From: Marcus Alves Grando
Date: Sun, 20 Nov 2005 16:56:12 -0200
To: freebsd-pf@freebsd.org
Subject: pf + ALTQ + hfsc
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hi list,

I don't know if my pf.conf is correct, but...

I'm trying to limit one interface "rl0" to 256Kb, but when I test with
iperf it says the limit is "7.29 Mbits/sec". What's wrong? Why does iperf say 7Mb/s?

Below are my conf and iperf test:

root@test:~# /etc/rc.d/pf restart
Disabling pf.
pf disabled
Enabling pf.
pf enabled
root@test:~# cat /etc/pf.conf
altq on rl0 bandwidth 512Kb hfsc queue test
queue test bandwidth 256Kb hfsc (default upperlimit 256Kb)

pass in on rl0 from any to any queue test
pass out on rl0 from any to any queue test
root@test:~# iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[ 4] local 150.162.166.75 port 5001 connected with 150.162.166.51 port 52278
[ 4] 0.0-10.0 sec 8.71 MBytes 7.29 Mbits/sec

Regards

--
Marcus Alves Grando
marcus(at)corp.grupos.com.br | Grupos Internet S/A
mnag(at)FreeBSD.org | FreeBSD.org


From: Jeremie Le Hen
Date: Sun, 20 Nov 2005 20:59:06 +0100
To: Daniel Hartmeier
Cc: Matthew Grooms, freebsd-pf@freebsd.org
Subject: Re: Traffic Shaping with pf ...

Hi, Daniel, Matthew,

On Thu, Nov 17, 2005 at 12:35:37AM +0100, Daniel Hartmeier wrote:
> [...]
>
> If you want to do this with ALTQ, you can do so by limiting outgoing
> packets on the "other" interface, assuming the box is forwarding all
> packets between two interfaces. If a browser (on a separate local box)
> is downloading a file from an external web server _through_ the ALTQ
> box, you rate-limit packets going out through the internal interface.
> Every packet coming in on the external interface obviously goes out
> through the internal interface, hence rate-limiting outgoing packets on
> the internal interface has the same effect as rate-limiting incoming
> packets on the external interface.
>
> This does not work if the client is on the ALTQ box itself, obviously
> (there is no "other" interface to rate-limit on). In this case you're
> facing a limitation of ALTQ itself. You might have to move ALTQ onto an
> additional intermediate box, just so you do have a second interface. I
> don't think there are any plans to introduce incoming queues in ALTQ.

First, thank you for this very clear explanation. I'm going to bookmark
it and will serve it as a reference whenever this kind of question
arises.

Next, I would like to add a small note on Dummynet, for the sake of
completeness. It does not have the same capabilities as ALTQ, but it is
very efficient in the latter case you described (non-DoS) and can work
on both inbound and outgoing paths (actually, it does not even need to
be bound to a particular interface, which may be worth if you have
multiple internal interfaces and this also means this can be used to
rate limit connections with the box itself).

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >


From: FreeBSD bugmaster
Date: Mon, 21 Nov 2005 11:02:38 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency
f  [2005/07/31] kern/84370  pf     [modules] Unload pf.ko cause page fault
f  [2005/09/13] kern/86072  pf     [pf] Packet Filter rule not working prope

3 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2005/05/15] conf/81042  pf     [pf] [patch] /etc/pf.os doesn't match Fre

1 problem total.


From: Jon Simola
Date: Mon, 21 Nov 2005 11:47:36 -0800
To: Marcus Alves Grando
Cc: freebsd-pf@freebsd.org
Subject: Re: pf + ALTQ + hfsc

On 11/20/05, Marcus Alves Grando wrote:

> I'm trying to limit one interface "rl0" to 256Kb, but when I test with
> iperf it says the limit is "7.29 Mbits/sec". What's wrong? Why does iperf say 7Mb/s?

> altq on rl0 bandwidth 512Kb hfsc queue test
> queue test bandwidth 256Kb hfsc (default upperlimit 256Kb)
>
> pass in on rl0 from any to any queue test
> pass out on rl0 from any to any queue test

You cannot queue inbound traffic, only outbound.

For simple PF configs, only use queue on "pass out" rules until you
get the hang of it.

For advanced configs, you can queue inbound traffic on an outbound
interface if it leaves the router/bridge on a different interface than
it entered on.

(simple and advanced are, of course, subjective terms)

--
Jon Simola
Systems Administrator
ABC Communications


From: Cedric Tabary
Date: Tue, 22 Nov 2005 02:57:31 +0100
To: freebsd-pf@freebsd.org
Subject: bridge and pf working a few seconds only

I am using FreeBSD RELENG_6 (cvsuped 2 days ago) with a bridge between
em2 and em3. (Dell PE 1850, no SMP)

The firewall is firewalling (keeping states) for a few seconds and
then stops learning states and starts passing all !!!

pfctl -s state becomes empty a few seconds later when the states expire

pfctl -d then pfctl -e does nothing

the only way to re-enable it is to ifconfig down and up the bridge0
interface, and a few seconds later it stops working again !

I can provide more details in private mails if you want ...

Cédric


From: Thiago Damas
Date: Tue, 22 Nov 2005 01:39:49 -0200
To: freebsd-pf@freebsd.org
Subject: changing queue using /dev/pf

Hi,
how can I change a queue of an active state, using /dev/pf? Is it possible?
Can someone give me an example of that?

[]s


From: Rick Atreides
Date: Tue, 22 Nov 2005 12:13:56 +0300
To: freebsd-pf@freebsd.org
Subject: Re: pf + ALTQ + hfsc

> For advanced configs, you can queue inbound traffic on an outbound
> interface if it leaves the router/bridge on a different interface than
> it entered on.

Can you show an example of this configuration, with some comments about
what that config does?

I am interested in a solution for this network config

                              -- rl0 --- client 1
internet --- fxp0 ---- router <
                              -- rl1 --- client 2

inet - 10 Mb
client 1 has guaranteed bandwidth of 2 Mb
client 2 has all available bandwidth (from 8 to 10 Mbit)

Are you talking about a solution for this task?
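
The kind of configuration Rick asks for, sketched as an added example that is not from any poster in the thread: the interface names and rates come from his diagram, while the queue names, the choice of HFSC and the assumption that the router simply forwards between the three interfaces are made here. It shows both the "pass out" form Jon recommends and the form he calls advanced, where the rule matches on the interface a packet enters and the queue lives on the interface it leaves.

```conf
# Added example, not taken from any post in the thread.
# Interface names and rates follow Rick's diagram: a 10Mb internet link on
# fxp0, client 1 on rl0 (2Mb guaranteed), client 2 on rl1.
ext_if = "fxp0"
c1_if  = "rl0"
c2_if  = "rl1"

# Marcus's original rules put "queue test" on both "pass in" and "pass out"
# on rl0 and then measured with "iperf -s", i.e. data arriving on rl0.
# ALTQ does not queue arriving packets, so that transfer ran unshaped.

# --- Download (internet -> clients) --------------------------------------
# These packets arrive on fxp0 and leave on rl0 or rl1, so they are queued
# where they leave. Each interface carries its own ALTQ scheduler; a queue
# on rl1 cannot borrow from, or lend to, a queue on rl0.
altq on $c1_if hfsc bandwidth 10Mb queue { c1_down }
queue c1_down bandwidth 10Mb hfsc(default)

# Capping client 2 at 8Mb keeps 2Mb of the 10Mb link free for client 1.
# The cost: client 2 stays at 8Mb even while client 1 is idle.
altq on $c2_if hfsc bandwidth 10Mb queue { c2_down }
queue c2_down bandwidth 8Mb hfsc(default upperlimit 8Mb)

# --- Upload (clients -> internet) ----------------------------------------
# Both clients' packets leave through fxp0, so one HFSC hierarchy can give
# client 1 a 2Mb real-time guarantee and let client 2 use whatever is left.
altq on $ext_if hfsc bandwidth 10Mb queue { c1_up, c2_up }
queue c1_up bandwidth 20% hfsc(realtime 2Mb)
queue c2_up bandwidth 80% hfsc(default)

# --- Rules ----------------------------------------------------------------
# The "simple" form: queue only on "pass out" rules of the ALTQ interface.
pass out on $c1_if from any to any keep state queue c1_down
pass out on $c2_if from any to any keep state queue c2_down

# The "advanced" form: the rule matches where client 1's packets enter
# (rl0), but c1_up exists only on fxp0, so the queueing happens when the
# same packets leave through fxp0. Nothing is queued on rl0 by this rule.
pass in on $c1_if from any to any keep state queue c1_up

# Client 2 and the router's own traffic fall into the default queue c2_up.
pass in on $c2_if from any to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vsq` prints per-queue packet and byte counters, which shows whether traffic is landing in the intended queue.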
( [213.221.7.36]) by mx.gmail.com with ESMTP id m3sm348086qbe.2005.11.23.05.42.12; Wed, 23 Nov 2005 05:42:14 -0800 (PST) From: Alex To: freebsd-pf@freebsd.org Content-Type: text/plain Date: Wed, 23 Nov 2005 16:42:19 +0300 Message-Id: <1132753339.649.48.camel@diablo> Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit Subject: pf synproxy in 6.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 13:42:30 -0000 In contrast, looks like synproxy is _not_ working in 6-stable from November, 22nd. The same ruleset for inbound traffic is working successfully on 5.4-STABLE. The workaround I've done is a change 'synproxy' option to 'modulate' Any ideas and info? -- Alex From owner-freebsd-pf@FreeBSD.ORG Wed Nov 23 13:56:18 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 709F316A41F for ; Wed, 23 Nov 2005 13:56:18 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F37F43D68 for ; Wed, 23 Nov 2005 13:56:07 +0000 (GMT) (envelope-from max@love2party.net) Received: from [84.163.208.38] (helo=donor.laier.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1Eev6S2qsT-0000dD; Wed, 23 Nov 2005 14:56:05 +0100 From: Max Laier To: freebsd-pf@freebsd.org Date: Wed, 23 Nov 2005 14:55:52 +0100 User-Agent: KMail/1.8.2 References: <1132753339.649.48.camel@diablo> In-Reply-To: <1132753339.649.48.camel@diablo> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1714418.M2Z2QyFc8h"; 
protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200511231456.03507.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Alex Subject: Re: pf synproxy in 6.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 13:56:18 -0000 --nextPart1714418.M2Z2QyFc8h Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 23 November 2005 14:42, Alex wrote: > In contrast, looks like synproxy is _not_ working in 6-stable from > November, 22nd. > The same ruleset for inbound traffic is working successfully on > 5.4-STABLE. > The workaround I've done is a change 'synproxy' option to 'modulate' > Any ideas and info? There has been a change in how synproxy works. With OpenBSD's revision 1.4= 37=20 of pf.c: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.437 th= e=20 secondary handshake no longer passes unconditionally, but must be allowed b= y=20 a separate rule. Something like: pass on $int_if proto tcp from any to $synproxied flags S/SA should do. Can you please check and confirm? I am afraid this difference = in=20 behavior from normal "keep/modulate" vs. "synproxy" is underdocumented -=20 suggestions appreciated. 
=2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1714418.M2Z2QyFc8h Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQBDhHTzXyyEoT62BG0RArbVAJ9NTqZwjaGfOk9JSI8E/+W8IfgEBACeOOk0 960dxcQzVMn7a6ke90HT1JE= =BfHj -----END PGP SIGNATURE----- --nextPart1714418.M2Z2QyFc8h-- From owner-freebsd-pf@FreeBSD.ORG Wed Nov 23 14:31:17 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE82116A41F for ; Wed, 23 Nov 2005 14:31:17 +0000 (GMT) (envelope-from alextols@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92E4C43D78 for ; Wed, 23 Nov 2005 14:31:13 +0000 (GMT) (envelope-from alextols@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so1442359wri for ; Wed, 23 Nov 2005 06:31:12 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:subject:from:to:cc:in-reply-to:references:content-type:date:message-id:mime-version:x-mailer:content-transfer-encoding; b=kxSWWosfuBK2kIiYagYIKh+WCGe/lxlyJIUqfU7l8mTI4K0mqyjfhS/jDIiQJstzhFyQVa0Re9/I4afUO27aI8Mp+aWMO28cqC8AacaVAQWE3Jbihdn/zET9wdr2Amyh6dcT88KMt5IdYSDtUH+d1nw/HWKu4OI+znK38rGgWCI= Received: by 10.65.145.14 with SMTP id x14mr6111304qbn; Wed, 23 Nov 2005 06:31:12 -0800 (PST) Received: from ?10.21.50.3? 
( [213.221.7.36]) by mx.gmail.com with ESMTP id d2sm364422qbc.2005.11.23.06.31.10; Wed, 23 Nov 2005 06:31:11 -0800 (PST) From: Alex To: Max Laier In-Reply-To: <200511231456.03507.max@love2party.net> References: <1132753339.649.48.camel@diablo> <200511231456.03507.max@love2party.net> Content-Type: text/plain; charset=KOI8-R Date: Wed, 23 Nov 2005 17:31:18 +0300 Message-Id: <1132756278.649.56.camel@diablo> Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit Cc: freebsd-pf@freebsd.org Subject: Re: pf synproxy in 6.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 14:31:17 -0000 ÷ ÓÒ, 23/11/2005 × 14:55 +0100, Max Laier ÐÉÛÅÔ: > On Wednesday 23 November 2005 14:42, Alex wrote: > > In contrast, looks like synproxy is _not_ working in 6-stable from > > November, 22nd. > > The same ruleset for inbound traffic is working successfully on > > 5.4-STABLE. > > The workaround I've done is a change 'synproxy' option to 'modulate' > > Any ideas and info? > > There has been a change in how synproxy works. With OpenBSD's revision 1.437 > of pf.c: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.437 the > secondary handshake no longer passes unconditionally, but must be allowed by > a separate rule. Something like: > > pass on $int_if proto tcp from any to $synproxied flags S/SA > > should do. Can you please check and confirm? I am afraid this difference in > behavior from normal "keep/modulate" vs. "synproxy" is underdocumented - > suggestions appreciated. Unfortunately I've got only 1 NIC on machine and requested service is running on the same FreeBSD box. 
Here's my ruleset : ext_if="vr0" pass in quick on $ext_if proto icmp from any to $ext_if icmp-type echoreq pass in quick on $ext_if proto icmp from any to $ext_if icmp-type echorep pass out quick on $ext_if proto icmp from $ext_if to any icmp-type echoreq pass out quick on $ext_if proto icmp from $ext_if to any icmp-type echorep block in quick on $ext_if proto icmp from any to any block out quick on $ext_if proto icmp from any to any pass quick on lo0 all pass in log quick on $ext_if proto tcp from any to $ext_if port { ssh, smtp, pop3 } flags S/SA synproxy state pass out quick on $ext_if proto tcp all modulate state flags S/SA pass out quick on $ext_if proto udp all keep state block in log on $ext_if What's to be added to take synproxy into working state? -- Alex From owner-freebsd-pf@FreeBSD.ORG Wed Nov 23 17:58:29 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6CC1016A421 for ; Wed, 23 Nov 2005 17:58:29 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F60D43D64 for ; Wed, 23 Nov 2005 17:58:21 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id jANHwMCq021770 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Wed, 23 Nov 2005 18:58:22 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id jANHwL0Z003324; Wed, 23 Nov 2005 18:58:22 +0100 (MET) Date: Wed, 23 Nov 2005 18:58:21 +0100 From: Daniel Hartmeier To: Alex Message-ID: <20051123175821.GA16492@insomnia.benzedrine.cx> References: <1132753339.649.48.camel@diablo> <200511231456.03507.max@love2party.net> <1132756278.649.56.camel@diablo> 
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1132756278.649.56.camel@diablo> User-Agent: Mutt/1.5.10i Cc: freebsd-pf@freebsd.org Subject: Re: pf synproxy in 6.0 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 17:58:29 -0000 On Wed, Nov 23, 2005 at 05:31:18PM +0300, Alex wrote: > What's to be added to take synproxy into working state? Try adding 'set skip on lo0'. Filtering on loopback is weird and has surprising side-effects with synproxy. Daniel From owner-freebsd-pf@FreeBSD.ORG Wed Nov 23 19:36:18 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B87416A41F for ; Wed, 23 Nov 2005 19:36:18 +0000 (GMT) (envelope-from alexandre.delay@free.fr) Received: from smtp3-g19.free.fr (smtp3-g19.free.fr [212.27.42.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id 07E0343D58 for ; Wed, 23 Nov 2005 19:36:17 +0000 (GMT) (envelope-from alexandre.delay@free.fr) Received: from Cerbere-de-Troyes.cerbere23.com (eur10-1-82-241-181-23.fbx.proxad.net [82.241.181.23]) by smtp3-g19.free.fr (Postfix) with ESMTP id 3A8DC37578 for ; Wed, 23 Nov 2005 20:36:16 +0100 (CET) Received: from artemis ([192.168.2.2]) by Cerbere-de-Troyes.cerbere23.com (8.13.3/8.13.3) with SMTP id jANJaGYf020427 for ; Wed, 23 Nov 2005 20:36:16 +0100 (CET) (envelope-from alexandre.delay@free.fr) From: "Alexandre DELAY" To: Date: Wed, 23 Nov 2005 20:36:34 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal 
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Subject: Protocol filter capabilities X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2005 19:36:18 -0000 hi guys, I am looking for an efficient way to filter different protocols, such as edonkey or BEEP. For the moment, I think that pf doesn't support it. Don't you think that it would be a nice thing to be able to include such "filters" from, for example, ethereal? Ethereal support more than 34k different protocols. It woul be nice to be able to choose from those filters and to apply some rules according to those filters. Do you know a way to do this? Cheers Alex From owner-freebsd-pf@FreeBSD.ORG Thu Nov 24 13:47:24 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 11BC416A420 for ; Thu, 24 Nov 2005 13:47:24 +0000 (GMT) (envelope-from tdamas@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1BF3B43D5E for ; Thu, 24 Nov 2005 13:47:22 +0000 (GMT) (envelope-from tdamas@gmail.com) Received: by zproxy.gmail.com with SMTP id 8so181912nzo for ; Thu, 24 Nov 2005 05:47:21 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=oSa6epz0NAeFFG49+I36UkA+86viZWiJxqegh3ZSeuvc3AjOeY35RN17H4itCFIALKtO2nwSakoddfswKfaNelcA21Yqan8Buv+8peXniS7IJc1zvfF0Z08+gPkTP1UsX2V/71HhY6mHWKwuxfAdSiMsBRpBhMemZa4lkm5Ghys= Received: by 10.37.15.18 with SMTP id s18mr373257nzi; Thu, 24 Nov 2005 05:47:21 -0800 (PST) Received: by 10.36.148.7 with 
HTTP; Thu, 24 Nov 2005 05:47:21 -0800 (PST) Message-ID: Date: Thu, 24 Nov 2005 11:47:21 -0200 From: Thiago Damas To: freebsd-pf@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: Subject: Re: Protocol filter capabilities X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2005 13:47:24 -0000 I have a program that implements this, via divert socket with ipfw. I think the better way to do this is with a program that listens with bfp/pcap, and inserts/deletes rules using ioctls in /dev/pf For now, I'm trying to alter a queue, given a state, using /dev/pf, but it doesnt seen easy. Altering the queue I can limit the bandwidth of a protocol; if I want to block the protocol, I can just delete the state of the firewall. Have you some ideas? 2005/11/23, Alexandre DELAY : > hi guys, > > I am looking for an efficient way to filter different protocols, such as > edonkey or BEEP. > For the moment, I think that pf doesn't support it. > > Don't you think that it would be a nice thing to be able to include such > "filters" from, for example, ethereal? > Ethereal support more than 34k different protocols. It woul be nice to be > able to choose from those filters and to apply some rules according to th= ose > filters. > > Do you know a way to do this? 
>
> Cheers
>
> Alex
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 24 18:23:32 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3932716A421 for ; Thu, 24 Nov 2005 18:23:32 +0000 (GMT) (envelope-from alexandre.delay@free.fr) Received: from smtp3-g19.free.fr (smtp3-g19.free.fr [212.27.42.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6234E43DB9 for ; Thu, 24 Nov 2005 18:22:26 +0000 (GMT) (envelope-from alexandre.delay@free.fr) Received: from Cerbere-de-Troyes.cerbere23.com (eur10-1-82-241-181-23.fbx.proxad.net [82.241.181.23]) by smtp3-g19.free.fr (Postfix) with ESMTP id DAA9637289; Thu, 24 Nov 2005 19:22:20 +0100 (CET) Received: from artemis ([192.168.2.2]) by Cerbere-de-Troyes.cerbere23.com (8.13.3/8.13.3) with SMTP id jAOIMFlE055487; Thu, 24 Nov 2005 19:22:15 +0100 (CET) (envelope-from alexandre.delay@free.fr) From: "Alexandre DELAY" To: "Thiago Damas" , Date: Thu, 24 Nov 2005 19:22:38 +0100 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 In-Reply-To: Importance: Normal Cc: Subject: RE: Protocol filter capabilities X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2005 18:23:32 -0000

Well, If you want an idea, I found this: http://freebsd.rogness.net/snort_inline/
in the freebsd-ipfw archive.

The thing is that it works with snort which is not as able as ethereal (and
needs to be subscribed) to detect application protocols.

Ethereal already includes performant filters which only wait to be used.

If you need help to develop around dummynet, maybe you can try to contact
luigi who developed dummynet (http://info.iet.unipi.it/~luigi). He might be
interested by this program.

Maybe you can tell us more about your project?

Cheers

Alex

-----Original Message-----
From: owner-freebsd-pf@freebsd.org
[mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Thiago Damas
Sent: Thursday, 24 November 2005 14:47
To: freebsd-pf@freebsd.org
Subject: Re: Protocol filter capabilities


I have a program that implements this, via divert socket with ipfw.
I think the better way to do this is with a program that listens
with bpf/pcap, and inserts/deletes rules using ioctls in /dev/pf
For now, I'm trying to alter a queue, given a state, using /dev/pf,
but it doesn't seem easy. Altering the queue I can limit the bandwidth
of a protocol; if I want to block the protocol, I can just delete the
state of the firewall.
Have you some ideas?


2005/11/23, Alexandre DELAY :
> hi guys,
>
> I am looking for an efficient way to filter different protocols, such as
> edonkey or BEEP.
> For the moment, I think that pf doesn't support it.
>
> Don't you think that it would be a nice thing to be able to include such
> "filters" from, for example, ethereal?
> Ethereal supports more than 34k different protocols. It would be nice to be
> able to choose from those filters and to apply some rules according to those
> filters.
>
> Do you know a way to do this?
>
> Cheers
>
> Alex
>

From owner-freebsd-pf@FreeBSD.ORG Thu Nov 24 19:04:24 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 525FD16A41F for ; Thu, 24 Nov 2005 19:04:24 +0000 (GMT) (envelope-from tdamas@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1B0C43D80 for ; Thu, 24 Nov 2005 19:04:16 +0000 (GMT) (envelope-from tdamas@gmail.com) Received: by zproxy.gmail.com with SMTP id 8so243532nzo for ; Thu, 24 Nov 2005 11:04:16 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=ta1ILz9xUvGEjAHka9x7Z3VvJgfxU+mG9jaEZrSzmvlhnKO3rvfEbgTp4UElaIVE5AiFqwRNULuQxpGwawSVJ/srSZUwkeJqNEOWsTLwhgNl/9UVe6qEm3TaC2mLDubrUgd9v4QJKl8zY+vwAWd7/PdDzi47y9V1CX18gmLF/uM= Received: by 10.36.177.18 with SMTP id z18mr563273nze; Thu, 24 Nov 2005 11:04:16 -0800 (PST) Received: by 10.36.148.7 with HTTP; Thu, 24 Nov 2005 11:04:16 -0800 (PST) Message-ID: Date: Thu, 24 Nov 2005 17:04:16 -0200 From: Thiago Damas To: Alexandre DELAY In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_10486_33005932.1132859056435" References: Cc: freebsd-pf@freebsd.org Subject: Re: Protocol filter capabilities X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and
general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2005 19:04:24 -0000 ------=_Part_10486_33005932.1132859056435 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

I'm sending the divert version of my program; use like this:

./p2p -b 65000 -k 65000 -e 65000 -g 65000 -i 65000
ipfw add 100 divert 10000 tcp from 1024-65535 to any 1024-65535 via xl0
ipfw add 60000 ip from any to any
ipfw add 65000 pipe 1 ip from any to any via xl0 out
ipfw add 65001 pipe 2 ip from any to any via xl0 in

My idea is to use a stateful filter, to minimize the use of CPU (this
program runs on userland).
Now, I'm looking at the PF code, to see where can I change.

2005/11/24, Alexandre DELAY :
> Well, If you want an idea, I found this:
> http://freebsd.rogness.net/snort_inline/ in the freebsd-ipfw archive.
>
> The thing is that it works with snort which is not as able as ethereal (and
> needs to be subscribed) to detect application protocols.
>
> Ethereal already includes performant filters which only wait to be used.
>
> If you need help to develop around dummynet, maybe you can try to contact
> luigi who developed dummynet (http://info.iet.unipi.it/~luigi). He might be
> interested by this program.
>
> Maybe you can tell us more about your project?
>
> Cheers
>
> Alex
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Thiago Damas
> Sent: Thursday, 24 November 2005 14:47
> To: freebsd-pf@freebsd.org
> Subject: Re: Protocol filter capabilities
>
>
> I have a program that implements this, via divert socket with ipfw.
> I think the better way to do this is with a program that listens
> with bpf/pcap, and inserts/deletes rules using ioctls in /dev/pf
> For now, I'm trying to alter a queue, given a state, using /dev/pf,
> but it doesn't seem easy.
> Altering the queue I can limit the bandwidth
> of a protocol; if I want to block the protocol, I can just delete the
> state of the firewall.
> Have you some ideas?
>
>
> 2005/11/23, Alexandre DELAY :
> > hi guys,
> >
> > I am looking for an efficient way to filter different protocols, such as
> > edonkey or BEEP.
> > For the moment, I think that pf doesn't support it.
> >
> > Don't you think that it would be a nice thing to be able to include such
> > "filters" from, for example, ethereal?
> > Ethereal supports more than 34k different protocols. It would be nice to be
> > able to choose from those filters and to apply some rules according to
> those
> > filters.
> >
> > Do you know a way to do this?
> >
> > Cheers
> >
> > Alex
> >
>

------=_Part_10486_33005932.1132859056435 Content-Type: application/octet-stream; name="p2p.c" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="p2p.c"
------=_Part_10486_33005932.1132859056435--

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 25 22:01:38 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8A5F16A41F for ; Fri, 25 Nov 2005 22:01:38 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from mail05.syd.optusnet.com.au (mail05.syd.optusnet.com.au [211.29.132.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CDCE43D64 for ; Fri, 25 Nov 2005 22:01:37 +0000 (GMT) (envelope-from montarotech@optusnet.com.au) Received: from delta (d58-104-249-166.dsl.nsw.optusnet.com.au [58.104.249.166]) by mail05.syd.optusnet.com.au (8.12.11/8.12.11) with SMTP id jAPM1a2n009236 for ; Sat, 26 Nov 2005 09:01:36 +1100 Message-ID: <000c01c5f20b$d19e4620$0600a8c0@delta> From: "Josh Finlay" To: Date: Sat, 26 Nov 2005 08:01:41 +1000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Subject: ALTQ bandwidth limiting only from internet IPs X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2005 22:01:38 -0000

I use the following rules for PF:

ExtIF="ng0"
IntIF="de0"
Delta="192.168.0.6"
Fear="192.168.0.1"

altq on $ExtIF cbq bandwidth 128Kb queue { q_network_out }
altq on $IntIF cbq bandwidth 512Kb queue { q_network_in }

queue q_network_out bandwidth 100% { q_delta_out, q_fear_out }
queue q_delta_out bandwidth 50% cbq(default borrow)
queue q_fear_out bandwidth 50% cbq(borrow)
queue q_network_in bandwidth 100% { q_delta_in, q_fear_in }
queue q_delta_in bandwidth 50% cbq(default borrow)
queue q_fear_in bandwidth 50% cbq(borrow)

pass out on $ExtIF from $Delta to any keep state queue q_delta_out
pass out on $ExtIF from $Fear to any keep state queue q_fear_out
pass out on $IntIF from $Delta to any keep state queue q_delta_in
pass out on $IntIF from $Fear to any keep state queue q_fear_in

This config seems to work quite well
but it's also queueing local traffic as well
so if I'm uploading from "Delta" to somewhere on the internet, my
local ssh sessions (to the machine running pf) lag due to lack of free
bandwidth

So how do I tell PF to only queue if it's an internet ip? or perhaps a
better way of saying it, is to *not* queue local traffic (to/from
local ips).

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 26 00:27:10 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB18E16A41F for ; Sat, 26 Nov 2005 00:27:10 +0000 (GMT) (envelope-from nivo+sender+38c70d@yuckfou.org) Received: from ssdd.xs4all.nl (ssdd.xs4all.nl [195.64.89.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFBCE43D82 for ; Sat, 26 Nov 2005 00:26:49 +0000 (GMT) (envelope-from nivo+sender+38c70d@yuckfou.org) Received: from localhost (localhost [127.0.0.1]) by imhotep.yuckfou.org (Postfix) with ESMTP id BDBA9685 for ; Sat, 26 Nov 2005 01:27:00 +0100 (CET) Received: from ssdd.xs4all.nl ([127.0.0.1]) by localhost (imhotep.yuckfou.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61041-01 for ; Sat, 26 Nov 2005 01:26:54 +0100 (CET) Received: by imhotep.yuckfou.org (Postfix, from userid 1000) id 81624688; Sat, 26 Nov 2005 01:26:51 +0100 (CET) Received: from [192.168.2.239] (turbata-xp.gondel.local [192.168.2.239]) by
localhost.yuckfou.org (tmda-ofmipd) with ESMTP; Sat, 26 Nov 2005 01:26:48 +0100 (CET) Message-ID: <4387ABB8.6010406@yuckfou.org> Date: Sat, 26 Nov 2005 01:26:32 +0100 User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Josh Finlay References: <000c01c5f20b$d19e4620$0600a8c0@delta> In-Reply-To: <000c01c5f20b$d19e4620$0600a8c0@delta> X-Enigmail-Version: 0.93.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Delivery-Agent: TMDA/1.0.3 (Seattle Slew) From: Nils Vogels X-TMDA-Fingerprint: T66S5XgI4XyvUTeDABZNnntpq9g X-Virus-Scanned: amavisd-new at yuckfou.org X-Spam-Status: No, score=-4.399 tagged_above=-999 required=6.31 tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599] X-Spam-Score: -4.399 X-Spam-Level: Cc: freebsd-pf@freebsd.org Subject: Re: ALTQ bandwidth limiting only from internet IPs X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Nils Vogels List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2005 00:27:11 -0000

Josh Finlay wrote:
> pass out on $ExtIF from $Delta to any keep state queue q_delta_out
> pass out on $ExtIF from $Fear to any keep state queue q_fear_out
> pass out on $IntIF from $Delta to any keep state queue q_delta_in
> pass out on $IntIF from $Fear to any keep state queue q_fear_in
>
> This config seems to work quite well
> but it's also queueing local traffic as well
> so if I'm uploading from "Delta" to somewhere on the internet, my
> local ssh sessions (to the machine running pf) lag due to lack of free
> bandwidth
>
> So how do I tell PF to only queue if it's an internet ip? or perhaps a
> better way of saying it, is to *not* queue local traffic (to/from
> local ips).
What you could try is something like this:

table persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

pass out on $ExtIF from $Delta to any keep state queue q_delta_out
pass out on $ExtIF from $Fear to any keep state queue q_fear_out
pass out on $IntIF from $Delta to ! keep state queue q_delta_in
pass out on $IntIF from $Fear to ! keep state queue q_fear_in

YMMV

--
Simple guidelines to happiness: Work like you don't need the money, love like your heart has never been broken and dance like no one can see you.

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 26 09:51:14 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B27CB16A41F for ; Sat, 26 Nov 2005 09:51:14 +0000 (GMT) (envelope-from sorin.gheorghe@omnitechnet.ro) Received: from Woody.cyberspace.ro (woody.fibernet.ro [84.234.96.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C4ED43D64 for ; Sat, 26 Nov 2005 09:51:08 +0000 (GMT) (envelope-from sorin.gheorghe@omnitechnet.ro) Received: from localhost (localhost.fibernet.ro [127.0.0.1]) by Woody.cyberspace.ro (Postfix) with ESMTP id 47E6A212C9A; Sat, 26 Nov 2005 11:50:03 +0200 (EET) Received: from Woody.cyberspace.ro ([127.0.0.1]) by localhost (localhost.fibernet.ro [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26414-03; Sat, 26 Nov 2005 11:49:59 +0200 (EET) Received: from youracef0d5685 (unknown [84.247.120.121]) by Woody.cyberspace.ro (Postfix) with SMTP id 3D008212C92; Sat, 26 Nov 2005 11:49:59 +0200 (EET) Message-ID: <002201c5f26e$e7a40e60$fc00a8c0@youracef0d5685> From: "Sorin Gheorghe" To: "Nils Vogels" , "Josh Finlay" References: <000c01c5f20b$d19e4620$0600a8c0@delta> <4387ABB8.6010406@yuckfou.org> Date: Sat, 26 Nov 2005 11:50:59 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 X-Antivirus: avast! (VPS 0547-5, 11/26/2005), Outbound message X-Antivirus-Status: Clean X-Virus-Scanned: Local scanned at fibernet.ro Cc: freebsd-pf@freebsd.org Subject: ALTQ bandwidth limiting for internet and local-exchange ..... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2005 09:51:14 -0000

try something like this ... i have a lot of routers with this configuration

table is the local-exchange ips, even better you can get that from a route-reflector bgp session with your local provider and you can use the zebra-dump-parser.pl to put those classes in the table. After that just ....exec("/sbin/pfctl -Tl -f /etc/pf.conf"); and everything is OK :)
i run this script every 10 seconds and it works great ....

bgpd.conf
.....examples
dump bgp routes-mrt /altq/zebra/tmp/zebra.mrt 10

pf.conf:
altq on ex1 bandwidth 4000Mb hfsc queue {in_internet,in_metro,default }
altq on ex0 bandwidth 4000Mb hfsc queue {out_internet,out_metro,default2 }
queue in_internet bandwidth 100Mb hfsc (realtime 700Kb upperlimit 700Kb ) {q194.234.194.99,q194.234.194.101,q194.234.194.102,q194.234.194.103,q194.234.194.104,q194.234.194.105,q194.234.194.3,q194.234.194.4,q194.234.194.5,q194.234.194.6,q194.234.194.7,q194.234.194.9,q194.234.194.10,q194.234.194.11,q194.234.194.12,q194.234.194.13,q194.234.194.14,q194.234.194.15,q194.234.194.16,q194.234.194.17,q194.234.194.18,q194.234.194.19,q194.234.194.20,q194.234.194.21,q194.234.194.22,q194.234.194.23,q194.234.194.24,q194.234.194.25,q194.234.194.26,q194.234.194.28,q194.234.194.29,q194.234.194.31,q194.234.194.32,q194.234.194.33,q194.234.194.34,q194.234.194.35,q194.234.194.36,q194.234.194.37,q194.234.194.39,q194.234.194.40,q194.234.194.41,q194.234.194.42,q194.234.194.43,q194.234.194.44,q194.234.194.46,q194.234.194.47,q194.234.194.100,q194.234.194.49,q194.234.194.50,q194.234.194.51,q194.234.194.52,q194.234.194.53,q194.234.194.54,q194.234.194.55,q194.234.194.56,q194.234.194.70,q194.234.194.71,q194.234.194.72,q194.234.194.73,q194.234.194.74,q194.234.194.75,q194.234.194.76,q194.234.194.77,q194.234.194.78,q194.234.194.79,q194.234.194.80,q194.234.194.81,q194.234.194.82,q194.234.194.83,q194.234.194.84,q194.234.194.85,q194.234.194.86,defaultii}
queue out_internet bandwidth 100Mb hfsc (realtime 700Kb upperlimit 700Kb ) {e194.234.194.99,e194.234.194.101,e194.234.194.102,e194.234.194.103,e194.234.194.104,e194.234.194.105,e194.234.194.3,e194.234.194.4,e194.234.194.5,e194.234.194.6,e194.234.194.7,e194.234.194.9,e194.234.194.10,e194.234.194.11,e194.234.194.12,e194.234.194.13,e194.234.194.14,e194.234.194.15,e194.234.194.16,e194.234.194.17,e194.234.194.18,e194.234.194.19,e194.234.194.20,e194.234.194.21,e194.234.194.22,e194.234.194.23,e194.234.194.24,e194.234.194.25,e194.234.194.26,e194.234.194.28,e194.234.194.29,e194.234.194.31,e194.234.194.32,e194.234.194.33,e194.234.194.34,e194.234.194.35,e194.234.194.36,e194.234.194.37,e194.234.194.39,e194.234.194.40,e194.234.194.41,e194.234.194.42,e194.234.194.43,e194.234.194.44,e194.234.194.46,e194.234.194.47,e194.234.194.100,e194.234.194.49,e194.234.194.50,e194.234.194.51,e194.234.194.52,e194.234.194.53,e194.234.194.54,e194.234.194.55,e194.234.194.56,e194.234.194.70,e194.234.194.71,e194.234.194.72,e194.234.194.73,e194.234.194.74,e194.234.194.75,e194.234.194.76,e194.234.194.77,e194.234.194.78,e194.234.194.79,e194.234.194.80,e194.234.194.81,e194.234.194.82,e194.234.194.83,e194.234.194.84,e194.234.194.85,e194.234.194.86,defaultio}
queue in_metro bandwidth 800Mb hfsc {w194.234.194.99,w194.234.194.101,w194.234.194.102,w194.234.194.103,w194.234.194.104,w194.234.194.105,w194.234.194.3,w194.234.194.4,w194.234.194.5,w194.234.194.6,w194.234.194.7,w194.234.194.9,w194.234.194.10,w194.234.194.11,w194.234.194.12,w194.234.194.13,w194.234.194.14,w194.234.194.15,w194.234.194.16,w194.234.194.17,w194.234.194.18,w194.234.194.19,w194.234.194.20,w194.234.194.21,w194.234.194.22,w194.234.194.23,w194.234.194.24,w194.234.194.25,w194.234.194.26,w194.234.194.28,w194.234.194.29,w194.234.194.31,w194.234.194.32,w194.234.194.33,w194.234.194.34,w194.234.194.35,w194.234.194.36,w194.234.194.37,w194.234.194.39,w194.234.194.40,w194.234.194.41,w194.234.194.42,w194.234.194.43,w194.234.194.44,w194.234.194.46,w194.234.194.47,w194.234.194.100,w194.234.194.49,w194.234.194.50,w194.234.194.51,w194.234.194.52,w194.234.194.53,w194.234.194.54,w194.234.194.55,w194.234.194.56,w194.234.194.70,w194.234.194.71,w194.234.194.72,w194.234.194.73,w194.234.194.74,w194.234.194.75,w194.234.194.76,w194.234.194.77,w194.234.194.78,w194.234.194.79,w194.234.194.80,w194.234.194.81,w194.234.194.82,w194.234.194.83,w194.234.194.84,w194.234.194.85,w194.234.194.86,defaultmi}
queue out_metro bandwidth 800Mb hfsc {r194.234.194.99,r194.234.194.101,r194.234.194.102,r194.234.194.103,r194.234.194.104,r194.234.194.105,r194.234.194.3,r194.234.194.4,r194.234.194.5,r194.234.194.6,r194.234.194.7,r194.234.194.9,r194.234.194.10,r194.234.194.11,r194.234.194.12,r194.234.194.13,r194.234.194.14,r194.234.194.15,r194.234.194.16,r194.234.194.17,r194.234.194.18,r194.234.194.19,r194.234.194.20,r194.234.194.21,r194.234.194.22,r194.234.194.23,r194.234.194.24,r194.234.194.25,r194.234.194.26,r194.234.194.28,r194.234.194.29,r194.234.194.31,r194.234.194.32,r194.234.194.33,r194.234.194.34,r194.234.194.35,r194.234.194.36,r194.234.194.37,r194.234.194.39,r194.234.194.40,r194.234.194.41,r194.234.194.42,r194.234.194.43,r194.234.194.44,r194.234.194.46,r194.234.194.47,r194.234.194.100,r194.234.194.49,r194.234.194.50,r194.234.194.51,r194.234.194.52,r194.234.194.53,r194.234.194.54,r194.234.194.55,r194.234.194.56,r194.234.194.70,r194.234.194.71,r194.234.194.72,r194.234.194.73,r194.234.194.74,r194.234.194.75,r194.234.194.76,r194.234.194.77,r194.234.194.78,r194.234.194.79,r194.234.194.80,r194.234.194.81,r194.234.194.82,r194.234.194.83,r194.234.194.84,r194.234.194.85,r194.234.194.86,defaultmo}
queue default bandwidth 128Kb hfsc (realtime 32Kb upperlimit 512Kb default) qlimit 150
queue defaultii bandwidth 128Kb hfsc (realtime 32Kb upperlimit 512Kb ) qlimit 150
queue defaultio bandwidth 128Kb hfsc (realtime 32Kb upperlimit 512Kb ) qlimit 150
queue defaultmi bandwidth 128Kb hfsc (realtime 32Kb upperlimit 512Kb ) qlimit 150
queue defaultmo bandwidth 128Kb hfsc (realtime 32Kb upperlimit 512Kb ) qlimit 150
queue default2 bandwidth 128Kb hfsc (realtime 9Mb upperlimit 9Mb default) qlimit 150
queue q194.234.194.99 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20
queue e194.234.194.99 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000
queue w194.234.194.99 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue r194.234.194.99 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue q194.234.194.101 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20
queue e194.234.194.101 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000
queue w194.234.194.101 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue r194.234.194.101 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue q194.234.194.102 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20
queue e194.234.194.102 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000
queue w194.234.194.102 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue r194.234.194.102 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue q194.234.194.103 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20
queue e194.234.194.103 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000
queue w194.234.194.103 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000
queue r194.234.194.103 bandwidth 2Mb hfsc (realtime
8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.104 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.104 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.104 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.104 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.105 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.105 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.105 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.105 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.3 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.3 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.3 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.3 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.4 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.4 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.4 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.4 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.5 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.5 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.5 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.5 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.6 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.6 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.6 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.6 bandwidth 2Mb hfsc 
(realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.7 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.7 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.7 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.7 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.9 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.9 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.9 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.9 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.10 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.10 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.10 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.10 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.11 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.11 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.11 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.11 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.12 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.12 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.12 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.12 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.13 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.13 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.13 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.13 bandwidth 
2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.14 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.14 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.14 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.14 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.15 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.15 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.15 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.15 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.16 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.16 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.16 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.16 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.17 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.17 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.17 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.17 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.18 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.18 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.18 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.18 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.19 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.19 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.19 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue 
r194.234.194.19 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.20 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.20 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.20 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.20 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.21 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.21 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.21 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.21 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.22 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.22 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.22 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.22 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.23 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.23 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.23 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.23 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.24 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.24 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.24 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.24 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.25 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.25 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.25 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) 
qlimit 1000 queue r194.234.194.25 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.26 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.26 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.26 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.26 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.28 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.28 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.28 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.28 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.29 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.29 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.29 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.29 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.31 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.31 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.31 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.31 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.32 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.32 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.32 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.32 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.33 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.33 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.33 bandwidth 2Mb hfsc (realtime 8Mb 
upperlimit 70Mb) qlimit 1000 queue r194.234.194.33 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.34 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.34 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.34 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.34 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.35 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.35 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.35 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.35 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.36 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.36 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.36 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.36 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.37 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.37 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.37 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.37 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.39 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.39 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.39 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.39 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.40 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.40 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.40 bandwidth 2Mb 
hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.40 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.41 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.41 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.41 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.41 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.42 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.42 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.42 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.42 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.43 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.43 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.43 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.43 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.44 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.44 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.44 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.44 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.46 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.46 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.46 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.46 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.47 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.47 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue 
w194.234.194.47 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.47 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.100 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.100 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.100 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.100 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.49 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.49 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.49 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.49 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.50 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.50 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.50 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.50 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.51 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.51 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.51 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.51 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.52 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.52 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.52 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.52 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.53 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.53 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 
192Kb) qlimit 1000 queue w194.234.194.53 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.53 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.54 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.54 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.54 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.54 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.55 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.55 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.55 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.55 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.56 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.56 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.56 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.56 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.70 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.70 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.70 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.70 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.71 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.71 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.71 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.71 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.72 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.72 bandwidth 1Kb hfsc 
(realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.72 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.72 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.73 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.73 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.73 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.73 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.74 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.74 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.74 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.74 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.75 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.75 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.75 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.75 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.76 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.76 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.76 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.76 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.77 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.77 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.77 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.77 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.78 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.78 
bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.78 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.78 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.79 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.79 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.79 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.79 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.80 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.80 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.80 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.80 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.81 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.81 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.81 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.81 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.82 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.82 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.82 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.82 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.83 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.83 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.83 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.83 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.84 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue 
e194.234.194.84 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.84 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.84 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.85 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.85 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.85 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.85 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue q194.234.194.86 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 256Kb) qlimit 20 queue e194.234.194.86 bandwidth 1Kb hfsc (realtime 1Kb upperlimit 192Kb) qlimit 1000 queue w194.234.194.86 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 queue r194.234.194.86 bandwidth 2Mb hfsc (realtime 8Mb upperlimit 70Mb) qlimit 1000 table persist file '/altq/routes.txt' rdr pass on ex1 proto tcp to ! port 80 -> 127.0.0.1 port 3128 block in quick on ex1 proto tcp from any to any port 134><140 block in quick on ex1 proto udp from any to any port 445 block in quick on ex1 proto udp from any to any port 134><140 block in quick on ex1 proto tcp from any to any port 445 block in quick on ex0 proto tcp from any to any port 134><140 block in quick on ex0 proto udp from any to any port 445 block in quick on ex0 proto udp from any to any port 134><140 block in quick on ex0 proto tcp from any to any port 445 block out quick on ex1 proto tcp from any to any port 134><140 block out quick on ex1 proto udp from any to any port 445 block out quick on ex1 proto udp from any to any port 134><140 block out quick on ex1 proto tcp from any to any port 445 block out quick on ex0 proto tcp from any to any port 134><140 block out quick on ex0 proto udp from any to any port 445 block out quick on ex0 proto udp from any to any port 134><140 block out quick on ex0 proto tcp from any to any port 445 pass out quick on 
ex1 from any to 194.234.194.99 tos 0x08 queue q194.234.194.99 pass out quick on ex1 from any to 194.234.194.99 queue w194.234.194.99 pass in quick on ex1 from 194.234.194.99 to queue r194.234.194.99 pass in quick on ex1 from 194.234.194.99 queue e194.234.194.99 pass out quick on ex1 from any to 194.234.194.101 tos 0x08 queue q194.234.194.101 pass out quick on ex1 from any to 194.234.194.101 queue w194.234.194.101 pass in quick on ex1 from 194.234.194.101 to queue r194.234.194.101 pass in quick on ex1 from 194.234.194.101 queue e194.234.194.101 pass out quick on ex1 from any to 194.234.194.102 tos 0x08 queue q194.234.194.102 pass out quick on ex1 from any to 194.234.194.102 queue w194.234.194.102 pass in quick on ex1 from 194.234.194.102 to queue r194.234.194.102 pass in quick on ex1 from 194.234.194.102 queue e194.234.194.102 pass out quick on ex1 from any to 194.234.194.103 tos 0x08 queue q194.234.194.103 pass out quick on ex1 from any to 194.234.194.103 queue w194.234.194.103 pass in quick on ex1 from 194.234.194.103 to queue r194.234.194.103 pass in quick on ex1 from 194.234.194.103 queue e194.234.194.103 pass out quick on ex1 from any to 194.234.194.104 tos 0x08 queue q194.234.194.104 pass out quick on ex1 from any to 194.234.194.104 queue w194.234.194.104 pass in quick on ex1 from 194.234.194.104 to queue r194.234.194.104 pass in quick on ex1 from 194.234.194.104 queue e194.234.194.104 pass out quick on ex1 from any to 194.234.194.105 tos 0x08 queue q194.234.194.105 pass out quick on ex1 from any to 194.234.194.105 queue w194.234.194.105 pass in quick on ex1 from 194.234.194.105 to queue r194.234.194.105 pass in quick on ex1 from 194.234.194.105 queue e194.234.194.105 pass out quick on ex1 from any to 194.234.194.3 tos 0x08 queue q194.234.194.3 pass out quick on ex1 from any to 194.234.194.3 queue w194.234.194.3 pass in quick on ex1 from 194.234.194.3 to queue r194.234.194.3 pass in quick on ex1 from 194.234.194.3 queue e194.234.194.3 pass out quick on ex1 
from any to 194.234.194.4 tos 0x08 queue q194.234.194.4 pass out quick on ex1 from any to 194.234.194.4 queue w194.234.194.4 pass in quick on ex1 from 194.234.194.4 to queue r194.234.194.4 pass in quick on ex1 from 194.234.194.4 queue e194.234.194.4 pass out quick on ex1 from any to 194.234.194.5 tos 0x08 queue q194.234.194.5 pass out quick on ex1 from any to 194.234.194.5 queue w194.234.194.5 pass in quick on ex1 from 194.234.194.5 to queue r194.234.194.5 pass in quick on ex1 from 194.234.194.5 queue e194.234.194.5 pass out quick on ex1 from any to 194.234.194.6 tos 0x08 queue q194.234.194.6 pass out quick on ex1 from any to 194.234.194.6 queue w194.234.194.6 pass in quick on ex1 from 194.234.194.6 to queue r194.234.194.6 pass in quick on ex1 from 194.234.194.6 queue e194.234.194.6 pass out quick on ex1 from any to 194.234.194.7 tos 0x08 queue q194.234.194.7 pass out quick on ex1 from any to 194.234.194.7 queue w194.234.194.7 pass in quick on ex1 from 194.234.194.7 to queue r194.234.194.7 pass in quick on ex1 from 194.234.194.7 queue e194.234.194.7 pass out quick on ex1 from any to 194.234.194.9 tos 0x08 queue q194.234.194.9 pass out quick on ex1 from any to 194.234.194.9 queue w194.234.194.9 pass in quick on ex1 from 194.234.194.9 to queue r194.234.194.9 pass in quick on ex1 from 194.234.194.9 queue e194.234.194.9 pass out quick on ex1 from any to 194.234.194.10 tos 0x08 queue q194.234.194.10 pass out quick on ex1 from any to 194.234.194.10 queue w194.234.194.10 pass in quick on ex1 from 194.234.194.10 to queue r194.234.194.10 pass in quick on ex1 from 194.234.194.10 queue e194.234.194.10 pass out quick on ex1 from any to 194.234.194.11 tos 0x08 queue q194.234.194.11 pass out quick on ex1 from any to 194.234.194.11 queue w194.234.194.11 pass in quick on ex1 from 194.234.194.11 to queue r194.234.194.11 pass in quick on ex1 from 194.234.194.11 queue e194.234.194.11 pass out quick on ex1 from any to 194.234.194.12 tos 0x08 queue q194.234.194.12 pass out quick on ex1 
from any to 194.234.194.12 queue w194.234.194.12 pass in quick on ex1 from 194.234.194.12 to queue r194.234.194.12 pass in quick on ex1 from 194.234.194.12 queue e194.234.194.12 pass out quick on ex1 from any to 194.234.194.13 tos 0x08 queue q194.234.194.13 pass out quick on ex1 from any to 194.234.194.13 queue w194.234.194.13 pass in quick on ex1 from 194.234.194.13 to queue r194.234.194.13 pass in quick on ex1 from 194.234.194.13 queue e194.234.194.13 pass out quick on ex1 from any to 194.234.194.14 tos 0x08 queue q194.234.194.14 pass out quick on ex1 from any to 194.234.194.14 queue w194.234.194.14 pass in quick on ex1 from 194.234.194.14 to queue r194.234.194.14 pass in quick on ex1 from 194.234.194.14 queue e194.234.194.14 pass out quick on ex1 from any to 194.234.194.15 tos 0x08 queue q194.234.194.15 pass out quick on ex1 from any to 194.234.194.15 queue w194.234.194.15 pass in quick on ex1 from 194.234.194.15 to queue r194.234.194.15 pass in quick on ex1 from 194.234.194.15 queue e194.234.194.15 pass out quick on ex1 from any to 194.234.194.16 tos 0x08 queue q194.234.194.16 pass out quick on ex1 from any to 194.234.194.16 queue w194.234.194.16 pass in quick on ex1 from 194.234.194.16 to queue r194.234.194.16 pass in quick on ex1 from 194.234.194.16 queue e194.234.194.16 pass out quick on ex1 from any to 194.234.194.17 tos 0x08 queue q194.234.194.17 pass out quick on ex1 from any to 194.234.194.17 queue w194.234.194.17 pass in quick on ex1 from 194.234.194.17 to queue r194.234.194.17 pass in quick on ex1 from 194.234.194.17 queue e194.234.194.17 pass out quick on ex1 from any to 194.234.194.18 tos 0x08 queue q194.234.194.18 pass out quick on ex1 from any to 194.234.194.18 queue w194.234.194.18 pass in quick on ex1 from 194.234.194.18 to queue r194.234.194.18 pass in quick on ex1 from 194.234.194.18 queue e194.234.194.18 pass out quick on ex1 from any to 194.234.194.19 tos 0x08 queue q194.234.194.19 pass out quick on ex1 from any to 194.234.194.19 queue 
w194.234.194.19 pass in quick on ex1 from 194.234.194.19 to queue r194.234.194.19 pass in quick on ex1 from 194.234.194.19 queue e194.234.194.19 pass out quick on ex1 from any to 194.234.194.20 tos 0x08 queue q194.234.194.20 pass out quick on ex1 from any to 194.234.194.20 queue w194.234.194.20 pass in quick on ex1 from 194.234.194.20 to queue r194.234.194.20 pass in quick on ex1 from 194.234.194.20 queue e194.234.194.20 pass out quick on ex1 from any to 194.234.194.21 tos 0x08 queue q194.234.194.21 pass out quick on ex1 from any to 194.234.194.21 queue w194.234.194.21 pass in quick on ex1 from 194.234.194.21 to queue r194.234.194.21 pass in quick on ex1 from 194.234.194.21 queue e194.234.194.21 pass out quick on ex1 from any to 194.234.194.22 tos 0x08 queue q194.234.194.22 pass out quick on ex1 from any to 194.234.194.22 queue w194.234.194.22 pass in quick on ex1 from 194.234.194.22 to queue r194.234.194.22 pass in quick on ex1 from 194.234.194.22 queue e194.234.194.22 pass out quick on ex1 from any to 194.234.194.23 tos 0x08 queue q194.234.194.23 pass out quick on ex1 from any to 194.234.194.23 queue w194.234.194.23 pass in quick on ex1 from 194.234.194.23 to queue r194.234.194.23 pass in quick on ex1 from 194.234.194.23 queue e194.234.194.23 pass out quick on ex1 from any to 194.234.194.24 tos 0x08 queue q194.234.194.24 pass out quick on ex1 from any to 194.234.194.24 queue w194.234.194.24 pass in quick on ex1 from 194.234.194.24 to queue r194.234.194.24 pass in quick on ex1 from 194.234.194.24 queue e194.234.194.24 pass out quick on ex1 from any to 194.234.194.25 tos 0x08 queue q194.234.194.25 pass out quick on ex1 from any to 194.234.194.25 queue w194.234.194.25 pass in quick on ex1 from 194.234.194.25 to queue r194.234.194.25 pass in quick on ex1 from 194.234.194.25 queue e194.234.194.25 pass out quick on ex1 from any to 194.234.194.26 tos 0x08 queue q194.234.194.26 pass out quick on ex1 from any to 194.234.194.26 queue w194.234.194.26 pass in quick on ex1 
from 194.234.194.26 to queue r194.234.194.26 pass in quick on ex1 from 194.234.194.26 queue e194.234.194.26 pass out quick on ex1 from any to 194.234.194.28 tos 0x08 queue q194.234.194.28 pass out quick on ex1 from any to 194.234.194.28 queue w194.234.194.28 pass in quick on ex1 from 194.234.194.28 to queue r194.234.194.28 pass in quick on ex1 from 194.234.194.28 queue e194.234.194.28 pass out quick on ex1 from any to 194.234.194.29 tos 0x08 queue q194.234.194.29 pass out quick on ex1 from any to 194.234.194.29 queue w194.234.194.29 pass in quick on ex1 from 194.234.194.29 to queue r194.234.194.29 pass in quick on ex1 from 194.234.194.29 queue e194.234.194.29 pass out quick on ex1 from any to 194.234.194.31 tos 0x08 queue q194.234.194.31 pass out quick on ex1 from any to 194.234.194.31 queue w194.234.194.31 pass in quick on ex1 from 194.234.194.31 to queue r194.234.194.31 pass in quick on ex1 from 194.234.194.31 queue e194.234.194.31 pass out quick on ex1 from any to 194.234.194.32 tos 0x08 queue q194.234.194.32 pass out quick on ex1 from any to 194.234.194.32 queue w194.234.194.32 pass in quick on ex1 from 194.234.194.32 to queue r194.234.194.32 pass in quick on ex1 from 194.234.194.32 queue e194.234.194.32 pass out quick on ex1 from any to 194.234.194.33 tos 0x08 queue q194.234.194.33 pass out quick on ex1 from any to 194.234.194.33 queue w194.234.194.33 pass in quick on ex1 from 194.234.194.33 to queue r194.234.194.33 pass in quick on ex1 from 194.234.194.33 queue e194.234.194.33 pass out quick on ex1 from any to 194.234.194.34 tos 0x08 queue q194.234.194.34 pass out quick on ex1 from any to 194.234.194.34 queue w194.234.194.34 pass in quick on ex1 from 194.234.194.34 to queue r194.234.194.34 pass in quick on ex1 from 194.234.194.34 queue e194.234.194.34 pass out quick on ex1 from any to 194.234.194.35 tos 0x08 queue q194.234.194.35 pass out quick on ex1 from any to 194.234.194.35 queue w194.234.194.35 pass in quick on ex1 from 194.234.194.35 to queue 
r194.234.194.35 pass in quick on ex1 from 194.234.194.35 queue e194.234.194.35 pass out quick on ex1 from any to 194.234.194.36 tos 0x08 queue q194.234.194.36 pass out quick on ex1 from any to 194.234.194.36 queue w194.234.194.36 pass in quick on ex1 from 194.234.194.36 to queue r194.234.194.36 pass in quick on ex1 from 194.234.194.36 queue e194.234.194.36 pass out quick on ex1 from any to 194.234.194.37 tos 0x08 queue q194.234.194.37 pass out quick on ex1 from any to 194.234.194.37 queue w194.234.194.37 pass in quick on ex1 from 194.234.194.37 to queue r194.234.194.37 pass in quick on ex1 from 194.234.194.37 queue e194.234.194.37 pass out quick on ex1 from any to 194.234.194.39 tos 0x08 queue q194.234.194.39 pass out quick on ex1 from any to 194.234.194.39 queue w194.234.194.39 pass in quick on ex1 from 194.234.194.39 to queue r194.234.194.39 pass in quick on ex1 from 194.234.194.39 queue e194.234.194.39 pass out quick on ex1 from any to 194.234.194.40 tos 0x08 queue q194.234.194.40 pass out quick on ex1 from any to 194.234.194.40 queue w194.234.194.40 pass in quick on ex1 from 194.234.194.40 to queue r194.234.194.40 pass in quick on ex1 from 194.234.194.40 queue e194.234.194.40 pass out quick on ex1 from any to 194.234.194.41 tos 0x08 queue q194.234.194.41 pass out quick on ex1 from any to 194.234.194.41 queue w194.234.194.41 pass in quick on ex1 from 194.234.194.41 to queue r194.234.194.41 pass in quick on ex1 from 194.234.194.41 queue e194.234.194.41 pass out quick on ex1 from any to 194.234.194.42 tos 0x08 queue q194.234.194.42 pass out quick on ex1 from any to 194.234.194.42 queue w194.234.194.42 pass in quick on ex1 from 194.234.194.42 to queue r194.234.194.42 pass in quick on ex1 from 194.234.194.42 queue e194.234.194.42 pass out quick on ex1 from any to 194.234.194.43 tos 0x08 queue q194.234.194.43 pass out quick on ex1 from any to 194.234.194.43 queue w194.234.194.43 pass in quick on ex1 from 194.234.194.43 to queue r194.234.194.43 pass in quick on ex1 
from 194.234.194.43 queue e194.234.194.43 pass out quick on ex1 from any to 194.234.194.44 tos 0x08 queue q194.234.194.44 pass out quick on ex1 from any to 194.234.194.44 queue w194.234.194.44 pass in quick on ex1 from 194.234.194.44 to queue r194.234.194.44 pass in quick on ex1 from 194.234.194.44 queue e194.234.194.44 pass out quick on ex1 from any to 194.234.194.46 tos 0x08 queue q194.234.194.46 pass out quick on ex1 from any to 194.234.194.46 queue w194.234.194.46 pass in quick on ex1 from 194.234.194.46 to queue r194.234.194.46 pass in quick on ex1 from 194.234.194.46 queue e194.234.194.46 pass out quick on ex1 from any to 194.234.194.47 tos 0x08 queue q194.234.194.47 pass out quick on ex1 from any to 194.234.194.47 queue w194.234.194.47 pass in quick on ex1 from 194.234.194.47 to queue r194.234.194.47 pass in quick on ex1 from 194.234.194.47 queue e194.234.194.47 pass out quick on ex1 from any to 194.234.194.100 tos 0x08 queue q194.234.194.100 pass out quick on ex1 from any to 194.234.194.100 queue w194.234.194.100 pass in quick on ex1 from 194.234.194.100 to queue r194.234.194.100 pass in quick on ex1 from 194.234.194.100 queue e194.234.194.100 pass out quick on ex1 from any to 194.234.194.49 tos 0x08 queue q194.234.194.49 pass out quick on ex1 from any to 194.234.194.49 queue w194.234.194.49 pass in quick on ex1 from 194.234.194.49 to queue r194.234.194.49 pass in quick on ex1 from 194.234.194.49 queue e194.234.194.49 pass out quick on ex1 from any to 194.234.194.50 tos 0x08 queue q194.234.194.50 pass out quick on ex1 from any to 194.234.194.50 queue w194.234.194.50 pass in quick on ex1 from 194.234.194.50 to queue r194.234.194.50 pass in quick on ex1 from 194.234.194.50 queue e194.234.194.50 pass out quick on ex1 from any to 194.234.194.51 tos 0x08 queue q194.234.194.51 pass out quick on ex1 from any to 194.234.194.51 queue w194.234.194.51 pass in quick on ex1 from 194.234.194.51 to queue r194.234.194.51 pass in quick on ex1 from 194.234.194.51 queue 
e194.234.194.51 pass out quick on ex1 from any to 194.234.194.52 tos 0x08 queue q194.234.194.52 pass out quick on ex1 from any to 194.234.194.52 queue w194.234.194.52 pass in quick on ex1 from 194.234.194.52 to queue r194.234.194.52 pass in quick on ex1 from 194.234.194.52 queue e194.234.194.52 pass out quick on ex1 from any to 194.234.194.53 tos 0x08 queue q194.234.194.53 pass out quick on ex1 from any to 194.234.194.53 queue w194.234.194.53 pass in quick on ex1 from 194.234.194.53 to queue r194.234.194.53 pass in quick on ex1 from 194.234.194.53 queue e194.234.194.53 pass out quick on ex1 from any to 194.234.194.54 tos 0x08 queue q194.234.194.54 pass out quick on ex1 from any to 194.234.194.54 queue w194.234.194.54 pass in quick on ex1 from 194.234.194.54 to queue r194.234.194.54 pass in quick on ex1 from 194.234.194.54 queue e194.234.194.54 pass out quick on ex1 from any to 194.234.194.55 tos 0x08 queue q194.234.194.55 pass out quick on ex1 from any to 194.234.194.55 queue w194.234.194.55 pass in quick on ex1 from 194.234.194.55 to queue r194.234.194.55 pass in quick on ex1 from 194.234.194.55 queue e194.234.194.55 pass out quick on ex1 from any to 194.234.194.56 tos 0x08 queue q194.234.194.56 pass out quick on ex1 from any to 194.234.194.56 queue w194.234.194.56 pass in quick on ex1 from 194.234.194.56 to queue r194.234.194.56 pass in quick on ex1 from 194.234.194.56 queue e194.234.194.56 pass out quick on ex1 from any to 194.234.194.70 tos 0x08 queue q194.234.194.70 pass out quick on ex1 from any to 194.234.194.70 queue w194.234.194.70 pass in quick on ex1 from 194.234.194.70 to queue r194.234.194.70 pass in quick on ex1 from 194.234.194.70 queue e194.234.194.70 pass out quick on ex1 from any to 194.234.194.71 tos 0x08 queue q194.234.194.71 pass out quick on ex1 from any to 194.234.194.71 queue w194.234.194.71 pass in quick on ex1 from 194.234.194.71 to queue r194.234.194.71 pass in quick on ex1 from 194.234.194.71 queue e194.234.194.71 pass out quick on ex1 
from any to 194.234.194.72 tos 0x08 queue q194.234.194.72 pass out quick on ex1 from any to 194.234.194.72 queue w194.234.194.72 pass in quick on ex1 from 194.234.194.72 to queue r194.234.194.72 pass in quick on ex1 from 194.234.194.72 queue e194.234.194.72 pass out quick on ex1 from any to 194.234.194.73 tos 0x08 queue q194.234.194.73 pass out quick on ex1 from any to 194.234.194.73 queue w194.234.194.73 pass in quick on ex1 from 194.234.194.73 to queue r194.234.194.73 pass in quick on ex1 from 194.234.194.73 queue e194.234.194.73 pass out quick on ex1 from any to 194.234.194.74 tos 0x08 queue q194.234.194.74 pass out quick on ex1 from any to 194.234.194.74 queue w194.234.194.74 pass in quick on ex1 from 194.234.194.74 to queue r194.234.194.74 pass in quick on ex1 from 194.234.194.74 queue e194.234.194.74 pass out quick on ex1 from any to 194.234.194.75 tos 0x08 queue q194.234.194.75 pass out quick on ex1 from any to 194.234.194.75 queue w194.234.194.75 pass in quick on ex1 from 194.234.194.75 to queue r194.234.194.75 pass in quick on ex1 from 194.234.194.75 queue e194.234.194.75 pass out quick on ex1 from any to 194.234.194.76 tos 0x08 queue q194.234.194.76 pass out quick on ex1 from any to 194.234.194.76 queue w194.234.194.76 pass in quick on ex1 from 194.234.194.76 to queue r194.234.194.76 pass in quick on ex1 from 194.234.194.76 queue e194.234.194.76 pass out quick on ex1 from any to 194.234.194.77 tos 0x08 queue q194.234.194.77 pass out quick on ex1 from any to 194.234.194.77 queue w194.234.194.77 pass in quick on ex1 from 194.234.194.77 to queue r194.234.194.77 pass in quick on ex1 from 194.234.194.77 queue e194.234.194.77 pass out quick on ex1 from any to 194.234.194.78 tos 0x08 queue q194.234.194.78 pass out quick on ex1 from any to 194.234.194.78 queue w194.234.194.78 pass in quick on ex1 from 194.234.194.78 to queue r194.234.194.78 pass in quick on ex1 from 194.234.194.78 queue e194.234.194.78 pass out quick on ex1 from any to 194.234.194.79 tos 0x08 
queue q194.234.194.79 pass out quick on ex1 from any to 194.234.194.79 queue w194.234.194.79 pass in quick on ex1 from 194.234.194.79 to queue r194.234.194.79 pass in quick on ex1 from 194.234.194.79 queue e194.234.194.79 pass out quick on ex1 from any to 194.234.194.80 tos 0x08 queue q194.234.194.80 pass out quick on ex1 from any to 194.234.194.80 queue w194.234.194.80 pass in quick on ex1 from 194.234.194.80 to queue r194.234.194.80 pass in quick on ex1 from 194.234.194.80 queue e194.234.194.80 pass out quick on ex1 from any to 194.234.194.81 tos 0x08 queue q194.234.194.81 pass out quick on ex1 from any to 194.234.194.81 queue w194.234.194.81 pass in quick on ex1 from 194.234.194.81 to queue r194.234.194.81 pass in quick on ex1 from 194.234.194.81 queue e194.234.194.81 pass out quick on ex1 from any to 194.234.194.82 tos 0x08 queue q194.234.194.82 pass out quick on ex1 from any to 194.234.194.82 queue w194.234.194.82 pass in quick on ex1 from 194.234.194.82 to queue r194.234.194.82 pass in quick on ex1 from 194.234.194.82 queue e194.234.194.82 pass out quick on ex1 from any to 194.234.194.83 tos 0x08 queue q194.234.194.83 pass out quick on ex1 from any to 194.234.194.83 queue w194.234.194.83 pass in quick on ex1 from 194.234.194.83 to queue r194.234.194.83 pass in quick on ex1 from 194.234.194.83 queue e194.234.194.83 pass out quick on ex1 from any to 194.234.194.84 tos 0x08 queue q194.234.194.84 pass out quick on ex1 from any to 194.234.194.84 queue w194.234.194.84 pass in quick on ex1 from 194.234.194.84 to queue r194.234.194.84 pass in quick on ex1 from 194.234.194.84 queue e194.234.194.84 pass out quick on ex1 from any to 194.234.194.85 tos 0x08 queue q194.234.194.85 pass out quick on ex1 from any to 194.234.194.85 queue w194.234.194.85 pass in quick on ex1 from 194.234.194.85 to queue r194.234.194.85 pass in quick on ex1 from 194.234.194.85 queue e194.234.194.85 pass out quick on ex1 from any to 194.234.194.86 tos 0x08 queue q194.234.194.86 pass out quick on 
ex1 from any to 194.234.194.86 queue w194.234.194.86
pass in quick on ex1 from 194.234.194.86 to queue r194.234.194.86
pass in quick on ex1 from 194.234.194.86 queue e194.234.194.86
block out quick on ex1
block in quick on ex1

Regards,
Sorin Gheorghe
Senior Network Administrator

----- Original Message -----
From: "Nils Vogels"
To: "Josh Finlay"
Cc:
Sent: Saturday, November 26, 2005 2:26 AM
Subject: Re: ALTQ bandwidth limiting only from internet IPs

> Josh Finlay wrote:
>
>> pass out on $ExtIF from $Delta to any keep state queue q_delta_out
>> pass out on $ExtIF from $Fear to any keep state queue q_fear_out
>> pass out on $IntIF from $Delta to any keep state queue q_delta_in
>> pass out on $IntIF from $Fear to any keep state queue q_fear_in
>>
>> This config seems to work quite well
>> but it's also queueing local traffic as well
>> so if I'm uploading from "Delta" to somewhere on the internet, my
>> local ssh sessions (to the machine running pf) lag due to lack of free
>> bandwidth
>>
>> So how do I tell PF to only queue if it's an internet ip? or perhaps a
>> better way of saying it, is to *not* queue local traffic (to/from
>> local ips).
>
> What you could try is something like this:
>
> table persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
> pass out on $ExtIF from $Delta to any keep state queue q_delta_out
> pass out on $ExtIF from $Fear to any keep state queue q_fear_out
> pass out on $IntIF from $Delta to ! keep state queue q_delta_in
> pass out on $IntIF from $Fear to ! keep state queue q_fear_in
>
> YMMV
>
> --
> Simple guidelines to happiness:
> Work like you don't need the money,
> love like your heart has never been broken and
> dance like no one can see you.
> _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Sat Nov 26 18:56:17 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E9ED16A41F for ; Sat, 26 Nov 2005 18:56:17 +0000 (GMT) (envelope-from Jason@WinSE.ath.cx) Received: from ms-smtp-02.rdc-kc.rr.com (ms-smtp-02.rdc-kc.rr.com [24.94.166.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6630543D53 for ; Sat, 26 Nov 2005 18:56:16 +0000 (GMT) (envelope-from Jason@WinSE.ath.cx) Received: from jason (CPE-24-167-241-74.wi.res.rr.com [24.167.241.74]) by ms-smtp-02.rdc-kc.rr.com (8.12.10/8.12.7) with ESMTP id jAQIrbdv008645 for ; Sat, 26 Nov 2005 12:53:38 -0600 (CST) Received: from jason by jason (PGP Universal service); Sat, 26 Nov 2005 12:57:06 -0600 X-PGP-Universal: processed; by jason on Sat, 26 Nov 2005 12:57:06 -0600 From: "WinSE" To: Date: Sat, 26 Nov 2005 12:57:05 -0600 Message-ID: MIME-Version: 1.0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-reply-to: <4387ABB8.6010406@yuckfou.org> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 Importance: Normal X-PGP-Encoding-Version: 2.0.2 X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: 7bit X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset="iso-8859-1" Content-Type: text/plain; charset="iso-8859-1" X-Virus-Scanned: Symantec AntiVirus Scan Engine Subject: Making a box seem unfirewalled. 
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2005 18:56:17 -0000

What is the best way to block a packet and make it seem like the port is closed? What is the best way to make the box look like it doesn't exist? I am more interested in the first, but please respond if you know either, as when I move out and relocate my servers, I would prefer to have my family's internet connection look unused.

From owner-freebsd-pf@FreeBSD.ORG Sat Nov 26 19:08:56 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BD9416A420 for ; Sat, 26 Nov 2005 19:08:56 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 272E143D5A for ; Sat, 26 Nov 2005
19:08:53 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.253]) by smtp.nildram.co.uk (Postfix) with ESMTP id A6AB4256C5B for ; Sat, 26 Nov 2005 19:08:32 +0000 (GMT) From: "Greg Hennessy" To: Date: Sat, 26 Nov 2005 19:08:32 -0000 Message-ID: <000001c5f2bc$cb5843e0$0a00a8c0@thebeast> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 Thread-Index: AcXyvAHs+qttyuszTtihRWK5HI7auwAAJx9A Subject: RE: Making a box seem unfirewalled. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2005 19:08:56 -0000

> What is the best way to block a packet and make it seem like
> the port is closed? What is the best way to make the box
> look like it doesn't exist?

man pf.conf
/set block-policy

Greg
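The `block-policy` option that the reply points to, shown as an added pf.conf fragment that is not part of the original messages. The macro `ext_if` and its value `em0` are assumptions; the option and rule keywords are those documented in pf.conf(5).

```conf
# Added example; ext_if and "em0" are assumed, not taken from the thread.
ext_if = "em0"

# Global default for every "block" rule that names no action of its own.
#   return: blocked TCP gets a RST, blocked UDP gets an ICMP unreachable,
#           everything else is dropped silently. For TCP and UDP this is
#           the kind of answer a host gives for a port with no listener.
#   drop:   nothing is sent back; the sender only sees a timeout.
set block-policy return
# set block-policy drop

# Default deny inbound; the action taken comes from block-policy above.
block in on $ext_if all

# A per-rule action overrides the global policy, for example answering
# TCP with a RST while staying silent for UDP on the same interface:
# block return-rst in on $ext_if proto tcp all
# block drop in on $ext_if proto udp all

# Outbound traffic and its replies.
pass out on $ext_if all keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the ruleset is replaced.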