pf.conf
Milan Lysa
Milan.Lysa at progeo.cz
Thu Dec 15 10:40:31 CET 2005
Hello,
A small request that is only marginally related to the Subj.: if you have PF configured, does pftop -v queue work for you?
For me it shows all the states, as if it weren't working.
Milan
> -----Original Message-----
> From: users-l-bounces at freebsd.cz [mailto:users-l-bounces at freebsd.cz]On
> Behalf Of Marian Cerny
> Sent: Thursday, December 15, 2005 9:59 AM
> To: FreeBSD mailing list
> Subject: Re: pf.conf
>
>
> On 2005-12-15 08:42 +0100, Cizek.Milan wrote:
> > Hi,
> > for example on this page (and others) http://www.muine.org/~hoang/openpf.html
> > they do it that way. Your notation also looks familiar to me, but I don't
> > understand how it works, or rather what it should look like if you have more
> > of those priorities there, for further protocols. That's why I was trying to
> > get my variant working; it seems more logical and easier to me.
>
> Well, I don't have much experience with pf, but your guide says "last update:
> Oct 20, 2003", so I assume it has probably changed somehow since then.
>
> I read this guide: http://www.openbsd.org/faq/pf/
>
> After a few hours of playing around I produced this config:
>
> ext_if="xl0"
> int_if="rl0"
> jabber_ports="{ 5522 5523 }"
>
> scrub in all
>
> altq on $int_if cbq bandwidth 4Mb queue { ssh, bulk }
> queue ssh bandwidth 10% priority 5 cbq(borrow) { dns, jabber, icmp }
> queue icmp bandwidth 20% priority 4
> queue dns bandwidth 40% priority 3
> queue jabber bandwidth 40% priority 2
> queue bulk bandwidth 80% cbq(default red)
>
> altq on $ext_if priq bandwidth 256Kb queue { bulk_out, ssh_out }
> queue bulk_out priq(default)
> queue ssh_out priority 4
>
> nat on $ext_if from $int_if:network to any -> $ext_if
>
> block in all
> block out all
>
> pass quick on lo0
>
> pass in on $int_if all
> pass out on $int_if all
>
> # external
> pass out on $ext_if proto tcp all modulate state
> pass out on $ext_if proto udp keep state
> pass out on $ext_if proto icmp keep state queue icmp
> pass out on $ext_if proto tcp to any port ssh modulate state queue(bulk_out, ssh_out)
>
> pass in on $ext_if proto tcp to $ext_if port ssh modulate state
>
> #internal
> pass out on $int_if proto tcp from any port ssh queue(bulk, ssh)
> pass out on $int_if proto { tcp, udp } from any port domain queue dns
> pass out on $int_if proto tcp from any port $jabber_ports queue jabber
>
> It didn't seem very complicated to me. You simply create the queues in the
> right place, and then when filtering packets you can add at the end which
> queue it should go into (otherwise it goes to the default).
>
> BTW: don't take my config as a model example, I don't have much experience
> with pf & altq, but it runs for me and I'm happy with it. It should
> prioritize ssh (but not scp) over other traffic, plus dns, icmp and jabber.
>
> Oh, and I read somewhere that altq runs better with HZ=1000 in the kernel,
> which I can confirm. 5.4 has a default of 100, 6.0 I think already defaults
> to 1000.
>
> --
> Marian Cerny <jojo at matfyz.cz>
> Jabber: jojo at njs.netlab.cz
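Added example, not code from anyone in this thread: a small Python checker over a constructed excerpt of the quoted pf.conf that parses the altq/queue tree, flags parents whose children claim more than 100% of the bandwidth, and flags pass rules that assign a queue hanging under the altq of a different interface. It assumes queue names are unique across interfaces, as they are in this config; anything it flags should be confirmed against `pfctl -s queue -v` on the running system.

```python
import re
# Constructed excerpt of the quoted pf.conf (ALTQ definitions and the rules that assign queues).
PF_CONF = """\
altq on $int_if cbq bandwidth 4Mb queue { ssh, bulk }
queue ssh bandwidth 10% priority 5 cbq(borrow) { dns, jabber, icmp }
queue icmp bandwidth 20% priority 4
queue dns bandwidth 40% priority 3
queue jabber bandwidth 40% priority 2
queue bulk bandwidth 80% cbq(default red)
altq on $ext_if priq bandwidth 256Kb queue { bulk_out, ssh_out }
queue bulk_out priq(default)
queue ssh_out priority 4
pass out on $ext_if proto icmp keep state queue icmp
pass out on $ext_if proto tcp to any port ssh modulate state queue(bulk_out, ssh_out)
pass out on $int_if proto tcp from any port ssh queue(bulk, ssh)
pass out on $int_if proto { tcp, udp } from any port domain queue dns
pass out on $int_if proto tcp from any port $jabber_ports queue jabber
"""
BRACES = re.compile(r"\{([^}]*)\}")     # "{ a, b }" -> the child queue list
PCT = re.compile(r"bandwidth\s+(\d+)%")  # a child's share of its parent's bandwidth

def check_queues(conf):
    """Return findings: over-committed parents and cross-interface queue assignments."""
    parent, pct, refs = {}, {}, []       # queue -> parent, queue -> %, (rule iface, queue)
    for line in conf.splitlines():
        words = line.split()
        if words and words[0] in ("altq", "queue"):
            name = words[2] if words[0] == "altq" else words[1]   # a root is named by its interface
            m, p = BRACES.search(line), PCT.search(line)
            for kid in (m.group(1).replace(",", " ").split() if m else []):
                parent[kid] = name
            pct[name] = int(p.group(1)) if p else None
        elif words and words[0] == "pass" and " queue" in line:
            spec = line.split(" queue", 1)[1].strip(" ()")        # "q" or "(q1, q2)"
            refs += [(words[words.index("on") + 1], q) for q in spec.replace(",", " ").split()]
    def root(q):                         # interface whose altq the queue hangs under
        while q in parent:
            q = parent[q]
        return q
    claimed = {}                         # parent -> sum of the percentages its children ask for
    for kid, par in parent.items():
        claimed[par] = claimed.get(par, 0) + (pct.get(kid) or 0)
    findings = [f"{par}: children claim {total}% of its bandwidth"
                for par, total in claimed.items() if total > 100]
    for rule_if, q in refs:
        if q not in parent:
            findings.append(f"rule on {rule_if}: queue {q} is not defined")
        elif root(q) != rule_if:
            findings.append(f"rule on {rule_if}: queue {q} belongs to altq on {root(q)}")
    return findings
```

On the quoted config the only finding is the icmp rule on $ext_if, whose queue is defined under the altq on $int_if.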