Packet filter out of control upload traffic example rules

goose bla goosefreebsd at zoznam.sk
Thu Jan 27 03:56:31 PST 2005


Hi,

Please, can you check my PF rules for shaping? My idea was to shape P2P and
unimportant traffic and give higher priority to important traffic.

Download is working perfectly: if there is very big P2P download traffic and
somebody wants to go to the www, the www page downloads very fast.

But upload is set to 180Kbit/s and it's working on the full link. I don't know
why.

I have been using IPFW until now, but there was the same problem. Traffic from
the Internet to the network worked fine, but traffic from us to the Internet was out of control.

I read that traffic can be shaped only in one direction per interface, so I must
shape download traffic on one (external) interface and upload traffic on another
(internal) interface. But I don't understand why.
Well, I have set pass rules for packets to size rules, and size rules define
what will happen to the packet (drop, pass).
So why can't I define download and upload traffic on the same interface?

The next problem is, if I shut down IPNAT, the rdr and NAT rules are not working.
I think I have rules without format mistakes.

Thank you for your help.

ext="xl0"
int="fxp0"

ext_IP="{111.111.111.111}"
ext_net="{111.111.111.111/29}"

intIP1="{10.1.0.1}"
intIP2="{10.2.0.1}"
intIP192="{192.168.1.1}"
intIP101="{10.1.1.1}"

int_net1="{10.1.0.0/24}"
int_net2="{10.2.0.0/24}"
int_net101="{10.1.1.0/24}"
int_net192="{192.168.1.0/24}"

ip1="{192.168.1.3}"
ip2="{192.168.1.2}"

# queueing
# All queues hang off the internal interface; altq shapes packets as they
# leave that interface, i.e. only the download direction towards the LAN.
altq on $int hfsc bandwidth 4Mb queue { skuska, zbyt }

queue skuska { dnu, von }

    # "dnu" (in): traffic delivered into the LAN
    queue dnu hfsc { vnut_net_in, von_in }
        queue vnut_net_in bandwidth 1Mb hfsc (ecn, upperlimit 1Mb)
        # child list must stay on the same line as the queue definition
        queue von_in bandwidth 512Kb hfsc (ecn, upperlimit 480Kb) { spec_ip_in, ijur_in }
            queue spec_ip_in bandwidth 480Kb hfsc (linkshare (80% 60000 50%))
            queue ijur_in hfsc { top_in, special_port_in, normal_port_in, block_port_in, stupid_pc_in }
                queue top_in hfsc (linkshare (10% 5000 32Kb))
                queue special_port_in hfsc (linkshare (10% 5000 32Kb))
                queue normal_port_in hfsc (linkshare (50% 3000 16Kb))
                queue block_port_in hfsc (linkshare (1% 1000 1Kb))
                queue stupid_pc_in hfsc (linkshare (1% 1000 1Kb))

    # "von" (out): traffic originating in the LAN
    queue von hfsc { vnut_net_out, von_out }
        queue vnut_net_out bandwidth 1Mb hfsc (ecn, upperlimit 1Mb)
        queue von_out bandwidth 512Kb hfsc (ecn, upperlimit 180Kb) { spec_ip_out, ijur_out }
            queue spec_ip_out hfsc (linkshare (80% 60000 50%))
            queue ijur_out hfsc { top_out, spec_port_out, normal_port_out, block_port_out, stupid_pc_out }
                queue top_out hfsc (linkshare (10% 5000 32Kb))
                queue spec_port_out hfsc (linkshare (10% 5000 32Kb))
                queue normal_port_out hfsc (linkshare (50% 3000 16Kb))
                queue block_port_out hfsc (linkshare (1% 1000 1Kb))
                queue stupid_pc_out hfsc (linkshare (1% 1000 1Kb))

queue zbyt bandwidth 1Kb hfsc(default)

# NAT outbound
# every source needs its netmask: a bare "10.2.0.0" matches only that one address
nat on $ext from $int_net1 to any -> $ext_IP
nat on $ext from $int_net2 to any -> $ext_IP
nat on $ext from $int_net192 to any -> $ext_IP
nat on $ext from $int_net101 to any -> $ext_IP

# port forwarding
# pc1
rdr on $ext proto tcp from any to $ext port 3333 -> $ip1 port 3333
rdr on $ext proto tcp from any to $ext port 2222 -> $ip1 port 2222
rdr on $ext proto tcp from any to $ext port 2233 -> $ip1 port 2233
rdr on $ext proto {tcp udp} from any to $ext port 3322 -> $ip1 port 3322

# pc2
rdr on $ext proto tcp from any to $ext port 4421 -> $ip2 port 4421
rdr on $ext proto tcp from any to $ext port 4433 -> $ip2 port 4433
rdr on $ext proto tcp from any to $ext port 4455 -> $ip2 port 4455
rdr on $ext proto {tcp udp} from any to $ext port 5555 -> $ip2 port 5555

# queue names must match the definitions above (spec_ip_*, not special_ip_*)
pass out quick on $int from any to 10.1.1.10 keep state queue spec_ip_in
pass in quick on $int from 10.1.1.10 to any keep state queue spec_ip_out

pass out quick on $int from 10.1.1.0/24 to 10.1.0.0/24 keep state queue vnut_net_in
pass in quick on $int from 10.1.0.0/24 to 10.1.1.0/24 keep state queue vnut_net_out
pass out quick on $int from 10.1.1.0/24 to 10.2.0.0/24 keep state queue vnut_net_in
pass in quick on $int from 10.2.0.0/24 to 10.1.1.0/24 keep state queue vnut_net_out

pass out quick on $int proto {tcp udp} from any port {22 23} to any keep state queue top_in
pass in quick on $int proto {tcp udp} from any to any port {22 23} keep state queue top_out
pass out quick on $int proto {tcp udp} from any to any port {2493 2498 2021 2023 2080 3021 3023 3080} keep state queue spec_ip_in
pass in quick on $int proto {tcp udp} from any port {2493 2498 2021 2023 2080 3021 3023 3080} to any keep state queue spec_ip_out
pass out quick on $int proto {tcp udp} from any port {80 5190 21 25 110 443 465 993 995 9000 27030} to any keep state queue normal_port_in
pass in quick on $int proto {tcp udp} from any to any port {80 5190 21 25 110 443 465 993 995 9000 27030} keep state queue normal_port_out

# host-specific rules go before the catch-all: with "quick" the first match
# wins, so placed after it they would never be reached
pass out quick on $int proto {tcp udp} from any to 10.1.1.40 keep state queue stupid_pc_in
pass in quick on $int proto {tcp udp} from 10.1.1.40 to any keep state queue stupid_pc_out

# catch-all for everything else (P2P and the rest)
pass out quick on $int proto {tcp udp} from any to any keep state queue block_port_in
pass in quick on $int proto {tcp udp} from any to any keep state queue block_port_out
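As an added example (not from the post, and not a pf or pfctl tool), the small checker below, a hypothetical helper written for this page, reads a pf.conf text and reports the two queueing problems visible in the ruleset above: filter rules that reference a queue name no `queue` line defines, and `pass in on X ... queue Q` rules on an interface that is the only one carrying `altq`, where the assignment shapes nothing because altq acts on packets as they leave that interface. Both embedded configurations are constructed: the "broken" one mirrors the layout of the posted ruleset, and the "fixed" one is an assumed corrected layout with download queues on the inside interface, upload queues on the outside interface, and the LAN host's outbound flows handed to the outside queue with `tag`/`tagged`.

```python
"""Static check for two pf.conf queueing pitfalls (hypothetical helper, not part of pf).

1. A filter rule assigns a queue name that no 'queue' line defines.
2. A 'pass in on X ... queue Q' rule on the only interface carrying altq:
   altq shapes packets as they leave that interface, so such a queue
   assignment never shapes anything (the packet leaves via another interface).
"""
import re
from typing import Dict, List, Set, Tuple

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
ALTQ_RE = re.compile(r'^altq\s+on\s+(\S+)')
QUEUE_DEF_RE = re.compile(r'^queue\s+(\w+)')
RULE_RE = re.compile(r'^(pass|block)\s+(in|out)\b.*?\bon\s+(\S+).*?\bqueue\s+(\w+)')


def expand_macros(line: str, macros: Dict[str, str]) -> str:
    """Substitute $name with its macro value, as pfctl does textually."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def lint_queues(conf: str) -> List[str]:
    """Return a list of warning strings for the pf.conf text in `conf`."""
    macros: Dict[str, str] = {}
    altq_ifaces: Set[str] = set()
    defined: Set[str] = set()
    rules: List[Tuple[int, str, str, str]] = []   # (line, direction, iface, queue)

    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = expand_macros(line, macros)
        m = ALTQ_RE.match(line)
        if m:
            altq_ifaces.add(m.group(1))
            continue
        m = QUEUE_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((lineno, m.group(2), m.group(3), m.group(4)))

    warnings: List[str] = []
    for lineno, direction, iface, queue in rules:
        if queue not in defined:
            warnings.append(f"line {lineno}: queue '{queue}' is referenced but never defined")
        if direction == "in" and altq_ifaces == {iface}:
            warnings.append(
                f"line {lineno}: 'pass in on {iface} ... queue {queue}' shapes nothing: "
                f"altq on {iface} only acts on packets leaving {iface}, and this traffic "
                f"leaves on an interface without altq")
    return warnings


# Constructed sample mirroring the posted layout: one altq on the inside
# interface, upload queues assigned from "pass in" rules, and rules that use
# queue names (special_ip_*) that differ from the definitions (spec_ip_*).
BROKEN_CONF = """\
ext="xl0"
int="fxp0"
altq on $int hfsc bandwidth 4Mb queue { dnu, von }
queue dnu bandwidth 2Mb hfsc { spec_ip_in }
queue spec_ip_in bandwidth 480Kb hfsc
queue von bandwidth 2Mb hfsc { spec_ip_out }
queue spec_ip_out bandwidth 180Kb hfsc(default)
pass out quick on $int from any to 10.1.1.10 keep state queue special_ip_in
pass in quick on $int from 10.1.1.10 to any keep state queue special_ip_out
"""

# Constructed corrected layout (an assumption, not from the post): download
# queues on the inside interface, upload queues on the outside interface,
# and the LAN host's outbound flows handed to the outside queue via a tag.
FIXED_CONF = """\
ext="xl0"
int="fxp0"
altq on $int hfsc bandwidth 4Mb queue { spec_ip_in, lan_rest }
queue spec_ip_in bandwidth 480Kb hfsc
queue lan_rest bandwidth 1Kb hfsc(default)
altq on $ext hfsc bandwidth 512Kb queue { spec_ip_out, wan_rest }
queue spec_ip_out bandwidth 180Kb hfsc
queue wan_rest bandwidth 1Kb hfsc(default)
pass out quick on $int from any to 10.1.1.10 keep state queue spec_ip_in
pass in quick on $int from 10.1.1.10 to any keep state tag SPEC_HOST
pass out quick on $ext tagged SPEC_HOST keep state queue spec_ip_out
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for w in lint_queues(conf) or ["no warnings"]:
            print(w)
```

`pfctl -nf /etc/pf.conf` remains the authoritative syntax check, but it accepts the second pitfall because a queue assignment on an inbound rule is syntactically valid; the checker only covers one-line statements and the `pass`/`block` rule forms used in the post.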

