Hi @ all,
I am trying to limit the bandwidth on my OpenBSD 3.7 (release), but there is
something wrong.
On my box runs an FTP server (10.0.0.1) without a proxy,
and I try to copy from/to it from 10.0.0.20 via FTP.
The traffic walks through the rules (logged with tcpdump...), but there isn't a
limit on the inbound traffic. If I add "keep state" to it, then there is a
limit, but not the right one (about a factor of 5 wrong).
Does anyone know this problem? Or know anything else to try?
My pf.conf looks like this.
Thanks a lot and have a nice evening...
Raphy
# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Aliases are defined here
# Network interfaces
ext_if="rl1"
int_if="rl0"
dmz_if="vr0"
# Subnets
ext_net="192.168.1.0/24"   # /24 assumed; the posted /8 would have matched all of 192.0.0.0/8
int_net="10.0.0.0/8"
dmz_net="172.16.0.0/24"    # /24 assumed; the posted /8 would have matched all of 172.0.0.0/8
# Host IPs
int_ip_modem="192.168.1.1"
ext_ip_mickey="192.168.1.2"
int_ip_mickey="10.0.0.1"
dmz_ip_mickey="172.16.0.1"
dmz_ip_www="172.16.0.2"
dmz_port_www="80"
#table <spamd> persist
#table <spamd-white> persist
# some global settings
set limit { states 10000, frags 5000 }
set block-policy drop
# reassemble fragmented packets
scrub in on {$ext_if,$dmz_if} all fragment reassemble
# Bandwidth Control
# LAN-Interface
altq on $int_if cbq bandwidth 100Mb queue {lan_in, lan_out}
queue lan_in bandwidth 50% cbq {lan_misc_in, ftp_lan_in, ssh_lan_in}
queue lan_misc_in bandwidth 50Kb cbq
queue ftp_lan_in bandwidth 1Mb cbq
queue ssh_lan_in bandwidth 50Kb priority 7 cbq
queue lan_out bandwidth 50% cbq {lan_misc_out, ftp_lan_out, ssh_lan_out}
queue lan_misc_out bandwidth 50Kb cbq(default)
queue ftp_lan_out bandwidth 2Mb cbq
queue ssh_lan_out bandwidth 8Mb priority 7 cbq
# NAT rules
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Redirect-Rules...
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
# for the WWW server in the DMZ (still commented out; the continuation needs a backslash)
#rdr on $ext_if proto {tcp,udp} from any to port $dmz_port_www \
#    -> $dmz_ip_www port $dmz_port_www
# Firewall-Rules
# Base-Rules
block drop in log all
block drop out log all
pass quick on { lo lo0 }
antispoof quick for { lo lo0 $ext_if $int_if $dmz_if }
# ***********************************
# the LAN
# inbound
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port { 20, 21 } \
    queue ftp_lan_in   # FTP control (21) and active-mode data (20)
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port 22 \
    queue ssh_lan_in   # SSH
# outbound
pass out on $int_if proto tcp from $int_ip_mickey port { 20, 21 } to $int_net \
    queue ftp_lan_out  # FTP
pass out on $int_if proto tcp from $int_ip_mickey port 22 to $int_net \
    queue ssh_lan_out  # SSH
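An added example, not part of Raphy's post, showing the one thing ALTQ can do with this topology. ALTQ only enqueues packets as they leave an interface that has an altq definition. Packets arriving on rl0 for the FTP server on the box itself never leave through rl0, so a `queue` keyword on a `pass in` rule without state tags them with a queue they are never placed in. With `keep state` the queue is stored in the state entry and applied to the replies that leave rl0, which is the only direction that is actually shaped; for a client upload those replies are mostly pure ACKs, so the upload is throttled only indirectly and coarsely. The fragment therefore shapes outbound on rl0 and uses the second queue of a `queue (a, b)` pair for the ACK stream. Interface names and the server address are taken from the post; the bandwidth figures are illustrative assumptions.

```pf
# Added example (not from the original post): shape only where ALTQ acts,
# i.e. on packets leaving rl0. Bandwidth values are illustrative assumptions.
int_if="rl0"
int_ip_mickey="10.0.0.1"
int_net="10.0.0.0/8"

# One root queue on the LAN interface; only packets leaving rl0 are queued.
altq on $int_if cbq bandwidth 100Mb queue { lan_misc, ftp_data, ftp_ack, ssh }
queue lan_misc bandwidth 2Mb cbq(default, borrow)
queue ftp_data bandwidth 1Mb cbq                  # server -> client downloads
queue ftp_ack  bandwidth 64Kb priority 6 cbq      # server ACKs for client uploads
queue ssh      bandwidth 512Kb priority 7 cbq

# Inbound: the queue keyword does nothing to the arriving packets themselves.
# With keep state it is stored in the state and applied to the replies that
# leave rl0; the second queue of the pair receives the server's pure-ACK
# packets, so a client upload is limited only by the rate at which it is ACKed.
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port { 20, 21 } \
    flags S/SA keep state queue (ftp_data, ftp_ack)
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port 22 \
    flags S/SA keep state queue ssh

# Outbound: active-mode data connections opened by the server from port 20.
pass out on $int_if proto tcp from $int_ip_mickey port 20 to $int_net \
    flags S/SA keep state queue (ftp_data, ftp_ack)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vvsq` during a transfer: the packet and byte counters of `ftp_data` and `ftp_ack` should move, and if a queue's counters stay at zero while tcpdump shows the rule matching, the packets were tagged but never enqueued because they did not leave rl0.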