is this logically correct?

2006-08-15 Thread S t i n g r a y
Sorry for reposting, but as no one answered, I need to confirm urgently.
Here is my first traffic shaping pf.conf file. Although there weren't any
syntax mistakes, can you have a look at it and see if there is any logical
mistake?

Would be very grateful.

Regards


intif=epic0
intnet=10.0.0.0/16
extif=fxp0
extad=192.168.0.2/32
chadd=10.0.0.1/32
servers=10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6
mailserver=10.0.0.2
vip=10.0.0.5
ports = 21 22 25 53 80 110 119 123 143 443 554 1755 1863 3389 5000 5001 5050 5100 5190 6667 11999
allif={$extif, intif}
table <allowedclients> persist file /etc/allowedclients
table <blockedclients> persist file /etc/blockedclients
scrub in all
altq on $extif cbq bandwidth 500Kb queue { def, msn, www, https, smtp, ssh, ftp }
queue ftp bandwidth 10% cbq(borrow red)
queue www bandwidth 30% cbq(borrow red)
queue https bandwidth 30% cbq(borrow red)
queue ssh bandwidth 10% cbq(borrow red)
queue def bandwidth 10% cbq(default borrow red)
queue smtp bandwidth 10% cbq
nat on $extif inet proto { tcp, udp } from <allowedclients> to any port { $ports } -> $extad
rdr on $intif proto tcp from <allowedclients> to any port 80 -> $chadd port 8080
rdr on $extif proto tcp from any to $extad port 25 -> $mailserver port 25
rdr on $extif proto tcp from any to $extad port 80 -> $mailserver port 80
pass out on $extif inet proto { tcp, udp } from <allowedclients> to any port { $ports }
pass in on extif proto tcp from <allowedclients> to any port msn queue msn
pass in on extif proto tcp from <allowedclients> to any port ssh queue ssh
pass in on extif proto tcp from <allowedclients> to any port www queue https
pass in on extif proto tcp from <allowedclients> to any port www queue www
pass in on extif proto tcp from <allowedclients> to any port smtp queue smtp
pass in on extif proto tcp from <allowedclients> to any port ftp queue ftp
pass out on extif inet proto udp from any to <allowedclients> port msn queue msn
pass out on extif inet proto udp from any to <allowedclients> port ssh queue ssh
pass out on extif inet proto udp from any to <allowedclients> port www queue https
pass out on extif inet proto udp from any to <allowedclients> port www queue www
pass out on extif inet proto udp from any to <allowedclients> port smtp queue smtp
pass out on extif inet proto udp from any to <allowedclients> port ftp queue ftp

Stingray



Re: is this logically correct?

2006-08-15 Thread Jason Dixon

On Aug 15, 2006, at 1:17 PM, S t i n g r a y wrote:

Sorry for reposting, but as no one answered, I need to confirm urgently.
Here is my first traffic shaping pf.conf file. Although there weren't any
syntax mistakes, can you have a look at it and see if there is any logical
mistake?


I suspect that nobody has replied because they're tired of proofing  
your ruleset every time you make a change.  This is the ~15th time  
you've asked the list to review your pf.conf in the last 3 months.   
At some point you need to trust your own skills.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: is this logically correct?

2006-08-15 Thread Ste Jones

On 8/15/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Sorry for reposting, but as no one answered, I need to confirm urgently.
Here is my first traffic shaping pf.conf file. Although there weren't any
syntax mistakes, can you have a look at it and see if there is any logical
mistake?

Would be very grateful.

Regards


intif=epic0
intnet=10.0.0.0/16
extif=fxp0
extad=192.168.0.2/32
chadd=10.0.0.1/32
servers=10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6
mailserver=10.0.0.2
vip=10.0.0.5
ports = 21 22 25 53 80 110 119 123 143 443 554 1755 1863 3389 5000 5001 5050 5100 5190 6667 11999
allif={$extif, intif}
table <allowedclients> persist file /etc/allowedclients
table <blockedclients> persist file /etc/blockedclients
scrub in all
altq on $extif cbq bandwidth 500Kb queue { def, msn, www, https, smtp, ssh, ftp }
queue ftp bandwidth 10% cbq(borrow red)
queue www bandwidth 30% cbq(borrow red)
queue https bandwidth 30% cbq(borrow red)
queue ssh bandwidth 10% cbq(borrow red)
queue def bandwidth 10% cbq(default borrow red)
queue smtp bandwidth 10% cbq
nat on $extif inet proto { tcp, udp } from <allowedclients> to any port { $ports } -> $extad
rdr on $intif proto tcp from <allowedclients> to any port 80 -> $chadd port 8080
rdr on $extif proto tcp from any to $extad port 25 -> $mailserver port 25
rdr on $extif proto tcp from any to $extad port 80 -> $mailserver port 80
pass out on $extif inet proto { tcp, udp } from <allowedclients> to any port { $ports }
pass in on extif proto tcp from <allowedclients> to any port msn queue msn
pass in on extif proto tcp from <allowedclients> to any port ssh queue ssh
pass in on extif proto tcp from <allowedclients> to any port www queue https
pass in on extif proto tcp from <allowedclients> to any port www queue www
pass in on extif proto tcp from <allowedclients> to any port smtp queue smtp
pass in on extif proto tcp from <allowedclients> to any port ftp queue ftp
pass out on extif inet proto udp from any to <allowedclients> port msn queue msn
pass out on extif inet proto udp from any to <allowedclients> port ssh queue ssh
pass out on extif inet proto udp from any to <allowedclients> port www queue https
pass out on extif inet proto udp from any to <allowedclients> port www queue www
pass out on extif inet proto udp from any to <allowedclients> port smtp queue smtp
pass out on extif inet proto udp from any to <allowedclients> port ftp queue ftp



Shouldn't allif={$extif, intif} be allif={$extif, $intif}?

If you want to verify the queues, install pftop (in the ports) and
check the Queue View when you have a bit of traffic to see if they are
being added to the correct one.

cheers
ste
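Ste's catch (`intif` without the `$`) is the kind of slip `pfctl -nf` will not report: a bare name inside `{ }` is simply read as an interface called `intif`, and the same thing happens with the `on extif` rules further down. The script below is an added example written for this page, not code from the thread or from pf's own tools. It reads a pf.conf twice with awk, first collecting the macro names defined with `name=...`, then reporting every place one of those names appears as a bare token (in a rule, or on the right-hand side of another macro) instead of as `$name`. The sample ruleset it runs on is constructed for the example and only borrows a few lines from the one posted above; the function name `check_bare_macros` is my own.

```sh
#!/bin/sh
# Added example for this page, not code from the thread or from pf itself.
# check_bare_macros FILE: report pf.conf macro names that appear as bare
# tokens instead of $name. pfctl -nf does not warn about this; a bare name
# is simply read as a literal interface, host or port.
check_bare_macros() {
    awk '
    # pass 1 (FNR == NR): collect macro names from "name = value" lines
    FNR == NR {
        if (match($0, /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {
            name = substr($0, 1, RLENGTH - 1)
            sub(/[ \t]*$/, "", name)
            macros[name] = 1
        }
        next
    }
    # pass 2: scan every non-comment line for bare uses of those names
    /^[ \t]*#/ { next }
    {
        line = $0
        # for a definition, only the value part is of interest
        if (match(line, /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/))
            line = substr(line, RLENGTH + 1)
        # ignore anything inside double quotes (file names, quoted values)
        gsub(/"[^"]*"/, "", line)
        n = split(line, tok, /[ \t{},()]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t in macros)
                printf "%d: bare macro name \"%s\" (did you mean $%s?)\n", FNR, t, t
        }
    }' "$1" "$1"
}

# Constructed sample, loosely modelled on the posted ruleset (not the poster's file).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
intif=epic0
extif=fxp0
allif={$extif, intif}
table <allowedclients> persist file "/etc/allowedclients"
altq on $extif cbq bandwidth 500Kb queue { def, www }
queue www bandwidth 30% cbq(borrow red)
queue def bandwidth 10% cbq(default borrow red)
pass in on extif proto tcp from <allowedclients> to any port www queue www
pass in on $intif proto tcp from <allowedclients> to any port www queue www
EOF

# Expected: line 3 flags "intif", line 8 flags "extif"; line 9 is clean.
check_bare_macros "$SAMPLE"
```

Run it next to `pfctl -nf /etc/pf.conf`, not instead of it: the syntax check still catches everything it used to, this only adds the one class of mistake it stays quiet about. Expect noise if a macro happens to share its name with a queue, service or interface name used elsewhere in the file, and once the file loads, pftop's queue view (or `pfctl -vsq`) is still the way to confirm that traffic is actually landing in the queue you intended.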