On 2013-04-17, John Tate <j...@johntate.org> wrote:
> Well, the ruleset loads. Can anyone do a quick check of this in case I've
> done something stupid? I've never used match rules before. I'm not really
> sure how to test queueing to see if it works.

see "systat queue"; run it as root.

> #queues
> altq on $ext_if priq bandwidth 7500Kb queue { std_out, ssh_im_out, dns_out,
> tcp_ack_out }
> queue std_out           priq(default)
> queue ssh_im_out        priority 4 priq(red)
> queue dns_out           priority 5
> queue tcp_ack_out       priority 6
>
> altq on $int_if cbq bandwidth 350Kb queue { std_in, ssh_im_in, dns_in,
> fekete_in }
> queue std_in            bandwidth 175Kb cbq(default)
> queue ssh_im_in         bandwidth 75Kb  priority 4
> queue dns_in            bandwidth 50Kb  priority 5
> queue fekete_in         bandwidth 50Kb  cbq(borrow)

Using separate queue names for _in and _out is really awkward when you
use stateful firewall rules; try something along these lines instead:

altq on $ext_if priq bandwidth 7500Kb queue { std, ssh_im, dns, tcp_ack }
queue std on $ext_if           priq(default)
queue ssh_im on $ext_if        priority 4 priq(red)
queue dns on $ext_if           priority 5
queue tcp_ack on $ext_if       priority 6

altq on $int_if cbq bandwidth 350Kb queue { std, ssh_im, dns, fekete }
queue std on $int_if           bandwidth 175Kb cbq(default)
queue ssh_im on $int_if        bandwidth 75Kb  priority 4
queue dns on $int_if           bandwidth 50Kb  priority 5
queue fekete on $int_if        bandwidth 50Kb  cbq(borrow)

match inet proto tcp queue(std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im, tcp_ack)
match from $fekete queue fekete
match to $fekete queue fekete

... although unless your internet connection is rather strange,
the bandwidth figures are the wrong way round; this limits to 7500Kb
for traffic sent out of $ext_if (to the internet, I presume) and
350Kb sent out of $int_if (traffic from the firewall or from the
internet to local machines).
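
A complete pf.conf fragment that applies both suggestions from the reply above, shared queue names per interface and the bandwidth figures swapped for a typical asymmetric link; this is an added example, not the original poster's or the reply's configuration. The interface names, port lists, the $fekete host and the CBQ percentage split are assumed values.

```pf
# Added example; macro values below are assumptions, not from the thread.
ext_if    = "em0"              # assumed: interface facing the internet
int_if    = "em1"              # assumed: LAN interface
ssh_ports = "{ 22 }"           # assumed
im_ports  = "{ 5222 5223 }"    # assumed
fekete    = "192.168.1.50"     # assumed LAN host

# Upload: packets leaving $ext_if towards the internet. An asymmetric
# link with 350Kb upstream is assumed, so the small figure goes here.
altq on $ext_if priq bandwidth 350Kb queue { std, ssh_im, dns, tcp_ack }
queue std on $ext_if       priq(default)
queue ssh_im on $ext_if    priority 4 priq(red)
queue dns on $ext_if       priority 5
queue tcp_ack on $ext_if   priority 6

# Download: packets leaving $int_if towards local machines, so the
# 7500Kb downstream figure belongs here. Percentage split is assumed.
altq on $int_if cbq bandwidth 7500Kb queue { std, ssh_im, dns, fekete }
queue std on $int_if       bandwidth 50% cbq(default)
queue ssh_im on $int_if    bandwidth 20% priority 4
queue dns on $int_if       bandwidth 15% priority 5
queue fekete on $int_if    bandwidth 15% cbq(borrow)

# Queue assignment via match rules. The queue name is recorded on the
# state, so the same name is looked up on whichever interface a packet
# of that connection leaves through; a later matching rule replaces the
# assignment made by an earlier one.
match inet proto tcp queue (std, tcp_ack)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue (std, ssh_im)
match inet proto tcp to port $im_ports queue (ssh_im, tcp_ack)
match from $fekete queue fekete
match to $fekete queue fekete

# Stateful pass rules; they carry no queue option themselves because
# the match rules above already set it.
pass out on $ext_if inet keep state
pass in on $int_if inet keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch the per-queue counters with `systat queue` as root to confirm traffic lands in the intended queues.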
