That ruleset design is where I'm stuck. If the upload of the PC in the LAN is obeying the std queue, it should be able to queue to whatever speed I want, right?...
Note: Trying to set upload speeds for a PC on the LAN.

# macros
ext_if="dc0"
int_if="vr1"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
comp3="192.168.100.3"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# queue
altq on $ext_if cbq bandwidth 256Kb queue { stdout pcout }
queue stdout bandwidth 192Kb cbq(default)
queue pcout bandwidth 64Kb cbq

altq on $int_if cbq bandwidth 100% queue { stdin pcin }
queue stdin bandwidth 192Kb cbq(default)
queue pcin bandwidth 64Kb cbq

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in
pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

#pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
#    flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass on $int_if
# download direction: outbound on $int_if, no translation involved
pass out on $int_if from any to 192.168.100.106 queue pcin
# upload direction: "nat on $ext_if" is applied before the filter rules on the
# outbound interface, so by the time this rule is evaluated the source address
# is already ($ext_if); 192.168.100.106 never matches here and the packet is
# handled by "pass out keep state" above, i.e. the default (stdout) queue
pass out on $ext_if from 192.168.100.106 to any queue pcout

On 7/14/06, tony sarendal <[EMAIL PROTECTED]> wrote:
On 14/07/06, Jeff Quast <[EMAIL PROTECTED]> wrote:
>
> On 7/14/06, Bernd Schoeller <[EMAIL PROTECTED]> wrote:
> > On Thu, Jul 13, 2006 at 08:53:31PM -0400, Jeff Quast wrote:
> > > You cannot control the speed at which packets arrive on an interface.
> > Are you sure?
>
> I am sure. If it sounds unreasonable, get a live firehose, and see if
> you can control the amount of water received in your mouth.
>
> I don't think your question is entirely clear. Please note there is
> also a pf mailing list http://www.benzedrine.cx/mailinglist.html . You
> state you want to control the download speed on a LAN, implying all
> incoming and outgoing packets are on this LAN. If this is the case put
> pf+altq on each machine, and queue outgoing packets. Seems simple
> enough to me.
>
> From the FAQ:
>
> "PF will record the queue in the state table entry so that packets
> traveling back out fxp0 that match the stateful connection will end up
> in the ssh queue. Note that even though the queue keyword is being
> used on a rule filtering incoming traffic, the goal is to specify a
> queue for the corresponding outgoing traffic; the above rule does not
> queue incoming packets."

You may not be able to control the rate the packets hit the firewall with,
but you can control the rate they exit on the other side.

Doing what you want to accomplish can be done, read the pf.conf man page
again a few times and consider that state is created for each interface.
An inbound keep state rule on one interface can specify which queue the
return packets should end up in, and an outbound keep state rule on the
other side can specify which queue the packets should use there.

Now it's all down to ruleset design, that is where the complexity, and in
the end the strength, of PF is.

/Tony

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
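For readers stuck at the same point, here is a reduced ruleset that shapes one LAN host's upload and download from the gateway. It is an added example, not a ruleset from any of the posters: the interface names, the PC's address and the bandwidth figures are copied from the posted pf.conf, the queue names are chosen here, and the ftp-proxy anchors and the ssh/ident/icmp pass rules are left out because they do not interact with the queueing. It relies on two facts about the pf of that era (OpenBSD 3.x/4.0 with the default floating state policy). First, nat on the external interface is applied before the filter rules on the outbound side, so a "pass out on $ext_if from 192.168.100.106" rule never sees that source address and the host's uploads fall through to the default queue. Second, as the FAQ passage quoted above says, the queue assigned by a keep state rule is recorded in the state and applied whenever a packet of that connection is sent, on whichever interface it leaves; queues are identified by name, so defining a queue with the same name under both altq declarations lets one inbound rule on the LAN interface shape both the uploads (leaving $ext_if) and the downloads (leaving $int_if).

```pf
# Added example, not from the thread. Interface names, the PC address and
# the bandwidth figures come from the posted ruleset; queue names and the
# comments are mine. Assumes the default floating state policy.
ext_if="dc0"
int_if="vr1"
pc="192.168.100.106"

set block-policy return
set skip on lo
scrub in

# One queue name per traffic class, declared on BOTH interfaces. A state
# that carries queue "pc" selects the pc queue of whatever interface the
# packet leaves on; on an interface with no queue of that name the packet
# would fall into that interface's default queue.
altq on $ext_if cbq bandwidth 256Kb queue { std pc }
altq on $int_if cbq bandwidth 100% queue { std pc }

# upload side ($ext_if): 192Kb for everyone else, 64Kb for the PC
queue std on $ext_if bandwidth 192Kb cbq(default)
queue pc  on $ext_if bandwidth 64Kb  cbq

# download side ($int_if): same split for traffic delivered to the LAN
queue std on $int_if bandwidth 192Kb cbq(default)
queue pc  on $int_if bandwidth 64Kb  cbq

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in
pass out keep state
antispoof quick for { lo $int_if }

# LAN hosts in general: state is created here, no queue given, so their
# packets use the std (default) queue on both interfaces.
pass in on $int_if from $int_if:network to any keep state

# The PC: queued on the rule that first sees its packets, i.e. inbound on
# the LAN side, before NAT rewrites the source. The state created here
# carries "pc": the same packet leaving $ext_if goes into pc on $ext_if,
# and the replies that later leave $int_if go into pc on $int_if.
# Last matching rule wins, so this must come after the generic LAN rule.
pass in on $int_if from $pc to any keep state queue pc
```

Load it with "pfctl -f /etc/pf.conf" and watch "pfctl -v -s queue" while the PC uploads: the packet and byte counters of the pc queue on dc0 should move, and the std queue on dc0 should not. If the std counters move instead, the PC's packets are still being matched by a rule without a queue, which is what happens when the rule meant for them is placed before the generic LAN rule.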