From: Odhiambo Washington
Date: Tue, 27 Jan 2015 18:54:10 +0300
Subject: Re: Controlling P2P with PF
To: Konstantin Nikolaev
Cc: freebsd-pf@freebsd.org

On 21 January 2015 at 07:48, Konstantin Nikolaev wrote:

> *An example of a live horse: *
>
> if_ext = "fxp1" # External int. facing TOMICH with IP 195.211.197.17
> if_int = "fxp0" # Interface facing the DMZ with IP 195.211.196.65
>
> default_ports = "{ 0:1000 3389 6666 7777}"
>
> altq on $if_ext hfsc bandwidth 100Mb queue { default_up, slow_up, ack_up }
> queue default_up bandwidth 70Mb priority 5 hfsc( default )
> queue slow_up bandwidth 2000Kb priority 4 hfsc( realtime 1000Kb linkshare 2000Kb upperlimit 2Mb)
> queue ack_up bandwidth 28Mb priority 7 hfsc( realtime 10Mb linkshare 28Mb )
>
> altq on $if_int hfsc bandwidth 100Mb queue { default_down, slow_down, ack_down }
> queue default_down bandwidth 70Mb priority 5 hfsc( default )
> queue slow_down bandwidth 2000Kb priority 4 hfsc( realtime 1000Kb linkshare 2000Kb upperlimit 2Mb)
> queue ack_down bandwidth 28Mb priority 7 hfsc( realtime 10Mb linkshare 28Mb )
>
> #Output DMZ network $Mnet:
> # 1)
> pass in quick on $if_int from $if_int:network to any no state
> pass out quick on $if_ext proto { tcp udp } from $if_int:network to any port $default_ports queue ( default_up ack_up ) no state
> # 2)
> pass out on $if_ext from $if_int:network to any queue ( default_up ack_up ) no state
> # 3)
> pass out on $if_ext proto { tcp udp } from $if_int:network to ! queue ( slow_up ack_up ) no state
>
> #Answers on requests
> # 1)
> pass in quick on $if_ext from any to $if_int:network no state
> pass out quick on $if_int proto {tcp udp} from any port $default_ports to $if_int:network queue (default_down ack_down ) no state
> # 2)
> pass out on $if_int from any to $if_int:network queue ( default_down ack_down ) no state
> # 3)
> pass out on $if_int proto { tcp } from ! to $if_int:network queue ( slow_down ack_down ) no state
>
> *Not very good, but as an example descend*

I am thinking of doing it from the top:

1. Give higher priority to all the known traffic on known ports.
2. Leave only 1% to unknown traffic on unknown ports, BUT, if capacity is there because known traffic is 'asleep', let unknown traffic use it.

Reading an example from https://www.pantz.org/software/pf/pfconfigfile.html, and with an up/down link of 2/2Mbps:

    altq on $ext_if bandwidth 1968Kb hfsc queue { q_pri, q_def, q_mus, q_tor }
    queue q_pri bandwidth 49% priority 7 hfsc
    queue q_def bandwidth 49% priority 5 hfsc (linkshare 49%) {q_smtp,q_http,ssh_login,q_def1}
    queue ssh_login bandwidth 96% priority 5 hfsc
    queue q_http bandwidth 1% priority 4 hfsc
    queue q_smtp bandwidth 1% priority 4 hfsc
    queue q_def1 bandwidth 1% priority 3 hfsc (default)
    queue q_mus bandwidth 1% qlimit 200 priority 4 hfsc
    queue q_tor bandwidth 1% qlimit 25 priority 3 hfsc (upperlimit 272Kb)

Although I would want to add more known ports...

I am still reading about PF and this queues stuff so it's not easy to sink in still. I don't understand why this example only dealt with ext_if and did nothing on the int_if :(

Someone must have done this in a way that ensures torrents work when there is capacity and get relegated when there is important traffic.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
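The following pf.conf fragment is an added example for this thread, not configuration posted by either participant or taken from the pantz.org page. It implements the two-point plan above (known ports get guaranteed bandwidth, everything else gets a 1% share that can borrow idle capacity) and shows why a download-shaping setup needs queues on the LAN-facing interface as well: ALTQ only queues packets leaving an interface, so uploads are shaped on the external interface and downloads on the internal one, exactly as the quoted config does with its `_up` and `_down` queues. The interface names em0/em1, the 2/2 Mbps link, the `known_ports` list and the queue sizes are assumptions to be adjusted for a real deployment.

```pf
# Added example (not from the thread). HFSC queues on both interfaces:
# known traffic is guaranteed bandwidth, unknown traffic gets 1% but may
# borrow whatever is idle. Interface names, port list and link speed are
# assumed values.
ext_if = "em0"                              # assumed: interface towards the ISP
int_if = "em1"                              # assumed: interface towards the LAN
known_ports = "{ 22 25 53 80 443 993 }"     # assumed list; extend as required

# Bind states to the interface they were created on, so the 'pass out' rules
# on $ext_if are still evaluated for a packet that was already passed in on
# $int_if (with floating states the first state would short-circuit them).
set state-policy if-bound

# Upload direction: ALTQ shapes packets leaving an interface, so uploads are
# queued on $ext_if. The root bandwidth sits just under the real 2Mb link so
# that pf, not the modem, is the point where packets queue.
altq on $ext_if hfsc bandwidth 1968Kb queue { q_ack_up, q_known_up, q_unknown_up }
queue q_ack_up     bandwidth 20% priority 7 hfsc(realtime 200Kb)
queue q_known_up   bandwidth 79% priority 5 hfsc(realtime 800Kb)
# 1% link share and no upperlimit: starved while the others are busy, free to
# take the whole link when they are idle. The small qlimit caps queueing delay.
queue q_unknown_up bandwidth 1%  priority 1 qlimit 25 hfsc(default)

# Download direction: mirrored on $int_if, because downloads leave that interface.
altq on $int_if hfsc bandwidth 1968Kb queue { q_ack_down, q_known_down, q_unknown_down }
queue q_ack_down     bandwidth 20% priority 7 hfsc(realtime 200Kb)
queue q_known_down   bandwidth 79% priority 5 hfsc(realtime 800Kb)
queue q_unknown_down bandwidth 1%  priority 1 qlimit 25 hfsc(default)

block log all

# LAN -> Internet. pf uses the last matching rule, so the generic rule comes
# first and the known-ports rule overrides it. The queue named on a 'pass in'
# rule is stored in the state and applied to reply packets leaving $int_if.
pass in on $int_if from $int_if:network to any \
    queue (q_unknown_down, q_ack_down)
pass in on $int_if proto { tcp udp } from $int_if:network to any port $known_ports \
    queue (q_known_down, q_ack_down)

# The same flows leaving towards the ISP get the upload queues.
pass out on $ext_if from $int_if:network to any \
    queue (q_unknown_up, q_ack_up)
pass out on $ext_if proto { tcp udp } from $int_if:network to any port $known_ports \
    queue (q_known_up, q_ack_up)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -vvs queue` while known and unknown traffic compete: the unknown queues should climb to nearly the full link when the known queues are quiet and collapse towards their 1% share as soon as known traffic starts. The second queue in each `(x, y)` pair only receives TCP ACKs and lowdelay-marked packets, which keeps downloads brisk while the upload link is saturated.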