[GTER] Limiting upload with PF+HFSC

Gilberto Villani Brito linux at giboia.org
Mon Jul 10 09:49:29 -03 2006


I don't know whether HFSC can shape upload on the interface itself.
Here I control upload as follows:

altq on $ext_if hfsc bandwidth 100% queue ext_root
  queue ext_root bandwidth 14Mb hfsc(red, realtime 12Mb, upperlimit 14Mb) { upload, upload1 }
    queue upload bandwidth 9Mb priority 1 hfsc(default)
    queue upload1 bandwidth 5Mb priority 1 hfsc(realtime 4Mb, upperlimit 5Mb)

altq on $int_if hfsc bandwidth 100% queue int_root
  queue int_root bandwidth 14Mb hfsc(red, realtime 12Mb, upperlimit 14Mb) { download, download1 }
    queue download bandwidth 9Mb priority 1 hfsc(default)
    queue download1 bandwidth 5Mb priority 1 hfsc(realtime 4Mb, upperlimit 5Mb)

pass in on $int_if from <internal ip> to any keep state queue upload1
pass in on $int_if from <internal ip> to any keep state queue download1

This kind of configuration, using "in" in both rules, definitely works, since
I use it here to limit the upload of my reserved IPs.

Regards
Gilberto

2006/7/9, Mauricio Bonani <mbonani at gmail.com>:
>
> I think I spoke too soon when I said everything was working.
> Unfortunately the upload traffic is going through the default queue.
>
> I ran a test on an interface that has only one network attached to it.
> Here is the PF configuration for that interface:
>
> ### /etc/pf.conf ###
> altq on $if_int hfsc bandwidth 100000Kb queue { std_int, u_teste, d_teste }
>
>          queue std_int bandwidth 2Kb hfsc(default)
>          queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)
>          queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)
>
> pass in log quick on $if_int inet from $teste to any queue u_teste
> pass out log quick on $if_int inet from any to $teste queue d_teste
> ### /etc/pf.conf ###
>
> ### pftop ###
> root_xl3    100M  hfsc       0         0  0  0  0  0
>   std_int   2000  hfsc     102      6102  0  0  0
>   u_teste   128K  hfsc       0         0  0  0  0
>   d_teste   256K  hfsc  295371  27163381  0  0  0
> ### pftop ###
>
> What on earth am I still doing wrong?
> There are no other rules for this interface in /etc/pf.conf.
>
> At 19:40 03/07/2006, Christopher Giese - iRapida wrote:
> >Hey
> >
> >it's because the example was of an open firewall
> >
> >if you want to close it down and add dynamic situations with keep
> >state....... feel free
> >
> >just take care when writing it so that packets are not
> >counted more than once or go through more than one filter :)
> >
> >later
> >
> >Christopher Giese <SkyWarrior>
> >bsdux at bsdux.com.br
> >
> >Mauricio Bonani wrote:
> > > I know the thread is old, but a question just came up.
> > >
> > > The bandwidth control as Giese suggested is working correctly;
> > > it limits upload and download.
> > > I just didn't understand where the 'keep state' went.
> > > Is it unnecessary in this case?
> > >
> > > At 18:48 14/04/2006, you wrote:
> > >
> > >> Well.... I won't get into linux/bsd merits... qdisc/altq (there's no
> > >> way to even compare them....)
> > >>
> > >> I'll put together a very simple example to show how to control your
> > >> problem:
> > >>
> > >> Note that here I just took a case of mine.... and dug it up to more or
> > >> less show how to control IN (that is.... we are actually controlling
> > >> OUT.... but showing that IN on the internal card is to be accounted for
> > >> on OUT of the external card)
> > >>
> > >> ###############################
> > >> #/etc/pf.conf
> > >>
> > >> # MACROS
> > >> ext_if  = "fxp1"
> > >> int_if  = "fxp0"
> > >> int_net = "192.168.3.0/24"
> > >> ext_net = "172.16.3.0/24"
> > >> ip_nat  = "200.200.200.200"
> > >>
> > >> # Options: tune pf behaviour; the values below are the defaults.
> > >> set timeout { interval 10, frag 30 }
> > >> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> > >> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> > >> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> > >> set timeout { icmp.first 20, icmp.error 10 }
> > >> set timeout { other.first 60, other.single 30, other.multiple 60 }
> > >> set timeout { adaptive.start 0, adaptive.end 0 }
> > >> set limit { states 10000, frags 5000 }
> > >> set loginterface none
> > >> set optimization normal
> > >> set block-policy drop
> > >> set require-order yes
> > >>
> > >> # Normalization: reassemble fragments and resolve or reduce ambiguities
> > >> # in the traffic.
> > >> scrub in all
> > >>
> > >> #########################################################################################
> > >> # QUEUES
> > >>
> > >> # UPLOAD
> > >> altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
> > >>
> > >>         # Internal network
> > >>         queue qredeout bandwidth 2048Kb hfsc(linkshare 2048Kb, upperlimit 2048Kb) { qtsout, qimpressaoout, qinternetout }
> > >>                 queue qtsout bandwidth 1400Kb hfsc(realtime 1400Kb, red)
> > >>                 queue qimpressaoout bandwidth 128Kb hfsc(realtime 128Kb, red)
> > >>                 queue qinternetout bandwidth 512Kb hfsc(realtime 512Kb, red)
> > >>
> > >>         # Default
> > >>         queue qpadraoout bandwidth 1Kb hfsc(upperlimit 1Kb, default)
> > >>
> > >>
> > >> # DOWNLOAD
> > >> altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
> > >>
> > >>         # Internal network
> > >>         queue qredein bandwidth 2048Kb hfsc(upperlimit 2048Kb) { qtsin, qimpressaoin, qinternetin }
> > >>                 queue qtsin bandwidth 1400Kb hfsc(realtime 1400Kb, red)
> > >>                 queue qimpressaoin bandwidth 128Kb hfsc(realtime 128Kb, red)
> > >>                 queue qinternetin bandwidth 512Kb hfsc(realtime 512Kb, red)
> > >>
> > >>         # Default
> > >>         queue qpadraoin bandwidth 1Kb hfsc(upperlimit 1Kb, default)
> > >>
> > >> ###########################################################################################
> > >>
> > >> # NAT FIP
> > >> nat on $ext_if from $int_net to any -> $ip_nat
> > >>
> > >> # ftp
> > >> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
> > >>
> > >> ###########################################################################################
> > >>
> > >> #### INTERNAL network ###############
> > >>
> > >> # QOS DOWNLOAD
> > >> pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
> > >> pass out quick on $int_if from $ext_net to $int_net queue qimpressaoin
> > >> pass out quick on $int_if from any to $int_net queue qinternetin
> > >>
> > >> # QOS UPLOAD
> > >> pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
> > >> pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
> > >> pass in quick on $int_if from $int_net to any queue qinternetout
> > >>
> > >> ################################
> > >>
> > >> I hope this helped......
> > >>
> > >> Regards
> > >>
> > >> Christopher Giese
> > >> bsdux at bsdux.com.br
> > >>
> > >
> > >
> > > Unix is very simple, but it takes a genius to understand the
> simplicity.
> > > (Dennis Ritchie)
> > >
> > > --
> > > Mauricio Bonani
> > > mailto:mbonani at gmail.com
> > >
> > > --
> > > gter list    https://eng.registro.br/mailman/listinfo/gter
> > >
>
>
>
> --
> Mauricio Bonani
> LPIC-1 Linux Professional Institute Certified
> mailto:mbonani at gmail.com
>
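A complete pf.conf for the setup discussed in this thread, added here as an example; it is not a configuration posted by any of the people above, and the interface names, the shaped host's address and the rates are assumptions. It addresses the test Mauricio describes: ALTQ shapes packets on the interface they leave, so the upload of a LAN host has to be queued on the external interface, not on the internal one where it arrives, which is why a queue such as u_teste declared only on the internal interface never counts a packet. The configuration uses one stateful rule on the internal interface and gives the limited queue the same name on both interfaces, relying on pfctl giving same-named queues the same queue id: the id recorded by the rule resolves to the 128Kb class when the packet leaves $ext_if and to the 512Kb class when the reply leaves $int_if.

```pf
# Added example for this thread; not a configuration posted by anyone above.
# Interface names, addresses and rates are assumptions. Classic ALTQ syntax
# (OpenBSD 3.x/4.x, also FreeBSD with ALTQ in the kernel).
ext_if  = "fxp1"            # assumption: uplink
int_if  = "fxp0"            # assumption: LAN side
int_net = "192.168.1.0/24"  # assumption
shaped  = "192.168.1.50"    # assumption: the host whose traffic is limited

# ALTQ shapes packets on the interface they LEAVE. A LAN host's upload leaves
# through $ext_if, so its upload queue must be declared on $ext_if; a queue
# declared only on $int_if never sees that traffic (the zero u_teste counter
# in the pftop listing quoted above). A packet whose queue is not declared on
# the interface it leaves falls into that interface's default queue.
#
# "shaped" is declared on both interfaces: pfctl gives same-named queues the
# same queue id, so the id recorded by one rule resolves to the 128Kb class
# on $ext_if and to the 512Kb class on $int_if.
altq on $ext_if hfsc bandwidth 2Mb queue { std_up, shaped }
    queue std_up bandwidth 1872Kb hfsc(default)
    queue shaped on $ext_if bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)

altq on $int_if hfsc bandwidth 100Mb queue { std_down, shaped }
    queue std_down bandwidth 99488Kb hfsc(default)
    queue shaped on $int_if bandwidth 512Kb hfsc(realtime 256Kb, upperlimit 512Kb)

scrub in all

# Rules on $ext_if see the translated source address, so per-host matching
# is done where the private address is still visible: inbound on $int_if.
nat on $ext_if from $int_net to any -> ($ext_if)

block log all

# The queue chosen here travels with the packet to $ext_if (upload) and is
# recorded in the state, so the replies leaving $int_if get it too (download).
pass in quick on $int_if from $shaped to any keep state queue shaped
pass in on $int_if from $int_net to any keep state

# No queue on the $ext_if rule: a queue assigned here replaces the one chosen
# on $int_if, and the upload would be shaped by this rule's queue instead.
pass out on $ext_if keep state
```

Check the syntax with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and watch pfctl -vsq (or pftop's queue view) while the host uploads and downloads: the shaped queue should count packets on both interfaces, and the std_up/std_down counters should not move for that host's traffic. pfctl rejects a set of child queues whose realtime curves add up to more than 80% of the interface bandwidth, so keep the realtime values well below the link rate and let upperlimit do the capping.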


