16th May 2008
maurobottone
Real Name: Mauro Bottone
Join Date: May 2008
Location: Aversa, IT
Posts: 24
bandwidth management problem...

After reading the OpenBSD ALTQ howto, I've decided to create my own rules for bandwidth management... I'm not sure if I've created what I really need:

--------------------start
### macros
int_if = "re0"
ext_if = "pppoe0"

tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"

bnd_upstream="480Kb"
bnd_downstream="20480Kb"

host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.0.13"
host_usr14="192.168.0.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"



### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0



### scrub
scrub in all
scrub out on $ext_if max-mss 1440



### altq
altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }

queue up_def bandwidth 100% cbq(default) { up_host1 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 }
queue up_host1 bandwidth 10% cbq(borrow)
queue up_host8 bandwidth 10% cbq(borrow)
queue up_host9 bandwidth 10% cbq(borrow)
queue up_host10 bandwidth 10% cbq(borrow)
queue up_host11 bandwidth 10% cbq(borrow)
queue up_host12 bandwidth 10% cbq(borrow)
queue up_host13 bandwidth 10% cbq(borrow)
queue up_host14 bandwidth 10% cbq(borrow)
queue up_host15 bandwidth 10% cbq(borrow)
queue up_host16 bandwidth 10% cbq(borrow)

queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 }
queue dn_host1 bandwidth 10% cbq(borrow)
queue dn_host8 bandwidth 10% cbq(borrow)
queue dn_host9 bandwidth 10% cbq(borrow)
queue dn_host10 bandwidth 10% cbq(borrow)
queue dn_host11 bandwidth 10% cbq(borrow)
queue dn_host12 bandwidth 10% cbq(borrow)
queue dn_host13 bandwidth 10% cbq(borrow)
queue dn_host14 bandwidth 10% cbq(borrow)
queue dn_host15 bandwidth 10% cbq(borrow)
queue dn_host16 bandwidth 10% cbq(borrow)



### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)

#redirect for anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10



### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $int_if proto { tcp udp } from 192.168.0.1 to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $int_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $int_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any

pass out on $int_if proto { tcp udp } from any to 192.168.0.1 queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $int_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $int_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network


###Deny spoofing
antispoof for $ext_if
antispoof for $int_if

-----------------------------end
I would like to give 10% of the bandwidth to each host and let them borrow bandwidth from each other.
Is the conf correct?
Thanks so much,
mb.
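An added example, not part of the original post: pf evaluates non-quick filter rules so that the last matching rule wins, so the order of the per-host queue rules relative to the general `pass ... on $int_if` rules decides which queue a packet is assigned. The Python model below replays the posted `$int_if` rules in file order for a TCP/UDP packet and compares that with one possible reordering; the /24 netmask for `$int_if:network`, the function names and the 203.0.113.5 test address are assumptions made for the illustration.

```python
import ipaddress

# Simplified model of the post's non-quick pass rules on $int_if, in file order.
# ASSUMPTION: $int_if:network is 192.168.0.0/24 (the post does not give the netmask).
LAN = "192.168.0.0/24"
HOSTS = [1] + list(range(8, 17))  # 192.168.0.1 and $host_usr8 .. $host_usr16

def build_rules(general_first=False):
    """Return (direction, src, dst, queue) tuples mirroring the posted rules."""
    per_in = [("in", f"192.168.0.{h}/32", "any", f"up_host{h}") for h in HOSTS]
    gen_in = [("in", LAN, "any", None)]    # pass in on $int_if from $int_if:network to any
    per_out = [("out", "any", f"192.168.0.{h}/32", f"dn_host{h}") for h in HOSTS]
    gen_out = [("out", "any", LAN, None)]  # pass out on $int_if from any to $int_if:network
    if general_first:
        # Hypothetical reordering: general rules first, per-host rules last.
        return gen_in + per_in + gen_out + per_out
    return per_in + gen_in + per_out + gen_out  # order used in the post

def _match(spec, addr):
    """True if addr falls inside the rule's address spec ('any' or a CIDR)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def queue_for(rules, direction, src, dst):
    """pf semantics without 'quick': the LAST matching rule decides the queue.
    Returns the queue name, None if the winning rule names no queue,
    or 'no-match' if no pass rule in the model matched."""
    chosen = "no-match"
    for d, s, t, q in rules:
        if d == direction and _match(s, src) and _match(t, dst):
            chosen = q
    return chosen

if __name__ == "__main__":
    remote = "203.0.113.5"  # constructed documentation address
    for label, rules in (("as posted", build_rules()),
                         ("general rules first", build_rules(True))):
        up = queue_for(rules, "in", "192.168.0.8", remote)
        down = queue_for(rules, "out", remote, "192.168.0.9")
        print(f"{label}: upload from .8 -> {up}, download to .9 -> {down}")
```

On a live system, `pfctl -vvsq` shows per-queue packet counters, which is the direct way to confirm whether traffic reaches the per-host queues.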