Hi all,
I have a problem with altq on OpenBSD 4.4 firewall, but I can not be properly
understood how altq works. I need to guarantee 80% bandwidth to http, smtp, etc
(not udp services) of my DSL line. And the rest of this bandwidth to use for
udp
or other protocols. Of course, if any udp service is requested, I would like to
use all bandwidth for tcp, but first I will know how to fix tcp outgoing
traffic
to 80% of bandwidth.
I am doing several tests like download and iso image file from public http
server and this action consumes all of bandwidth. And i don't understand why. I
have tested rules using hfsc and cbq and all results are the same. Every tcp or
udp service consumes all bandwidth.
I have attached my pf.conf
Many thanks to all and sorry for my poor english.
--
CL Martinez
carlopmart {at} gmail {d0t} com
# $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
lo_if = "lo0"
ext_if = "em2"
lan_if = "em0"
honey_if = "vlan15"
sync_if = "em3"
mgmt_if = "vlan45"
ipsec_if = "vlan25"
vpn_if = "vlan35"
carpext_if = "carp2"
prodlan = "172.25.50.0/27"
pfsynclan = "172.25.85.0/30"
honeylan = "172.25.75.0/29"
ipseclan = "172.25.55.0/29"
vpnlan = "192.168.100.64/29"
mgmtlan = "172.25.65.0/28"
thranduil = "172.25.50.10"
santgraal = "172.25.50.11"
parsifal = "172.25.50.12"
savannah = "172.25.50.28"
imrahil = "172.25.50.29"
minastirith = "172.25.50.30"
mithlond = "172.25.65.6"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
bruteforce_ssh = "(max-src-conn 10, max-src-conn-rate 3/3, overload
<SSH_Abusive_Hosts> flush global)"
table <Internal_Networks> const { $prodlan $honeylan $ipseclan $vpnlan $mgmtlan
}
table <All_Internal_Networks> const { $prodlan $pfsynclan $honeylan $ipseclan
$vpnlan $mgmtlan }
table <RhelClients> const { $thranduil $parsifal $savannah }
table <Management_Servers> const { $mithlond }
table <WindowsServers> const { $imrahil $minastirith }
table <DShield> persist file "/etc/fwtables/dshield"
set skip on $lo_if
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization profile
set loginterface $ext_if
scrub on $ext_if reassemble tcp
scrub in on $ext_if all min-ttl 2
scrub out on $ext_if all no-df random-id max-mss 1440
altq on $ext_if bandwidth 310Kb hfsc queue { q_tcp, q_def, q_udp }
queue q_tcp bandwidth 80% priority 2 qlimit 100 hfsc (realtime 65%
upperlimit 80%)
queue q_udp bandwidth 17% priority 3 qlimit 100 hfsc (realtime 15%
upperlimit 17%)
queue q_def bandwidth 3% priority 1 qlimit 100 hfsc (upperlimit 10%
default)
nat on egress inet from <Internal_Networks> to ! <All_Internal_Networks> ->
($carpext_if:0) port 1024:65535
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $lan_if inet proto tcp from $savannah to ! <All_Internal_Networks>
port ftp -> 127.0.0.1 port 8021
no rdr
block drop log all label "Traffic Denied"
block drop in from no-route to any label "Traffic Denied"
block quick inet6 all label "IPV6 Traffic Denied"
antispoof quick for { $lo_if $lan_if $honey_if $sync_if $mgmt_if $ipsec_if
$vpn_if } inet label "AntiSpoofing Rule"
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick log on { $ext_if $lan_if $honey_if $mgmt_if $ipsec_if $vpn_if }
proto carp keep state (no-sync)
block in quick on egress inet proto tcp from any to any flags /S label "Traffic
Denied"
block in quick on egress inet proto tcp from any to any flags /SFRA label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags /SFRAU label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags A/A label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags F/SFRA label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags U/SFRAU label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SF/SF label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SF/SFRA label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SR/SR label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags FUP/FUP label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags FUP/SFRAUPEW
label "Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SFRAU/SFRAU label
"Traffic Denied"
block in quick on egress inet proto tcp from any to any flags SFRAUP/SFRAUP
label "Traffic Denied"
block in log quick on egress from <Dshield> label "DShield BlackList"
block log quick from <SSH_Abusive_Hosts> label "SSH Abusive Hosts"
anchor "ftp-proxy/*"
pass out quick on $lan_if inet proto udp from $lan_if to $thranduil port domain
$ks
pass in quick log on $lan_if inet proto tcp from $savannah to $lan_if port ssh
flags S/SA $ks \
$bruteforce_ssh tag admin_rule label "Administration Rule"
pass in quick log on $lan_if inet proto tcp from $savannah to { $mgmtlan
$honeylan $vpnlan } port ssh flags S/SA $ks \
$bruteforce_ssh tag admin_rule label "Administration Rule"
pass in quick on $lan_if inet from $savannah to $mgmtlan tag admin_rule
pass in on $lan_if inet proto udp from $thranduil to ! <All_Internal_Networks>
port domain $ks tag prodlan_to_inet
pass in on $lan_if inet proto udp from $parsifal to ! <All_Internal_Networks>
port ntp $ks tag prodlan_to_inet
pass in on $lan_if inet proto tcp from <RhelClients> to $mithlond port http
flags S/SA $ks tag prodlan_to_mgmtlan
pass in on $lan_if inet proto tcp from $prodlan to ! <All_Internal_Networks>
port smtp flags S/SA $ks tag prodlan_to_inet
pass in on $lan_if inet from $savannah to ! <All_Internal_Networks> flags S/SA
$ks tag prodlan_to_inet
pass out on $lan_if tagged mgmtlan_to_inet
pass in on $mgmt_if inet proto udp from <Management_Servers> to $thranduil port
domain $ks tag mgmtlan_to_inet
pass in on $mgmt_if inet proto udp from <Management_Servers> to $parsifal port
ntp $ks tag mgmtlan_to_inet
pass in on $mgmt_if inet proto tcp from $mithlond to ! <All_Internal_Networks>
port { https rsync } flags S/SA $ms tag mgmtlan_to_inet
pass in on $mgmt_if inet proto tcp from $mgmtlan to ! <All_Internal_Networks>
port smtp flags S/SA $ks tag mgmtlan_to_inet
pass out on $mgmt_if tagged admin_rule
pass out on $mgmt_if tagged prodlan_to_mgmtlan
pass out on $vpn_if tagged admin_rule
pass out quick on egress inet proto tcp from $ext_if to ! <Internal_Networks>
port { http smtp ssh } flags S/SA $ms tag fw_to_inet
pass out quick on egress inet proto udp from $ext_if to ! <Internal_Networks>
port ntp tag fw_to_inet
pass out on egress tagged prodlan_to_inet queue q_def
pass out on egress proto tcp tagged prodlan_to_inet queue (q_def,q_tcp)
pass out on egress proto udp tagged prodlan_to_inet queue q_udp
pass out on egress tagged mgmtlan_to_inet queue q_def
pass out on egress proto tcp tagged mgmtlan_to_inet queue (q_def, q_ack)
pass out on egress proto udp tagged mgmtlan_to_inet queue q_udp
pass out on egress proto tcp tag ftp_proxy queue q_tcp
block proto igmp all label "IGMP Traffic Denied"
block inet proto { tcp udp } from any to any port { epmap netbios-ns
netbios-dgm netbios-ssn } label "No Audit Traffic"
