From: "Travis H." <solinym@gmail.com>
To: "Florent Thiery"
Cc: Olivier PAUL, Soufiane BENJILLALI, freebsd-pf@freebsd.org
Subject: Re: Anti-DoS QoS with altq
Date: Wed, 28 Jun 2006 00:56:13 -0500
In-Reply-To: <449AE9B9.1030703@int-evry.fr>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 6/22/06, Florent Thiery wrote:
> I'm wondering how to make altq use 2 queues defined as follows
> - the first one is the "attackers" queue, and should be defined by a
> static file containing ip addresses, filled by another program. RED
> should be used on this queue (every client in this queue should have the
> same priority)

table <attackers> file "/path/to/attackers"   # one address per line; the path in the archived mail was lost
pass in quick on $wan_if from <attackers> to $web_server port { 80 8080 } queue attacker

Then write a small script to add them to the attackers table.

> - the second one is the "normal clients" queue, which should have the
> best effort possible (again, every client in this queue should have the
> same priority); I don't know which scheduler to use...

pass in quick on $wan_if from any to $web_server port { 80 8080 } queue normal

> I don't know how to manage the
> - the ip file part (altq-file interconnection)

altq on $wan_if priq bandwidth $upstream_bw queue { attacker, normal }
queue attacker priority 0 priq(red)
queue normal priority 7 priq(default)

Note that you can only queue on outbound connections. Well, you can assign queues on inbound packets, but it only matters when they're queued up to go out (inbound packets get processed almost immediately if the CPU is fast enough).

> - how to benchmark.... store and plot the results... (I guess it will be
> shell scripting, watch grep wc pipes etc...)

gnuplot

> Thanks in advance for your help. If there is an IRC channel or anybody
> ok to discuss with me (messaging or mail), please contact me.

I charge reasonable rates, but bear in mind that firewall rules can take a long time to debug and tweak and tune, and I charge by the hour.

--
"I sometimes have delusions of adequacy" -- Woody Allen
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/
-><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
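The reply above sketches three pieces (the pf.conf with a file-backed table and two priq queues, the script that fills the table, and a way to collect numbers for plotting) without showing them end to end. The following script is an added example written for this page; it is not code from the thread or from the pf project. The interface name em0, the 192.0.2.10 web server address, the 10Mb bandwidth, the table path /etc/pf.attackers, the access-log format and both sample inputs are assumptions. Two points it makes explicit: in pf.conf the altq/queue stanza has to precede the filter rules and the <attackers> rule has to precede the catch-all, and since pf attaches the queue to the state, a `pass in ... queue` rule on the WAN interface is what puts the reply traffic leaving via that interface into the chosen queue.

```shell
#!/bin/sh
# Added example for the two-queue anti-DoS setup discussed in the thread.
# Not code from the original post. Interface, addresses, bandwidth, table
# path and the sample inputs below are all assumptions.

# 1. A complete pf.conf for the setup. Queue definitions come before the
#    filter rules, and the <attackers> rule precedes the catch-all so that
#    listed clients land in the RED-managed lowest-priority queue.
print_pf_conf() {
    cat <<'EOF'
wan_if      = "em0"
web_server  = "192.0.2.10"
upstream_bw = "10Mb"
table <attackers> persist file "/etc/pf.attackers"

altq on $wan_if priq bandwidth $upstream_bw queue { attacker, normal }
queue attacker priority 0 priq(red)
queue normal   priority 7 priq(default)

pass in quick on $wan_if proto tcp from <attackers> to $web_server port { 80 8080 } queue attacker
pass in quick on $wan_if proto tcp from any         to $web_server port { 80 8080 } queue normal
EOF
}

# 2. Fill the table file from a web access log: every client address (field 1
#    of a common-log-format line) with more than $2 requests is written to $3,
#    one per line. Load it atomically with:  pfctl -t attackers -T replace -f "$3"
build_attackers_table() {
    awk -v limit="$2" '{ n[$1]++ } END { for (ip in n) if (n[ip] > limit) print ip }' "$1" \
        | sort > "$3"
}

# 3. Reduce a `pfctl -vvsq` snapshot ($1) to one tab-separated row per queue,
#    stamped with the epoch time in $2, for gnuplot:
#    epoch  queue  pkts  bytes  dropped_pkts  dropped_bytes
queue_stats_to_tsv() {
    awk -v ts="$2" '
        /^queue /     { q = $2 }
        $2 == "pkts:" { printf "%s\t%s\t%s\t%s\t%s\t%s\n", ts, q, $3, $5, $8, $10 }
    ' "$1"
}

# Constructed sample inputs (not real traffic): 198.51.100.7 makes 4 requests,
# the other clients fewer; the queue snapshot mimics the pfctl -vvsq layout.
SAMPLE_LOG='198.51.100.7 - - [22/Jun/2006:10:00:01 +0200] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [22/Jun/2006:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [22/Jun/2006:10:00:01 +0200] "GET / HTTP/1.0" 200 512
198.51.100.7 - - [22/Jun/2006:10:00:02 +0200] "GET / HTTP/1.0" 200 512
192.0.2.55 - - [22/Jun/2006:10:00:02 +0200] "GET /logo.png HTTP/1.0" 200 9000
203.0.113.5 - - [22/Jun/2006:10:00:03 +0200] "GET /logo.png HTTP/1.0" 200 9000
198.51.100.7 - - [22/Jun/2006:10:00:03 +0200] "GET / HTTP/1.0" 200 512'

SAMPLE_QSTATS='queue root_em0 on em0 bandwidth 10Mb priority 0 {attacker, normal}
  [ pkts:      20000  bytes:   12000000  dropped pkts:    456 bytes: 234567 ]
  [ qlength:   0/ 50 ]
queue attacker priority 0 priq( red )
  [ pkts:      12345  bytes:    6543210  dropped pkts:    456 bytes: 234567 ]
  [ qlength:   3/ 50 ]
  [ measured:    20.0 packets/s, 64.00Kb/s ]
queue normal priority 7 priq( default )
  [ pkts:       7655  bytes:    5456790  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:    15.0 packets/s, 48.00Kb/s ]'

# Run both steps on the samples and print the table and the TSV rows.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$dir/access.log"
    printf '%s\n' "$SAMPLE_QSTATS" > "$dir/qstats"
    build_attackers_table "$dir/access.log" 3 "$dir/attackers"
    echo "attackers table:"; cat "$dir/attackers"
    echo "queue stats:";     queue_stats_to_tsv "$dir/qstats" 1151452800
    rm -rf "$dir"
}

demo
```

Running the script prints the one address that exceeded three requests and three TSV rows (root, attacker, normal). In production the log-scanning step would run from cron against the real access log, followed by `pfctl -t attackers -T replace -f /etc/pf.attackers` so the table is swapped in one operation, and the TSV rows would be appended to a file that gnuplot reads with `using 1:5` (dropped packets over time) per queue. The threshold and the use of the raw request count are deliberately simple; a rate over a sliding window is the usual refinement.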