Re: Quick question about PF and ALTQ

2007-11-11 Thread Girish Venkatachalam
On 14:03:29 Nov 11, Peter Boosten wrote:
> Hi all,
> 
> One quick question: is it possible to filter specific kinds of traffic
> with altq, traffic that is not bound to specific IP addresses, like online
> radio?
> 

Yes.

Not altq (it is for QoS).

But pf can of course. :)

remoteip  = "www.shoutcast.com"
radioport = 554
block quick out on fxp0 proto tcp from any to $remoteip port $radioport

Here is an example for you to lift and plonk into your /etc/pf.conf. :)

Best of luck!

Obviously the IP and port are fictitious.

This will block all the incoming traffic from any internal IP to the
online radio service.

Hope this helps.

regards,
Girish

What is the port for online radio? Many use http. If you want to block
RTSP, then I guess it should be 554
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Quick question about PF and ALTQ

2007-11-11 Thread Peter Boosten
On Sun, November 11, 2007 15:43, Girish Venkatachalam wrote:
> On 14:03:29 Nov 11, Peter Boosten wrote:
>
>> Hi all,
>>
>>
>> One quick question: is it possible to filter specific kinds of traffic
>> with altq, traffic that is not bound to specific IP addresses, like
>> online radio?
>>
>
> Yes.
>
>
> Not altq(It is for QoS).
>
>
> But pf can of course. :)
>
>
> remoteip  = "www.shoutcast.com"
> radioport = 554
> block quick out on fxp0 proto tcp from any to $remoteip port $radioport
>
> Here is an example for you lift and plonk into your /etc/pf.conf. :)
>
>
> Best of luck!
>
>
> Obviously the IP and port are fictitious.
>
>
> This will block all the incoming traffic from any internal IP to the
> online radio service.
>
> Hope this helps.
>
>
> regards,
> Girish
>
> What is the port for online radio? Many use http. If you want to block
> RTSP, then I guess it should be 554

Thanks for your answer, although that's not quite what I'm looking for:

I know it's possible to 'shape' the traffic with altq, so it's possible in
theory to shape certain kinds of traffic to almost nil. Smart devices
like packetshapers (and even some proxy appliances like Blue Coat) have
separate categories for streaming media, so I was wondering if PF and altq
could do the same.

Your solution works, however you'll have to know what sites are being
visited in order to block them entirely.

Peter


-- 
http://www.boosten.org



Re: Quick question about PF and ALTQ

2007-11-11 Thread Peter Boosten
On Sun, November 11, 2007 15:43, Girish Venkatachalam wrote:
> On 14:03:29 Nov 11, Peter Boosten wrote:
>
>> Hi all,
>>
>>
>> One quick question: is it possible to filter specific kinds of traffic
>> with altq, traffic that is not bound to specific IP addresses, like
>> online radio?
>>
>
> Yes.
>
>
> Not altq(It is for QoS).
>

the OpenBSD site mentions 'Class Based Queueing' on this page:
http://www.openbsd.org/faq/pf/queueing.html

There's some 'example' that userB might get 250K for 'audio', however the
entire page fails to explain how this could be done. Maybe someone on this
list got it running...

Peter



-- 
http://www.boosten.org



Re: Quick question about PF and ALTQ

2007-11-11 Thread Matthew Seaman

Peter Boosten wrote:
> On Sun, November 11, 2007 15:43, Girish Venkatachalam wrote:
>> On 14:03:29 Nov 11, Peter Boosten wrote:
>>
>>> Hi all,
>>>
>>>
>>> One quick question: is it possible to filter specific kinds of traffic
>>> with altq, traffic that is not bound to specific IP addresses, like
>>> online radio?
>>>
>> Yes.
>>
>>
>> Not altq(It is for QoS).
>>
> 
> the OpenBSD site mentiones 'Class Based Queueing' on this page:
> http://www.openbsd.org/faq/pf/queueing.html
> 
> There's some 'example' that userB might get 250K for 'audio', however the
> entire page fails to explain how this could be done. Maybe someone on this
> list got it running...

If you can identify the traffic by the means available to you
provided by pf(4) then, yes certainly you can use ALTQ or other
means to control the bandwidth permitted for that traffic.

It's a big /if/ however.  pf(4) works at layers 2 and 3 -- that
is, it looks only at packet headers -- MAC addresses, IP addresses,
TCP flags etc.  It knows nothing of the protocol-specific stuff
that requires inspection of packet contents.

In general, in order to control traffic by inspection of packet
contents you will need to implement some sort of protocol specific
proxy.  I'm afraid I know virtually nothing of the sort of
protocols used to transmit on-line radio, but I'm assuming that they
are of more general use than just on-line radio -- so you need to
inspect the contents in order to distinguish exactly what it is.
(By analogy: you couldn't just block all web traffic because most
of it is legitimate, but you can block images containing substantial
areas of skin tones...)

So your question now becomes two:

   * What software is available to proxy this on-line radio
     traffic?

and

   * Can I distinguish the on-line radio traffic from other uses
     of the same protocol?

Without a bit more information about exactly what you're dealing
with, it is impossible for those questions to be answered.

However, given that you can identify the appropriate proxy software,
you can possibly use pf(4) to implement transparent proxying.  There
are any number of articles on the web about transparent proxying of
HTTP traffic with squid and pf that Google can find for you.  By
adapting that approach you may be able to apply the same concept to
your traffic.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW


Re: Quick question about PF and ALTQ

2007-11-11 Thread Peter Boosten
On Sun, November 11, 2007 20:16, Matthew Seaman wrote:
>>> On 14:03:29 Nov 11, Peter Boosten wrote:
>>>> Hi all,
>>>>
>>>> One quick question: is it possible to filter specific kinds of
>>>> traffic with altq, traffic that is not bound to specific IP
>>>> addresses, like online radio?
>>>>
>
> If you can identify the traffic by the means available to you...
[snip]
> ..approach you may be able to apply the same concept to your traffic.
>

Thanks for your (good) answer, Matthew, I'll start a search for
appropriate software then.

Regards,

Peter


-- 
http://www.boosten.org



Re: Quick question about PF and ALTQ

2007-11-11 Thread Girish Venkatachalam
On 18:49:37 Nov 11, Peter Boosten wrote:
> Thanks for your answer, although that's not quite what I'm looking for:
> 

Okay. Find my answer below.

> I know it's possible to 'shape' the traffic with altq, so it's possible in
> theory to shape certain kinds of traffic to almost nil. Smart devices
> like packetshapers (and even some proxy appliances like Blue Coat) have
> separate categories for streaming media, so I was wondering if PF and altq
> could do the same.

Well, I have no idea about appliances or commercial software.

I can however tell you what I know. I have never tried these things but
I can tell you what I have understood.

First and foremost you can only shape outgoing traffic. You cannot do
QoS with incoming traffic. You might be able to manipulate things a
little but you have far more power when it comes to deciding how you
want others to receive packets from you.

This is the basic idea. You can only do traffic shaping with egress
traffic. Not with ingress traffic.

Now, pf + altq can do very sophisticated traffic shaping.

There are three categories of queuing disciplines supported by pf.

a ) class based queuing (cbq)

b ) priority based queuing (priq)

c ) hierarchical fair service curve (hfsc)

Each of these mechanisms has pros and cons and you have to pick one of
them based on your requirements.

The configuration for basic QoS management consists of three steps.

1) The altq statement (which interface to work on, how much bandwidth
you want to play around with, and also the queuing discipline, one of
the above).

2) You have to define the "queue" rules to determine how the total
bandwidth in the above line has to be split amongst the various
categories. Typically they are split into multiple queues based on port
numbers, but other possibilities also exist. For instance you will want
to allocate the bulk of the bandwidth for important mail traffic and
browsing, but you want to restrict p2p and other protocols. It is the
"queue" lines that also determine what to do when there is congestion.
(IOW most of the tweaking happens here :)

3) The next step is to use the pf filter rules to allocate which queues
to use for handling which traffic.

I shall illustrate with an example. This is not my own. I am taking it
from the pf man page.

  1) altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }

  2) queue std bandwidth 10% cbq(default)
     queue http bandwidth 60% priority 2 cbq(borrow red) \
           { employees, developers }
     queue  developers bandwidth 75% cbq(borrow)
     queue  employees bandwidth 15%
     queue mail bandwidth 10% priority 0 cbq(borrow ecn)
     queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
     queue  ssh_interactive bandwidth 50% priority 7 cbq(borrow)
     queue  ssh_bulk bandwidth 50% priority 0 cbq(borrow)

  3) block return out on dc0 inet all queue std
     pass out on dc0 inet proto tcp from $developerhosts to any port 80 \
           keep state queue developers
     pass out on dc0 inet proto tcp from $employeehosts to any port 80 \
           keep state queue employees
     pass out on dc0 inet proto tcp from any to any port 22 \
           keep state queue(ssh_bulk, ssh_interactive)
     pass out on dc0 inet proto tcp from any to any port 25 \
           keep state queue mail

As you can see the first line is the altq directive. You have defined a
list of queues (std, http, mail, ssh) and also mentioned that you want
to use class based queuing.

Then the queue rules determine how individual queues should share the
bandwidth amongst themselves. But we are not quite done yet.

The most critical step is the filter rules that determine when to queue
traffic and which queue to assign to.

That happens in 3).

It should be self explanatory.

Please note that we have used "pass out" which corresponds to my main
idea of determining how traffic leaves our network.

Once data arrives on the interface, it is already too late to do QoS
manipulation.

This is not completely true (you can do bandwidth throttling) but at
least relatively speaking this idea appears to be correct.

> 
> Your solution works, however you'll have to know what sites are being
> visited in order to block them entirely.
> 

Hope the above explanation suffices.

Can you clarify your needs a bit more?

Thanks.

Best,
Girish


Re: Quick question about PF and ALTQ

2007-11-12 Thread Peter Boosten
On Mon, November 12, 2007 08:04, Girish Venkatachalam wrote:

>
> Hope the above explanation suffices.

Yes, it does. Very nice explanation, thanks.

>
>
> Can you clarify your needs a bit more?

Well, it's actually quite simple: our internet access line is used
by several people (directly, without a proxy server, but with a FreeBSD
firewall). Our management wants to block unwanted traffic (so not: wants
to block unwanted sites - which would be very easy), like p2p and online
radio, since this traffic is:
- non business related
- bandwidth consuming

Peter



-- 
http://www.boosten.org



Re: Quick question about PF and ALTQ

2007-11-12 Thread [LoN]Kamikaze
Peter Boosten wrote:
> On Mon, November 12, 2007 08:04, Girish Venkatachalam wrote:
> 
>> Hope the above explanation suffices.
> 
> Yes, it does. Very nice explanation, thanks.
> 
>>
>> Can you clarify your needs a bit more?
> 
> Well, it's actually quite simple: our internet access line is used
> by several people (directly, without a proxy server, but with a FreeBSD
> firewall). Our management wants to block unwanted traffic (so not: wants
> to block unwanted sites - which would be very easy), like p2p and online
> radio, since this traffic is:
> - non business related
> - bandwidth consuming
> 
> Peter

You just drop all traffic except for that over wanted ports, such as for http,
https, ftp, smtp, pop3, maybe some instant messengers...

That won't help against tunneling, though.





Re: Quick question about PF and ALTQ

2007-11-12 Thread Girish Venkatachalam
On 10:17:52 Nov 12, Peter Boosten wrote:
 
> Yes, it does. Very nice explanation, thanks.
> 

NP. Thanks.

> 
> Well, it's actually quite simple: our internet access line is used
> by several people (directly, without a proxy server, but with a FreeBSD
> firewall). Our management wants to block unwanted traffic (so not: wants
> to block unwanted sites - which would be very easy), like p2p and online
> radio, since this traffic is:
> - non business related
> - bandwidth consuming

In that case you don't need QoS at all.

Just use pf for it.

Refer to the first mail I sent in this thread. All the info you need is
right there.

Don't worry about altq.

Best,
Girish


Re: Quick question about PF and ALTQ

2007-11-12 Thread Girish Venkatachalam
On 14:03:29 Nov 11, Peter Boosten wrote:
> Hi all,
> 
> One quick question: is it possible to filter specific kinds of traffic
> with altq, traffic that is not bound to specific IP addresses, like online
> radio?
> 
 
Looks like I finally understood what you want.

You want to block the protocol from/to *any* IP address.

This is easily done.

block all
pass out proto tcp from any to any port { http smtp ftp } keep state

This is a very "cruel" ruleset. :)

Instead you actually want this one.

nonbusiness = "{" 522 bittorrent ... "}"

block drop out quick proto { tcp udp } from any to any port $nonbusiness

As you can see using pf, you can leave out anything.

That is the power of this marvelous creation.

It gives tremendous power to firewalls.

In fact I would venture to say it is the best software available for
firewalling functionality.

Best,
Girish
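Putting the thread together: Girish's three-step altq layout (altq statement, queue tree, filter rules that assign queues) and the "drop everything except wanted ports" approach from [LoN]Kamikaze and Girish's last reply fit in one /etc/pf.conf. The file below is an added example written for this page; it is not from any of the posts or from pf.conf(5). Everything about the topology is assumed: the firewall has the LAN on fxp1 (192.168.1.0/24), a 2 Mbit/s uplink on fxp0, and the queue names, port list and percentages are illustrative. It keeps the pf.conf(5) pattern of assigning queues on the "pass out" rules of the uplink interface, and spells out "keep state" so it loads on pf versions where that is not the default.

```pf
# /etc/pf.conf -- added example; assumed topology, not from the thread.
# Kernel needs 'options ALTQ' and 'options ALTQ_CBQ' for the altq line.

ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
business_tcp = "{ http, https, smtp, imaps, ssh }"   # assumed port list

# Step 1: the altq statement. Shaping is done on the uplink, where the
# bottleneck is. CBQ lets the queues be expressed as shares of the link.
altq on $ext_if cbq bandwidth 2Mb queue { q_business, q_bulk, q_penalty }

# Step 2: the queue tree (child shares must not exceed 100%).
# The two wanted classes may borrow idle bandwidth; q_penalty may not,
# so whatever lands there is held to 5% of the link even when the rest
# is idle. It is also the default queue: a packet passed by a rule with
# no explicit queue ends up there.
queue q_business bandwidth 70% priority 5 cbq(borrow)
queue q_bulk     bandwidth 25% priority 2 cbq(borrow)
queue q_penalty  bandwidth  5% priority 0 cbq(default)

# Step 3: filter rules decide which queue a flow lands in.
set skip on lo0
block log all

# Let the LAN into the firewall; what it may do is decided on the way
# out on $ext_if (a state created here does not match the packet on the
# uplink, so the rules below are still evaluated for it).
pass in on $int_if from $lan to any keep state

# Anything the LAN sends that no later, more specific rule matches is
# blocked (management's wish). To starve it instead of blocking it,
# uncomment the pass line: it comes later, and in pf the last matching
# rule wins, so it overrides the block for traffic nothing else claims.
block return out on $ext_if from $lan to any
#pass out on $ext_if from $lan to any keep state queue q_penalty

# Business protocols, identified by destination port only.
pass out on $ext_if proto tcp from $lan to any port $business_tcp \
    keep state queue q_business
pass out on $ext_if proto udp from $lan to any port domain \
    keep state queue q_business
pass out on $ext_if proto tcp from $lan to any port ftp \
    keep state queue q_bulk

# The firewall's own outbound traffic.
pass out on $ext_if from ($ext_if) to any keep state queue q_business
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -vsq` while someone streams: the byte counters show which queue a flow actually landed in. Three caveats follow from the thread itself. A macro that holds a hostname, like the www.shoutcast.com rule earlier, is resolved once when the ruleset is loaded, so the rule silently covers only the addresses returned at that moment. Port-based rules cannot tell a radio stream on port 80 from a web page, and a tunnel over 80 or 443 passes as "business"; both cases need the proxy Matthew describes. And the ftp rule passes only the control channel: passive data connections use arbitrary ports and hit the default deny unless ftp-proxy(8) is added.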