Hi All,

Need help.
128 Kb router link to the internet.
OpenBSD connects to the router on ste2 (100Mb link).
OpenBSD 100Mb internal link on ste0.
Running Squid on the OpenBSD, listening on port 3128.
Running Web server on the OpenBSD.
Running named on the OpenBSD.

It seems that the internal users have consumed all the bandwidth for http,
whereas I would like to have spare bandwidth:
32 Kb for smtp, ssh.
32 Kb for others ftp, ftp-data
64 Kb for http and https access.

Any suggestions are very much appreciated. Thx

Firewall configuration (running OpenBSD 3.9):
ext_if="ste2"
int_if="ste0"

fwix="222.124.1.1"
fw_ip="172.16.1.2"

apin_net="172.16.0.0/24"

proxy="3128"
int2fw="ssh smtp pop3"
ix2fw="ssh"
fw2ix_www="www https"
fw2ix_oth="ssh smtp"
fw2ix_ftp="ftp ftp-data"
ext2fw="www https ssh smtp "

table <spamd> persist
table <spamd-white> persist

set skip on { lo $int_if }

scrub in all

altq on $ext_if cbq bandwidth 128Kb queue { std_fw, www_fw, ftp_fw }
queue std_fw    bandwidth 32Kb cbq(default borrow)
queue www_fw    bandwidth 64Kb cbq(borrow)
queue ftp_fw    bandwidth 32Kb cbq(borrow)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

binat on $ext_if from $fw_ip to any -> $fwix

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr pass on $ext_if proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
        -> 127.0.0.1 port spamd

anchor "ftp-proxy/*"

block in log all
block out log all

antispoof quick for { lo $int_if }

pass in quick on $int_if proto tcp from $apin_net to $int_if \
        port $proxy flags S/SA keep state
pass in quick on $int_if proto tcp from $apin_net to $int_if \
        port {$int2fw} flags S/SA keep state
pass in quick on $int_if proto udp from $apin_net to $int_if port domain \
        keep state

pass in on $ext_if proto tcp to ($ext_if) port {$ix2fw} keep state
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
pass out on $ext_if proto icmp to any keep state
pass out on $ext_if proto udp to any port domain keep state
# queue names here must match the queues declared under altq above
# (std_fw, www_fw, ftp_fw); pfctl rejects a rule that names an undefined queue
pass out on $ext_if proto tcp to any port {$fw2ix_www} \
        flags S/SA keep state queue www_fw
pass out on $ext_if proto tcp to any port {$fw2ix_oth} \
        flags S/SA keep state queue std_fw
pass out on $ext_if proto tcp to any port {$fw2ix_ftp} \
        flags S/SA keep state queue ftp_fw

Best regards,
Riwan
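An added check, written for this thread and not part of the original post or of OpenBSD's own tools: a small lint that finds pass rules assigning traffic to a queue the altq section never declares, which is the kind of mismatch that makes pfctl refuse the whole file and leaves no shaping in place. The sample pf.conf it builds (sample_pf_conf, a constructed cut-down copy of the ruleset above) and the function names are assumptions made here.

```shell
# Added example, not from the original post: lint a pf.conf for pass rules that
# assign traffic to a queue the altq section never defines (rules naming www_oth
# or www_ftp while only std_fw, www_fw and ftp_fw exist), a file pfctl rejects.

# Usage: check_pf_queues /etc/pf.conf -- prints each rule naming an undefined queue, returns 1 if any.
check_pf_queues() {
    awk '
    {
        start = NR; line = $0
        # join lines continued with a trailing backslash, as in the post
        while (sub(/\\[ \t]*$/, "", line) && ((getline nxt) > 0)) line = line " " nxt
        n = split(line, f, /[ \t]+/)
        s = (f[1] == "") ? 2 : 1            # skip empty field from leading indent
        # definitions: "queue std_fw bandwidth ..." and the altq child list
        if (f[s] == "queue") defined[f[s+1]] = 1
        if (f[s] == "altq" && match(line, /queue[ \t]*[{][^}]*[}]/)) {
            list = substr(line, RSTART + 5, RLENGTH - 5)
            gsub(/[{},]/, " ", list)
            m = split(list, q, /[ \t]+/)
            for (k = 1; k <= m; k++) if (q[k] != "") defined[q[k]] = 1
        }
        # assignments on filter rules: "... keep state queue www_fw"
        if (f[s] == "pass" || f[s] == "match")
            for (i = s + 1; i < n; i++) if (f[i] == "queue") used[f[i+1]] = start
    }
    END { bad = 0
        for (name in used) if (!(name in defined)) {
            print "line " used[name] ": rule assigns undefined queue " name; bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed sample (hypothetical, cut down from the post): the ALTQ section plus
# two pass rules; $1 is the queue name the ssh/smtp rule uses (www_oth shows the bug).
sample_pf_conf() {
    cat <<EOF
altq on \$ext_if cbq bandwidth 128Kb queue { std_fw, www_fw, ftp_fw }
queue std_fw    bandwidth 32Kb cbq(default borrow)
queue www_fw    bandwidth 64Kb cbq(borrow)
queue ftp_fw    bandwidth 32Kb cbq(borrow)
pass out on \$ext_if proto tcp to any port { www https } \\
        flags S/SA keep state queue www_fw
pass out on \$ext_if proto tcp to any port { ssh smtp } \\
        flags S/SA keep state queue $1
EOF
}

tmp=$(mktemp); sample_pf_conf www_oth > "$tmp"
check_pf_queues "$tmp" || echo "fix the queue names before loading with pfctl -f"
rm -f "$tmp"
```

Running it on the real file is `check_pf_queues /etc/pf.conf`; a clean result still leaves `pfctl -nf /etc/pf.conf` as the authoritative syntax check.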
