pf

Angel Todorov angel.todorov at i-u.de
Fri Jul 18 10:37:31 PDT 2003


Sorry guys, this was for the Bulgarian FreeBSD stable list.

I am very sorry for this *spam* again :)

regards,
Angel


----- Original Message -----
From: "Bosko Milekic" <bmilekic at technokratis.com>
To: "Angel Todorov" <atodorov at acm.org>
Cc: <stable at freebsd.org>
Sent: Friday, July 18, 2003 3:39 PM
Subject: Re: pf


>
> Sheesh.  This is an English forum, but here's my feeble attempt to
> translate (I don't know what language this is, but it appears to have
> some slavic-rooted words):
>
> On Fri, Jul 18, 2003 at 05:19:01PM +0200, Angel Todorov wrote:
> > hey, I have a pf conf here but it plays a lot of tricks: once it is
> > loaded, the first thing it does is drop packets, time out on the
> > servers and so on.. and the speed is very slow. See if anyone can spot
> > a general mistake and reply :) even though it is not FreeBSD-specific
> > :P I didn't write it and I'm not too familiar with pf, so if anyone can
> > help, they're welcome :) btw it could also be something in those
> > options like set timeout and optimization :]
>
>  "I have a pf configuration file, something something drops packets,
>  times out servers and so on.... and the speed is very something.  See
>  if you can find where the general mistake is and reply.  I [think] this
>  may not be totally freebsd-specific, but if someone knows the answer,
>  you're welcome to help me out.  By the way, if you also know [I think]
>  something about the set timeout options or optimisations, let me know."
>
>  Now that we know roughly what he wants... anyone? :-)
>
>
>
> > # Macros: define common values, so they can be referenced and changed easily.
> > extif="fxp1"    # replace with actual external interface name i.e., dc0
> > intif="fxp0"    # replace with actual internal interface name i.e., dc1
> > internal_net="172.16.0.0/16"
> > external_addr="192.168.173.34"
> >
> > loif="lo0"
> >
> > set timeout { interval 30, frag 10 }
> > set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> > set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> > set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> > set timeout { icmp.first 20, icmp.error 10 }
> > set timeout { other.first 60, other.single 30, other.multiple 60 }
> > set limit { states 10000, frags 5000 }
> > set optimization normal
> > #set block-policy drop
> > #set require-order yes
> >
> >
> > ############ SHAPING goes here ###############################
> >
> > altq on $intif cbq bandwidth 100Mb queue {etherdown, downstream}
> >
> >
> > queue etherdown bandwidth 96% cbq(default)
> > queue downstream bandwidth 4% cbq
> >
> > altq on $extif cbq bandwidth 100Mb queue { etherup, upstream}
> >
> > queue etherup bandwidth 99Mb cbq(default)
> > queue upstream bandwidth 386Kb  cbq
> >
> >
> > pass in quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherdown
> > pass out quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherup
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 80 keep state queue downstream
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 53 keep state queue downstream
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue downstream
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 5190 queue downstream
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 443 queue downstream
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 4000 queue downstream
> > pass in on $intif proto tcp from 172.16.0.0/16 to any port 25 queue downstream
> > pass in on $intif proto icmp from 172.16.0.0/16 to any queue downstream
> > pass in on $intif proto udp from 172.16.0.0/16 to any port 80 queue downstream
> > pass in on $intif proto udp from 172.16.0.0/16 to any port 53 queue downstream
> >
> >
> > ### manage upstream here
> >
> > pass out quick on $extif from 172.16.0.0/16 to 172.17.0.0/16 queue etherup
> > pass out quick on $extif from 172.16.0.0/16 to 172.20.0.0/16 queue etherup
> > pass out on $extif proto tcp from 172.16.0.0/16 to any port 80 keep state queue upstream
> > pass out on $extif proto tcp from 172.16.0.0/16 to any port 53 keep state queue upstream
> > pass out on $extif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue upstream
> > pass out on $extif proto tcp from 172.16.0.0/16 to any port 443 queue upstream
> > pass out on $extif proto tcp from 172.16.0.0/16 to any port 4000 queue upstream
> > pass out on $extif proto tcp from 172.16.0.0/16 to any port 25 queue upstream
> >
> > pass out on $extif proto udp from 172.16.0.0/16 to any port 53 queue upstream
> > pass out on $extif proto udp from 172.16.0.0/16 to any port 80 queue upstream
> > pass out on $extif proto icmp from 172.16.0.0/16 to any queue upstream
>
> --
> Bosko Milekic  *  bmilekic at technokratis.com  *  bmilekic at FreeBSD.org
> TECHNOkRATIS Consulting Services  *  http://www.technokratis.com/
>
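A static check, added here as an example and not part of the thread or of pf itself, that reads a pf.conf like the one quoted above and flags two ways a queue assignment can silently do nothing: a rule naming a queue that is not attached (via altq on) to the rule's own interface, and an inbound rule that assigns a queue without keep state. It assumes the pf.conf(5) behaviour that ALTQ queues shape only packets leaving the interface they are attached to, so an inbound packet's queue tag reaches the replies going back out only through a state entry; the ruleset excerpt is constructed from the quoted configuration.

```python
import re
# Constructed excerpt of the pf.conf quoted above (macros, altq/queue definitions and some rules).
PF_CONF = """
extif="fxp1"
intif="fxp0"
altq on $intif cbq bandwidth 100Mb queue {etherdown, downstream}
queue etherdown bandwidth 96% cbq(default)
queue downstream bandwidth 4% cbq
altq on $extif cbq bandwidth 100Mb queue { etherup, upstream}
queue etherup bandwidth 99Mb cbq(default)
queue upstream bandwidth 386Kb  cbq
pass in quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherdown
pass out quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherup
pass in on $intif proto tcp from 172.16.0.0/16 to any port 80 keep state queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 443 queue downstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 80 keep state queue upstream
"""

MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')
ALTQ_RE = re.compile(r'^altq on (\S+) .*?queue\s*\{([^}]*)\}')
RULE_RE = re.compile(r'^(?:pass|block)\s+(in|out)\b.*?\bon\s+(\S+)(.*)$')

def lint_queues(conf):
    """Return (rule, problem) pairs for queue assignments altq cannot honour."""
    macros, queues_on, problems = {}, {}, []
    lines = [x for x in (l.split('#', 1)[0].strip() for l in conf.splitlines()) if x]
    for line in lines:                       # pass 1: macros ($intif -> fxp0)
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    expand = lambda tok: macros.get(tok[1:], tok) if tok.startswith('$') else tok
    for line in lines:                       # pass 2: which queues are attached to which interface
        m = ALTQ_RE.match(line)
        if m:
            names = (q.strip() for q in m.group(2).split(','))
            queues_on.setdefault(expand(m.group(1)), set()).update(n for n in names if n)
    for line in lines:                       # pass 3: check every rule that names a queue
        m = RULE_RE.match(line)
        q = re.search(r'\bqueue\s+(\w+)', m.group(3)) if m else None
        if not q:
            continue
        direction, ifname, qname = m.group(1), expand(m.group(2)), q.group(1)
        if qname not in queues_on.get(ifname, set()):
            # a queue only shapes packets leaving the interface it is attached to
            problems.append((line, 'queue %s is not defined on %s' % (qname, ifname)))
        elif direction == 'in' and not re.search(r'(keep|modulate) state', m.group(3)):
            # with no state entry the tag never reaches the replies leaving this interface
            problems.append((line, 'inbound rule queues without keep state'))
    return problems
```

Running it on the excerpt reports the LAN-to-LAN out rule on $intif that names etherup (attached to $extif) and the two stateless inbound rules, while the keep state rules pass clean.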