DaemonForums  

  #1
21st August 2009
ultranothing

PF-queue

Hi to all.
I'm very happy to join these forums and want to upgrade my knowledge with your help. Please help me.

I have some questions about PF & queue:

In queueing, do we queue incoming or outgoing traffic?
I want and need to control bandwidth for internal LAN users, who are about 200 clients (192.168.0.0/24), which must have only 10Kb/s (for each node)
for download and 10Kb/s for upload. Is it possible with PF or not?

please help me
thanks a lot
bye
  #2
21st August 2009
jggimi

1. The PF User's Guide has a chapter on Packet Queueing and Prioritization, also called "Traffic Shaping".

2. Class based queueing can be used to easily configure bandwidth limitations.

3. Controlling bandwidth can only be done for outbound packets. (Inbound packets cannot be limited, as they have already arrived at the router.) For "downloading", control bandwidth from the router to your LAN. For "uploading", control bandwidth from the router to your ISP.
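
The direction rule from the reply above, as an added pf.conf sketch that is not part of the original thread. It uses the ALTQ syntax of this thread's era; the interface names and link speeds are assumptions, translation rules are omitted, and each cap is shared by the whole LAN rather than applied per host.

```conf
# Constructed example. Assumed names: fxp0 faces the ISP, fxp1 faces the LAN.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.0.0/24"

# Upload: packets leave the router toward the ISP on $ext_if.
# Link speed (1Mb) is an assumption.
altq on $ext_if cbq bandwidth 1Mb queue { up_other, up_lan }
queue up_other bandwidth 20% cbq(default)
queue up_lan   bandwidth 80%    # no "borrow", so this is a hard cap at 800Kb

# Download: packets leave the router toward the LAN on $int_if.
# Link speed (4Mb) is an assumption.
altq on $int_if cbq bandwidth 4Mb queue { down_other, down_lan }
queue down_other bandwidth 20% cbq(default)
queue down_lan   bandwidth 80%  # hard cap at 3.2Mb

block all

# The state created on $int_if also matches the replies, which leave the
# router on $int_if; that is where a queue named down_lan exists.
pass in on $int_if from $lan_net to any keep state queue down_lan

# The state created on $ext_if matches the LAN's traffic as it leaves
# toward the ISP; that is where a queue named up_lan exists.
pass out on $ext_if from any to any keep state queue up_lan
```

A queue name only takes effect on an interface whose `altq` definition contains it, which is why the download queue is named on the LAN-side rule and the upload queue on the ISP-side rule.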
  #3
30th August 2009
Oko

I didn't want to open a new topic. I am trying to get better performance out of my laptop with altq. I was wondering if you guys could check out my pf.conf and comment on it.

Best,
OKO


Code:
ext_if="rl0"

tcp_services = "{imap, imaps, pop3s, smtp, 587,\
                               ntp, www, https}"
udp_services= "{ntp, rtsp}"
set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble

altq on $ext_if priq bandwidth 256Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }
queue std_out     priq(default)
queue ssh_im_out  priority 4 priq(red)
queue dns_out     priority 5
queue tcp_ack_out priority 6

block log all
antispoof quick for { lo $ext_if }
block drop in quick from no-route to any
block drop in quick from urpf-failed to any
block drop in quick on $ext_if from any to 255.255.255.255
block drop in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any
pass out on $ext_if proto udp to any port $udp_services
pass out on $ext_if proto tcp to any port $tcp_services flags S/SA \
                                     keep state queue(std_out, tcp_ack_out)
pass  out on $ext_if inet proto { tcp udp } from any to any port domain \
        keep state queue dns_out
pass  out on $ext_if inet proto tcp from any to any port {ssh, sftp} \
        flags S/SA keep state queue(std_out, ssh_im_out)

Last edited by Oko; 2nd September 2009 at 03:58 PM.
  #4
1st September 2009
s2scott

  1. What you have is not in any way wrong, but I would make all your queue(<whatever-priority>,tcp_ack_out); and
  2. I did not see any pass in ...
Consider...
Code:
#
pass in log quick on $ext_if inet \
 from any to ($ext_if) keep state queue(<default-queue>,tcp_ack_out)
#
Reason being, when INBOUND traffic arrives and creates STATE, then, with the QUEUE in play, STATEFUL outbound/reply traffic is QUEUED/PRIORITIZED; otherwise it is not.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.