DaemonForums > FreeBSD > FreeBSD Security

#1
23rd July 2008
Weaseal
Package Pilot
Join Date: May 2008
Location: East Coast, US
Posts: 177

PF/ALTQ rules not working as intended

I am attempting to limit all clients on the network to 128Kbps down and 64Kbps up. This is *sort of* working, except that for some reason, ALL clients are falling under the "c1" queue (which is the default), instead of using the ones written specifically for them.

Here is my pf.conf:
Code:
$ cat /etc/pf.conf
int_if="rl0"
ext_if="nfe0"
int_net="192.168.2.0/24"

principal="192.168.2.2"
c1="192.168.2.3"
c2="192.168.2.4"
c3="192.168.2.5"
c4="192.168.2.6"
c5="192.168.2.7"
c6="192.168.2.8"
c7="192.168.2.9"
c8="192.168.2.10"
c9="192.168.2.11"


altq on $int_if cbq bandwidth 3Mb queue { principal_d,c1_d,c2_d,c3_d,c4_d,c5_d,c6_d,c7_d,c8_d,c9_d }
altq on $ext_if cbq bandwidth 1Mb queue { principal_u,c1_u,c2_u,c3_u,c4_u,c5_u,c6_u,c7_u,c8_u,c9_u }


queue principal_d bandwidth 192Kb cbq ( rio )
queue principal_u bandwidth 64Kb cbq ( rio )

queue c1_d bandwidth 128Kb cbq ( default rio )
queue c1_u bandwidth 64Kb cbq ( default rio )

queue c2_d bandwidth 128Kb cbq ( rio )
queue c2_u bandwidth 64Kb cbq ( rio )

queue c3_d bandwidth 128Kb cbq ( rio )
queue c3_u bandwidth 64Kb cbq ( rio )

queue c4_d bandwidth 128Kb cbq ( rio )
queue c4_u bandwidth 64Kb cbq ( rio )

queue c5_d bandwidth 128Kb cbq ( rio )
queue c5_u bandwidth 64Kb cbq ( rio )

queue c6_d bandwidth 128Kb cbq ( rio )
queue c6_u bandwidth 64Kb cbq ( rio )

queue c7_d bandwidth 128Kb cbq ( rio )
queue c7_u bandwidth 64Kb cbq ( rio )

queue c8_d bandwidth 1200Kb cbq ( rio )
queue c8_u bandwidth 64Kb cbq ( rio )

queue c9_d bandwidth 128Kb cbq ( rio )
queue c9_u bandwidth 64Kb cbq ( rio )


pass out on $int_if from any to $principal keep state queue principal_d
pass out on $int_if from any to $c1 keep state queue c1_d
pass out on $int_if from any to $c2 keep state queue c2_d
pass out on $int_if from any to $c3 keep state queue c3_d
pass out on $int_if from any to $c4 keep state queue c4_d
pass out on $int_if from any to $c5 keep state queue c5_d
pass out on $int_if from any to $c6 keep state queue c6_d
pass out on $int_if from any to $c7 keep state queue c7_d
pass out on $int_if from any to $c8 keep state queue c8_d
pass out on $int_if from any to $c9 keep state queue c9_d


pass out on $ext_if from $principal to any keep state queue principal_u
pass out on $ext_if from $c1 to any keep state queue c1_u
pass out on $ext_if from $c2 to any keep state queue c2_u
pass out on $ext_if from $c3 to any keep state queue c3_u
pass out on $ext_if from $c4 to any keep state queue c4_u
pass out on $ext_if from $c5 to any keep state queue c5_u
pass out on $ext_if from $c6 to any keep state queue c6_u
pass out on $ext_if from $c7 to any keep state queue c7_u
pass out on $ext_if from $c8 to any keep state queue c8_u
pass out on $ext_if from $c9 to any keep state queue c9_u
And here is "pftop" after pressing 8 on the keyboard:
Code:
pfTop: Up Queue 1-22/22, View: queue, Cache: 10000                                                                                     21:09:20

QUEUE                             BW SCH  PRIO     PKTS    BYTES   DROP_P   DROP_B QLEN BORROW SUSPEN     P/S     B/S
root_rl0                       3000K cbq     0      238    59029        0        0    0      0      0       9    2544
root_nfe0                      1000K cbq     0      275   212907        0        0    0      0      0      12    7886
 principal_d                    192K cbq              0        0        0        0    0      0      0       0       0
 principal_u                   64000 cbq              0        0        0        0    0      0      0       0       0
 c1_d                           128K cbq            238    59029        0        0    0      0      3       9    2544
 c1_u                          64000 cbq            275   212907       34    31105   33      0     65      12    7886
 c2_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c2_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c3_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c3_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c4_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c4_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c5_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c5_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c6_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c6_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c7_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c7_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c8_d                          1200K cbq              0        0        0        0    0      0      0       0       0
 c8_u                          64000 cbq              0        0        0        0    0      0      0       0       0
 c9_d                           128K cbq              0        0        0        0    0      0      0       0       0
 c9_u                          64000 cbq              0        0        0        0    0      0      0       0       0
Can anyone suggest what I am doing wrong?
__________________
FreeBSD addict since 4.2-RELEASE.
My FreeBSD wiki.

#2
29th July 2008
Weaseal

Well, clearly and unfortunately this thread never got a reply, and I was forced to switch to ipfw/dummynet for the bandwidth limiting. I'd rather be using pf for its advanced packet shaping features, but sometimes we have to settle for what gets the most important part done.

#3
29th July 2008
s0xxx
Package Pilot
Join Date: May 2008
Posts: 192

I don't have the means to simulate and try your config right now as I am on a Windows machine, but you could've tried to generate traffic and then run pfctl -vv -ss (and possibly pfctl -vv -sr) to see which rule(s) put traffic into the default queue so you can investigate why.
I see you got the problem solved, but it's worth knowing why it didn't work.
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD

#4
29th July 2008
s2scott
Package Pilot
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198

Can you do an ASCII-art network diagram (topology)? I think the reason your rules aren't hitting is --perhaps-- because you have the inside-outside IP addresses and the to-from mis-aligned.

Code:
pfctl -vvsrules
will show you the rule "hit" counts. I suspect they'll be zero.

/Scott
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
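The rule-counter check that s0xxx (pfctl -vv -sr) and s2scott (pfctl -vvsrules) suggest, turned into a small script. This is an added example and not code from the thread: it reads a pfctl -vvsr listing on stdin and prints, for every rule that names a queue, the rule number, the queue, the Packets and States counters, and whether the rule ever matched anything. The sample listing embedded in the block is constructed to resemble the thread's ruleset and counters; the exact column layout of a given pfctl version may differ, so compare the patterns against real output before trusting the numbers.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "pfctl -vvsr" output so that
# rules which assign a queue but never matched a packet stand out.
#
# Output, one line per rule that names a queue:
#   <rule#> <queue> <packets> <states> <status>
# status is "matched" (Packets > 0), "evaluated-never-matched" (the rule was
# evaluated but no packet matched it) or "never-evaluated" (no packet reached
# the rule at all, e.g. because packets matched an existing state first).
queue_rule_report() {
    awk '
    BEGIN { queue = "-" }
    /^@[0-9]+ / {
        # rule line: "@N pass out on rl0 ... queue c1_d"; remember the number
        # and the (first) queue name, handling the "queue (a, b)" form too
        rule  = substr($1, 2)
        queue = "-"
        for (i = 2; i <= NF; i++)
            if ($i == "queue") {
                queue = $(i + 1)
                sub(/^\(/, "", queue)
                sub(/[,)].*$/, "", queue)
            }
        next
    }
    /^ *\[ *Evaluations:/ && queue != "-" {
        # counter line: [ Evaluations: N  Packets: N  Bytes: N  States: N ]
        for (i = 1; i <= NF; i++) {
            if ($i == "Evaluations:") ev = $(i + 1)
            if ($i == "Packets:")     pk = $(i + 1)
            if ($i == "States:")      st = $(i + 1)
        }
        status = (pk > 0) ? "matched" : ((ev > 0) ? "evaluated-never-matched" : "never-evaluated")
        printf "%s %s %s %s %s\n", rule, queue, pk, st, status
        queue = "-"
    }'
}

# Constructed sample in the shape of "pfctl -vvsr" (rule numbers plus the
# counter line); the addresses mirror the thread, the numbers are made up.
SAMPLE_PFCTL_VVSR='@0 pass out on rl0 inet from any to 192.168.2.2 flags S/SA keep state queue principal_d
  [ Evaluations: 513       Packets: 0         Bytes: 0           States: 0     ]
@1 pass out on rl0 inet from any to 192.168.2.3 flags S/SA keep state queue c1_d
  [ Evaluations: 513       Packets: 238       Bytes: 59029       States: 3     ]
@2 pass out on nfe0 inet from 192.168.2.3 to any flags S/SA keep state queue c1_u
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@3 block drop in all
  [ Evaluations: 9         Packets: 9         Bytes: 540         States: 0     ]'

# Report on the sample; on the gateway itself use:  pfctl -vvsr | queue_rule_report
demo() {
    printf '%s\n' "$SAMPLE_PFCTL_VVSR" | queue_rule_report
}

demo
```

On the gateway, run `pfctl -vvsr | queue_rule_report` after generating traffic from each client. A rule reported as evaluated-never-matched means packets did traverse the ruleset on that interface and direction but none matched the rule's addresses, which is the "to-from mis-aligned" case s2scott has in mind. A rule reported as never-evaluated means no packet reached it at all; in pf, packets that match an existing state skip the ruleset, and the queue named on the rule that created the state is what decides where those packets go, so that is the case to examine when traffic lands in a queue other than the one on the rule you expected to match.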

#5
6th August 2008
Weaseal

Quote:
Originally Posted by s2scott View Post
Can you do an ASCII-art network diagram (topology)? I think the reason your rules aren't hitting is --perhaps-- because you have the inside-outside IP addresses and the to-from mis-aligned.
Ok.

( INTERNET ) --- ( ADSL modem ) --- ( <nfe0> FreeBSD gateway <rl0> ) --- ( switch ) --- ( clients )