Date:      Fri, 18 Jul 2003 13:39:04 +0000
From:      Bosko Milekic <bmilekic@technokratis.com>
To:        Angel Todorov <atodorov@acm.org>
Cc:        stable@freebsd.org
Subject:   Re: pf
Message-ID:  <20030718133904.GA29620@technokratis.com>
In-Reply-To: <20030718171901.21b88ba6.atodorov@acm.org>
References:  <20030718171901.21b88ba6.atodorov@acm.org>


Sheesh.  This is an English forum, but here's my feeble attempt to
translate (I don't know what language this is, but it appears to have
some Slavic-rooted words):

On Fri, Jul 18, 2003 at 05:19:01PM +0200, Angel Todorov wrote:
> hey, I've got a pf conf here, but it plays a lot of tricks: when it's loaded, the first thing it does is drop packets, it times out on the servers and so on.. and the speed is very slow. See if anyone can spot a general mistake and reply :) even though it's not freebsd-specific :P I didn't write it, and I'm not all that familiar with pf, so if anyone can help, they're welcome :) btw it might also be something in these options like set timeout and optimization :]

 "I have a pf configuration file, something something drops packets,
 times out servers and so on.... and the speed is very something.  See
 if you can find where the general mistake is and reply.  I [think] this
 may not be totally freebsd-specific, but if someone knows the answer,
 you're welcome to help me out.  By the way, if you also know [I think]
 something about the set timeout options or optimisations, let me know."

 Now that we know roughly what he wants... anyone? :-)


 
> # Macros: define common values, so they can be referenced and changed easily.
> extif="fxp1"    # replace with actual external interface name i.e., dc0
> intif="fxp0"    # replace with actual internal interface name i.e., dc1
> internal_net="172.16.0.0/16"
> external_addr="192.168.173.34"
> 
> loif="lo0"
> 
> set timeout { interval 30, frag 10 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set limit { states 10000, frags 5000 }
> set optimization normal
> #set block-policy drop
> #set require-order yes
> 
> 
> ############ SHAPING goes here ###############################
> 
> altq on $intif cbq bandwidth 100Mb queue {etherdown, downstream}
> 
> 
> queue etherdown bandwidth 96% cbq(default)
> queue downstream bandwidth 4% cbq
> 
> altq on $extif cbq bandwidth 100Mb queue { etherup, upstream}
> 
> queue etherup bandwidth 99Mb cbq(default)
> queue upstream bandwidth 386Kb  cbq
> 
> 
> pass in quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherdown
> pass out quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherup
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 80 keep state queue downstream
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 53 keep state queue downstream
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue downstream
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 5190 queue downstream
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 443 queue downstream
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 4000 queue downstream
> pass in on $intif proto tcp from 172.16.0.0/16 to any port 25 queue downstream
> pass in on $intif proto icmp from 172.16.0.0/16 to any queue downstream
> pass in on $intif proto udp from 172.16.0.0/16 to any port 80 queue downstream
> pass in on $intif proto udp from 172.16.0.0/16 to any port 53 queue downstream
> 
> 
> ### manage upstream here
> 
> pass out quick on $extif from 172.16.0.0/16 to 172.17.0.0/16 queue etherup
> pass out quick on $extif from 172.16.0.0/16 to 172.20.0.0/16 queue etherup
> pass out on $extif proto tcp from 172.16.0.0/16 to any port 80 keep state queue upstream
> pass out on $extif proto tcp from 172.16.0.0/16 to any port 53 keep state queue upstream
> pass out on $extif proto tcp from 172.16.0.0/16 to any port 8080 keep state queue upstream
> pass out on $extif proto tcp from 172.16.0.0/16 to any port 443 queue upstream
> pass out on $extif proto tcp from 172.16.0.0/16 to any port 4000 queue upstream
> pass out on $extif proto tcp from 172.16.0.0/16 to any port 25 queue upstream
> 
> pass out on $extif proto udp from 172.16.0.0/16 to any port 53 queue upstream
> pass out on $extif proto udp from 172.16.0.0/16 to any port 80 queue upstream
> pass out on $extif proto icmp from 172.16.0.0/16 to any queue upstream

-- 
Bosko Milekic  *  bmilekic@technokratis.com  *  bmilekic@FreeBSD.org
TECHNOkRATIS Consulting Services  *  http://www.technokratis.com/
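As an added example that is not part of the thread (neither the poster's config nor pf's own tooling), here is a small Python checker run over a constructed excerpt of the quoted pf.conf: it expands the macros, lists the queues attached to each altq interface, counts how many of them are cbq(default) (pf requires exactly one per altq interface), flags any queue a pass rule references but no queue line defines, and lists the pass rules that carry no keep state. Only the standard re module is assumed.

```python
import re

# Excerpt of the pf.conf quoted in the thread (constructed subset; the full
# file has more rules of the same shape). Macros are expanded by the checker.
PF_CONF = """\
extif="fxp1"
intif="fxp0"
altq on $intif cbq bandwidth 100Mb queue {etherdown, downstream}
queue etherdown bandwidth 96% cbq(default)
queue downstream bandwidth 4% cbq
altq on $extif cbq bandwidth 100Mb queue { etherup, upstream}
queue etherup bandwidth 99Mb cbq(default)
queue upstream bandwidth 386Kb  cbq
pass in quick on $intif from 172.16.0.0/16 to 172.16.0.0/16 queue etherdown
pass in on $intif proto tcp from 172.16.0.0/16 to any port 80 keep state queue downstream
pass in on $intif proto tcp from 172.16.0.0/16 to any port 5190 queue downstream
pass out on $extif proto tcp from 172.16.0.0/16 to any port 80 keep state queue upstream
pass out on $extif proto udp from 172.16.0.0/16 to any port 53 queue upstream
"""

def lint_pf_conf(text):
    """Return queues per altq interface, cbq(default) counts per interface,
    queues referenced by pass rules but never defined, and stateless pass rules."""
    macros, altq, defaults, defined, referenced, stateless = {}, {}, {}, set(), {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^(\w+)="([^"]*)"$', line)
        if m:                                    # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        # expand $macro references so interface names are concrete
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        words = line.split()
        if words[0] == "altq":                   # altq on IF ... queue {a, b}
            names = re.search(r"queue\s*\{([^}]*)\}", line).group(1)
            altq[words[2]] = [q.strip() for q in names.split(",")]
        elif words[0] == "queue":                # queue NAME ... cbq(default)
            defined.add(words[1])
            for iface, names in altq.items():
                if words[1] in names and "(default)" in line:
                    defaults[iface] = defaults.get(iface, 0) + 1
        elif words[0] == "pass":
            m = re.search(r"\bqueue\s+(\w+)", line)
            if m:
                referenced.setdefault(m.group(1), []).append(line)
            if "keep state" not in line and "modulate state" not in line:
                stateless.append(line)
    undefined = {q: r for q, r in referenced.items() if q not in defined}
    return {"altq": altq, "defaults": defaults,
            "undefined": undefined, "stateless": stateless}

if __name__ == "__main__":
    for key, value in lint_pf_conf(PF_CONF).items():
        print(key, value)
```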