bandwidth management problem...
After reading the OpenBSD ALTQ howto I've decided to create my own rules for bandwidth management... I'm not sure whether I've created what I really need:
--------------------start
### macros
int_if = "re0"
ext_if = "pppoe0"
tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
bnd_upstream="480Kb"
bnd_downstream="20480Kb"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.0.13"
host_usr14="192.168.0.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"

### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0

### scrub
scrub in all
scrub out on $ext_if max-mss 1440

### altq
altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }
queue up_def bandwidth 100% cbq(default) { up_host1 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 }
queue up_host1 bandwidth 10% cbq(borrow)
queue up_host8 bandwidth 10% cbq(borrow)
queue up_host9 bandwidth 10% cbq(borrow)
queue up_host10 bandwidth 10% cbq(borrow)
queue up_host11 bandwidth 10% cbq(borrow)
queue up_host12 bandwidth 10% cbq(borrow)
queue up_host13 bandwidth 10% cbq(borrow)
queue up_host14 bandwidth 10% cbq(borrow)
queue up_host15 bandwidth 10% cbq(borrow)
queue up_host16 bandwidth 10% cbq(borrow)
queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 }
queue dn_host1 bandwidth 10% cbq(borrow)
queue dn_host8 bandwidth 10% cbq(borrow)
queue dn_host9 bandwidth 10% cbq(borrow)
queue dn_host10 bandwidth 10% cbq(borrow)
queue dn_host11 bandwidth 10% cbq(borrow)
queue dn_host12 bandwidth 10% cbq(borrow)
queue dn_host13 bandwidth 10% cbq(borrow)
queue dn_host14 bandwidth 10% cbq(borrow)
queue dn_host15 bandwidth 10% cbq(borrow)
queue dn_host16 bandwidth 10% cbq(borrow)

### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
# redirect for anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10

### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $int_if proto { tcp udp } from 192.168.0.1 to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $int_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $int_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass out on $int_if proto { tcp udp } from any to 192.168.0.1 queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $int_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $int_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network

###Deny spoofing
antispoof for $ext_if
antispoof for $int_if
-----------------------------end
I would give 10% of the bandwidth to each host and let each host borrow bandwidth from the others. Is the conf correct?
Thanks so much,
mb.
|
|||
Thanks for the fast answer s2scott.
Then, in my conf, are these lines correct:
---
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
---
???
I'm asking again, more precisely, about these two rules because I'm in doubt about whether they need to be queued or not. As you can see, they are not queued... is this correct?

Another question: I've been thinking about the code you showed me and I've understood why I might add it to my firewall, but I don't understand why I have to queue the rule to "up_host1" as well and not only to "up_higest", and I don't understand why a "dn_higest" isn't needed as well... Sorry if my questions seem "stupid" to you; I've never used pf ALTQ.

The last question: "192.168.0.1" is my gateway/router/firewall/server (where OpenBSD runs), where I'm configuring pf... how much bandwidth does it need if it "only" has to work as an apache/vsftpd/cucipop/bind/internalVoipSystem server? Is 10% correct or can I reduce the bandwidth dedicated to it?

Thanks and thanks
mb.
Last edited by maurobottone; 17th May 2008 at 09:42 AM.
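A small consistency check for a ruleset like the one posted, added here as an example and not part of either post: it confirms that every queue named in a rule is declared, that child percentages do not sum above their parent, and it lists the pass rules that carry no queue keyword, such as the two asked about in the second post. The `build_sample`, `names` and `lint` helpers are hypothetical names for this example, and the sample is a constructed rebuild of the upstream half of the ruleset with literal host addresses.

```python
import re

HOSTS = [1] + list(range(8, 17))  # host numbers behind the post's queue names

def build_sample(share=10):
    """Constructed sample: upstream half of the posted ruleset, literal host IPs."""
    kids = " ".join(f"up_host{h}" for h in HOSTS)
    conf = ["altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }",
            f"queue up_def bandwidth 100% cbq(default) {{ {kids} }}"]
    conf += [f"queue up_host{h} bandwidth {share}% cbq(borrow)" for h in HOSTS]
    conf += [f"pass in on $int_if proto {{ tcp udp }} from 192.168.0.{h} "
             f"to any queue up_host{h}" for h in HOSTS]
    conf += ["pass out on $ext_if proto tcp all modulate state flags S/SA",
             "pass out on $ext_if proto { udp, icmp } all keep state"]
    return "\n".join(conf)

# Simplified grammar: percentage bandwidths and one trailing "queue NAME" per rule.
QUEUE_DEF = re.compile(r"^queue\s+(\S+)\s+bandwidth\s+(\d+)%[^{]*(?:\{([^}]*)\})?")
ALTQ_DEF = re.compile(r"^altq\s+on\s+\S+.*\bqueue\s*\{([^}]*)\}")
RULE_QUEUE = re.compile(r"\bqueue\s+(\S+)\s*$")

def names(braced):
    """Split a brace list body such as ' a, b c ' into queue names."""
    return (braced or "").replace(",", " ").split()

def lint(conf):
    share, children, used, unqueued = {}, {}, set(), []
    for raw in conf.splitlines():
        line = raw.split("#")[0].strip()          # drop comments
        if m := QUEUE_DEF.match(line):
            share[m.group(1)] = int(m.group(2))
            children[m.group(1)] = names(m.group(3))
            used.update(children[m.group(1)])
        elif m := ALTQ_DEF.match(line):
            used.update(names(m.group(1)))
        elif line.startswith("pass"):
            m = RULE_QUEUE.search(line)
            if m:
                used.add(m.group(1))
            else:
                unqueued.append(line)             # no explicit queue assignment
    totals = {p: sum(share.get(k, 0) for k in kids)
              for p, kids in children.items() if kids}
    return {"undefined": sorted(used - set(share)),
            "oversubscribed": {p: t for p, t in totals.items() if t > 100},
            "unqueued": unqueued}

if __name__ == "__main__":
    print(lint(build_sample()))
```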