trying to figure out how to altq single interface..
B. Cook
bcook at poughkeepsieschools.org
Sun Nov 29 16:05:41 UTC 2009
I'm trying to set up a valid test case on a single machine running
FreeBSD 8.0R (amd64 and i386).
Seems all of the pf/altq examples assume that FreeBSD is the router and
you are working with more than one interface.
I am trying to shape my traffic on a per-physical-server basis on a
*single* interface where the NAT is performed elsewhere.
I understand the logic that you can only queue outgoing.
My goal is to have full bandwidth for the local network (interface
speed) with ack priq if possible - and - have queues for services when
the "not local network" users access them.
There are ASA devices further up the line from me which I have no
control over; they are providing NAT.
We have a large private network (10.20.0.0/18), but we have some machines
that serve the public as well as the LAN.
(Feel free to interject reality into my logic where need be.)
Here is what I have come up with as far as altq/queues are concerned:
pfctl -sq
queue root_bge0 on bge0 bandwidth 1Mb priority 0 cbq( wrr root ) {idef, iack, http, dns, mua, icmp, smtp, ssh}
queue idef on bge0 bandwidth 100Kb cbq( borrow default )
queue iack on bge0 bandwidth 100Kb priority 7 cbq( borrow )
queue http on bge0 bandwidth 800Kb priority 5 cbq( borrow )
queue dns on bge0 bandwidth 200Kb priority 6 cbq( borrow )
queue mua on bge0 bandwidth 800Kb priority 2 cbq( borrow )
queue icmp on bge0 bandwidth 50Kb priority 6
queue smtp on bge0 bandwidth 500Kb cbq( borrow )
queue ssh on bge0 bandwidth 100Kb priority 6 cbq( borrow ) {scp, term}
queue scp on bge0 bandwidth 80Kb priority 0
queue term on bge0 bandwidth 20Kb priority 7
(or, if it matters, directly from pf.conf.local)
altq on $ext_if cbq bandwidth 1Mb queue { idef, iack, http, dns, mua, icmp, smtp, ssh }
queue idef bandwidth 10% cbq(default borrow)
queue iack bandwidth 10% cbq(borrow) priority 7
queue http bandwidth 80% cbq(borrow) priority 5
queue dns bandwidth 20% cbq(borrow) priority 6
queue mua bandwidth 80% cbq(borrow) priority 2
queue icmp bandwidth 5% priority 6
queue smtp bandwidth 50% cbq(borrow) priority 1
queue ssh bandwidth 10% cbq(borrow) priority 6 { scp, term }
queue scp bandwidth 80% priority 0
queue term bandwidth 20% priority 7
My question(s) are:
When do I apply things to pass in, and when do I apply to pass out?
It seems that when I don't apply a queue to a pass in/out rule the
default kicks in, which is fine; but why does it 'queue on inbound' when
it can only 'queue on outbound'? Is keeping state what is altering that?
pfctl -sr | cat -n
1 scrub in all no-df random-id fragment reassemble
2 block return in log all
3 block return in log quick from <blocksshd> to any
4 pass out on bge0 inet proto icmp from (bge0) to any keep state queue icmp
5 pass out on bge0 inet proto udp from (bge0) to any port = domain keep state queue dns
6 pass out on bge0 inet proto udp from (bge0) to any port = ntp keep state queue dns
7 pass out on bge0 inet proto udp from (bge0) to any port = snmp keep state queue dns
8 pass out on bge0 inet proto tcp from (bge0) to any port = ssh flags S/SA keep state queue(scp, term)
9 block drop in log quick on ! bge0 inet from 10.20.0.0/25 to any
10 block drop in log quick inet from 10.20.0.5 to any
11 block drop in log quick inet from 10.20.0.4 to any
12 block drop in log quick inet from 10.20.0.19 to any
13 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = domain keep state queue dns
14 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = ntp keep state queue dns
15 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = snmp keep state queue dns
16 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = syslog keep state queue dns
17 pass in quick on bge0 inet proto udp from any to 10.20.0.19 port = domain keep state queue dns
18 pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = smtp flags S/SA keep state
19 pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = rsync flags S/SA keep state
20 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = ssh flags S/SA keep state queue(scp, term)
21 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = http flags S/SA keep state queue(http, iack)
22 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = https flags S/SA keep state queue(http, iack)
23 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2359 flags S/SA keep state queue(http, iack)
24 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2812 flags S/SA keep state queue(http, iack)
25 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = domain keep state
26 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = ntp keep state
27 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = snmp keep state
28 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = syslog keep state
29 pass in quick on bge0 inet proto icmp from any to (bge0) icmp-type echoreq code 0 keep state
All of these rules might not quite be valid public services, but I was
looking for real services that I could test with.
Also, AFAICT FreeBSD 8 is running with (approximately) version 4.1 of
OpenBSD's PF; is that correct? Assumed from pftop compile output of:
cc -O2 -pipe -DHAVE_ALTQ=1 -fno-strict-aliasing -Wall -DOS_LEVEL=41 -std=gnu99 -fstack-protector -c pftop.c
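An added example, not part of the post above and not the poster's configuration, showing one way to lay out the same idea for a single-interface server: a CBQ root at interface speed split into a "lan" subtree (replies to 10.20.0.0/18) and a "public" subtree sized to the assumed upstream link, with ACK-only packets given their own priority queue. The interface name bge0, the 100Mb interface speed, the 1Mb upstream figure and the set of services are assumptions for the example; child bandwidths are kept within their parent's, which is what CBQ expects. The comments on the pass rules state how pf actually applies queues: ALTQ only queues packets leaving the interface, and the queue named on a pass in rule that keeps state is stored in the state entry and applied to that connection's reply packets on their way out, which is why a queue on a pass in rule appears to "queue inbound".

```pf
# Added example (not from the original post).  Single-interface server,
# NAT done upstream by someone else.  Assumptions: interface bge0 at
# 100Mb, LAN 10.20.0.0/18, upstream link 1Mb, services http/https/dns/ssh.
ext_if  = "bge0"
lan_net = "10.20.0.0/18"

# One CBQ root at interface speed.  Children never add up to more than
# their parent: 99Mb + 1Mb under the root, 100% under each subtree.
altq on $ext_if cbq bandwidth 100Mb queue { lan, public }

# Replies to LAN hosts: effectively the whole interface, empty ACKs first.
queue lan bandwidth 99Mb cbq(borrow) { lan_bulk, lan_ack }
  queue lan_bulk bandwidth 90% cbq(default borrow)
  queue lan_ack  bandwidth 10% priority 7 cbq(borrow)

# Replies to non-LAN clients: the assumed 1Mb upstream link is the real
# constraint, so this subtree is what actually shapes anything.
queue public bandwidth 1Mb { pub_def, pub_ack, pub_http, pub_dns, pub_ssh }
  queue pub_def  bandwidth 10% cbq(borrow)
  queue pub_ack  bandwidth 10% priority 7 cbq(borrow)
  queue pub_http bandwidth 50% priority 5 cbq(borrow)
  queue pub_dns  bandwidth 20% priority 6 cbq(borrow)
  queue pub_ssh  bandwidth 10% priority 6 cbq(borrow)

scrub in all no-df random-id fragment reassemble
block return in log all

# Services this host offers.  ALTQ cannot shape the packet arriving on
# $ext_if; the queue named here is recorded in the state created by the
# first packet and applied to the replies that leave $ext_if for that
# connection.  In queue(a, b), b takes TCP packets with no payload (empty
# ACKs) and packets with the lowdelay TOS bit; everything else goes to a.

# LAN clients first (quick), so their replies land in the lan subtree.
pass in quick on $ext_if proto tcp from $lan_net to ($ext_if) \
    port { http, https, ssh } flags S/SA keep state queue(lan_bulk, lan_ack)
pass in quick on $ext_if proto udp from $lan_net to ($ext_if) \
    port domain keep state queue(lan_bulk, lan_ack)

# Everyone else (the quick rules above already took the LAN): replies are
# shaped inside the 1Mb public subtree.
pass in quick on $ext_if proto tcp from any to ($ext_if) \
    port { http, https } flags S/SA keep state queue(pub_http, pub_ack)
pass in quick on $ext_if proto tcp from any to ($ext_if) \
    port ssh flags S/SA keep state queue(pub_ssh, pub_ack)
pass in quick on $ext_if proto udp from any to ($ext_if) \
    port domain keep state queue pub_dns

# Traffic this host originates (resolver lookups, outbound mail, updates)
# is matched by pass out rules, because its first packet leaves $ext_if.
# quick on both, LAN first: with last-match semantics the "to any" rule
# would otherwise win for LAN destinations too.
pass out quick on $ext_if from ($ext_if) to $lan_net \
    keep state queue(lan_bulk, lan_ack)
pass out quick on $ext_if from ($ext_if) to any \
    keep state queue(pub_def, pub_ack)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -vsq` while generating traffic from a LAN host and from outside: the pkts/bytes counters show which queue each direction's replies actually landed in. Packets that match no pass out rule fall into the cbq default queue (lan_bulk here), so keep the pass out rules broad enough to cover everything the host sends.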