--- Edgar <[EMAIL PROTECTED]> wrote:
> Hello, I was hoping someone could help me out with
> HFSC and pf, I'm sending my
> rules (pf.conf) in the body of this message (so
> anyone can see them), the
> problem here is that I have a queue rule called
> emule, and a queue rule
> default, both on $ext_if, and then I have a filter
> rule for all emule traffic
> defined by some ports, tcp and udp, I have also
> tried this same configuration
> from ports 4000 to 6000 with the same result, I
> don't know what I'm doing
> wrong, I believe all my rules are ok, but this is
> why I'm sending this email,
> to verify that everything is correct, hope someone
> can help me out, thank you
>
Ok.Can you describe what exactly want to do?
> Rules:
> ########################################
> #MACROS
> ########################################
>
> int_if="dc0"
> ext_if="rl0"
> int_net="192.168.0.0/24"
> NoRouteIps="{127.0.0.0/8, 192.168.0.0/16,
> 172.16.0.0/12, 10.0.0.0/8}"
> netbios="{ 137, 138, 139, 81 }"
81???
> p2pp="{6891 ,6892, 6893, 6894, 6895, 6896, 6881,
> 6882, 1214, 4662, 51432}"
> casa="{192.168.0.105, 192.168.0.104}"
> limite="10Mb"
> download="980Kb"
> upload="200Kb"
> emule="100Kb"
> EDKports="{4662, 4661, 4665, 4672}"
>
> #######################################
> #SCRUB
> ######################################
> scrub in all
>
>
###############################################################
> # Traffic control with HFSC
>
###############################################################
> altq on $int_if hfsc bandwidth $limite queue {
> download }
you don't need single queue
altq on $int_if hfsc bandwidth $limite queue {def,
samba,web}
avoid using name default for queue defination.
> queue download priority 0 bandwidth 99%
> hfsc(linkshare 99%) { default, samba,
> web }
> queue default priority 1 bandwidth $download
> hfsc(realtime 250Kb linkshare
> 800Kb upperlimit $download default)
> queue web priority 4 bandwidth $download qlimit 15
> hfsc( realtime 300Kb
> linkshare 800Kb upperlimit $download )
> queue samba priority 3 bandwidth 20% hfsc(
> realtime 50% linkshare 7Mb
> upperlimit $limite )
>
> altq on $ext_if hfsc bandwidth $upload queue {
> upload }
rewrite above
> queue upload priority 1 bandwidth $upload
> hfsc(linkshare $upload) { def,
> emule }
> queue def priority 10 bandwidth 10% qlimit 10
> hfsc(realtime 20% linkshare
> 10% upperlimit $upload default)
> queue emule priority 4 bandwidth $emule qlimit 10
> hfsc(realtime 10Kb
> linkshare 20Kb upperlimit $emule)
>
> ########################################
> #NAT RULES
> #######################################
> nat on $ext_if from $int_if:network to any ->
> ($ext_if)
>
> #------------------------------------------------
> # Reglas para mensajer�a y p2p
> #------------------------------------------------
I don't known what this mean :) write in english
> rdr on $ext_if proto tcp from any to any port $p2pp
> -> $casa
> rdr on $ext_if proto udp from any to any port {
> 4665, 4672 } -> $casa
>
what are those $casa 's?Why you use them?
> #########################################
> #PACKET FILTERING
> #########################################
>
>
#------------------------------------------------------------------------
> # Block all incoming traffic by default
>
#------------------------------------------------------------------------
> block in all
>
>
#----------------------------------------------------
> # Shape web traffic ( test )
>
#----------------------------------------------------
> pass quick on $int_if proto tcp from any to any port
> = 80 keep state
> queue( web )
pass in or out?
avoid using bracket queue ( ... )
>
> #---------------------------------------------
> # Let all traffic in and out for loopback
> #---------------------------------------------
> pass quick on lo0 all
>
> #-----------------------------------
> # Anti spoofing protection
> #-----------------------------------
> antispoof quick for $int_if inet
>
> #---------------------------------------------
> # Accept SSH 8080
> #---------------------------------------------
> pass in quick on $ext_if proto tcp from any to
> $ext_if port = 8080 flags S/SA
>
> #----------------------------------------------
> # Accept connections from LAN
> #----------------------------------------------
> pass quick on $int_if proto tcp from $int_net to
> $int_if port = 8080 keep
> state queue( ssh )
in or out?!?
> pass in on $int_if from $int_net to any
> pass in on $int_if from any to $int_net
> pass in quick on $int_if proto {tcp, udp} from any
> to any port $netbios keep
> state queue( samba )
>
you can optimeze above rules.Also note tha you can
shape only outgoing traffic.
> #---------------------------------------------------
> # Block norouteips
> #---------------------------------------------------
> block in on $ext_if from $NoRouteIps to any
> block out on $ext_if from any to $NoRouteIps
>
> #------------------------------------------------
> # P2P and IM
> #------------------------------------------------
> pass in quick on $ext_if proto tcp from any to $casa
> port $p2pp
What is you external ip and why we should allow
external host to connect $casa? We have NAT hire.
> pass in quick on $ext_if proto udp from any to $casa
> port { 4665, 4672 }
> pass out quick on $ext_if proto {tcp, udp} from any
> to any port $EDKports
> queue( emule )
> pass out quick on $ext_if proto {tcp, udp} from any
> port $EDKports to any
> queue( emule )
>
> #---------------------------------------------------
> # Block netbios for external interface
> #---------------------------------------------------
> block in quick on $ext_if proto { tcp, udp } from
> any to any port $netbios
We have "block in all" be default!remove above rule
>
> #--------------------------------------------------
> # Let all traffic pass out of the external interface
> if no rule applies
> #--------------------------------------------------
> pass out quick on $ext_if keep state
>
I'll be glad to help you.Please describe you problem
again in other words.
Best regards
T. Koychev
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
