From owner-freebsd-questions@FreeBSD.ORG Mon Nov 12 07:04:44 2007 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CE12816A41A for ; Mon, 12 Nov 2007 07:04:44 +0000 (UTC) (envelope-from girish1729@gmail.com) Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.184]) by mx1.freebsd.org (Postfix) with ESMTP id 5C8A113C4A5 for ; Mon, 12 Nov 2007 07:04:44 +0000 (UTC) (envelope-from girish1729@gmail.com) Received: by rv-out-0910.google.com with SMTP id l15so1004626rvb for ; Sun, 11 Nov 2007 23:04:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:received:date:to:subject:message-id:reply-to:mail-followup-to:references:mime-version:content-type:content-disposition:in-reply-to:user-agent:from; bh=9510apUrvMHPhjLI/xqnw1ZXZ5DT91okwulsXW6Wu2Y=; b=l70BjnCGovavu94sgM0kRakEhhEOrj3iN7pA2NV2YMAUQ4k4yHpdmx+X7NehioUuyfPSauITNcJ6P48ouOlc00QU8XoIN40JWiqt6YXO/xYrJkjcO556bSWOaj/HIN1M6JvRxeXd7elQ5ciLmohW5of4Ik/ThXvIafPZIty3Sac= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:date:to:subject:message-id:reply-to:mail-followup-to:references:mime-version:content-type:content-disposition:in-reply-to:user-agent:from; b=ZCLg/Q57kUdKAA/ihQ3jeZ1Od8pF95EuJaifT52GJhUUzZfo71GdFuklxa/EkKV02SIMxpgi3n6peGoj17lpetijiTkwfU5inogsl+QVzvqIXvUHdRNKqB3U4X3LBRfLgljgiSdOD+qnChzGOoUmSmyFbUdtX8VuMu9v+poQdiQ= Received: by 10.141.19.16 with SMTP id w16mr2216970rvi.1194851072302; Sun, 11 Nov 2007 23:04:32 -0800 (PST) Received: from saraswathy.susmita.org ( [59.92.40.46]) by mx.google.com with ESMTPS id g21sm9446143rvb.2007.11.11.23.04.27 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 11 Nov 2007 23:04:30 -0800 (PST) Received: by saraswathy.susmita.org (Postfix, from userid 1002) id 9988B143E7; Mon, 12 Nov 2007 12:34:22 +0530 (IST) Date: Mon, 12 Nov 2007 12:34:22 +0530 To: freebsd-questions@freebsd.org Message-ID: <20071112070422.GA31412@saraswathy.susmita.org> Mail-Followup-To: freebsd-questions@freebsd.org References: <53330.192.168.13.8.1194786209.squirrel@www.boosten.org> <20071111144325.GA3433@saraswathy.susmita.org> <3815.192.168.13.35.1194803377.squirrel@www.boosten.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3815.192.168.13.35.1194803377.squirrel@www.boosten.org> User-Agent: Mutt/1.5.12-2006-07-14 From: Girish Venkatachalam Subject: Re: Quick question about PF and ALTQ X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: girishvenkatachalam@gmail.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Nov 2007 07:04:44 -0000 On 18:49:37 Nov 11, Peter Boosten wrote: > Thanks for your answer, although that's not quite what I'm looking for: > Okay. Find my answer below. > I know it's possible to 'shape' the traffic with altq, so it's possible in > theory to shape certain kind of traffic to almost nihil. Smart devices > like packetshapers (and even some proxy appliances like Blue Coat) have > separate categories for streaming media, so I was wondering if PF and altq > could do the same. Well I have no idea about appliances or commercial software. I can however tell you what I know. I have never tried these things but I can tell you what I have understood. First and foremost you can only shape outgoing traffic. You cannot do QoS with incoming traffic. You might be able to manipulate things a little but you have far more power when it comes to deciding how you want others to receive packets from you. This is the basic idea. You can only do traffic shaping with egress traffic. Not with ingress traffic. Now, pf + altq can do very sophisticated traffic shaping. There are three categories of queuing disciples supported by pf. a ) class based queuing (cbq) b ) priority based queuing (priq) c ) hierarchical fair service curve (hfsc) Each of these mechanisms have pros and cons and you have to pick one of them based on your requirements. The configuration for basic QoS management consists of three steps. 1) The altq statement ( which interface to work on , how much bandwidth you want to play around with and also the queuing discipline (one of the above) 2) You have to define the "queue" rules to determine how the total bandwidth in the above line has to be split amongst the various categories. Typically they are split into multiple queues based on port numbers but other possibilities also exist. For instance you will want to allocate bulk of the bandwidth for important mail traffic and browsing but you want to restrict p2p and other protocols. It is the "queue" lines that also determine what to do when there is congestion. (IOW most of the tweaking happens here :) 3) Next step is to use the pf filter rules to allocate which queues to use for handling which traffic I shall illustrate with an example. This is not my own. I am taking it from the pf man page. 1) altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh } 2) queue std bandwidth 10% cbq(default) queue http bandwidth 60% priority 2 cbq(borrow red) \ { employees, developers } queue developers bandwidth 75% cbq(borrow) queue employees bandwidth 15% queue mail bandwidth 10% priority 0 cbq(borrow ecn) queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } queue ssh_interactive bandwidth 50% priority 7 cbq(borrow) queue ssh_bulk bandwidth 50% priority 0 cbq(borrow) 3) block return out on dc0 inet all queue std pass out on dc0 inet proto tcp from $developerhosts to any port 80 \ keep state queue developers pass out on dc0 inet proto tcp from $employeehosts to any port 80 \ keep state queue employees pass out on dc0 inet proto tcp from any to any port 22 \ keep state queue(ssh_bulk, ssh_interactive) pass out on dc0 inet proto tcp from any to any port 25 \ keep state queue mail As you can see the first line is the altq directive. You have defined a list of queues (std, http, mail, ssh) and also mentioned that you want to use class based queuing. Then the queue rules determine how individual queues should share the bandwidth amongst themselves. But we are not quite done yet. The most critical step is the filter rules that determine when to queue traffic and which queue to assign to. That happens in 3). It should be self explanatory. Please note that we have used "pass out" which corresponds to my main idea of determining how traffic leaves our network. Once data arrives on the interface, it is already too late to do QoS manipulation. This is not completely true (you can do bandwidth throttling) but at least relatively speaking this idea appears to be correct. > > Your solution works, however you'll have to know what sites are being > visited in order to block them entirely. > Hope the above explanation suffices. Can you clarify your needs a bit more? Thanks. Best, Girish