 128Kb, red)
> >>     queue qinternetin bandwidth 512Kb hfsc(realtime 512Kb, red)
> >>
> >> # Default
> >> queue qpadraoin bandwidth 1Kb hfsc(upperlimit 1Kb, default)
> >>
> >> ###########################################################################################
> >>
> >> # NAT FIP
> >> nat on $ext_if from $int_net to any -> $ip_nat
> >>
> >> # ftp
> >> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
> >>
> >> ###########################################################################################
> >>
> >> #### INTERNAL NETWORK ##########
> >>
> >> # QOS DOWNLOAD
> >> pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
> >> pass out quick on $int_if from $ext_net to $int_net queue qimpressaoin
> >> pass out quick on $int_if from any to $int_net queue qinternetin
> >>
> >> # QOS UPLOAD
> >> pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
> >> pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
> >> pass in quick on $int_if from $int_net to any queue qinternetout
> >>
> >> ################################
> >>
> >> I hope this helped......
> >>
> >> Regards
> >>
> >> Christopher Giese
> >> bsdux at bsdux.com.br
> >>
> >
> >
> > Unix is very simple, but it takes a genius to understand the simplicity.
> > (Dennis Ritchie)
> >
> > --
> > Mauricio Bonani
> > mailto:mbonani at gmail.com
> >
> > --
> > gter list https://eng.registro.br/mailman/listinfo/gter
> >
>
>--
>gter list https://eng.registro.br/mailman/listinfo/gter
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
--
Mauricio Bonani
LPIC-1 Linux Professional Institute Certified
mailto:mbonani at gmail.com
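Added example for the test configuration above; this is not Mauricio's or Giese's ruleset, it is an editor's illustration of Giese's point that the IN of the internal card is accounted on the OUT of the external card. The interface names (xl3 for the LAN side, matching the root_xl3 entry in the pftop output; xl0 for the upstream side), the address of $teste and the absence of NAT on this path are assumptions. The rules are stateless, like Giese's "open firewall" example, which is how pass rules behave on the pf of that era (OpenBSD up to 4.0); from 4.1 on, where pass rules keep state by default, add "no state" to them.

```pf
# Added example, not the ruleset posted in this thread.
# Assumed: xl3 = LAN interface, xl0 = upstream interface, 192.168.1.10 = the
# host being limited, no NAT on this path, stateless pass rules.
if_ext = "xl0"
if_int = "xl3"
teste  = "192.168.1.10"

# Upload leaves the box on $if_ext, so its queue has to hang off the altq on
# $if_ext. Altq only ever queues outgoing packets, and a queue name that does
# not exist on the interface a packet leaves from falls back to that
# interface's default queue (the std_int counters in the pftop output above
# are this fallback).
altq on $if_ext hfsc bandwidth 100000Kb queue { std_ext, u_teste }
queue std_ext bandwidth 1000Kb hfsc(default)
queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)

# Download leaves the box on $if_int, so its queue stays on $if_int.
altq on $if_int hfsc bandwidth 100000Kb queue { std_int, d_teste }
queue std_int bandwidth 1000Kb hfsc(default)
queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)

# The queue chosen by the inbound rule on $if_int travels with the packet and
# is applied when the same packet is sent out on $if_ext, where u_teste now
# exists. The outbound rule on $if_int handles the download direction.
pass in  quick on $if_int inet from $teste to any queue u_teste
pass out quick on $if_int inet from any to $teste queue d_teste
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `pfctl -vvsq` while $teste uploads: the packet and byte counters should grow under u_teste on xl0 instead of under the default queue on xl3. Because the rules are stateless, the ACKs coming back to $teste for its upload are matched by the `pass out` rule on xl3 and counted in d_teste as well, which is the double-counting Giese warns about; if you switch to `keep state`, remember that a state carries a single queue name for both directions.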