DaemonForums  

pf, hfsc and load balancing

Posted by hamba, 15th October 2008

Hi

I have a bit of a problem getting hfsc to work properly in pf with load balancing.
For some reason ssh_login and ssh_bulk don't work.

Here are the rules from my pf.conf
Code:
# Queues for upload bandwidth
altq on { $ext_if1, $ext_if2 } bandwidth 550Kb hfsc queue { ack, dns, ssh, bulk }
    queue ack        bandwidth 80% priority 7 qlimit 500 hfsc (realtime 50%)
    queue dns        bandwidth  7% priority 6 qlimit 500 hfsc (realtime  5%)
    queue ssh        bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%) {ssh_login, ssh_bulk}
      queue ssh_login bandwidth 90% priority 5 qlimit 500 hfsc
      queue ssh_bulk  bandwidth 10% priority 4 qlimit 500 hfsc
    queue bulk       bandwidth  1% priority 4 qlimit 500 hfsc (realtime 5% default)

# SSH OUT
pass in quick on $int_if  route-to { ( $ext_if2 $ext_gw2 ) } proto tcp from $lan_net to any port $ssh_ports queue (ssh_bulk, ssh_login)

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any queue (bulk, ack)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any port $ssh_ports queue (ssh_bulk, ssh_login)

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any flags S/SA modulate state queue (bulk, ack)
pass out on $ext_if1 proto tcp from any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)
pass out on $ext_if2 proto tcp from any flags S/SA modulate state queue (bulk, ack)
pass out on $ext_if2 proto tcp from any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)

And this is what I see when running pfctl:
Code:
# pfctl -vs queue
queue root_ng0 on ng0 bandwidth 550Kb priority 0 {ack, dns, ssh, bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  ack on ng0 bandwidth 440Kb priority 7 qlimit 500 hfsc( realtime 275Kb )
  [ pkts:     685566  bytes:   29700254  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  dns on ng0 bandwidth 38.50Kb priority 6 qlimit 500 hfsc( realtime 27.50Kb )
  [ pkts:       7907  bytes:     586194  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  ssh on ng0 bandwidth 55Kb priority 5 qlimit 500 hfsc( realtime 55Kb ) {ssh_login, ssh_bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_login on ng0 bandwidth 49.50Kb priority 5 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_bulk on ng0 bandwidth 5.50Kb priority 4 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  bulk on ng0 bandwidth 5.50Kb priority 4 qlimit 500 hfsc( default realtime 27.50Kb )
  [ pkts:     273706  bytes:   77178876  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue root_ng1 on ng1 bandwidth 550Kb priority 0 {ack, dns, ssh, bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  ack on ng1 bandwidth 440Kb priority 7 qlimit 500 hfsc( realtime 275Kb )
  [ pkts:     649871  bytes:   28008679  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  dns on ng1 bandwidth 38.50Kb priority 6 qlimit 500 hfsc( realtime 27.50Kb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  ssh on ng1 bandwidth 55Kb priority 5 qlimit 500 hfsc( realtime 55Kb ) {ssh_login, ssh_bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_login on ng1 bandwidth 49.50Kb priority 5 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_bulk on ng1 bandwidth 5.50Kb priority 4 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  bulk on ng1 bandwidth 5.50Kb priority 4 qlimit 500 hfsc( default realtime 27.50Kb )
  [ pkts:     848882  bytes:  379008486  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]

Or from pftop:
Code:
QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
root_ng0                        550K hfsc    0        0        0        0        0    0                     0       0
root_ng1                        550K hfsc    0        0        0        0        0    0                     0       0
 ack                            440K hfsc    7   416042 18048590        0        0    0                    76    3303
 ack                            440K hfsc    7   402913 17342565        0        0    0                    67    2863
 dns                           38500 hfsc    6     5461   404573        0        0    0                     1     103
 dns                           38500 hfsc    6        0        0        0        0    0                     0       0
 ssh                           55000 hfsc    5        0        0        0        0    0                     0       0
 ssh                           55000 hfsc    5        0        0        0        0    0                     0       0
  ssh_login                    49500 hfsc    5        0        0        0        0    0                     0       0
  ssh_login                    49500 hfsc    5        0        0        0        0    0                     0       0
  ssh_bulk                      5500 hfsc    4        0        0        0        0    0                     0       0
  ssh_bulk                      5500 hfsc    4        0        0        0        0    0                     0       0
 bulk                           5500 hfsc    4   123264 46077552        0        0    0                    37   16096
 bulk                           5500 hfsc    4   595013  262099K        0        0   37                   219   65886

As you can see, ack and bulk are working fine, as well as dns, but ssh sees no traffic at all.
Does anyone have an idea as to why this is happening, and maybe can offer a possible solution?

Thanks
hamba
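
An added example, not part of hamba's post: pf.conf rules take the form `from <source> [port <source-port>] to <dest> [port <dest-port>]`, so a `port` that directly follows the `from` address constrains the source port. The sketch below classifies each queue-assigning `pass` rule by the side its port test applies to; the function names are this example's own, and the four sample rules are copied from the post with macros left unexpanded.

```shell
#!/bin/sh
# Added example: report which side (src/dst) of a pf rule its "port" test is on.
# Function names are hypothetical; the sample rules are copied from the post.

# Four queue-assigning rules from the posted pf.conf (macros not expanded).
sample_rules() {
    cat <<'EOF'
pass in quick on $int_if  route-to { ( $ext_if2 $ext_gw2 ) } proto tcp from $lan_net to any port $ssh_ports queue (ssh_bulk, ssh_login)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any queue (bulk, ack)
pass out on $ext_if1 proto tcp from any flags S/SA modulate state queue (bulk, ack)
pass out on $ext_if1 proto tcp from any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)
EOF
}

# Reads pf.conf rules on stdin. For every "pass" rule that assigns a queue,
# prints: <line number> <direction> <interface> <src|dst|both|none>
classify_port_match() {
    awk '
    $1 == "pass" && / queue / {
        side = "none"; seen_from = 0; seen_to = 0
        dir = $2; iface = "-"
        for (i = 2; i <= NF; i++) {
            if ($i == "on")        iface = $(i + 1)
            else if ($i == "from") seen_from = 1
            else if ($i == "to")   seen_to = 1
            else if ($i == "port") {
                # "port" after "to" tests the destination port;
                # "port" after "from" (before any "to") tests the source port.
                if (seen_to)        side = (side == "src") ? "both" : "dst"
                else if (seen_from) side = "src"
            }
        }
        print NR, dir, iface, side
    }'
}

# Line numbers of "pass out" rules whose queue depends on the source port.
out_rules_matching_source_port() {
    classify_port_match |
        awk '$2 == "out" && ($4 == "src" || $4 == "both") { print $1 }'
}

sample_rules | classify_port_match
```

A connection from a LAN client to a remote SSH server carries the port from `$ssh_ports` as its destination port and an ephemeral source port, which is worth comparing against the `src`/`dst` column printed for each rule.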