DaemonForums > OpenBSD > OpenBSD Security

#1
16th May 2008
maurobottone
Real Name: Mauro Bottone
bandwidth management problem...

After reading the OpenBSD ALTQ howto I've decided to create my own rules for bandwidth management... I'm not sure if I've created what I really need:

--------------------start
### macros
int_if = "re0"
ext_if = "pppoe0"

tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"

bnd_upstream="480Kb"
bnd_downstream="20480Kb"

host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.0.13"
host_usr14="192.168.0.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"



### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0



### scrub
scrub in all
scrub out on $ext_if max-mss 1440



### altq
altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }

queue up_def bandwidth 100% cbq(default) { up_host1 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 }
queue up_host1 bandwidth 10% cbq(borrow)
queue up_host8 bandwidth 10% cbq(borrow)
queue up_host9 bandwidth 10% cbq(borrow)
queue up_host10 bandwidth 10% cbq(borrow)
queue up_host11 bandwidth 10% cbq(borrow)
queue up_host12 bandwidth 10% cbq(borrow)
queue up_host13 bandwidth 10% cbq(borrow)
queue up_host14 bandwidth 10% cbq(borrow)
queue up_host15 bandwidth 10% cbq(borrow)
queue up_host16 bandwidth 10% cbq(borrow)

queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 }
queue dn_host1 bandwidth 10% cbq(borrow)
queue dn_host8 bandwidth 10% cbq(borrow)
queue dn_host9 bandwidth 10% cbq(borrow)
queue dn_host10 bandwidth 10% cbq(borrow)
queue dn_host11 bandwidth 10% cbq(borrow)
queue dn_host12 bandwidth 10% cbq(borrow)
queue dn_host13 bandwidth 10% cbq(borrow)
queue dn_host14 bandwidth 10% cbq(borrow)
queue dn_host15 bandwidth 10% cbq(borrow)
queue dn_host16 bandwidth 10% cbq(borrow)



### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)

# redirect for anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port { 1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10



### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $int_if proto { tcp udp } from 192.168.0.1 to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $int_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $int_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any

pass out on $int_if proto { tcp udp } from any to 192.168.0.1 queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $int_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $int_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network


###Deny spoofing
antispoof for $ext_if
antispoof for $int_if

-----------------------------end
I would give 10% of the bandwidth to each host and let everyone borrow bandwidth from each other.
Is the conf correct?
Thanks so much,
mb.
#2
17th May 2008
s2scott

I'd make allowance for guaranteed highest priority bandwidth to the IP acks and other signaling traffic for the whole wire (subnet), regardless of host origins.

Code:
 pass in quick on $int_if inet proto { tcp udp } \
 from ($int_if:network) to any \
 queue (up_host1, up_highest)
You'll have to fit up_highest into your queue schema.

/S
#3
17th May 2008
maurobottone

Thanks for the fast answer s2scott.
Then, in my conf, are these lines correct:
---
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

---
???
I'm asking again, more precisely, about these two rules because I have a doubt about whether they need to be queued or not. As you can see, they are not queued... is this correct?

Another question:
I'm thinking about the code you've shown me and I've understood why I may add it to my firewall, but I don't understand why I have to queue the rule also to "up_host1" and not only to "up_highest", and I don't understand why a "dn_highest" isn't also needed...
Sorry if my questions seem "stupid" to you; I've never used pf ALTQ.

The last question:
"192.168.0.1" is my gateway/router/firewall/server (where OpenBSD runs), where I'm configuring pf... how much bandwidth does it need if it "only" has to work as an apache/vsftpd/cucipop/bind/internal VoIP system server? Is 10% correct, or can I reduce the bandwidth dedicated to it?

Thanks and thanks
mb.

Last edited by maurobottone; 17th May 2008 at 09:42 AM.
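As an added sanity check for the queue schema discussed in posts #1 and #2 (my own code, not from the thread or from pf itself), the Python below parses ALTQ queue definitions and the trailing queue assignment of pass rules and flags three mistakes this thread is circling: children that claim more bandwidth than their parent (what happens if up_highest is squeezed in without shrinking the other hosts' shares), a schema with no default queue, and queues that a rule references but the schema never defines (such as a dn_highest). The sample config is a constructed fragment modelled on the poster's file, not the file itself.

```python
import re
# Constructed excerpt modelled on the thread's pf.conf (not the poster's file):
# s2scott's two-queue rule is in, up_highest was added without shrinking the
# other children of up_def, and a dn_highest is referenced but never defined.
SAMPLE_CONF = """\
altq on $ext_if cbq bandwidth 480Kb queue { up_def }
altq on $int_if cbq bandwidth 20480Kb queue { dn_def }
queue up_def bandwidth 100% cbq(default) { up_host1 up_host8 up_highest }
queue up_host1 bandwidth 50% cbq(borrow)
queue up_host8 bandwidth 50% cbq(borrow)
queue up_highest bandwidth 10% priority 7 cbq(borrow)
queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host8 }
queue dn_host1 bandwidth 50% cbq(borrow)
queue dn_host8 bandwidth 50% cbq(borrow)
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in quick on $int_if inet proto { tcp udp } from ($int_if:network) to any queue (up_host1, up_highest)
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue (dn_host8, dn_highest)
"""

# queue <name> bandwidth <n>% [options] [{ children }]
QUEUE_RE = re.compile(r"^queue (\w+) bandwidth (\d+)%(.*?)(?:\{([^}]*)\})?\s*$")
# trailing "queue a" or "queue (a, b)" on a pass rule
PASS_RE = re.compile(r"queue\s*\(?\s*(\w+)(?:\s*,\s*(\w+))?\s*\)?\s*$")
def parse(conf):
    """Return ({queue: (percent, is_default, children)}, [(rule, [queues])])."""
    queues, refs = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := QUEUE_RE.match(line):
            name, pct, opts, kids = m.groups()
            queues[name] = (int(pct), "default" in opts, (kids or "").split())
        elif line.startswith("pass") and (m := PASS_RE.search(line)):
            refs.append((line, [q for q in m.groups() if q]))
    return queues, refs

def check_altq(conf):
    """List schema problems pf would reject at load time; [] means consistent."""
    queues, refs = parse(conf)
    findings = []
    for name, (pct, _, kids) in queues.items():
        total = sum(queues[k][0] for k in kids if k in queues)
        if total > pct:  # pfctl: sum of child bandwidth higher than parent
            findings.append(f"{name}: children claim {total}% of a {pct}% queue")
        findings += [f"{name}: child {k} is never defined" for k in kids if k not in queues]
    if not any(d for _, d, _ in queues.values()):  # pfctl: no default queue specified
        findings.append("no default queue specified")
    for _, qs in refs:
        findings += [f"{q}: used in a pass rule but never defined" for q in qs if q not in queues]
    return findings
```

Run `check_altq(open("/etc/pf.conf").read())` on a real file to get the same findings for your own schema.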