From owner-freebsd-pf@FreeBSD.ORG Fri Jun 23 17:05:17 2006
Message-ID: <449AE9B9.1030703@int-evry.fr>
Date: Thu, 22 Jun 2006 19:04:25 +0000
From: Florent Thiery
To: freebsd-pf@freebsd.org
Cc: Olivier PAUL, Soufiane BENJILLALI
Subject: Anti-DoS QoS with altq
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I'm wondering how to make altq use 2 queues defined as follows:

- the first one is the "attackers" queue, and should be defined by a static file containing IP addresses, filled by another program. RED should be used on this queue (every client in this queue should have the same priority);
- the second one is the "normal clients" queue, which should have the best effort possible (again, every client in this queue should have the same priority); I don't know which scheduler to use...

The only traffic considered (as of now) is web traffic. The end purpose of this is anti-DoS QoS on a web server (80 and 8080 at the same time).

I have a running webserver and traffic generator, and a FreeBSD 6.1 gateway with a custom kernel (altq + pf options enabled).

webserver -100 MB link- gateway -1 Gb link- traffic generator
machine 1               freebsd            machine 1

My purpose is to know the best combination in order to get the best service possible for normal clients; the rest of the bandwidth should go to attackers (if any of them are false positives).

I don't know how to manage:

- the IP file part (altq-file interconnection);
- the schedulers part: I'm gonna test them (httperf); are there some altq-dedicated benchmarking tools (which, ideally, would change QoS options sequentially)?
- how to benchmark.... store and plot the results... (I guess it will be shell scripting, watch grep wc pipes etc...)

Thanks in advance for your help. If there is an IRC channel or anybody ok to discuss with me (messaging or mail), please contact me.

Regards,
Florent
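An added example, not part of Florent's mail and not code from the pf or altq projects: a pf.conf for the two-queue design (the attackers table loaded from a file into a small RED cbq queue, everyone else in a borrowing default queue) together with a small sh sampler that turns pfctl -vsq counters into a timestamped CSV for plotting. It serves both the table/file question and the store-and-plot question. The interface names em0/em1, the server address 10.0.0.10, the file path /etc/pf/attackers.txt and the 85/15 bandwidth split are assumptions; the pfctl -vsq sample embedded in the script is constructed in that command's layout so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original mail): pf/altq setup for the two-queue
# design in the question plus a sampler that logs queue counters for plotting.
# Assumptions (hypothetical): em0 faces the traffic generator (1 Gb link),
# em1 faces the web server (100 Mb link), the server is 10.0.0.10, and the
# external program writes one IP per line to /etc/pf/attackers.txt.

ATTACKERS=${ATTACKERS:-/etc/pf/attackers.txt}

# Emit the pf.conf. ALTQ only shapes packets leaving an interface, so the
# queues sit on em1, where requests head for the 100 Mb server link.
# <attackers> gets a small RED queue; everyone else lands in the default
# queue and may borrow whatever the attackers' queue leaves idle.
write_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
int_if = "em1"
webserver = "10.0.0.10"
web_ports = "{ 80, 8080 }"

# Loaded from the file when the ruleset loads; refreshed by load_attackers.
table <attackers> persist file "/etc/pf/attackers.txt"

altq on $int_if cbq bandwidth 100Mb queue { q_normal, q_attack }
queue q_normal bandwidth 85% priority 7 cbq(default borrow)
queue q_attack bandwidth 15% priority 0 cbq(red)

set skip on lo0
scrub in all

block in on $ext_if
pass in quick on $ext_if proto tcp from <attackers> to $webserver port $web_ports keep state queue q_attack
pass in quick on $ext_if proto tcp from any to $webserver port $web_ports keep state queue q_normal
EOF
}

# Replace the table contents from the file the external program maintains;
# no ruleset reload is needed, so existing states survive the refresh.
load_attackers() {
    pfctl -t attackers -T replace -f "$ATTACKERS"
}

# Turn `pfctl -vsq` output into CSV lines: queue,pkts,bytes,drop_pkts,drop_bytes
parse_queues() {
    awk '
        /^queue/        { name = $2; next }
        /dropped pkts:/ { printf "%s,%s,%s,%s,%s\n", name, $3, $5, $8, $10 }
    '
}

# Append one timestamped sample per queue every $1 seconds to CSV file $2.
# gnuplot reads the result after `set datafile separator ","`.
sample_loop() {
    interval=${1:-1}
    out=${2:-/var/tmp/altq-bench.csv}
    echo "ts,queue,pkts,bytes,drop_pkts,drop_bytes" > "$out"
    while :; do
        ts=$(date +%s)
        pfctl -vsq | parse_queues | sed "s/^/$ts,/" >> "$out"
        sleep "$interval"
    done
}

# Constructed sample in the layout of `pfctl -vsq`, used for the offline demo.
SAMPLE='queue root_em1 bandwidth 100Mb priority 0 cbq( wrr root ) {q_normal, q_attack}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_normal bandwidth 85Mb priority 7 cbq( borrow default )
  [ pkts:       1234  bytes:     567890  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  q_attack bandwidth 15Mb cbq( red )
  [ pkts:        987  bytes:     123456  dropped pkts:     42 bytes:  21000 ]
  [ qlength:   3/ 50  borrows:      0  suspends:      0 ]'

demo_parse() { printf '%s\n' "$SAMPLE" | parse_queues; }

case "${1:-}" in
    conf) write_pf_conf ;;
    load) load_attackers ;;
    run)  sample_loop "${2:-1}" "${3:-/var/tmp/altq-bench.csv}" ;;
    *)    demo_parse ;;
esac
```

Run it with `conf` to print the ruleset (check it with `pfctl -nf` before loading), `load` after the external program rewrites the file, and `run <interval> <csv>` during an httperf run; with no argument it only parses the built-in sample. Between runs, compare the drop_pkts column of q_attack against q_normal: drops climbing on q_normal while q_attack sits idle point at the bandwidth split rather than the scheduler choice.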