Hi all, I am trying to limit the bandwidth on my OpenBSD 3.7 (Release), but something is wrong.
On my box runs an FTP server (10.0.0.1) without proxy, and I try to copy from/to it from 10.0.0.20 via FTP. The traffic walks through the rules (logged with tcpdump...), but there isn't a limit on the inbound traffic. If I add "keep state" to it, then there is a limit, but not the right one (about a factor of 5 wrong). Does anyone know this problem? Or know anything else to try? My pf.conf looks like this. Thanks a lot and have a nice evening... Raphy

# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

# Aliases are created
# Network interfaces
ext_if="rl1"
int_if="rl0"
dmz_if="vr0"

# Subnets
ext_net="192.168.1.0/8"
int_net="10.0.0.0/8"
dmz_net="172.16.0.0/8"

# Host IPs
int_ip_modem="192.168.1.1"
ext_ip_mickey="192.168.1.2"
int_ip_mickey="10.0.0.1"
dmz_ip_mickey="172.16.0.1"
dmz_ip_www="172.16.0.2"
dmz_port_www="80"

#table <spamd> persist
#table <spamd-white> persist

# some definitions
set limit { states 10000, frags 5000 }
set block-policy drop

# reassemble packets
scrub in on {$ext_if,$dmz_if} all fragment reassemble

# Bandwidth Control
# LAN interface
altq on $int_if cbq bandwidth 100Mb queue {lan_in, lan_out}
queue lan_in bandwidth 50% cbq {lan_misc_in, ftp_lan_in, ssh_lan_in}
queue lan_misc_in bandwidth 50Kb cbq
queue ftp_lan_in bandwidth 1Mb cbq
queue ssh_lan_in bandwidth 50Kb priority 7 cbq
queue lan_out bandwidth 50% cbq {lan_misc_out, ftp_lan_out, ssh_lan_out}
queue lan_misc_out bandwidth 50Kb cbq(default)
queue ftp_lan_out bandwidth 2Mb cbq
queue ssh_lan_out bandwidth 8Mb priority 7 cbq

# NAT rules
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirect rules...
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
#    -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
#    -> 127.0.0.1 port spamd
# for the WWW server
#rdr on $ext_if proto {tcp,udp} from any to port $dmz_port_www -> \
#    $dmz_ip_www port $dmz_port_www

# Firewall rules
# Base rules
block drop in log all
block drop out log all
pass quick on { lo lo0 }
antispoof quick for { lo lo0 $ext_if $int_if $dmz_if }

# ***********************************
# the LAN
# inbound
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port {20, 21} queue ftp_lan_in    # FTP
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port 22 queue ssh_lan_in           # SSH
# outbound
pass out on $int_if proto tcp from $int_ip_mickey port {20,21} to $int_net queue ftp_lan_out   # FTP
pass out on $int_if proto tcp from $int_ip_mickey port 22 to $int_net queue ssh_lan_out        # SSH
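An added example, not from Raphy's mail, showing how ALTQ queues on pf apply only to packets leaving an interface, written against the same interface and host names as the mail; the queue names here are assumptions chosen to say which direction they actually shape, and "keep state" is spelled out because OpenBSD 3.7 does not keep state implicitly.

```pf
# Added example (not the original pf.conf). Every queue declared under
# "altq on rl0" shapes packets as they LEAVE rl0 towards the LAN; a
# "queue" keyword on a "pass in" rule only takes effect on the reply
# packets of that connection, via the state the rule creates.
int_if="rl0"
int_net="10.0.0.0/8"
int_ip_mickey="10.0.0.1"

# Root queue on the LAN interface; all children are egress queues of rl0.
altq on $int_if cbq bandwidth 100Mb queue { lan_egress }
queue lan_egress bandwidth 50% cbq { lan_misc_egress, ftp_lan_egress, ssh_lan_egress }
queue lan_misc_egress bandwidth 50Kb cbq(default)
queue ftp_lan_egress  bandwidth 1Mb  cbq
queue ssh_lan_egress  bandwidth 8Mb  priority 7 cbq

block drop in log all
block drop out log all

# Connections the LAN opens to the local FTP/SSH server. Without
# "keep state" the inbound packet terminates on 10.0.0.1 and never leaves
# an interface, so no queue sees it. With "keep state" the server's
# replies (directory listings, downloads) match the state on their way
# out of rl0 and are shaped by the queue named here.
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port { 20, 21 } \
    flags S/SA keep state queue ftp_lan_egress
pass in on $int_if proto tcp from $int_net to $int_ip_mickey port 22 \
    flags S/SA keep state queue ssh_lan_egress

# Active-mode FTP data the server opens from port 20 towards the LAN.
# It leaves rl0 as well, so the same egress queue applies.
pass out on $int_if proto tcp from $int_ip_mickey port 20 to $int_net \
    flags S/SA keep state queue ftp_lan_egress

# Not possible on this box: uploads from 10.0.0.20 into 10.0.0.1 arrive on
# rl0 and are delivered locally, so they never pass an egress queue. That
# direction has to be shaped where it leaves an interface (on the client,
# or on a box in between that forwards it).
```

`pfctl -vvs queue` prints the per-queue packet and byte counters on rl0, which shows directly which queue a transfer lands in under a given rule variant.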