.ignore писал(а): может, кто знает
когда добавляю в /etc/pf.conf вот такую строчку, чтобы не брутфорсили (по SSH)
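# Per-source rate limit for new SSH connections on the external interface:
# at most 3 simultaneous connections and 3 new connections per 600 s from one
# address; an offender is added to the <hammering> table and its existing
# states are flushed. The forum wrapped the rule mid-word ("over/load"); the
# continuation belongs at the end of the first line as restored here.
# NOTE(review): overload only *records* the address -- the table has to be
# declared (`table <hammering> persist`) and a rule such as
# `block in quick on $ext_if from <hammering>` must reference it, otherwise
# nothing is actually blocked.
pass on $ext_if inet proto tcp from any to $ext_if port ssh keep state \
    (max-src-conn 3, max-src-conn-rate 3/600, overload <hammering> flush)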
то скорость за сутки падает в два раза
если я ошибаюсь и это плод моей фантазии то поправьте меня
у меня была похожая проблема: практически совсем не качало (но, видимо, всё равно что-то мешает качать быстрее)
нашел ответ тут
http://149.20.54.209/showthread.php?t=12788
вот что помогло
# Quoted from the linked thread: Transmission's traffic is matched by the
# local socket owner (`user transmission`) rather than by port, and assigned
# to the torrents/acks queues (TCP out with sequence-number modulation, UDP
# out and everything in with plain state tracking).
# NOTE(review): the torrents/acks queues must be declared with altq elsewhere
# in pf.conf -- they are not shown here, and pfctl rejects a rule that
# references an undeclared queue.
pass out quick inet proto tcp all user transmission modulate state queue( torrents, acks )
pass out quick inet proto udp all user transmission keep state queue( torrents, acks )
pass in quick inet proto { tcp udp } all user transmission keep state queue( torrents, acks )
привожу свой конфиг PF на всякий случай
pf.conf [----] 2 L:[ 1+ 0 1/131] *(2 /4213b)= - 45 0x2D
#-------------------------------
## -- REFERENCES -- ##
#-------------------------------
# http://forum.lissyara.su/viewtopic.php?f=8&t=23427
# http://www.ХХХХХХХХХ.ru/base/net/freebsd_gw3.txt.html
# pfctl -ef /etc/pf.conf
# translit<---><------>http://translit.33b.ru/
#--------------------
## -- INTERFACE -- ##
#--------------------
# External (Internet-facing) and internal (LAN) interfaces.
ext_if = "rl0"
int_if = "rl1"
#--------------------
## -- IP address -- ##
#--------------------
# LAN prefix; the value is redacted in this paste (the comma is presumably a
# typo for a dot -- pf would reject it as written).
lannet = "х.х,х.х/24"
# Private, link-local, documentation and bogon ranges that must never appear
# as a source on $ext_if.
# NOTE(review): the list is cut off here (no closing `}"`), so this line is
# not loadable as shown -- the original file presumably continues.
private_nets= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0
#----------------
## -- PORTs -- ##
#----------------
# Outbound services LAN clients may use; only referenced by a commented-out
# rule below, so currently unused.
client_ports = "{20, 21, 25, 53, 80, 110, 143, 443, 465, 995, 1723, 3128, 8021, 9001, 9091, >=49151 }"
# Empty and unused (the Transmission rules below match on the socket owner
# instead of a port).
torrent_port = "{ }"
#-------------------------------
## -- NORMALIZATION traffic -- ##
#-------------------------------
# Blocked packets are dropped silently (no TCP RST / ICMP unreachable).
set block-policy drop
# States are not bound to the interface they were created on.
set state-policy floating
# Interface whose counters `pfctl -s info` reports.
set loginterface $ext_if
# Upper bounds for the fragment-reassembly pool (scrub) and for the state
# table (keep state).
set limit { frags 100000, states 100000 }
# Default timeout profile.
set optimization normal
# Do not filter on the loopback and internal interfaces at all.
# NOTE(review): `set skip` makes pf ignore these interfaces entirely, so the
# `rdr on $int_if`, `antispoof ... $int_if` and `pass in on $int_if` rules
# below appear to have no effect while $int_if is skipped -- confirm this is
# intended (everything from the LAN is then accepted unfiltered).
#set skip on $ext_if
set skip on $int_if
set skip on lo0
# Normalise (reassemble / sanity-check) all inbound traffic on all interfaces.
scrub in all
#--------------------
## -- NAT & RDR -- ##
#--------------------
# NAT on the external interface: everything not sourced from $ext_if's own
# address leaves with that address. The parentheses make pf re-read the
# address when it changes (e.g. DHCP).
#nat on $ext_if inet from $lannet to any -> $ext_if
nat on $ext_if from ! ($ext_if) to any -> ($ext_if)
# so BitTorrent client on internal machine works better
#rdr pass on $ext_if proto { tcp, udp } from any to any port 6881:6899 -> х.х.х.х/24 port 6881:*
# Transparently redirect LAN web clients to squid (see the `set skip` note
# above regarding $int_if).
rdr on $int_if proto tcp from $lannet to any port www -> 127.0.0.1 port 3129
#-----------------------
## -- RULES FILTER -- ##
#-----------------------
# Anti-spoofing: drop packets whose source address belongs to one of these
# interfaces' networks but that arrive on a different interface.
antispoof quick for { lo0, $int_if, $ext_if }
## -- Default deny: block and log everything not explicitly passed below -- ##
block log all
# Drop private/bogon sources on the external interface (not logged), and block
# NetBIOS/SMB ports in both directions, plus inbound DNS/NNTP and outbound
# NNTP (logged).
block drop in quick on $ext_if from $private_nets to any
block in log on $ext_if proto { tcp, udp } from any port { 135, 137, 138, 139, 445 }
block in log on $ext_if proto { tcp, udp } to any port { 53, 119, 135, 137, 138, 139, 445 }
block out log on $ext_if proto { tcp, udp } from any port { 119, 135, 137, 138, 139, 445 }
block out log on $ext_if proto { tcp, udp } to any port { 135, 137, 138, 139, 445 }
# Allow ICMP echo requests in and out on every interface (no `quick`, so a
# later matching rule could still override).
pass inet proto icmp icmp-type echoreq
# Allow DNS queries from the LAN to the gateway itself.
pass in on $int_if proto udp from $lannet to $int_if port domain
# Allow NTP from the LAN to the gateway itself.
pass in on $int_if proto udp from $lannet to $int_if port ntp
# Transmission (BitTorrent): match by the owning local user instead of by port
# and classify into the torrents/acks queues.
# NOTE(review): no altq/queue definitions appear in this listing; unless they
# are declared elsewhere, pfctl should refuse to load these rules.
# NOTE(review): `pass in quick ... user transmission` admits inbound traffic
# on $ext_if to *any* socket owned by transmission -- including its RPC
# listener if that is bound to 0.0.0.0 -- leaving rpc-whitelist and the RPC
# password as the only controls. Consider limiting this rule to the peer port.
pass out quick inet proto tcp all user transmission modulate state queue( torrents, acks )
pass out quick inet proto udp all user transmission keep state queue( torrents, acks )
pass in quick inet proto { tcp udp } all user transmission keep state queue( torrents, acks )
# test
# pass in on $int_if from $lannet to any
# Let LAN client services out (disabled)
#pass in on $int_if proto tcp from $lannet to any port $client_ports
# Allow the gateway itself unrestricted outbound traffic on both interfaces.
# The tcp rules carry no explicit `keep state`; on pf versions where state is
# kept by default that is equivalent -- confirm for this host's pf version.
pass out on $ext_if proto tcp from any to any
pass out on $ext_if proto udp from any to any keep state
pass out on $int_if proto tcp from any to any
pass out on $int_if proto udp from any to any keep state
#--------------------------
## -- INCOMING FILTER -- ##
#--------------------------
#-------------------------
## -- SSH CONNECTING -- ##
#-------------------------
# SSH: explicitly blocked (and logged) on the external interface, allowed from
# the internal one. The per-source rate-limit rule discussed in the thread is
# not part of this listing.
block in log on $ext_if proto tcp from any to any port { 22 }
pass in on $int_if proto tcp from any to any port { 22 }
#----------------
## -- OTHER -- ##
#----------------
#block in quick from any os NMAP
#block in quick from any os nmap to any
ну и на всякий случай, вдогонку, конфиг Transmission
{
"alt-speed-down": 50,
"alt-speed-enabled": false,
"alt-speed-time-begin": 540,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 1020,
"alt-speed-up": 50,
"bind-address-ipv4": "0.0.0.0",
"bind-address-ipv6": "::",
"blocklist-enabled": false,
"dht-enabled": true,
"download-dir": "\/usr\/home\/torrents",
"encryption": 1,
"incomplete-dir": "\/usr\/home\/transmission\/incomplete",
"incomplete-dir-enabled": true,
"lazy-bitfield-enabled": true,
"message-level": 2,
"open-file-limit": 32,
"peer-limit-global": 240,
"peer-limit-per-torrent": 60,
"peer-port": 51413,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": 0,
"pex-enabled": true,
"port-forwarding-enabled": true,
"preallocation": 1,
"proxy": "",
"proxy-auth-enabled": false,
"proxy-auth-password": "",
"proxy-auth-username": "",
"proxy-enabled": false,
"proxy-port": 80,
"proxy-type": 0,
"ratio-limit": 2.0000,
"ratio-limit-enabled": false,
"rename-partial-files": true,
"rpc-authentication-required": true,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-password": " xxxxxxxxxxxxxxxxxxxxxxxxx ",
"rpc-port": xxxxxx,
"rpc-username": "traker_BSD",
"rpc-whitelist": "x.x.x.x,x.x.x.*",
"rpc-whitelist-enabled": true,
"speed-limit-down": 1000,
"speed-limit-down-enabled": false,
"speed-limit-up": 1,
"speed-limit-up-enabled": false,
"umask": 18,
"upload-slots-per-torrent": 14
}