[GTER] Limiting upload with PF+HFSC
Christopher Giese - iRapida
chris at irapida.com.br
Wed Jul 12 08:28:26 -03 2006
Well... from what I have read.... from the studies I did.... and from some emails
I exchanged with KENJIRO (the guy who WROTE altq),
this is impossible..... with altq.
But from the email you sent, "I just ran a test and it's 100%", I
understood that you had managed it (lol).
See you,
Chris
Mauricio Bonani wrote:
> I did try, but it didn't work out very well... heheheheheheh
>
> At 18:13 11/07/2006, Christopher Giese - iRapida wrote:
>> You applied in/out with only 1 INTERFACE
>>
>> USING ALTQ ????
>>
>>
>> Mauricio Bonani wrote:
>>> I saw Giese's old suggestion (laughs) defining it on two
>>> interfaces, but I stubbornly kept trying to use it on the same interface.
>>>
>>> I just ran a test and it's 100%. Wanting to do everything at the same
>>> time is bad for exactly this reason: you end up not doing some things right.
>>>
>>> Thanks everyone for your patience.
>>>
>>> At 09:49 10/07/2006, Gilberto Villani Brito wrote:
>>>
>>>> I don't know whether HFSC can control upload on the interface itself.
>>>> Here I control upload the following way:
>>>>
>>>> altq on $ext_if hfsc bandwidth 100% queue ext_root
>>>> queue ext_root bandwidth 14Mb hfsc(red, realtime 12Mb, upperlimit 14Mb) {
>>>>     upload upload1 }
>>>> queue upload bandwidth 9Mb priority 1 hfsc(default)
>>>> queue upload1 bandwidth 5Mb priority 1 hfsc(realtime 4Mb, upperlimit 5Mb)
>>>>
>>>> altq on $int_if hfsc bandwidth 100% queue int_root
>>>> queue int_root bandwidth 14Mb hfsc(red, realtime 12Mb, upperlimit 14Mb) {
>>>>     download download1 }
>>>> queue download bandwidth 9Mb priority 1 hfsc(default)
>>>> queue download1 bandwidth 5Mb priority 1 hfsc(realtime 4Mb, upperlimit 5Mb)
>>>>
>>>> pass in on $int_if from <ip interno> to any keep state queue upload1
>>>> pass in on $ext_if from any to <ip interno> keep state queue download1
>>>>
>>>> This kind of configuration, using in on both rules, works for
>>>> sure, because I use it here to limit the upload of reserved IPs.
>>>>
>>>> Regards
>>>> Gilberto
>>>>
>>>> 2006/7/9, Mauricio Bonani <mbonani at gmail.com>:
>>>>
>>>>> I think I jumped the gun when I said everything was working.
>>>>> Unfortunately the upload traffic is going through the default queue.
>>>>>
>>>>> I ran a test on an interface that has only one network attached to it.
>>>>> Here is the PF configuration for that interface:
>>>>>
>>>>> ### /etc/pf.conf ###
>>>>> altq on $if_int hfsc bandwidth 100000Kb queue { std_int, u_teste, d_teste }
>>>>>
>>>>> queue std_int bandwidth 2Kb hfsc(default)
>>>>> queue u_teste bandwidth 128Kb hfsc(realtime 64Kb, upperlimit 128Kb)
>>>>> queue d_teste bandwidth 256Kb hfsc(realtime 128Kb, upperlimit 256Kb)
>>>>>
>>>>> pass in log quick on $if_int inet from $teste to any queue u_teste
>>>>> pass out log quick on $if_int inet from any to $teste queue d_teste
>>>>> ### /etc/pf.conf ###
>>>>>
>>>>> ### pftop ###
>>>>> root_xl3 100M hfsc 0 0 0 0 0 0
>>>>> std_int 2000 hfsc 102 6102 0 0 0
>>>>> u_teste 128K hfsc 0 0 0 0 0
>>>>> d_teste 256K hfsc 295371 27163381 0 0 0
>>>>> ### pftop ###
>>>>>
>>>>> What on earth am I still doing wrong?
>>>>> There are no other rules for this interface in /etc/pf.conf.
>>>>>
>>>>> At 19:40 03/07/2006, Christopher Giese - iRapida wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> it's just that the example was for an open firewall
>>>>>>
>>>>>> if you want to close it down and add dynamic situations with keep
>>>>>> state....... feel free
>>>>>>
>>>>>> just take care when writing it so that packets aren't
>>>>>> counted more than once or go through more than 1 filter :)
>>>>>>
>>>>>> See you
>>>>>>
>>>>>> Christopher Giese <SkyWarrior>
>>>>>> bsdux at bsdux.com.br
>>>>>>
>>>>>> Mauricio Bonani wrote:
>>>>>>
>>>>>>> I know the thread is old, but a question came up just now.
>>>>>>>
>>>>>>> The bandwidth control as Giese suggested is
>>>>>>> working correctly, it limits upload and download.
>>>>>>> I just didn't understand where the 'keep state' went.
>>>>>>> Is it unnecessary in this case?
>>>>>>>
>>>>>>> At 18:48 14/04/2006, you wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Well.... I'm not going to get into linux/bsd... qdisk/altq merits (because
>>>>>>>> there's no way to even compare them....)
>>>>>>>>
>>>>>>>> I'll put together a very simple example to show how to handle your
>>>>>>>> problem:
>>>>>>>>
>>>>>>>> Note that here I just took a case of my own.... and recalled it
>>>>>>>> to more or less show how to control the IN (that is.... we are
>>>>>>>> actually controlling the OUT.... but showing that the IN on the internal
>>>>>>>> card is to be accounted on the OUT of the external card)
>>>>>>>>
>>>>>>>> ###############################
>>>>>>>> #/etc/pf.conf
>>>>>>>>
>>>>>>>> # ENVIRONMENT VARIABLES
>>>>>>>> ext_if = "fxp1"
>>>>>>>> int_if = "fxp0"
>>>>>>>> int_net = "192.168.3.0/24"
>>>>>>>> ext_net = "172.16.3.0/24"
>>>>>>>> ip_nat = "200.200.200.200"
>>>>>>>>
>>>>>>>> # Options: improve pf's behaviour; the current values are the defaults.
>>>>>>>> set timeout { interval 10, frag 30 }
>>>>>>>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>>>>>>>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>>>>>>>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>>>>>>>> set timeout { icmp.first 20, icmp.error 10 }
>>>>>>>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>>>>>>>> set timeout { adaptive.start 0, adaptive.end 0 }
>>>>>>>> set limit { states 10000, frags 5000 }
>>>>>>>> set loginterface none
>>>>>>>> set optimization normal
>>>>>>>> set block-policy drop
>>>>>>>> set require-order yes
>>>>>>>>
>>>>>>>> # Normalization: reassembles fragments and resolves or reduces
>>>>>>>> # ambiguities in the traffic.
>>>>>>>> scrub in all
>>>>>>>>
>>>>>>>> #########################################################################################
>>>>>>>> # QUEUES
>>>>>>>>
>>>>>>>> # UPLOAD
>>>>>>>> altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
>>>>>>>>
>>>>>>>> # Internal network
>>>>>>>> queue qredeout bandwidth 2048Kb hfsc(linkshare 2048Kb, upperlimit 2048Kb) { qtsout, qimpressaoout, qinternetout }
>>>>>>>>     queue qtsout bandwidth 1400Kb hfsc(realtime 1400Kb, red)
>>>>>>>>     queue qimpressaoout bandwidth 128Kb hfsc(realtime 128Kb, red)
>>>>>>>>     queue qinternetout bandwidth 512Kb hfsc(realtime 512Kb, red)
>>>>>>>>
>>>>>>>> # Default
>>>>>>>> queue qpadraoout bandwidth 1Kb hfsc(upperlimit 1Kb, default)
>>>>>>>>
>>>>>>>>
>>>>>>>> # DOWNLOAD
>>>>>>>> altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
>>>>>>>>
>>>>>>>> # Internal network
>>>>>>>> queue qredein bandwidth 2048Kb hfsc(upperlimit 2048Kb) { qtsin, qimpressaoin, qinternetin }
>>>>>>>>     queue qtsin bandwidth 1400Kb hfsc(realtime 1400Kb, red)
>>>>>>>>     queue qimpressaoin bandwidth 128Kb hfsc(realtime 128Kb, red)
>>>>>>>>     queue qinternetin bandwidth 512Kb hfsc(realtime 512Kb, red)
>>>>>>>>
>>>>>>>> # Default
>>>>>>>> queue qpadraoin bandwidth 1Kb hfsc(upperlimit 1Kb, default)
>>>>>>>>
>>>>>>>> ###########################################################################################
>>>>>>>> # NAT FIP
>>>>>>>> nat on $ext_if from $int_net to any -> $ip_nat
>>>>>>>>
>>>>>>>> # ftp
>>>>>>>> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port ftp-proxy
>>>>>>>>
>>>>>>>> ###########################################################################################
>>>>>>>> #### INTERNAL network ###############
>>>>>>>>
>>>>>>>> # QOS DOWNLOAD
>>>>>>>> pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
>>>>>>>> pass out quick on $int_if from $ext_net to $int_net queue qimpressaoin
>>>>>>>> pass out quick on $int_if from any to $int_net queue qinternetin
>>>>>>>>
>>>>>>>> # QOS UPLOAD
>>>>>>>> pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
>>>>>>>> pass in quick on $int_if from $int_net to $ext_net queue qimpressaoout
>>>>>>>> pass in quick on $int_if from $int_net to any queue qinternetout
>>>>>>>>
>>>>>>>> ################################
>>>>>>>>
>>>>>>>> Hope this helped......
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>> Christopher Giese
>>>>>>>> bsdux at bsdux.com.br
>>>>>>>>
>>>>>>> Unix is very simple, but it takes a genius to understand the simplicity.
>>>>>>> (Dennis Ritchie)
>>>>>>>
>>>>>>> --
>>>>>>> Mauricio Bonani
>>>>>>> mailto:mbonani at gmail.com
>>>>>>>
>>>>>>> --
>>>>>>> gter list https://eng.registro.br/mailman/listinfo/gter
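The thread above keeps tripping over the same few slips: a queue named in an `altq` line under one name and defined under another (qredein versus qinfip), a macro that is never set ($fip_ext_net), a child queue left out of its parent's list, and, in Mauricio's single-interface test, a `pass in on $if_int ... queue u_teste` rule whose queue exists only on $if_int, where it can never match because, as Giese explains, the queue is applied when the packet leaves on the other card. The checker below is an added example written for this page, not code from the thread or from OpenBSD; it parses a pf.conf fragment and reports all four conditions. The pf.conf text embedded in it is constructed for the demo, modelled on the quoted configurations, and the macro and queue names in it are assumptions of this example.

```python
"""pf.conf ALTQ sanity checker (added example; not code from the thread or OpenBSD).

Reports macros used but never set, queue names referenced but never defined,
queues defined but unreachable from any 'altq on <if>' root, and rules whose
queue cannot match because of the in/out direction: the queue named in a rule
is applied when the packet leaves, so it must exist on the outbound interface.
"""
import re

# Constructed sample, modelled on the configs quoted in the thread, with four
# deliberate slips: $fip_ext_net is never set, qimpressaoin is never defined,
# qimpressaoout is defined but missing from its parent's child list, and the
# last rule assigns an $int_if queue on a 'pass in on $int_if' rule.
SAMPLE_PF_CONF = """\
ext_if = "fxp1"
int_if = "fxp0"
int_net = "192.168.3.0/24"

# UPLOAD: queued when packets leave on the external card
altq on $ext_if hfsc bandwidth 102400Kb queue { qredeout, qpadraoout }
queue qredeout bandwidth 2048Kb hfsc(linkshare 2048Kb, upperlimit 2048Kb) { qtsout, qinternetout }
queue qtsout bandwidth 1400Kb hfsc(realtime 1400Kb, red)
queue qimpressaoout bandwidth 128Kb hfsc(realtime 128Kb, red)
queue qinternetout bandwidth 512Kb hfsc(realtime 512Kb, red)
queue qpadraoout bandwidth 1Kb hfsc(upperlimit 1Kb, default)

# DOWNLOAD: queued when packets leave on the internal card
altq on $int_if hfsc bandwidth 102400Kb queue { qredein, qpadraoin }
queue qredein bandwidth 2048Kb hfsc(upperlimit 2048Kb) { qtsin, qinternetin }
queue qtsin bandwidth 1400Kb hfsc(realtime 1400Kb, red)
queue qinternetin bandwidth 512Kb hfsc(realtime 512Kb, red)
queue qpadraoin bandwidth 1Kb hfsc(upperlimit 1Kb, default)

pass out quick on $int_if proto tcp from any to $int_net port 3389 queue qtsin
pass out quick on $int_if from $fip_ext_net to $int_net queue qimpressaoin
pass in quick on $int_if proto tcp from $int_net port 3389 to any queue qtsout
pass in quick on $int_if from $int_net to any queue qinternetin
"""


def _names(fragment):
    """Split '{ qa, qb }', '(qa, qb)' or 'qa' into bare queue names."""
    return [n for n in re.split(r"[\s,{}()]+", fragment) if n]


def parse_pf_conf(text):
    """Collect macros, the queue tree and queue-bearing rules from pf.conf text."""
    macros_def, macros_used, queue_def = set(), set(), set()
    roots, children, rules = {}, {}, []   # iface->roots, queue->kids, (dir, iface, queues)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        macros_used.update(re.findall(r"\$(\w+)", line))
        m = re.match(r'(\w+)\s*=\s*"', line)
        if m:
            macros_def.add(m.group(1))
            continue
        m = re.match(r"altq\s+on\s+(\S+).*\bqueue\s+(.+)$", line)
        if m:
            roots[m.group(1)] = _names(m.group(2))
            continue
        m = re.match(r"queue\s+(\w+)(?:.*\{([^}]*)\})?", line)
        if m:
            queue_def.add(m.group(1))
            children[m.group(1)] = _names(m.group(2) or "")
            continue
        m = re.match(r"(?:pass|block|match)\s+(in|out)\b.*?\bon\s+(\S+).*\bqueue\s+(.+)$", line)
        if m:
            rules.append((m.group(1), m.group(2), _names(m.group(3))))
    return macros_def, macros_used, queue_def, roots, children, rules


def queue_interfaces(roots, children):
    """Map every queue reachable from an 'altq on <if>' root to that interface."""
    iface_of = {}
    for iface, names in roots.items():
        stack = list(names)
        while stack:
            q = stack.pop()
            if q in iface_of:                 # already placed; also stops cycles
                continue
            iface_of[q] = iface
            stack.extend(children.get(q, []))
    return iface_of


def lint_pf_conf(text):
    """Return the four kinds of findings as sorted lists."""
    macros_def, macros_used, queue_def, roots, children, rules = parse_pf_conf(text)
    iface_of = queue_interfaces(roots, children)
    referenced = set(iface_of)
    for kids in children.values():
        referenced.update(kids)
    for _, _, queues in rules:
        referenced.update(queues)
    mismatches = []
    for direction, iface, queues in rules:
        for q in queues:
            home = iface_of.get(q)
            if home is None:                  # reported as undefined/unattached instead
                continue
            # 'out on X' needs a queue of X; 'in on X' is queued on the interface
            # the packet leaves through, so a queue of X itself never matches.
            wrong = (home != iface) if direction == "out" else (home == iface)
            if wrong:
                mismatches.append((q, direction, iface, home))
    return {
        "undefined_macros": sorted(macros_used - macros_def),
        "undefined_queues": sorted(referenced - queue_def),
        "unattached_queues": sorted(queue_def - set(iface_of)),
        "direction_mismatches": sorted(mismatches),
    }


if __name__ == "__main__":
    for kind, items in lint_pf_conf(SAMPLE_PF_CONF).items():
        print(f"{kind}: {items}")
```

Run it as a script to print the findings for the embedded sample, or call `lint_pf_conf()` on the text of a real pf.conf. It only understands the single-line queue and rule forms used in this thread (no backslash continuations, no braces spanning lines), and `pfctl -nf /etc/pf.conf` remains the authoritative syntax check. The direction mismatch in particular is valid syntax that pfctl loads without complaint, which is exactly why Mauricio's u_teste showed zero packets in pftop while std_int, the default queue, counted the traffic.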