PF Traffic Shaping question.
Alright, this is probably an easy question. The wording in the PF handbook kind of confuses me a little bit.

"When using the queue keyword with rules that keep state such as:

Code:
pass in on fxp0 proto tcp from any to any port 22 flags S/SA \
    keep state queue ssh

PF will record the queue in the state table entry so that packets traveling back out fxp0 that match the stateful connection will end up in the ssh queue. Note that even though the queue keyword is being used on a rule filtering incoming traffic, the goal is to specify a queue for the corresponding outgoing traffic; the above rule does not queue incoming packets."

Does this mean that when the traffic enters fxp0 and talks to the server, and the server sends information back, that information would get put into a download queue on fxp0? Or does it mean that fxp0 will queue the traffic on the next outgoing interface, in an upload fashion?

I've pulled in a real example -- my son's Torrent use on our home network. We have a 100Mbit LAN, and our Internet service is 12Mb/2Mb. Here is the queue definition. I give him no more than 50% of the Internet connection if bandwidth needs to be constrained. Note that I limit him to 6Mb on the outbound traffic to the internal network:
Code:
####################################
### traffic shaping

# uplink side: 2Mb total, torrent gets half, can borrow when std-out is idle
altq on $external_nic cbq bandwidth 2Mb queue { std-out, torrent-out }
queue std-out     on $external_nic bandwidth 1Mb  cbq(borrow, default)
queue torrent-out on $external_nic bandwidth 1Mb  cbq(borrow, ecn)

# LAN side: what leaves towards the workstation, i.e. his download traffic
altq on $internal_nic cbq bandwidth 100Mb queue { std-in, torrent-in }
queue std-in      on $internal_nic bandwidth 94Mb cbq(borrow, default)
queue torrent-in  on $internal_nic bandwidth 6Mb  cbq(borrow, ecn)

Code:
# The original post wrote the port macros as $tor-low / $tor-high; pf macro
# names may contain only letters, digits and underscores, so they are
# written here as $tor_low / $tor_high. These two, $external_nic and
# $internal_nic must be defined earlier in pf.conf.
match in  proto { tcp udp } from any to any port $tor_low  queue torrent-in
match out proto { tcp udp } from any port $tor_low  to any queue torrent-out
match in  proto { tcp udp } from any to any port $tor_high queue torrent-in
match out proto { tcp udp } from any port $tor_high to any queue torrent-out

# forward the torrent ports to his workstation
pass in log quick on $external_nic proto { tcp udp } from any to any port $tor_low \
    rdr-to 192.168.1.42 port $tor_low
pass in log quick on $external_nic proto { tcp udp } from any to any port $tor_high \
    rdr-to 192.168.1.42 port $tor_high

So the rule really means

Code:
pass out on fxp0 proto tcp from any to any port 22 flags S/SA \
    keep state queue ssh

for the return state traffic?

Return? All it does is -flag the state-, so that packets, in -any- direction, are assigned to the "ssh" queue. It is up to your altq rules to determine what to do with that queue.
See my example in post #3, above, where I limit my kid to 6Mb worth of -inbound- $external_nic use by limiting what goes -outbound- to his workstation on the $internal_nic. As Michael Lucas so eloquently described in his book, Absolute OpenBSD, think of PF as sitting on the CPU. Packets come in to the computer through a NIC and are given to PF to manage. PF can only shape traffic that goes outbound, through a NIC. Whether it is the same NIC or a different NIC, and where those packets are going, makes no difference.

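To make the point of the reply above concrete, here is an added pf.conf example (not from the PF handbook and not from any poster in this thread). It takes the handbook's ssh rule and defines a queue named ssh on both interfaces, so the queue name recorded in the state is honoured whichever interface a packet leaves through: replies to the SSH client go out fxp0 into the ssh class there, while packets forwarded to an SSH server on the LAN go out fxp1 into the ssh class there. The interface names (fxp0 upstream, fxp1 LAN), the bandwidth figures and the two pass out rules are assumptions chosen for illustration.

```pf
# Added example, not from the handbook or from the thread. Interface names,
# bandwidths and the catch-all pass out rules are assumptions.
ext_if = "fxp0"     # assumed: upstream interface on a 2Mb uplink
int_if = "fxp1"     # assumed: LAN interface, 100Mb

# Outbound on the external interface. This is the only place the handbook's
# rule, on its own, would ever queue anything: a packet is queued on the
# interface it leaves through, never on the one it arrived on.
altq on $ext_if cbq bandwidth 2Mb queue { std_ext, ssh }
queue std_ext on $ext_if bandwidth 1800Kb cbq(default, borrow)
queue ssh     on $ext_if bandwidth 200Kb  cbq(borrow)

# Outbound on the internal interface. A queue with the same name here
# catches the same state's packets when they are forwarded to the LAN.
# Without this block, packets heading to the LAN fall through unshaped.
altq on $int_if cbq bandwidth 100Mb queue { std_int, ssh }
queue std_int on $int_if bandwidth 95Mb cbq(default, borrow)
queue ssh     on $int_if bandwidth 5Mb  cbq(borrow)

# The handbook's rule, unchanged: it filters the inbound SYN on fxp0,
# records "ssh" in the state entry, and queues nothing on the way in.
# Every later packet of the connection, in either direction, matches the
# state and is dropped into the ssh class of whatever interface it exits.
pass in on $ext_if proto tcp from any to any port 22 \
    flags S/SA keep state queue ssh

# Everything else leaving either interface lands in that interface's
# default class (assumed policy; adjust to taste).
pass out on $ext_if keep state
pass out on $int_if keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vsq` while an SSH session runs through the box: the packet and byte counters of the ssh class on fxp1 climb with the forwarded traffic and those of the ssh class on fxp0 with the replies, which is the visible form of "the queue is recorded in the state, the altq definitions decide what happens".
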
OK, now that makes sense. I don't know why I couldn't grasp that from that little snippet.
Thanks for helping me understand that!