From owner-freebsd-pf@FreeBSD.ORG Thu Jan 27 11:56:31 2005
From: "goose bla" <goosefreebsd@zoznam.sk>
To: freebsd-pf@freebsd.org
Date: Thu, 27 Jan 2005 10:53:31 UT
Subject: Packet filter out of control upload traffic example rules
Message-Id: <200501271053.j0RArVRt096747@web7.zoznam.sk>
List-Id: Technical discussion and general questions about packet filter (pf)

Hi,

Please, can you check my PF rules for shaping? My idea was to shape P2P and unimportant traffic and give higher priority to important traffic. Download is working perfectly: if there is very big P2P download traffic and somebody wants to go to a www page, the www page downloads very fast. But upload is set to 180Kbit/s and it's working on the full link. I don't know why.

I have been using IPFW until now, but there was the same problem. Traffic from the internet to the network worked fine, but traffic from us to the internet was out of control. I read that traffic can be shaped only in one direction per interface, so I must shape download traffic on one (external) and upload traffic on another (internal) interface, but I don't understand why. Well, I have set pass rules that send packets to the sizing rules, and the sizing rules define what will be done with the packet (drop, pass). So why can't I define download and upload traffic on the same interface?

The next problem is that if I shut down IPNAT, the rdr and NAT rules are not working. I think I have rules without format mistakes.

Thank you for your help.

ext="xl0"
int="fxp0"
ext_IP="{111.111.111.111}"
ext_net="{111.111.111.111/29}"
intIP1="{10.1.0.1}"
intIP2="{10.2.0.1}"
intIP192="{192.168.1.1}"
intIP101="{10.1.1.1}"
int_net1="{10.1.0.0/24}"
int_net2="{10.2.0.0/24}"
int_net101="{10.1.1.0/24}"
int_net192="{192.168.1.0/24}"
ip1="{192.168.1.3}"
ip2="{192.168.1.2}"

# queueing (ALTQ is enabled on the internal interface only)
altq on $int hfsc bandwidth 4Mb queue { skuska, zbyt }
queue skuska { dnu, von }
  queue dnu hfsc { vnut_net_in, von_in }
    queue vnut_net_in bandwidth 1Mb hfsc (ecn, upperlimit 1Mb)
    queue von_in bandwidth 512Kb hfsc (ecn, upperlimit 480Kb) { spec_ip_in, ijur_in }
      queue spec_ip_in bandwidth 480Kb hfsc (linkshare (80% 60000 50%))
      queue ijur_in hfsc { top_in, special_port_in, normal_port_in, block_port_in, stupid_pc_in }
        queue top_in hfsc (linkshare (10% 5000 32Kb))
        queue special_port_in hfsc (linkshare (10% 5000 32Kb))
        queue normal_port_in hfsc (linkshare (50% 3000 16Kb))
        queue block_port_in hfsc (linkshare (1% 1000 1Kb))
        queue stupid_pc_in hfsc (linkshare (1% 1000 1Kb))
  queue von hfsc { vnut_net_out, von_out }
    queue vnut_net_out bandwidth 1Mb hfsc (ecn, upperlimit 1Mb)
    queue von_out bandwidth 512Kb hfsc (ecn, upperlimit 180Kb) { spec_ip_out, ijur_out }
      queue spec_ip_out hfsc (linkshare (80% 60000 50%))
      queue ijur_out hfsc { top_out, spec_port_out, normal_port_out, block_port_out, stupid_pc_out }
        queue top_out hfsc (linkshare (10% 5000 32Kb))
        queue spec_port_out hfsc (linkshare (10% 5000 32Kb))
        queue normal_port_out hfsc (linkshare (50% 3000 16Kb))
        queue block_port_out hfsc (linkshare (1% 1000 1Kb))
        queue stupid_pc_out hfsc (linkshare (1% 1000 1Kb))
queue zbyt bandwidth 1Kb hfsc (default)
# note: special_port_in and spec_port_out are defined but no filter rule below assigns them

# NAT out
# the masks on the last three networks were missing in the posted rules;
# a bare 10.2.0.0 matches only that single host address, not the /24
nat on $ext from 10.1.0.0/24 to any -> $ext_IP
nat on $ext from 10.2.0.0/24 to any -> $ext_IP
nat on $ext from 192.168.1.0/24 to any -> $ext_IP
nat on $ext from 10.1.1.0/24 to any -> $ext_IP

# port forwarding
# pc1
rdr on $ext proto tcp from any to $ext port 3333 -> $ip1 port 3333
rdr on $ext proto tcp from any to $ext port 2222 -> $ip1 port 2222
rdr on $ext proto tcp from any to $ext port 2233 -> $ip1 port 2233
rdr on $ext proto { tcp udp } from any to $ext port 3322 -> $ip1 port 3322
# pc2
rdr on $ext proto tcp from any to $ext port 4421 -> $ip2 port 4421
rdr on $ext proto tcp from any to $ext port 4433 -> $ip2 port 4433
rdr on $ext proto tcp from any to $ext port 4455 -> $ip2 port 4455
rdr on $ext proto { tcp udp } from any to $ext port 5555 -> $ip2 port 5555

# filter rules with queue assignment (all on the internal interface)
# the posted rules assigned special_ip_in / special_ip_out here, which are not
# defined above and would make pfctl reject the ruleset; spec_ip_in / spec_ip_out
# are the defined queues
pass out quick on $int from any to 10.1.1.10 keep state queue spec_ip_in
pass in quick on $int from 10.1.1.10 to any keep state queue spec_ip_out
pass out quick on $int from 10.1.1.0/24 to 10.1.0.0/24 keep state queue vnut_net_in
pass in quick on $int from 10.1.0.0/24 to 10.1.1.0/24 keep state queue vnut_net_out
pass out quick on $int from 10.1.1.0/24 to 10.2.0.0/24 keep state queue vnut_net_in
pass in quick on $int from 10.2.0.0/24 to 10.1.1.0/24 keep state queue vnut_net_out
pass out quick on $int proto { tcp udp } from any port { 22 23 } to any keep state queue top_in
pass in quick on $int proto { tcp udp } from any to any port { 22 23 } keep state queue top_out
pass out quick on $int proto { tcp udp } from any to any port { 2493 2498 2021 2023 2080 3021 3023 3080 } keep state queue spec_ip_in
pass in quick on $int proto { tcp udp } from any port { 2493 2498 2021 2023 2080 3021 3023 3080 } to any keep state queue spec_ip_out
pass out quick on $int proto { tcp udp } from any port { 80 5190 21 25 110 443 465 993 995 9000 27030 } to any keep state queue normal_port_in
pass in quick on $int proto { tcp udp } from any to any port { 80 5190 21 25 110 443 465 993 995 9000 27030 } keep state queue normal_port_out
# the 10.1.1.40 rules must come before the catch-all below: rules are "quick",
# so placed after "from any to any" (as in the posted rules) they are never reached
pass out quick on $int proto { tcp udp } from any to 10.1.1.40 keep state queue stupid_pc_in
pass in quick on $int proto { tcp udp } from 10.1.1.40 to any keep state queue stupid_pc_out
pass out quick on $int proto { tcp udp } from any to any keep state queue block_port_in
pass in quick on $int proto { tcp udp } from any to any keep state queue block_port_out
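The ruleset above has ALTQ declared on $int only. In pf, a queue only acts on packets that leave through the interface on which it is defined, so packets going out $int (downloads to the LAN) are shaped and packets going out $ext (uploads) are not, whatever queue name the "pass in on $int" rules carry. The following linter, added here as an example and not code from the post or from FreeBSD/pf, expands macros and then flags the three mistakes visible in the posted rules: queue names assigned but never defined, nat/rdr sources that look like networks but carry no mask, and queue assignments that cannot shape the direction they are meant for because the exit interface has no altq. The SAMPLE ruleset is a constructed, shortened imitation of the posted one.

```python
import re

# Constructed sample mirroring the posted ruleset (shortened); not the post's own file.
SAMPLE = '''
ext="xl0"
int="fxp0"
ext_IP="{111.111.111.111}"
altq on $int hfsc bandwidth 4Mb queue { skuska, zbyt }
queue skuska { dnu, von }
queue dnu hfsc { spec_ip_in, block_port_in }
queue spec_ip_in bandwidth 480Kb hfsc (linkshare (80% 60000 50%))
queue block_port_in hfsc (linkshare (1% 1000 1Kb))
queue von hfsc { spec_ip_out, block_port_out }
queue spec_ip_out hfsc (linkshare (80% 60000 50%))
queue block_port_out hfsc (linkshare (1% 1000 1Kb))
queue zbyt bandwidth 1Kb hfsc (default)
nat on $ext from 10.1.0.0/24 to any -> $ext_IP
nat on $ext from 10.2.0.0 to any -> $ext_IP          # mask missing
pass out quick on $int from any to 10.1.1.10 keep state queue special_ip_in
pass in  quick on $int from 10.1.1.10 to any keep state queue special_ip_out
pass out quick on $int proto { tcp udp } from any to any keep state queue block_port_in
pass in  quick on $int proto { tcp udp } from any to any keep state queue block_port_out
'''

MACRO = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def expand(text):
    """Strip comments and blank lines, then substitute $macro references."""
    macros, lines = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        lines.append(re.sub(r'\$(\w+)',
                            lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return lines


def lint(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    lines = expand(text)
    # queues are defined only by lines starting with "queue NAME"
    defined = {m.group(1) for l in lines for m in [re.match(r'queue\s+(\w+)', l)] if m}
    # interfaces that actually have a scheduler attached
    altq_ifaces = {m.group(1) for l in lines
                   for m in [re.match(r'altq\s+on\s+(\S+)', l)] if m}
    findings = []
    for line in lines:
        rule = re.match(r'(pass|block)\s+(in|out)\b.*?\bon\s+(\S+)', line)
        assigned = re.search(r'\bqueue\s+(\w+)', line)
        if rule and assigned:
            direction, iface, qname = rule.group(2), rule.group(3), assigned.group(1)
            if qname not in defined:
                findings.append(f'undefined queue {qname!r} assigned in: {line}')
            if direction == 'out' and iface not in altq_ifaces:
                findings.append(f'queue {qname!r} on {iface}, which has no altq: never shaped')
            if direction == 'in' and altq_ifaces <= {iface}:
                # forward packets of this state leave on some other interface; with altq
                # on this interface alone, only replies (back out of it) are shaped
                findings.append(f'queue {qname!r} on "pass in on {iface}": packets entering '
                                f'{iface} leave on an interface without altq; only replies '
                                f'are shaped')
        nat = re.match(r'(nat|rdr)\s+on\s+\S+.*?\bfrom\s+(\d+\.\d+\.\d+\.\d+)(\s|$)', line)
        if nat and nat.group(2).endswith('.0'):
            findings.append(f'{nat.group(1)}: source {nat.group(2)} has no mask, matches one host')
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against your own pf.conf by replacing SAMPLE with the file contents; for the posted ruleset the fix for the third class of finding is a second `altq on $ext` block holding the upload queues, with the upload rules assigned to those queues.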