DaemonForums  


FreeBSD Security Securing FreeBSD.

#1
Old 15th October 2008
hamba hamba is offline
Fdisk Soldier
 
Join Date: Apr 2008
Posts: 71
Thanked 5 Times in 4 Posts
pf, hfsc and load balancing

Hi

I have a bit of a problem getting hfsc to work properly in pf with load balancing.
For some reason ssh_login and ssh_bulk doesn't work.

Here are the rules from my pf.conf
Code:
# Queues for upload bandwidth
altq on { $ext_if1, $ext_if2 } bandwidth 550Kb hfsc queue { ack, dns, ssh, bulk }
    queue ack        bandwidth 80% priority 7 qlimit 500 hfsc (realtime 50%)
    queue dns        bandwidth  7% priority 6 qlimit 500 hfsc (realtime  5%)
    queue ssh        bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%) {ssh_login, ssh_bulk}
      queue ssh_login bandwidth 90% priority 5 qlimit 500 hfsc
      queue ssh_bulk  bandwidth 10% priority 4 qlimit 500 hfsc
    queue bulk       bandwidth  1% priority 4 qlimit 500 hfsc (realtime 5% default)

# SSH OUT
pass in quick on $int_if  route-to { ( $ext_if2 $ext_gw2 ) } proto tcp from $lan_net to any port $ssh_ports queue (ssh_bulk, ssh_login)

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any queue (bulk, ack)
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin proto tcp from $lan_net to any port $ssh_ports queue (ssh_bulk, ssh_login)

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any flags S/SA modulate state queue (bulk, ack)
pass out on $ext_if1 proto tcp from any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)
pass out on $ext_if2 proto tcp from any flags S/SA modulate state queue (bulk, ack)
pass out on $ext_if2 proto tcp from any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)
And this is what I see when running pfctl
Code:
# pfctl -vs queue
queue root_ng0 on ng0 bandwidth 550Kb priority 0 {ack, dns, ssh, bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  ack on ng0 bandwidth 440Kb priority 7 qlimit 500 hfsc( realtime 275Kb )
  [ pkts:     685566  bytes:   29700254  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  dns on ng0 bandwidth 38.50Kb priority 6 qlimit 500 hfsc( realtime 27.50Kb )
  [ pkts:       7907  bytes:     586194  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  ssh on ng0 bandwidth 55Kb priority 5 qlimit 500 hfsc( realtime 55Kb ) {ssh_login, ssh_bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_login on ng0 bandwidth 49.50Kb priority 5 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_bulk on ng0 bandwidth 5.50Kb priority 4 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  bulk on ng0 bandwidth 5.50Kb priority 4 qlimit 500 hfsc( default realtime 27.50Kb )
  [ pkts:     273706  bytes:   77178876  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue root_ng1 on ng1 bandwidth 550Kb priority 0 {ack, dns, ssh, bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  ack on ng1 bandwidth 440Kb priority 7 qlimit 500 hfsc( realtime 275Kb )
  [ pkts:     649871  bytes:   28008679  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  dns on ng1 bandwidth 38.50Kb priority 6 qlimit 500 hfsc( realtime 27.50Kb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  ssh on ng1 bandwidth 55Kb priority 5 qlimit 500 hfsc( realtime 55Kb ) {ssh_login, ssh_bulk}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_login on ng1 bandwidth 49.50Kb priority 5 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue   ssh_bulk on ng1 bandwidth 5.50Kb priority 4 qlimit 500
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
queue  bulk on ng1 bandwidth 5.50Kb priority 4 qlimit 500 hfsc( default realtime 27.50Kb )
  [ pkts:     848882  bytes:  379008486  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/500 ]
Or from pftop
Code:
QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
root_ng0                        550K hfsc    0        0        0        0        0    0                     0       0
root_ng1                        550K hfsc    0        0        0        0        0    0                     0       0
 ack                            440K hfsc    7   416042 18048590        0        0    0                    76    3303
 ack                            440K hfsc    7   402913 17342565        0        0    0                    67    2863
 dns                           38500 hfsc    6     5461   404573        0        0    0                     1     103
 dns                           38500 hfsc    6        0        0        0        0    0                     0       0
 ssh                           55000 hfsc    5        0        0        0        0    0                     0       0
 ssh                           55000 hfsc    5        0        0        0        0    0                     0       0
  ssh_login                    49500 hfsc    5        0        0        0        0    0                     0       0
  ssh_login                    49500 hfsc    5        0        0        0        0    0                     0       0
  ssh_bulk                      5500 hfsc    4        0        0        0        0    0                     0       0
  ssh_bulk                      5500 hfsc    4        0        0        0        0    0                     0       0
 bulk                           5500 hfsc    4   123264 46077552        0        0    0                    37   16096
 bulk                           5500 hfsc    4   595013  262099K        0        0   37                   219   65886
As you can see, ack and bulk are working fine, as well as dns, but ssh sees no traffic at all.
Does anyone have an idea as to why this is happening, and maybe can offer a possible solution?

Thanks
hamba
#2
Old 15th October 2008
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts

A quick look makes this jump out:

tcp from any port $ssh_ports

This designates tcp traffic with source port 22, which is probably not what you want.
#3
Old 15th October 2008
hamba hamba is offline
Fdisk Soldier
 
Join Date: Apr 2008
Posts: 71
Thanked 5 Times in 4 Posts

Correct me if I'm wrong, but as far as I understand, in FreeBSD 7 "from any port $ssh_ports" = "from any to any port $ssh_ports".

I'll add "to any" and see what happens.
#4
Old 15th October 2008
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts

I'll have to correct you then. That's "all", not "any".

When you use 'from any' and/or 'to any', direction is implied, and a port becomes associated with that direction, i.e. a source port or a destination port.
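To make the direction rule above concrete, here is a small Python model of how pf binds a `port` clause to the side (`from` or `to`) named just before it, and of pf's last-match-wins rule evaluation. This is an added example, not pf's own code and not from the original post; it understands only the subset of the pass-rule grammar used in this thread, and `$ssh_ports` is assumed to expand to port 22. The two rule sets are constructed from the thread's `pass out` rules, one with the original `from any port $ssh_ports` and one with `from any to any port $ssh_ports`, and a constructed outbound SSH flow (ephemeral source port, destination port 22) is classified against each.

```python
"""Simplified model of pf's 'port' binding and last-match evaluation.

Added example, not pf's own code. Only this subset of the pass-rule grammar
is handled: optional 'quick', 'from <addr> [port <spec>]',
'to <addr> [port <spec>]' and 'queue (<names>)'. Interface, flags, state
options and route-to are ignored for matching purposes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed macro values; $ssh_ports = 22 stands in for the thread's macro.
MACROS = {"ssh_ports": "22", "lan_net": "192.168.1.0/24"}


@dataclass
class Rule:
    text: str
    quick: bool = False
    src_ports: Optional[set] = None   # None means "any source port"
    dst_ports: Optional[set] = None   # None means "any destination port"
    queue: tuple = ()


def _expand(text: str) -> str:
    """Replace $macro with its value; unknown macros are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: MACROS.get(m.group(1), m.group(0)), text)


def _port_set(spec: str) -> set:
    """Turn '22' or '{ 22, 2222 }' into a set of port numbers."""
    return {int(p) for p in re.findall(r"\d+", spec)}


def parse_rule(text: str) -> Rule:
    """Parse the from/to/port/queue parts of one pf pass rule."""
    rule = Rule(text=text, quick=" quick " in f" {text} ")
    tokens = _expand(text).replace("{", " { ").replace("}", " } ").split()
    side = None  # 'src' after 'from', 'dst' after 'to'
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "from":
            side = "src"
        elif tok == "to":
            side = "dst"
        elif tok == "port":
            # The port clause belongs to whichever side was named last:
            # 'from any port 22' is a SOURCE port, 'to any port 22' a DESTINATION port.
            if tokens[i + 1] == "{":
                j = tokens.index("}", i)
                spec, i = " ".join(tokens[i + 1:j + 1]), j
            else:
                spec, i = tokens[i + 1], i + 1
            if side == "src":
                rule.src_ports = _port_set(spec)
            elif side == "dst":
                rule.dst_ports = _port_set(spec)
            else:
                raise ValueError("port clause before any from/to: " + text)
        i += 1
    m = re.search(r"queue\s*\(([^)]*)\)", text)
    if m:
        rule.queue = tuple(q.strip() for q in m.group(1).split(","))
    return rule


def matches(rule: Rule, src_port: int, dst_port: int) -> bool:
    return ((rule.src_ports is None or src_port in rule.src_ports)
            and (rule.dst_ports is None or dst_port in rule.dst_ports))


def classify(rules, src_port: int, dst_port: int) -> tuple:
    """pf semantics: every rule is evaluated and the LAST match wins,
    unless a matching rule carries 'quick', which ends evaluation."""
    winner = None
    for rule in rules:
        if matches(rule, src_port, dst_port):
            winner = rule
            if rule.quick:
                break
    return winner.queue if winner else ()


# Constructed rule sets mirroring the thread's 'pass out' rules on $ext_if1.
ORIGINAL = [
    "pass out on $ext_if1 proto tcp from any flags S/SA modulate state queue (bulk, ack)",
    "pass out on $ext_if1 proto tcp from any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)",
]
FIXED = [
    ORIGINAL[0],
    "pass out on $ext_if1 proto tcp from any to any port $ssh_ports flags S/SA modulate state queue (ssh_bulk, ssh_login)",
]


def outbound_ssh_queue(ruleset) -> tuple:
    """Queue chosen for a LAN client's outbound SSH connection
    (constructed flow: ephemeral source port 51234, destination port 22)."""
    return classify([parse_rule(r) for r in ruleset], src_port=51234, dst_port=22)


if __name__ == "__main__":
    print("original rules:", outbound_ssh_queue(ORIGINAL))  # ('bulk', 'ack')
    print("fixed rules:   ", outbound_ssh_queue(FIXED))     # ('ssh_bulk', 'ssh_login')
```

With the original rule set the SSH flow only matches the generic rule, so it lands in `(bulk, ack)`, which is exactly why the ssh queues show zero packets in the pfctl and pftop output above; with `to any port $ssh_ports` the SSH rule matches too and, being last, wins. On the firewall itself, `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints each rule in normalized form, which makes a source-port clause like this visible before the rules go live.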
#5
Old 15th October 2008
hamba hamba is offline
Fdisk Soldier
 
Join Date: Apr 2008
Posts: 71
Thanked 5 Times in 4 Posts

Ah, thanks for that, just learned something new :-)

I've made the change from "any" to "to any", let's see what happens.
#6
Old 15th October 2008
hamba hamba is offline
Fdisk Soldier
 
Join Date: Apr 2008
Posts: 71
Thanked 5 Times in 4 Posts

You were right. I made the changes and now it's working.

Thanks for the help