PF altq - "special" download limit for selected hosts

I'm looking to extend my PF setup on my OBSD 5.5 firewall. Right now I can set the maximum upload and download speed for hosts without using IP addresses, which is super! The ability I need is to set a higher download limit for selected hosts.

Right now the host with the IP 192.168.1.84 is unaffected by the bandwidth increase and downloads steadily at 5Mb.

I can't seem to figure it out! Thanks in advance for any help or feedback!

The altq part
/etc/pf.conf
Code:
#QUEUEING
# Excerpt of the shaping part of /etc/pf.conf. PF evaluates rules in order
# and the LAST matching rule wins unless a rule is marked "quick", so any
# later rule in the full file that also matches "in on $admin_if" overrides
# the queue assignment made at the bottom of this excerpt.


#server_ip = " { 192.168.2.11, 192.168.2.14 } "
admin_ip = "192.168.1.84"
#elev_ip = "{ 192.168.5.4 }"

#UPLOAD
# altq shapes traffic leaving the interface it is declared on, so upload
# is shaped on the external interface.

altq on $ext_if cbq bandwidth 10Mb queue { std_out, sim_out } #total upload

oldqueue std_out bandwidth 1Mb cbq(default)
oldqueue sim_out bandwidth 100Kb cbq

#DOWNLOAD
#Separate students from administration
# Download toward the inside is what leaves the internal interfaces, so the
# download queues are declared on those.
altq on $admin_if cbq bandwidth 30Mb queue { adm_in, adm_in_high } #admin download
altq on { $elev_if, $grottan_if, $larare_if } cbq bandwidth 70Mb queue elv_in #others download

oldqueue adm_in bandwidth 5Mb cbq(default)
#Allow for higher bandwidth on selected hosts
oldqueue adm_in_high bandwidth 10Mb cbq

#Students bandwidth
oldqueue elv_in bandwidth 5Mb cbq(default)

# NOTE(review): "pass" without in/out matches both directions, so these two
# rules also admit inbound traffic on the external interface -- confirm
# this is intended.
pass on $ext_if all
pass on { em1, em2, em3, em4, em5 } all

#Higher bandwidth hosts?
# Presumably the state created by this in rule carries the queue, so the
# replies sent back to $admin_ip end up in adm_in_high -- verify.
pass in on $admin_if from $admin_ip queue adm_in_high
# NOTE(review): packets leaving via $admin_if are addressed TO $admin_ip,
# not from it, so this out rule presumably never matches; "to $admin_ip"
# looks like what was meant.
pass out on $admin_if from $admin_ip queue adm_in_high
#
Full config

Code:
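##TODO
#LABELS s169
#TRAFFIC SHAPING s139

# macros
# One interface per network segment; the *_net macros expand to the network
# directly connected to that interface.

ext_if="em0"
admin_if="em1"
admin_net=$admin_if:network

servers_if="em2"
server_net=$servers_if:network

grottan_if="em3"
grottan_net=$grottan_if:network

larare_if="em4"
larar_net=$larare_if:network

elev_if="em5"
elev_net=$elev_if:network


tcp_services="{ 22, 113 }"
udp_services = "{ domain, ntp }"
elev_ports = "{ ssh, http, https, imaps, imap, pop3 }"
icmp_types="echoreq"

# options

set block-policy return
set loginterface egress
set skip on lo

# match rules
# Source NAT for everything leaving egress from a non-egress network.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# filter rules
# PF evaluates rules in order and the LAST matching rule wins unless a rule
# is marked "quick". Rule order below matters for that reason.

block all
pass out quick

antispoof quick for { lo $admin_if }

#pass in on egress inet proto tcp from any to (egress) \
#    port $tcp_services

pass in log on egress inet proto tcp to (egress) port 22 rdr-to 192.168.1.1
pass in log on egress inet proto tcp to (egress) port 443 rdr-to 192.168.1.1


#QUEUEING


#server_ip = " { 192.168.2.11, 192.168.2.14 } "
admin_ip = "192.168.1.84"
#elev_ip = "{ 192.168.5.4 }"

#UPLOAD
# altq shapes traffic leaving the interface it is declared on, so upload
# is shaped on the external interface.

altq on $ext_if cbq bandwidth 50Mb queue { std_out, sim_out } #total upload

oldqueue std_out bandwidth 0.5Mb cbq(default)
oldqueue sim_out bandwidth 100Kb cbq

#DOWNLOAD
#Separate students from administration
# Download toward the inside is what leaves the internal interfaces, so the
# download queues are declared on those.
altq on $admin_if cbq bandwidth 30Mb queue { adm_in, adm_in_high } #admin download
altq on { $elev_if, $grottan_if, $larare_if } cbq bandwidth 70Mb queue elv_in #others download

oldqueue adm_in bandwidth 5Mb cbq(default)
#Allow for higher bandwidth on selected hosts
oldqueue adm_in_high bandwidth 10Mb cbq

#Students bandwidth
oldqueue elv_in bandwidth 5Mb cbq(default)

# NOTE(review): "pass" without in/out matches both directions. These two
# rules come after "block all" and after the rdr-to rules above, so they are
# a later match for inbound traffic on every interface, including the
# external one -- confirm this is intended.
pass on $ext_if all
pass on { em1, em2, em3, em4, em5 } all

# The queue assignment for $admin_ip lives under #admin_net below: it has to
# come AFTER the plain "pass in on $admin_if" rule, which also matches
# $admin_ip and would otherwise win and leave the host in the default queue.

#Isolate networks

#admin_net
pass in on $admin_if

#Higher bandwidth hosts
# Last match for traffic from $admin_ip on $admin_if, so this queue wins.
pass in on $admin_if from $admin_ip queue adm_in_high
# Packets leaving via $admin_if are addressed TO $admin_ip (the original
# "from $admin_ip" could never match in this direction).
pass out on $admin_if to $admin_ip queue adm_in_high

#server_net
pass in on $servers_if

block in log on $servers_if to { $larar_net, $admin_net, $grottan_net, $elev_net }
#pass in log on $servers_if proto tcp from $server_net to 192.168.1.1 port 22

#grottan_net
pass in on $grottan_if

block in log on $grottan_if to { $server_net, $admin_net, $larar_net, $elev_net }
#pass in log on $grottan_if proto tcp from $grottan_net to 192.168.1.1 port 22

#larar_net
pass in on $larare_if

block in log on $larare_if to { $server_net, $admin_net, $grottan_net, $elev_net }
#pass in log on $larare_if proto tcp from $larar_net to 192.168.1.1 port 22

#elev_net
pass in on $elev_if

block in log on $elev_if to { $server_net, $admin_net, $grottan_net, $larar_net }
# Later than the block above, so this one exception to the isolation wins.
pass in log on $elev_if proto tcp from $elev_net to 192.168.3.4 port 22
#pass proto tcp from $elev_net to port $elev_ports #filter outgoing ports


#DHCP

pass out on any proto {udp,tcp} from any port 68 to any port 67 keep state
pass in on any proto {udp,tcp} from any port 67 to any port 68 keep state

#DNS + NTP
# "quick": evaluation stops here for these ports, so no queue is assigned.

pass quick inet proto { tcp, udp } to any port $udp_services keep state

#ICMP

pass in inet proto icmp all icmp-type $icmp_types


#AD BLOCKER

table <ad-servers> persist
block return in quick on {em1, em2, em3, em4, em5} from any to <ad-servers>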

Last edited by denriktiga; 25th May 2015 at 04:03 PM.
Solved!

Solved it with help from The Book of PF!
Code:
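#QUEUEING
# Per-interface download shaping. The pattern for each interface is:
# a block for the fast hosts, a pass into the default queue for everybody,
# and LAST a pass for the fast hosts into the high queue. PF takes the last
# matching rule, so the final pass is what actually assigns adm_in_high /
# elv_in_high; the block is superseded for those hosts by the passes that
# follow it.


#server_ip = " { 192.168.2.11, 192.168.2.14 } "
admin_ip = "192.168.1.84"
elev_ip = "{ 192.168.5.4 }"

altq on $admin_if cbq bandwidth 30Mb queue { adm_in, adm_in_high  }
        oldqueue adm_in bandwidth 1Mb cbq(default, red)
        oldqueue adm_in_high bandwidth 2Mb cbq(red)

block in on $admin_if from $admin_ip
pass in on $admin_if queue adm_in
pass in on $admin_if from $admin_ip queue adm_in_high

#Students

altq on $elev_if cbq bandwidth 70Mb queue { elv_in, elv_in_high  }
        oldqueue elv_in bandwidth 2Mb cbq(default, red)
        oldqueue elv_in_high bandwidth 3Mb cbq(red)

block in on $elev_if from $elev_ip
# Was "queue main_in", which no altq line here declares; elv_in is the
# default queue of this interface and mirrors the admin block above.
pass in on $elev_if queue elv_in
pass in on $elev_if from $elev_ip queue elv_in_high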
Tags
altq, pf, shaping, traffic
