Hey Renato... it works great now!!!
I just added altq on { fxp0 fxp1 }; since I already had the outbound rules for the interfaces, it worked right away. My problem now is that access to the server is being limited as well... I tried adding

pass quick from any to $me (my server)
pass quick from $me to any

but it is still limiting it... From what I understood, if I add a rule and don't specify any queue, it will pass freely, outside altq... is that how it works? If not, how do I make certain rules ignore altq? There are some IPs I need to leave unrestricted...

Thanks

Renato Martins wrote:
> another thing: altq only acts on the card's output, not on input,
> so create queues on both interfaces, the internal and the external one.
>
> here is an example:
>
> # interfaces
> ext_if="re0"
> int_if="re1"
>
> # IP and port configuration
> internal_net="10.0.0.0/24"
> external_addr="200.250.x.x"
> me="{ 200.250.x.1, 10.x.x.2, 127.0.0.1 }"
> confiavel="{ 200.250.x.x 10.0.0.0/24}"
> ns="{ 200.250.x.9, 200.250.x.2 }"
> voip="{ 200.250.x.4, 200.250.x.7 }"
> port_serv="{ 20, 21, 22, 25, 53, 80, 81, 110, 143, 443, 8080 }"
> port_ssh="22"
> port_voip="{ 5060 >< 5063 }"
> port_h323="{ 1718 >< 1721 }"
> portudp_voip="{5999 >< 65000 }"
> port_drop="{134 >< 139, 445, 1025 >< 1027, 444, 3456, 1234, 666 }"
> port_all="{ 1><65535 }"
> redes="{ 10.0.0.0/24, 200.250.x.x/24 }"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set skip on lo
> #set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
>
> # Queue on the external interface's output: upload.
> altq on $ext_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { eresto, evoip, eserv }
> queue eresto bandwidth 800Kb priority 1 cbq (default borrow)
> queue evoip bandwidth 1.2Mb priority 3 cbq(borrow)
> queue eserv bandwidth 2.0Mb priority 2 cbq(borrow)
>
> # Queue on the internal interface's output: download.
> altq on $int_if bandwidth 4Mb cbq qlimit 70 tbrsize 36864 queue { iresto, ivoip, iserv }
> queue iresto bandwidth 800Kb priority 1 cbq (default borrow)
> queue ivoip bandwidth 1.2Mb priority 3 cbq(borrow)
> queue iserv bandwidth 2.0Mb priority 2 cbq(borrow)
>
> # nat for the client network
> nat on $ext_if from $internal_net to any -> ($ext_if)
>
> # rdr outgoing FTP requests to the ftp-proxy
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> ## squid
> #no rdr on $int_if proto tcp from 200.250.x.x to any port 80
> rdr on $int_if proto tcp from 200.250.x.8 to any port 80 -> 127.0.0.1 port 3128
>
> # Filtering: the implicit first two rules are
> block in all
> block out all
>
> # allow access to Receita
> pass proto tcp from $redes to 161.148.0.0/16 keep state queue eserv
> pass proto tcp from 161.148.0.0/16 to $redes keep state queue iserv
> pass quick proto tcp from $redes to 161.148.0.0/16 port 3456 keep state queue eserv
> pass quick proto tcp from 161.148.0.0/16 port 3456 to $redes keep state queue iserv
>
> # block spoofed and broadcast addresses coming from outside the network
> block quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
> block quick on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }
>
> # accept traffic from the network to localhost
> pass in on lo from $redes to 127.0.0.1 keep state
>
> # allow the network to reach the proxy
> #pass quick proto {tcp,udp } from $redes to $me port 3128 keep state
> #pass quick proto {tcp,udp } from $me to $redes keep state
>
> # block spoofed windows ports
> block quick proto { tcp,udp } from any to any port $port_drop
>
> # accept ssh only from trusted hosts
> pass in quick on $int_if proto { tcp,udp } from $confiavel to $me port $port_ssh keep state
> pass out quick on $int_if proto { tcp,udp } from $me port $port_ssh to $confiavel keep state
>
> # close ssh to anyone who is not trusted
> block in quick proto { tcp,udp } from any to $me port $port_ssh
> block out quick proto { tcp,udp } from $me port $port_ssh to any
>
> # accept ssh to .2
> pass quick proto { tcp,udp } from any to 200.250.x.2 port $port_ssh keep state
> pass quick proto { tcp,udp } from 200.250.x.2 to any keep state
>
> # Priority of 1024 for the voip hosts
> pass out quick on $int_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
> pass in quick on $int_if proto tcp from $voip to any flags S/SAU keep state queue evoip
> pass out quick on $ext_if proto tcp from $voip to any flags S/SAU keep state queue evoip
> pass in quick on $ext_if proto tcp from any to $voip flags S/SAU keep state queue ivoip
>
> # priority for the voip sip ports: tcp
> pass out quick on $int_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip
> pass in quick on $int_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
> pass out quick on $ext_if proto tcp from $redes to any port $port_voip flags S/SAU keep state queue evoip
> pass in quick on $ext_if proto tcp from any to $redes port $port_voip flags S/SAU keep state queue ivoip
>
> # Priority for the voip ports
> # priority for the voip sip ports: udp
> pass out quick on $int_if proto udp from any to $redes port $port_voip keep state queue iserv
> pass in quick on $int_if proto udp from $redes to any port $port_voip keep state queue eserv
> pass out quick on $ext_if proto udp from $redes to any port $port_voip keep state queue eserv
> pass in quick on $ext_if proto udp from any to $redes port $port_voip keep state queue iserv
>
> # udp sip ports 506x
> pass out quick on $int_if proto udp from any to $redes port $portudp_voip keep state queue iserv
> pass in quick on $int_if proto udp from $redes to any port $portudp_voip keep state queue eserv
> pass out quick on $ext_if proto udp from $redes to any port $portudp_voip keep state queue eserv
> pass in quick on $ext_if proto udp from any to $redes port $portudp_voip keep state queue iserv
>
> # h323 ports
> pass out quick on $int_if proto { tcp,udp } from any to $redes port $port_h323 keep state queue iserv
> pass in quick on $int_if proto {tcp,udp } from $redes to any port $port_h323 keep state queue eserv
> pass out quick on $ext_if proto { tcp,udp } from $redes to any port $port_h323 keep state queue eserv
> pass in quick on $ext_if proto {tcp,udp } from any to $redes port $port_h323 keep state queue iserv
>
> # our ssh ports
> pass out quick on $int_if proto { tcp,udp } from any to any port $port_ssh keep state queue iserv
> pass in quick on $int_if proto {tcp,udp } from any port $port_ssh to any keep state queue eserv
> pass out quick on $ext_if proto { tcp,udp } from any port $port_ssh to any keep state queue eserv
> pass in quick on $ext_if proto {tcp,udp } from any to any port $port_ssh keep state queue iserv
>
> # allow traffic for the most common services
> # int int common
> pass out quick on $int_if proto { tcp,udp } from any to $redes port $port_serv keep state queue iserv
> pass in quick on $int_if proto { tcp,udp } from $redes port $port_serv to any keep state queue eserv
> # int ext common
> pass out quick on $ext_if proto { tcp,udp } from $redes port $port_serv to any keep state queue eserv
> pass in quick on $ext_if proto { tcp,udp } from any to $redes port $port_serv keep state queue iserv
>
> ## allow icmp
> # icmp on the internal interface
> pass out quick on $int_if proto icmp from any to $redes queue iserv
> pass in quick on $int_if proto icmp from $redes to any queue eserv
> # icmp on the external interface
> pass out quick on $ext_if proto icmp from $redes to any queue eserv
> pass in quick on $ext_if proto icmp from any to $redes queue iserv
>
> # open all ports for whatever is left of the link
> pass out quick on $int_if from any to $redes queue iresto
> pass in quick on $int_if from $redes to any queue eresto
> pass out quick on $ext_if from $redes to any queue eresto
> pass in quick on $ext_if from any to $redes queue iresto
>
> ----- Original Message -----
> From: "Fabiano (BiGu)" <[EMAIL PROTECTED]>
> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" <freebsd@fug.com.br>
> Sent: Tuesday, June 19, 2007 12:08 PM
> Subject: Re: [FUG-BR] ALTQ não controla banda
>
> Gilberto Villani Brito wrote:
>> On 19/06/07, Fabiano (BiGu) <[EMAIL PROTECTED]> wrote:
>>> Well yes, but here it doesn't work... I don't know what I'm doing wrong...
>>> I've already combed through the PF manual from end to end... and I'm doing the
>>> configuration exactly as it is in the manual...
>>>
>>> Gilberto Villani Brito wrote:
>>>> On 17/06/07, Fabiano (BiGu) <[EMAIL PROTECTED]> wrote:
>>>>> Hi folks,
>>>>>
>>>>> I set up ALTQ + PF here but I can't manage to control the bandwidth
>>>>> of one IP.
>>>>>
>>>>> I did the following:
>>>>>
>>>>> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>>>>>
>>>>> queue std bandwidth 128Kb priority 0 \
>>>>>         cbq(default borrow)
>>>>>
>>>>> queue voip bandwidth 512Kb priority 7 \
>>>>>         cbq(red ecn)
>>>>>
>>>>> queue email bandwidth 128Kb priority 0 \
>>>>>         cbq(red ecn borrow)
>>>>>
>>>>> queue rede bandwidth 512Kb priority 0 \
>>>>>         cbq(red ecn)
>>>>>
>>>>> And I added these rules:
>>>>>
>>>>> pass out quick proto { tcp icmp udp } from x.x.x.x to any \
>>>>>         queue rede
>>>>> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>>>>>         queue rede
>>>>>
>>>>> The problem is that it doesn't control the bandwidth at all; this IP
>>>>> uses all the bandwidth available on the link...
>>>>> When I run pftop there is traffic in those two queues, and it is exactly
>>>>> this IP's traffic... but it doesn't hold the bandwidth down..
>>>>>
>>>>> What could I be doing wrong?
>>>>> I'm using freebsd 6.2-RELEASE
>>>>>
>>>>> Thanks
>>>>> -------------------------
>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>
>>>> It does work.
>>>> Check the list archive and you will find an e-mail of mine with examples.
>>>>
>>>> Regards
>>>
>> Try this:
>> pass in (internal network interface) quick proto { tcp udp icmp } from x.x.x.x to any queue rede
>>
>> Regards
>
> Hey, I tried that... no success either:
>
> I'll send my whole pf.conf
>
> ext_if=fxp1
> int_if=fxp0
>
> set optimization normal
> set block-policy drop
> set loginterface fxp1
> set loginterface fxp0
> set debug misc
> set skip on lo0
>
> scrub in all
> scrub out all
>
> altq on fxp1 cbq bandwidth 2Mb queue { std, voip, email, rede }
>
> queue std bandwidth 128Kb priority 1 \
>         cbq(default)
> queue voip bandwidth 512Kb priority 7 \
>         cbq(red ecn borrow)
> queue email bandwidth 256Kb priority 2 \
>         cbq(red ecn borrow)
> queue rede bandwidth 512Kb priority 1 \
>         cbq(red ecn)
>
> rdr on $int_if proto tcp from $rede_1 to any port 80 -> localhost port 3128
>
> block in on fxp1
> block out on fxp1
>
> pass out quick proto { tcp udp icmp } from x.x.x.x to any \
>         queue rede
> pass in quick proto { tcp udp icmp } from any to x.x.x.x \
>         queue rede
>
> If I add the rule our friend mentioned above, I can't even browse...
> and this way it doesn't control the bandwidth, i.e. it doesn't hold
> the connection at 512K
>
> I'm almost going crazy and can't solve this.. heheh

-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
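As an added illustration of the question at the top of this thread (this is not code from any of the posts), the fragment below shows what a practitioner should expect from pf's ALTQ: on an interface where altq is enabled, every packet that leaves that interface goes through the scheduler, and a pass rule with no queue keyword does not bypass it; such packets simply land in the default queue (the one marked cbq(default)). The way to leave a host "unrestricted" is therefore to give its traffic a queue of its own that is allowed to borrow up to the link's full bandwidth. The interface names fxp0/fxp1 and the 2Mb link come from Fabiano's configuration; the host addresses, the internal network, the queue names and the bandwidth split are assumptions made for the example. The queues deliberately carry the same names on both interfaces: pf records the queue in the state when the first packet matches, reply packets are matched against that state rather than against the rules, and a queue name that exists on both interfaces is found on whichever interface the packet leaves.

```pf
ext_if="fxp1"
int_if="fxp0"
internal_net="10.0.0.0/24"   # assumed LAN behind fxp0
server="10.0.0.2"            # assumed: host that must not be throttled
limited="10.0.0.50"          # assumed: host that stays capped at 512Kb

# Upload direction: shaped where the packets leave, on the external interface.
# In CBQ the child bandwidths must not add up to more than the 2Mb root.
altq on $ext_if cbq bandwidth 2Mb queue { std, rede, srv }
queue std  bandwidth 512Kb cbq(default)            # unassigned traffic lands here; it is not "outside" altq
queue rede bandwidth 512Kb cbq(red ecn)            # no borrow: the 512Kb figure is a hard ceiling
queue srv  bandwidth 1Mb   priority 5 cbq(borrow)  # may borrow idle bandwidth up to the 2Mb root

# Download direction: same queue names, defined on the internal interface.
altq on $int_if cbq bandwidth 2Mb queue { std, rede, srv }
queue std  bandwidth 512Kb cbq(default)
queue rede bandwidth 512Kb cbq(red ecn)
queue srv  bandwidth 1Mb   priority 5 cbq(borrow)

block in all
block out all

# The server comes first, before the generic rules. The state created by the
# first packet carries queue srv, so both directions of each connection use it.
pass in quick on $int_if proto { tcp udp icmp } from $server to any keep state queue srv
pass in quick on $ext_if proto { tcp udp icmp } from any to $server keep state queue srv

# The capped host: its states carry queue rede, which cannot borrow.
pass in quick on $int_if proto { tcp udp icmp } from $limited to any keep state queue rede
pass in quick on $ext_if proto { tcp udp icmp } from any to $limited keep state queue rede

# Everything else from the LAN: no queue keyword, so it goes to the default queue (std).
pass in quick on $int_if from $internal_net to any keep state
```

After loading the file with pfctl -f, pfctl -vvsq prints per-queue counters every few seconds: the byte counters of srv should move on both interfaces while the server transfers, while rede should level off at its 512Kb ceiling. The borrow keyword is what lets srv exceed its 1Mb share when the link is idle; without it the bandwidth figure is a hard cap, which is exactly the property the rede queue relies on.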