Another thing: ALTQ only works on traffic leaving the interface, not on incoming traffic, so set up queues on both interfaces, the internal and the external.
Here is an example:

# interfaces
ext_if="re0"
int_if="re1"

# IP and port configuration
internal_net="10.0.0.0/24"
external_addr="200.250.x.x"
me="{ 200.250.x.1, 10.x.x.2, 127.0.0.1 }"
confiavel="{ 200.250.x.x 10.0.0.0/24}"
ns="{ 200.250.x.9, 200.250.x.2 }"
voip="{ 200.250.x.4, 200.250.x.7 }"
port_serv="{ 20, 21, 22, 25, 53, 80, 81, 110, 143, 443, 8080 }"
port_ssh="22"
port_voip="{ 5060 >< 5063 }"
port_h323="{ 1718 >< 1721 }"
portudp_voip="{5999 >< 65000 }"
port_drop="{134 >< 139, 445, 1025 >< 1027, 444, 3456, 1234, 666 }"
port_all="{ 1><65535 }"
redes="{ 10.0.0.0/24, 200.250.x.x/24 }"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set skip on lo
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queue on the external interface, outbound (upload).
altq on $ext_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { eresto, evoip, eserv }
queue eresto bandwidth 800Kb priority 1 cbq(default borrow)
queue evoip bandwidth 1.2Mb priority 3 cbq(borrow)
queue eserv bandwidth 2.0Mb priority 2 cbq(borrow)

# Queue on the internal interface, outbound (download).
altq on $int_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { iresto, ivoip, iserv }
queue iresto bandwidth 800Kb priority 1 cbq(default borrow)
queue ivoip bandwidth 1.2Mb priority 3 cbq(borrow)
queue iserv bandwidth 2.0Mb priority 2 cbq(borrow)

# NAT for the client network
nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

## squid
#no rdr on $int_if proto tcp from 200.250.x.x to any port 80
rdr on $int_if proto tcp from 200.250.x.8 to any port 80 -> 127.0.0.1 port 3128

# Filtering: the implicit first two rules are
block in all
block out all

# allow access to Receita
pass proto tcp from $redes to 161.148.0.0/16 keep state queue eserv
pass proto tcp from 161.148.0.0/16 to $redes keep state queue iserv
pass quick proto tcp from $redes to 161.148.0.0/16 port 3456 keep state queue eserv
pass quick proto tcp from 161.148.0.0/16 port 3456 to $redes keep state queue iserv

# block spoofed and broadcast traffic coming from outside the network
block quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
block quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }

# accept traffic from the network to the local host
pass in on lo from $redes to 127.0.0.1 keep state

# allow access from the network to the proxy
#pass quick proto {tcp,udp } from $redes to $me port 3128 keep state
#pass quick proto {tcp,udp } from $me to $redes keep state

# block spoofed Windows ports
block quick proto { tcp,udp } from any to any port $port_drop

# accept ssh only from trusted hosts
pass in quick on $int_if proto { tcp,udp } from $confiavel to $me port $port_ssh keep state
pass out quick on $int_if proto { tcp,udp } from $me port $port_ssh to $confiavel keep state

# close ssh to anyone who is not trusted
block in quick proto { tcp,udp } from any to $me port $port_ssh
block out quick proto { tcp,udp } from $me port $port_ssh to any

# accept ssh to 2
pass quick proto { tcp,udp } from any to 200.250.x.2 port $port_ssh keep state
pass quick proto { tcp,udp } from 200.250.x.2 to any keep state

# Priority of 1024 for the VoIP hosts
pass out quick on $int_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
pass in quick on $int_if proto tcp from $voip to any flags S/SAU keep state queue evoip
pass out quick on $ext_if proto tcp from $voip to any flags S/SAU keep state queue evoip
pass in quick on $ext_if proto tcp from any to $voip flags S/SAU keep state queue ivoip

# priority for the VoIP SIP ports: tcp
pass out quick on $int_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip
pass in quick on $int_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
pass out quick on $ext_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
pass in quick on $ext_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip

# Priority for the VoIP ports
# priority for the VoIP SIP ports: udp
pass out quick on $int_if proto udp from any to $redes port $port_voip keep state queue iserv
pass in quick on $int_if proto udp from $redes to any port $port_voip keep state queue eserv
pass out quick on $ext_if proto udp from $redes to any port $port_voip keep state queue eserv
pass in quick on $ext_if proto udp from any to $redes port $port_voip keep state queue iserv

# SIP UDP ports 506x
pass out quick on $int_if proto udp from any to $redes port $portudp_voip keep state queue iserv
pass in quick on $int_if proto udp from $redes to any port $portudp_voip keep state queue eserv
pass out quick on $ext_if proto udp from $redes to any port $portudp_voip keep state queue eserv
pass in quick on $ext_if proto udp from any to $redes port $portudp_voip keep state queue iserv

# H.323 ports
pass out quick on $int_if proto { tcp,udp } from any to $redes port $port_h323 keep state queue iserv
pass in quick on $int_if proto { tcp,udp } from $redes to any port $port_h323 keep state queue eserv
pass out quick on $ext_if proto { tcp,udp } from $redes to any port $port_h323 keep state queue eserv
pass in quick on $ext_if proto { tcp,udp } from any to $redes port $port_h323 keep state queue iserv

# our ssh ports
pass out quick on $int_if proto { tcp,udp } from any to any port $port_ssh keep state queue iserv
pass in quick on $int_if proto { tcp,udp } from any port $port_ssh to any keep state queue eserv
pass out quick on $ext_if proto { tcp,udp } from any port $port_ssh to any keep state queue eserv
pass in quick on $ext_if proto { tcp,udp } from any to any port $port_ssh keep state queue iserv

# allow traffic for the most common services
# internal interface, most common
pass out quick on $int_if proto { tcp,udp } from any to $redes port $port_serv keep state queue iserv
pass in quick on $int_if proto { tcp,udp } from $redes port $port_serv to any keep state queue eserv
# external interface, most common
pass out quick on $ext_if proto { tcp,udp } from $redes port $port_serv to any keep state queue eserv
pass in quick on $ext_if proto { tcp,udp } from any to $redes port $port_serv keep state queue iserv

## allow icmp
# icmp on the internal interface
pass out quick on $int_if proto icmp from any to $redes queue iserv
pass in quick on $int_if proto icmp from $redes to any queue eserv
# icmp on the external interface
pass out quick on $ext_if proto icmp from $redes to any queue eserv
pass in quick on $ext_if proto icmp from any to $redes queue iserv

# allow all ports on whatever is left of the link
pass out quick on $int_if from any to $redes queue iresto
pass in quick on $int_if from $redes to any queue eresto
pass out quick on $ext_if from $redes to any queue eresto
pass in quick on $ext_if from any to $redes queue iresto

----- Original Message -----
From: "Fabiano (BiGu)" <[EMAIL PROTECTED]>
To: ""Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)"" <freebsd@fug.com.br>
Sent: Tuesday, June 19, 2007 12:08 PM
Subject: Re: [FUG-BR] ALTQ does not control bandwidth

Gilberto Villani Brito wrote:
> On 19/06/07, Fabiano (BiGu) <[EMAIL PROTECTED]> wrote:
>
>> Yeah, but it doesn't work here... I don't know what I'm doing wrong...
>> I've already gone through the PF manual from cover to cover... and I'm doing
>> the configuration exactly as it is in the manual...
>>
>> Gilberto Villani Brito wrote:
>>
>>> On 17/06/07, Fabiano (BiGu) <[EMAIL PROTECTED]> wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> I set up ALTQ + PF here but I can't manage to control the bandwidth
>>>> of one IP
>>>>
>>>> I did the following:
>>>>
>>>> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>>>>
>>>> queue std bandwidth 128Kb priority 0 \
>>>>     cbq(default borrow)
>>>>
>>>> queue voip bandwidth 512Kb priority 7 \
>>>>     cbq(red ecn)
>>>>
>>>> queue email bandwidth 128Kb priority 0 \
>>>>     cbq(red ecn borrow)
>>>>
>>>> queue rede bandwidth 512Kb priority 0 \
>>>>     cbq(red ecn)
>>>>
>>>>
>>>> And I added these rules
>>>>
>>>> pass out quick proto { tcp icmp udp } from x.x.x.x to any \
>>>>     queue rede
>>>> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>>>>     queue rede
>>>>
>>>>
>>>> The problem is that it doesn't control the bandwidth at all; this IP uses
>>>> all the available bandwidth of the link...
>>>> When I run pftop there is traffic in these two queues, which is exactly
>>>> from this IP... but it doesn't hold the bandwidth back..
>>>>
>>>> What could I be doing wrong?
>>>>
>>>> I use FreeBSD 6.2-RELEASE
>>>>
>>>> Thanks
>>>> -------------------------
>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>
>>> It does work.
>>> Check the list archive and you will find an e-mail of mine
>>> with examples.
>>>
>>> Regards
>>>
> Try this:
> pass in (internal network interface) quick proto { tcp udp icmp } from
> x.x.x.x to any queue rede
>
> Regards
>

Hey, I tried that... no luck either. I'll send my whole pf.conf:

ext_if=fxp1
int_if=fxp0

set optimization normal
set block-policy drop
set loginterface fxp1
set loginterface fxp0
set debug misc
set skip on lo0

scrub in all
scrub out all

altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }

queue std bandwidth 128Kb priority 1 \
    cbq(default)
queue voip bandwidth 512Kb priority 7 \
    cbq(red ecn borrow)
queue email bandwidth 256Kb priority 2 \
    cbq(red ecn borrow)
queue rede bandwidth 512Kb priority 1 \
    cbq(red ecn)

rdr on $int_if proto tcp from $rede_1 to any port 80 -> localhost port 3128

block in on fxp1
block out on fxp1

pass out quick proto { tcp udp icmp } from x.x.x.x to any \
    queue rede
pass in quick proto { tcp udp icmp } from any to x.x.x.x \
    queue rede

If I add the rule our friend mentioned above, I can't even browse... and this way it doesn't control the bandwidth... that is, it doesn't hold the connection at 512K.

I'm almost going crazy and I can't solve this.. hehe
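
A small static check for the failure mode discussed in this thread, added here as an example and not written by any of the posters: it reads a pf.conf, lists the interfaces that have no altq declaration (traffic leaving through them is never queued), and flags queue names used in rules but never defined. The sample config is constructed, 10.0.0.5 is a placeholder address, and treating macros named *_if as the router's interfaces is an assumption.

```python
import re

# Constructed sample modelled on the failing pf.conf quoted in the thread:
# ALTQ is declared on the external interface only (10.0.0.5 is a placeholder).
SAMPLE = r"""
ext_if=fxp1
int_if=fxp0
altq on $ext_if cbq bandwidth 2Mb queue { std, rede }
queue std bandwidth 128Kb priority 1 \
    cbq(default)
queue rede bandwidth 512Kb priority 1 \
    cbq(red ecn)
pass out quick proto { tcp udp icmp } from 10.0.0.5 to any \
    queue rede
pass in quick proto { tcp udp icmp } from any to 10.0.0.5 \
    queue rede
"""

MACRO = re.compile(r'(\w+)\s*=\s*"?([^"\s{]+)"?$')   # simple name=value macros
ALTQ = re.compile(r"altq on (\S+)\s")                 # interface of an altq line
RULE_QUEUE = re.compile(r"\bqueue\s+\(?\s*(\w+)")     # queue named by a rule


def audit_altq(conf):
    """Report interfaces without ALTQ and queues used but never defined."""
    text = re.sub(r"\\[ \t]*\n", " ", conf)           # join "\" continuations
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    macros, altq_ifs, defined, used = {}, [], set(), set()
    for line in filter(None, lines):
        m = MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line.startswith("altq on "):
            name = ALTQ.match(line).group(1)
            altq_ifs.append(macros.get(name.lstrip("$"), name))
        elif line.startswith("queue "):
            defined.add(line.split()[1])
        elif line.startswith(("pass", "block")):
            used.update(RULE_QUEUE.findall(line))
    # Assumption: interface macros are named *_if, as in both configs above.
    unshaped = [v for k, v in macros.items()
                if k.endswith("_if") and v not in altq_ifs]
    return {"altq_on": altq_ifs,
            "no_altq": unshaped,          # traffic leaving here is not queued
            "undefined_queues": sorted(used - defined)}


if __name__ == "__main__":
    print(audit_altq(SAMPLE))
```

On the sample, `no_altq` names fxp0: downloads leave the router through the internal interface, where no queue exists to hold them.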