Date: Sun, 29 Nov 2009 10:20:11 -0500
From: "B. Cook" <bcook@poughkeepsieschools.org>
To: freebsd-pf@freebsd.org
Subject: trying to figure out how to altq single interface..
Message-ID: <4B12912B.6080900@poughkeepsieschools.org>
I'm trying to set up a valid test case on a single machine running FreeBSD 8.0R (amd64 and i386). Seems all of the pf/altq examples assume that FreeBSD is the router, and you are working with more than one interface. I am trying to shape my traffic on a per physical server basis on a *single* interface where the NAT is performed elsewhere.

I understand the logic that you can only queue outgoing. My goal is to have full bandwidth for the local network (interface speed) with ack priq if possible - and - have queues for services when the "not local network" users access them.

There are ASA devices further up the line from me which I have no control over; they are providing NAT.. we have a large private network (10.20.0.0/18) but we have some machines that serve the public as well as serve the LAN. (feel free to interject reality into my logic where need be.. )

Here is what I have come up with as far as altq/queues is concerned:

    pfctl -sq
    queue root_bge0 on bge0 bandwidth 1Mb priority 0 cbq( wrr root ) {idef, iack, http, dns, mua, icmp, smtp, ssh}
    queue idef on bge0 bandwidth 100Kb cbq( borrow default )
    queue iack on bge0 bandwidth 100Kb priority 7 cbq( borrow )
    queue http on bge0 bandwidth 800Kb priority 5 cbq( borrow )
    queue dns on bge0 bandwidth 200Kb priority 6 cbq( borrow )
    queue mua on bge0 bandwidth 800Kb priority 2 cbq( borrow )
    queue icmp on bge0 bandwidth 50Kb priority 6
    queue smtp on bge0 bandwidth 500Kb cbq( borrow )
    queue ssh on bge0 bandwidth 100Kb priority 6 cbq( borrow ) {scp, term}
    queue scp on bge0 bandwidth 80Kb priority 0
    queue term on bge0 bandwidth 20Kb priority 7

(or if it matters - directly from pf.conf.local)

    altq on $ext_if cbq bandwidth 1Mb queue { idef, iack, http, dns, mua, icmp, smtp, ssh }
    queue idef bandwidth 10% cbq(default borrow)
    queue iack bandwidth 10% cbq(borrow) priority 7
    queue http bandwidth 80% cbq(borrow) priority 5
    queue dns bandwidth 20% cbq(borrow) priority 6
    queue mua bandwidth 80% cbq(borrow) priority 2
    queue icmp bandwidth 5% priority 6
    queue smtp bandwidth 50% cbq(borrow) priority 1
    queue ssh bandwidth 10% cbq(borrow) priority 6 { scp, term }
    queue scp bandwidth 80% priority 0
    queue term bandwidth 20% priority 7

My question(s) are: When do I apply things to pass in and when do I apply to pass out? It seems when I don't apply a queue rule to a pass in/out rule the default kicks in, which is fine; but why does it 'queue on inbound' when it can only 'queue on outbound'? - is keeping state what is altering that?

    pfctl -sr | cat -n
         1 scrub in all no-df random-id fragment reassemble
         2 block return in log all
         3 block return in log quick from <blocksshd> to any
         4 pass out on bge0 inet proto icmp from (bge0) to any keep state queue icmp
         5 pass out on bge0 inet proto udp from (bge0) to any port = domain keep state queue dns
         6 pass out on bge0 inet proto udp from (bge0) to any port = ntp keep state queue dns
         7 pass out on bge0 inet proto udp from (bge0) to any port = snmp keep state queue dns
         8 pass out on bge0 inet proto tcp from (bge0) to any port = ssh flags S/SA keep state queue(scp, term)
         9 block drop in log quick on ! bge0 inet from 10.20.0.0/25 to any
        10 block drop in log quick inet from 10.20.0.5 to any
        11 block drop in log quick inet from 10.20.0.4 to any
        12 block drop in log quick inet from 10.20.0.19 to any
        13 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = domain keep state queue dns
        14 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = ntp keep state queue dns
        15 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = snmp keep state queue dns
        16 pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = syslog keep state queue dns
        17 pass in quick on bge0 inet proto udp from any to 10.20.0.19 port = domain keep state queue dns
        18 pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = smtp flags S/SA keep state
        19 pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = rsync flags S/SA keep state
        20 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = ssh flags S/SA keep state queue(scp, term)
        21 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = http flags S/SA keep state queue(http, iack)
        22 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = https flags S/SA keep state queue(http, iack)
        23 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2359 flags S/SA keep state queue(http, iack)
        24 pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = 2812 flags S/SA keep state queue(http, iack)
        25 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = domain keep state
        26 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = ntp keep state
        27 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = snmp keep state
        28 pass in quick on bge0 inet proto udp from 10.20.0.0/25 to (bge0) port = syslog keep state
        29 pass in quick on bge0 inet proto icmp from any to (bge0) icmp-type echoreq code 0 keep state

All of these rules might not quite be valid public services, but I was looking for real services that I could test with.

Also afaict FreeBSD 8 is running with (approximately) version 4.1 of OpenBSD's PF; is that correct? Assumed from pftop compile output of:

    cc -O2 -pipe -DHAVE_ALTQ=1 -fno-strict-aliasing -Wall -DOS_LEVEL=41 -std=gnu99 -fstack-protector -c pftop.c
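An added example, not part of the original post and not pf's own code: a small Python checker for the two things the post is working out. It re-derives the absolute bandwidths that `pfctl -sq` printed from the percent form in pf.conf.local (percentages are shares of the parent queue, so `scp 80%` under `ssh 10%` of 1Mb comes out as 80Kb), flags any parent whose children together claim more than the parent has (here the eight children of `bge0` add up to 2.65Mb of a 1Mb link; `borrow` lets an idle sibling's share be used, but shares that sum past the parent are not guarantees under contention), and for each `pass` rule says which traffic its `queue` assignment actually shapes. That last part answers the "why does it queue on inbound" question: PF stores the rule's queue in the state entry and ALTQ only dequeues on output, so a queue on a `pass in ... keep state` rule shapes the reply packets leaving the same interface. The sample config and the four rules are constructed from the post; the function names are my own.

```python
import re

# Constructed sample input: the altq section quoted in the post (percent form),
# and four representative pass rules from the post's ruleset.
ALTQ_CONF = """\
altq on bge0 cbq bandwidth 1Mb queue { idef, iack, http, dns, mua, icmp, smtp, ssh }
queue idef bandwidth 10% cbq(default borrow)
queue iack bandwidth 10% cbq(borrow) priority 7
queue http bandwidth 80% cbq(borrow) priority 5
queue dns bandwidth 20% cbq(borrow) priority 6
queue mua bandwidth 80% cbq(borrow) priority 2
queue icmp bandwidth 5% priority 6
queue smtp bandwidth 50% cbq(borrow) priority 1
queue ssh bandwidth 10% cbq(borrow) priority 6 { scp, term }
queue scp bandwidth 80% priority 0
queue term bandwidth 20% priority 7
"""

PASS_RULES = """\
pass out on bge0 inet proto icmp from (bge0) to any keep state queue icmp
pass in quick on bge0 inet proto udp from 10.20.0.0/23 to 10.20.0.4 port = domain keep state queue dns
pass in quick on bge0 inet proto tcp from any to 10.20.0.5 port = http flags S/SA keep state queue(http, iack)
pass in quick on bge0 inet proto tcp from 10.20.0.0/25 to (bge0) port = smtp flags S/SA keep state
"""

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def parse_bw(text, parent_bps):
    """Turn '1Mb', '100Kb' or '10%' (a share of the parent queue) into bits per second."""
    m = re.fullmatch(r"(\d+)(%|[KMG]?b)", text)
    if not m:
        raise ValueError(f"unparseable bandwidth {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    return parent_bps * n // 100 if unit == "%" else n * UNITS[unit]


def parse_altq(conf):
    """Return (root, decl, bps): the root queue name, {name: (bw_text, [children])},
    and every queue's bandwidth in bits/s with percentages resolved top-down."""
    root, decl = None, {}
    for line in conf.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "altq":        # altq on <if> <sched> bandwidth <bw> queue { ... }
            root = name = toks[2]
        elif toks[0] == "queue":     # queue <name> bandwidth <bw> ... [{ children }]
            name = toks[1]
        else:
            continue
        bw = toks[toks.index("bandwidth") + 1]
        children = []
        if "{" in line:
            inner = line[line.index("{") + 1:line.index("}")]
            children = [c.strip() for c in inner.split(",") if c.strip()]
        decl[name] = (bw, children)

    bps = {}

    def resolve(name, parent_bps):
        bw_text, children = decl[name]
        bps[name] = parse_bw(bw_text, parent_bps)
        for child in children:
            resolve(child, bps[name])

    resolve(root, 0)
    return root, decl, bps


def oversubscribed(conf):
    """Map each parent whose children claim more than it has to (children_sum_bps, parent_bps)."""
    _, decl, bps = parse_altq(conf)
    result = {}
    for name, (_, children) in decl.items():
        if children:
            total = sum(bps[c] for c in children)
            if total > bps[name]:
                result[name] = (total, bps[name])
    return result


def queue_assignments(rules):
    """For every pass rule carrying a queue, return (direction, iface, [queues], what_is_shaped).
    The queue is kept in the state entry and ALTQ only dequeues on output, so an inbound
    stateful rule's queue applies to the replies leaving the interface."""
    out = []
    for line in rules.splitlines():
        toks = line.split()
        if not toks or toks[0] != "pass":
            continue
        m = re.search(r"\bqueue\s*\(?\s*([\w, ]+?)\s*\)?\s*$", line)
        if not m:
            continue
        queues = [q.strip() for q in m.group(1).split(",")]
        direction, iface = toks[1], toks[toks.index("on") + 1]
        if direction == "out":
            shaped = "packets matching the rule as they leave " + iface
        elif "keep state" in line:
            shaped = "reply packets of the state as they leave " + iface
        else:
            shaped = "only the inbound packet is tagged; replies are matched by the ruleset afresh"
        out.append((direction, iface, queues, shaped))
    return out


if __name__ == "__main__":
    for parent, (total, have) in oversubscribed(ALTQ_CONF).items():
        print(f"{parent}: children claim {total / 1e6:.2f} Mb of {have / 1e6:.2f} Mb")
    for direction, iface, queues, shaped in queue_assignments(PASS_RULES):
        print(f"pass {direction} on {iface} queue {queues}: shapes {shaped}")
```

Running it on the post's numbers prints the 2.65Mb-of-1Mb oversubscription for `bge0` and, for the `pass in ... keep state queue(http, iack)` rule, that the queue shapes the HTTP replies leaving bge0, which is the behaviour the post observed.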