PF and ALTQ: what am I doing wrong?

mnz
private
Posts: 10
Joined: 2009-01-19 7:57:16

Post by mnz » 2009-02-16 7:59:45

Hi all. Until now I have only dealt with traffic shaping on Linux; now I need to set it up on FreeBSD. The Internet link is 1280/1280, and the link to the provider's local network is 8000/1830 (the speed of the ADSL modem). After applying the rules, Internet speed drops to 200-300 kbit/s (although borrow is set on all queues), and ping jumps to 1500-2000 ms, even though the link is not loaded at all. What's more, even ssh drops when connecting from the 100 Mbit network side... :smile: The server runs FreeBSD 7.1 with 2 PPPoE connections via mpd5, to the Internet and to the provider's local network respectively; NAT and the firewall are in ipfw... For now I am shaping outgoing traffic only. Can you tell me what is wrong with the rules?

Code:

inet_if="ng0"
dml_if="ng1"
netbook_ip="10.10.10.4"
computer_ip="10.10.10.2"
dml_net="10.152.0.0/16"

set block-policy drop

scrub all no-df random-id reassemble tcp
scrub in all fragment reassemble

altq on $inet_if cbq bandwidth 1150Kb queue \
  { computer_ext_inet, server_ext_inet, netbook_ext_inet }
queue computer_ext_inet bandwidth 400Kb cbq(borrow) { computer_ext_icmp_inet, \
  computer_ext_mail_inet, computer_ext_http_inet, computer_ext_other_inet }
  queue computer_ext_icmp_inet   bandwidth  5% priority 7 cbq(red borrow)
  queue computer_ext_mail_inet   bandwidth 35% priority 5 cbq(red borrow)
  queue computer_ext_http_inet   bandwidth 35% priority 3 cbq(red borrow)
  queue computer_ext_other_inet  bandwidth 25% priority 1 cbq(default red borrow)
queue server_ext_inet bandwidth 350Kb cbq(borrow) { server_ext_dns_inet, \
  server_ext_icmp_inet, server_ext_ssh_inet, server_ext_http_inet, \
  server_ext_other_inet }
  queue server_ext_dns_inet    bandwidth 10% priority 6 cbq(red borrow)
  queue server_ext_icmp_inet   bandwidth  5% priority 7 cbq(red borrow)
  queue server_ext_ssh_inet    bandwidth 30% priority 5 cbq(red borrow)
  queue server_ext_http_inet   bandwidth 30% priority 3 cbq(red borrow)
  queue server_ext_other_inet  bandwidth 25% priority 1 cbq(red borrow)
queue netbook_ext_inet bandwidth 400Kb cbq(borrow) { netbook_ext_icmp_inet, \
  netbook_ext_mail_inet, netbook_ext_http_inet, netbook_ext_other_inet }
  queue netbook_ext_icmp_inet  bandwidth  5% priority 7 cbq(red borrow)
  queue netbook_ext_mail_inet  bandwidth 35% priority 5 cbq(red borrow)
  queue netbook_ext_http_inet  bandwidth 35% priority 3 cbq(red borrow)
  queue netbook_ext_other_inet bandwidth 25% priority 1 cbq(red borrow)

altq on $dml_if cbq bandwidth 1650Kb queue { computer_ext_dml, \
  server_ext_dml, netbook_ext_dml }
queue computer_ext_dml bandwidth 150Kb cbq(borrow) { computer_ext_icmp_dml, \
  computer_ext_http_dml, computer_ext_other_dml }
  queue computer_ext_icmp_dml   bandwidth  5% priority 7 cbq(default red borrow)
  queue computer_ext_http_dml   bandwidth 50% priority 3 cbq(red borrow)
  queue computer_ext_other_dml  bandwidth 45% priority 1 cbq(red borrow)
queue server_ext_dml bandwidth 200Kb cbq(borrow) { server_ext_dns_dml, \
  server_ext_icmp_dml, server_ext_ssh_dml, server_ext_http_dml, \
  server_ext_other_dml }
  queue server_ext_dns_dml    bandwidth 10% priority 6 cbq(red borrow)
  queue server_ext_icmp_dml   bandwidth  5% priority 7 cbq(red borrow)
  queue server_ext_ssh_dml    bandwidth 30% priority 5 cbq(red borrow)
  queue server_ext_http_dml   bandwidth 30% priority 3 cbq(red borrow)
  queue server_ext_other_dml  bandwidth 25% priority 1 cbq(red borrow)
queue netbook_ext_dml bandwidth 150Kb cbq(borrow) { netbook_ext_icmp_dml, \
  netbook_ext_http_dml, netbook_ext_other_dml }
  queue netbook_ext_icmp_dml  bandwidth  5% priority 7 cbq(red borrow)
  queue netbook_ext_http_dml  bandwidth 50% priority 3 cbq(red borrow)
  queue netbook_ext_other_dml bandwidth 45% priority 1 cbq(red borrow)

block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
block in log quick proto tcp flags FUP/FUP
block in log quick proto tcp flags SF/SFRA
block in log quick proto tcp flags /SFRA
#block in log quick proto tcp flags SFUP/SFRAU
block in log quick proto tcp flags FPU/SFRAUP
block in log quick proto tcp flags F/SFRA
block in log quick proto tcp flags U/SFRAU
block in log quick proto tcp flags P/P

pass out quick proto tcp from $computer_ip to $dml_net port { 80, 1080, 8080 } queue computer_ext_http_dml
pass out quick proto icmp from $computer_ip to $dml_net queue computer_ext_icmp_dml
pass out quick proto { tcp, udp, icmp } from $computer_ip to $dml_net queue computer_ext_other_dml

pass out quick proto tcp from $netbook_ip to $dml_net port { 80, 1080, 8080 } queue netbook_ext_http_dml
pass out quick proto icmp from $netbook_ip to $dml_net queue netbook_ext_icmp_dml
pass out quick proto { tcp, udp, icmp } from $netbook_ip to $dml_net queue netbook_ext_other_dml

pass out quick proto udp from me to $dml_net port 53 queue server_ext_dns_dml
pass out quick proto icmp from me to $dml_net queue server_ext_icmp_dml
pass out quick proto tcp from me to $dml_net port { 80, 1080, 8080 } queue server_ext_http_dml
pass out quick proto tcp from me port 80 to $dml_net queue server_ext_http_dml
pass out quick proto tcp from me port 22 to $dml_net queue server_ext_ssh_dml
pass out quick proto { tcp, udp, icmp } from me to $dml_net queue server_ext_other_dml

pass out quick proto tcp from $computer_ip to any port { 80, 1080, 8080 } queue computer_ext_http_inet
pass out quick proto icmp from $computer_ip to any queue computer_ext_icmp_inet
pass out quick proto { tcp, udp, icmp } from $computer_ip to any queue computer_ext_other_inet

pass out quick proto tcp from $netbook_ip to any port { 80, 1080, 8080 } queue netbook_ext_http_inet
pass out quick proto icmp from $netbook_ip to any queue netbook_ext_icmp_inet
pass out quick proto { tcp, udp, icmp } from $netbook_ip to any queue netbook_ext_other_inet

pass out quick proto udp from me to any port 53 queue server_ext_dns_inet
pass out quick proto icmp from me to any queue server_ext_icmp_inet
pass out quick proto tcp from me to any port { 80, 1080, 8080 } queue server_ext_http_inet
pass out quick proto tcp from me port 80 to any queue server_ext_http_inet
pass out quick proto tcp from me port 22 to any queue server_ext_ssh_inet
pass out quick proto { tcp, udp, icmp } from me to any queue server_ext_other_inet

pass in all
pass out all

zingel
beastie
Posts: 6204
Joined: 2007-10-30 3:56:49
Location: Moscow

Re: PF and ALTQ: what am I doing wrong?

Post by zingel » 2009-02-16 8:15:09

well, first of all, add

Code:

set optimization aggressive

and

Code:

set limit states 10000

and secondly, show us

Code:

pfctl -sa

Z301171463546 - you can donate money to me

mnz
private
Posts: 10
Joined: 2009-01-19 7:57:16

Re: PF and ALTQ: what am I doing wrong?

Post by mnz » 2009-02-17 7:55:43

I added the recommended lines; it no longer hangs now, thanks. I changed the rules a bit, but traffic from the computers behind NAT still falls into the default queues...

Code:

FILTER RULES:
scrub all no-df random-id reassemble tcp fragment reassemble
scrub in all fragment reassemble
block drop in log quick proto tcp all flags FPU/FSRPAUEW
block drop in log quick proto tcp all flags FSRPAUEW/FSRPAUEW
block drop in log quick proto tcp all flags FSRAU/FSRPAUEW
block drop in log quick proto tcp all flags /FSRPAUEW
block drop in log quick proto tcp all flags SR/SR
block drop in log quick proto tcp all flags FS/FS
block drop in log quick proto tcp all flags FPU/FPU
block drop in log quick proto tcp all flags FS/FSRA
block drop in log quick proto tcp all flags /FSRA
block drop in log quick proto tcp all flags FPU/FSRPAU
block drop in log quick proto tcp all flags F/FSRA
block drop in log quick proto tcp all flags U/FSRAU
block drop in log quick proto tcp all flags P/P
pass in quick on vr0 inet proto tcp from 10.10.10.0/24 to 10.10.10.1 flags S/SA keep state queue main
pass in quick on vr0 inet proto tcp from 10.10.10.2 to 10.152.0.0/16 port = http flags S/SA keep state queue computer_ext_http_dml
pass in quick on vr0 inet proto tcp from 10.10.10.2 to 10.152.0.0/16 port = socks flags S/SA keep state queue computer_ext_http_dml
pass in quick on vr0 inet proto tcp from 10.10.10.2 to 10.152.0.0/16 port = 8080 flags S/SA keep state queue computer_ext_http_dml
pass in quick on vr0 inet proto icmp from 10.10.10.2 to 10.152.0.0/16 keep state queue computer_ext_icmp_dml
pass in quick on vr0 inet proto tcp from 10.10.10.2 to 10.152.0.0/16 flags S/SA keep state queue computer_ext_other_dml
pass in quick on vr0 inet proto udp from 10.10.10.2 to 10.152.0.0/16 keep state queue computer_ext_other_dml
pass in quick on vr0 inet proto tcp from 10.10.10.4 to 10.152.0.0/16 port = http flags S/SA keep state queue netbook_ext_http_dml
pass in quick on vr0 inet proto tcp from 10.10.10.4 to 10.152.0.0/16 port = socks flags S/SA keep state queue netbook_ext_http_dml
pass in quick on vr0 inet proto tcp from 10.10.10.4 to 10.152.0.0/16 port = 8080 flags S/SA keep state queue netbook_ext_http_dml
pass in quick on vr0 inet proto icmp from 10.10.10.4 to 10.152.0.0/16 keep state queue netbook_ext_icmp_dml
pass in quick on vr0 inet proto tcp from 10.10.10.4 to 10.152.0.0/16 flags S/SA keep state queue netbook_ext_other_dml
pass in quick on vr0 inet proto udp from 10.10.10.4 to 10.152.0.0/16 keep state queue netbook_ext_other_dml
pass out quick on ng1 inet proto udp from 10.152.208.228 to 10.152.0.0/16 port = domain keep state queue server_ext_dns_dml
pass out quick on ng1 inet proto icmp from 10.152.208.228 to 10.152.0.0/16 keep state queue server_ext_icmp_dml
pass out quick on ng1 inet proto tcp from 10.152.208.228 to 10.152.0.0/16 port = http flags S/SA keep state queue server_ext_http_dml
pass out quick on ng1 inet proto tcp from 10.152.208.228 to 10.152.0.0/16 port = socks flags S/SA keep state queue server_ext_http_dml
pass out quick on ng1 inet proto tcp from 10.152.208.228 to 10.152.0.0/16 port = 8080 flags S/SA keep state queue server_ext_http_dml
pass out quick on ng1 inet proto tcp from 10.152.208.228 port = http to 10.152.0.0/16 flags S/SA keep state queue server_ext_http_dml
pass out quick on ng1 inet proto tcp from 10.152.208.228 port = ssh to 10.152.0.0/16 flags S/SA keep state queue server_ext_ssh_dml
pass out quick on ng1 inet proto tcp from 10.152.208.228 to 10.152.0.0/16 flags S/SA keep state queue server_ext_other_dml
pass out quick on ng1 inet proto udp from 10.152.208.228 to 10.152.0.0/16 keep state queue server_ext_other_dml
pass in quick on vr0 inet proto tcp from 10.10.10.2 to any port = http flags S/SA keep state queue computer_ext_http_inet
pass in quick on vr0 inet proto tcp from 10.10.10.2 to any port = socks flags S/SA keep state queue computer_ext_http_inet
pass in quick on vr0 inet proto tcp from 10.10.10.2 to any port = 8080 flags S/SA keep state queue computer_ext_http_inet
pass in quick on vr0 inet proto icmp from 10.10.10.2 to any keep state queue computer_ext_icmp_inet
pass in quick on vr0 inet proto tcp from 10.10.10.2 to any flags S/SA keep state queue computer_ext_other_inet
pass in quick on vr0 inet proto udp from 10.10.10.2 to any keep state queue computer_ext_other_inet
pass in quick on vr0 inet proto tcp from 10.10.10.4 to any port = http flags S/SA keep state queue netbook_ext_http_inet
pass in quick on vr0 inet proto tcp from 10.10.10.4 to any port = socks flags S/SA keep state queue netbook_ext_http_inet
pass in quick on vr0 inet proto tcp from 10.10.10.4 to any port = 8080 flags S/SA keep state queue netbook_ext_http_inet
pass in quick on vr0 inet proto icmp from 10.10.10.4 to any keep state queue netbook_ext_icmp_inet
pass in quick on vr0 inet proto tcp from 10.10.10.4 to any flags S/SA keep state queue netbook_ext_other_inet
pass in quick on vr0 inet proto udp from 10.10.10.4 to any keep state queue netbook_ext_other_inet
pass out quick on ng0 inet proto udp from 94.242.144.39 to any port = domain keep state queue server_ext_dns_inet
pass out quick on ng0 inet proto icmp from 94.242.144.39 to any keep state queue server_ext_icmp_inet
pass out quick on ng0 inet proto tcp from 94.242.144.39 to any port = http flags S/SA keep state queue server_ext_http_inet
pass out quick on ng0 inet proto tcp from 94.242.144.39 to any port = socks flags S/SA keep state queue server_ext_http_inet
pass out quick on ng0 inet proto tcp from 94.242.144.39 to any port = 8080 flags S/SA keep state queue server_ext_http_inet
pass out quick on ng0 inet proto tcp from 94.242.144.39 port = http to any flags S/SA keep state queue server_ext_http_inet
pass out quick on ng0 inet proto tcp from 94.242.144.39 port = ssh to any flags S/SA keep state queue server_ext_ssh_inet
pass out quick on ng0 inet proto tcp from 94.242.144.39 to any flags S/SA keep state queue server_ext_other_inet
pass out quick on ng0 inet proto udp from 94.242.144.39 to any keep state queue server_ext_other_inet
pass in all flags S/SA keep state
pass out all flags S/SA keep state

ALTQ:
queue root_vr0 on vr0 bandwidth 100Mb priority 0 cbq( wrr root ) {main}
queue  main on vr0 bandwidth 98Mb priority 3 cbq( red borrow default )
queue root_ng0 on ng0 bandwidth 1.15Mb priority 0 cbq( wrr root ) {computer_ext_inet, server_ext_inet, netbook_ext_inet}
queue  computer_ext_inet on ng0 bandwidth 400Kb cbq( borrow ) {computer_ext_icmp_inet, computer_ext_mail_inet, computer_ext_http_inet, computer_ext_other_ine
queue   computer_ext_icmp_inet on ng0 bandwidth 20Kb priority 7 cbq( red borrow )
queue   computer_ext_mail_inet on ng0 bandwidth 140Kb priority 5 cbq( red borrow )
queue   computer_ext_http_inet on ng0 bandwidth 140Kb priority 3 cbq( red borrow )
queue   computer_ext_other_inet on ng0 bandwidth 100Kb cbq( red borrow default )
queue  server_ext_inet on ng0 bandwidth 350Kb cbq( borrow ) {server_ext_dns_inet, server_ext_icmp_inet, server_ext_ssh_inet, server_ext_http_inet, server_ext
queue   server_ext_dns_inet on ng0 bandwidth 35Kb priority 6 cbq( red borrow )
queue   server_ext_icmp_inet on ng0 bandwidth 17.50Kb priority 7 cbq( red borrow )
queue   server_ext_ssh_inet on ng0 bandwidth 105Kb priority 5 cbq( red borrow )
queue   server_ext_http_inet on ng0 bandwidth 105Kb priority 3 cbq( red borrow )
queue   server_ext_other_inet on ng0 bandwidth 87.50Kb cbq( red borrow )
queue  netbook_ext_inet on ng0 bandwidth 400Kb cbq( borrow ) {netbook_ext_icmp_inet, netbook_ext_mail_inet, netbook_ext_http_inet, netbook_ext_other_inet}
queue   netbook_ext_icmp_inet on ng0 bandwidth 20Kb priority 7 cbq( red borrow )
queue   netbook_ext_mail_inet on ng0 bandwidth 140Kb priority 5 cbq( red borrow )
queue   netbook_ext_http_inet on ng0 bandwidth 140Kb priority 3 cbq( red borrow )
queue   netbook_ext_other_inet on ng0 bandwidth 100Kb cbq( red borrow )
queue root_ng1 on ng1 bandwidth 1.65Mb priority 0 cbq( wrr root ) {computer_ext_dml, server_ext_dml, netbook_ext_dml}
queue  computer_ext_dml on ng1 bandwidth 150Kb cbq( borrow ) {computer_ext_icmp_dml, computer_ext_http_dml, computer_ext_other_dml}
queue   computer_ext_icmp_dml on ng1 bandwidth 7.50Kb priority 7 cbq( red borrow default )
queue   computer_ext_http_dml on ng1 bandwidth 75Kb priority 3 cbq( red borrow )
queue   computer_ext_other_dml on ng1 bandwidth 67.50Kb cbq( red borrow )
queue  server_ext_dml on ng1 bandwidth 200Kb cbq( borrow ) {server_ext_dns_dml, server_ext_icmp_dml, server_ext_ssh_dml, server_ext_http_dml, server_ext_othe
queue   server_ext_dns_dml on ng1 bandwidth 20Kb priority 6 cbq( red borrow )
queue   server_ext_icmp_dml on ng1 bandwidth 10Kb priority 7 cbq( red borrow )
queue   server_ext_ssh_dml on ng1 bandwidth 60Kb priority 5 cbq( red borrow )
queue   server_ext_http_dml on ng1 bandwidth 60Kb priority 3 cbq( red borrow )
queue   server_ext_other_dml on ng1 bandwidth 50Kb cbq( red borrow )
queue  netbook_ext_dml on ng1 bandwidth 150Kb cbq( borrow ) {netbook_ext_icmp_dml, netbook_ext_http_dml, netbook_ext_other_dml}
queue   netbook_ext_icmp_dml on ng1 bandwidth 7.50Kb priority 7 cbq( red borrow )
queue   netbook_ext_http_dml on ng1 bandwidth 75Kb priority 3 cbq( red borrow )
queue   netbook_ext_other_dml on ng1 bandwidth 67.50Kb cbq( red borrow )

STATES:
all tcp 10.152.198.24:411 <- 10.10.10.2:21622       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:21622 -> 10.152.198.24:411       ESTABLISHED:ESTABLISHED
all tcp 10.152.209.194:6881 <- 10.10.10.2:25492       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:25492 -> 10.152.209.194:6881       ESTABLISHED:ESTABLISHED
all tcp 10.152.203.3:411 <- 10.10.10.2:26331       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:26331 -> 10.152.203.3:411       ESTABLISHED:ESTABLISHED
all tcp 10.152.195.95:411 <- 10.10.10.2:27156       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:27156 -> 10.152.195.95:411       ESTABLISHED:ESTABLISHED
all tcp 10.152.198.136:411 <- 10.10.10.2:28675       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:28675 -> 10.152.198.136:411       ESTABLISHED:ESTABLISHED
all tcp 10.152.210.242:411 <- 10.10.10.2:28882       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:28882 -> 10.152.210.242:411       ESTABLISHED:ESTABLISHED
all tcp 10.152.196.50:411 <- 10.10.10.2:29268       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:29268 -> 10.152.196.50:411       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:6666 <- 92.113.4.35:2023       ESTABLISHED:ESTABLISHED
all tcp 92.113.4.35:2023 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 10.152.196.140:411 <- 10.10.10.2:40458       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:40458 -> 10.152.196.140:411       ESTABLISHED:ESTABLISHED
all tcp 10.152.252.98:59039 <- 10.10.10.2:15284       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:15284 -> 10.152.252.98:59039       ESTABLISHED:ESTABLISHED
all tcp 10.152.197.159:411 <- 10.10.10.2:48004       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:48004 -> 10.152.197.159:411       ESTABLISHED:ESTABLISHED
all tcp 93.84.88.249:64219 <- 10.10.10.2:42952       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:42952 -> 93.84.88.249:64219       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:6666 <- 10.152.206.229:18248       ESTABLISHED:ESTABLISHED
all tcp 10.152.206.229:18248 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 80.94.239.2:32627 <- 10.10.10.2:20922       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:20922 -> 80.94.239.2:32627       ESTABLISHED:ESTABLISHED
all tcp 94.125.51.76:34370 <- 10.10.10.2:36750       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:36750 -> 94.125.51.76:34370       ESTABLISHED:ESTABLISHED
all tcp 93.84.88.249:64219 <- 10.10.10.2:8093       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:8093 -> 93.84.88.249:64219       ESTABLISHED:ESTABLISHED
all tcp 90.151.144.39:21358 <- 10.10.10.2:51656       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:51656 -> 90.151.144.39:21358       ESTABLISHED:ESTABLISHED
all tcp 93.84.88.249:64219 <- 10.10.10.2:52327       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:52327 -> 93.84.88.249:64219       ESTABLISHED:ESTABLISHED
all tcp 10.152.196.177:411 <- 10.10.10.2:57186       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:57186 -> 10.152.196.177:411       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:6666 <- 83.167.21.11:3214       ESTABLISHED:ESTABLISHED
all tcp 83.167.21.11:3214 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 93.84.88.249:64219 <- 10.10.10.2:22146       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:22146 -> 93.84.88.249:64219       ESTABLISHED:ESTABLISHED
all tcp 92.127.116.116:63223 <- 10.10.10.2:23356       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:23356 -> 92.127.116.116:63223       ESTABLISHED:ESTABLISHED
all tcp 89.221.22.138:45362 <- 10.10.10.2:29552       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:29552 -> 89.221.22.138:45362       ESTABLISHED:ESTABLISHED
all tcp 94.125.51.76:34370 <- 10.10.10.2:35543       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:35543 -> 94.125.51.76:34370       ESTABLISHED:ESTABLISHED
all tcp 94.125.51.76:34370 <- 10.10.10.2:42004       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:42004 -> 94.125.51.76:34370       ESTABLISHED:ESTABLISHED
all tcp 94.125.51.76:34370 <- 10.10.10.2:42004       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:42004 -> 94.125.51.76:34370       ESTABLISHED:ESTABLISHED
all tcp 92.47.86.212:55396 <- 10.10.10.2:43650       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:43650 -> 92.47.86.212:55396       ESTABLISHED:ESTABLISHED
all tcp 94.125.51.76:34370 <- 10.10.10.2:54162       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:54162 -> 94.125.51.76:34370       ESTABLISHED:ESTABLISHED
all tcp 10.152.211.45:32121 <- 10.10.10.2:60769       ESTABLISHED:ESTABLISHED
all tcp 10.152.208.228:60769 -> 10.152.211.45:32121       ESTABLISHED:ESTABLISHED
all tcp 92.47.86.212:55396 <- 10.10.10.2:62588       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:62588 -> 92.47.86.212:55396       ESTABLISHED:ESTABLISHED
all udp 94.242.144.39:6666 <- 212.106.62.102:49967       MULTIPLE:MULTIPLE
all udp 212.106.62.102:49967 -> 10.10.10.2:6666       MULTIPLE:MULTIPLE
all tcp 94.242.144.39:6666 <- 93.84.88.249:3071       ESTABLISHED:ESTABLISHED
all tcp 93.84.88.249:3071 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:6666 <- 84.109.161.147:2406       ESTABLISHED:ESTABLISHED
all tcp 84.109.161.147:2406 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:6666 <- 85.174.132.118:1188       ESTABLISHED:ESTABLISHED
all tcp 85.174.132.118:1188 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:6666 <- 217.115.186.68:15916       ESTABLISHED:ESTABLISHED
all tcp 217.115.186.68:15916 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:6666 <- 78.36.132.76:49417       ESTABLISHED:ESTABLISHED
all tcp 78.36.132.76:49417 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all tcp 217.25.225.21:51413 <- 10.10.10.2:23159       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:23159 -> 217.25.225.21:51413       ESTABLISHED:ESTABLISHED
all tcp 188.17.9.142:40818 <- 10.10.10.2:23711       ESTABLISHED:ESTABLISHED
all tcp 94.242.144.39:23711 -> 188.17.9.142:40818       ESTABLISHED:ESTABLISHED
all udp 94.242.144.39:6666 <- 93.81.8.128:57944       MULTIPLE:MULTIPLE
all udp 93.81.8.128:57944 -> 10.10.10.2:6666       MULTIPLE:MULTIPLE
all udp 10.152.208.228:6666 <- 10.152.157.174:35694       MULTIPLE:MULTIPLE
all udp 10.152.157.174:35694 -> 10.10.10.2:6666       MULTIPLE:MULTIPLE
all tcp 94.242.144.39:6666 <- 87.218.124.18:1455       FIN_WAIT_2:FIN_WAIT_2
all tcp 87.218.124.18:1455 -> 10.10.10.2:6666       FIN_WAIT_2:FIN_WAIT_2
all tcp 94.242.144.39:6666 <- 89.162.241.112:59510       ESTABLISHED:ESTABLISHED
all tcp 89.162.241.112:59510 -> 10.10.10.2:6666       ESTABLISHED:ESTABLISHED
all udp 10.152.208.228:6666 <- 10.152.204.245:49967       MULTIPLE:MULTIPLE
all udp 10.152.204.245:49967 -> 10.10.10.2:6666       MULTIPLE:MULTIPLE
all tcp 62.148.136.156:55160 <- 10.10.10.2:28129       TIME_WAIT:TIME_WAIT
all tcp 94.242.144.39:28129 -> 62.148.136.156:55160       TIME_WAIT:TIME_WAIT
all udp 127.0.0.1:62247 -> 127.0.0.1:512       SINGLE:NO_TRAFFIC
all udp 127.0.0.1:512 <- 127.0.0.1:62247       NO_TRAFFIC:SINGLE
all tcp 94.242.144.39:6666 <- 212.106.62.102:3028       TIME_WAIT:TIME_WAIT
all tcp 212.106.62.102:3028 -> 10.10.10.2:6666       TIME_WAIT:TIME_WAIT
all tcp 10.152.12.86:57848 <- 10.10.10.2:28318       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28318 -> 10.152.12.86:57848       TIME_WAIT:TIME_WAIT
all tcp 10.152.12.38:10188 <- 10.10.10.2:28336       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28336 -> 10.152.12.38:10188       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.12.68:43360 <- 10.10.10.2:28352       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28352 -> 10.152.12.68:43360       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.201.152:56379 <- 10.10.10.2:28340       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28340 -> 10.152.201.152:56379       TIME_WAIT:TIME_WAIT
all tcp 10.152.200.242:415 <- 10.10.10.2:28365       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28381 -> 10.152.204.190:30585       TIME_WAIT:TIME_WAIT
all tcp 88.205.152.64:56511 <- 10.10.10.2:28387       FIN_WAIT_2:FIN_WAIT_2
all tcp 94.242.144.39:28387 -> 88.205.152.64:56511       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.211.200:51609 <- 10.10.10.2:28392       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28392 -> 10.152.211.200:51609       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.203.174:57944 <- 10.10.10.2:28394       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28394 -> 10.152.203.174:57944       FIN_WAIT_2:FIN_WAIT_2
all tcp 90.189.45.123:54148 <- 10.10.10.2:28395       FIN_WAIT_2:FIN_WAIT_2
all tcp 94.242.144.39:28395 -> 90.189.45.123:54148       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.204.190:30585 <- 10.10.10.2:28402       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28402 -> 10.152.204.190:30585       TIME_WAIT:TIME_WAIT
all tcp 62.148.136.111:31715 <- 10.10.10.2:28403       FIN_WAIT_2:FIN_WAIT_2
all tcp 94.242.144.39:28403 -> 62.148.136.111:31715       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.158.126:55160 <- 10.10.10.2:28409       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28409 -> 10.152.158.126:55160       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:6666 <- 10.152.203.174:34408       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.203.174:34408 -> 10.10.10.2:6666       FIN_WAIT_2:FIN_WAIT_2
all tcp 212.106.61.80:52311 <- 10.10.10.2:28327       CLOSED:SYN_SENT
all tcp 94.242.144.39:28327 -> 212.106.61.80:52311       SYN_SENT:CLOSED
all tcp 10.152.158.8:54380 <- 10.10.10.2:28338       CLOSED:SYN_SENT
all tcp 10.152.208.228:28338 -> 10.152.158.8:54380       SYN_SENT:CLOSED
all tcp 10.152.163.187:28379 <- 10.10.10.2:28329       CLOSED:SYN_SENT
all tcp 10.152.208.228:28329 -> 10.152.163.187:28379       SYN_SENT:CLOSED
all tcp 10.152.208.228:6666 <- 10.10.10.2:28331       CLOSED:SYN_SENT
all tcp 10.152.208.228:6666 <- 10.10.10.2:28335       CLOSED:SYN_SENT
all tcp 10.152.205.16:37705 <- 10.10.10.2:28425       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28425 -> 10.152.205.16:37705       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.205.51:17225 <- 10.10.10.2:28418       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28418 -> 10.152.205.51:17225       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:6666 <- 10.10.10.2:28346       CLOSED:SYN_SENT
all tcp 10.152.208.228:6666 <- 10.10.10.2:28353       CLOSED:SYN_SENT
all tcp 10.152.158.150:20899 <- 10.10.10.2:28349       CLOSED:SYN_SENT
all tcp 10.152.208.228:28349 -> 10.152.158.150:20899       SYN_SENT:CLOSED
all tcp 10.152.195.95:80 <- 10.10.10.2:28438       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28438 -> 10.152.195.95:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.198.216:21497 <- 10.10.10.2:28439       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28439 -> 10.152.198.216:21497       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.162.76:63222 <- 10.10.10.2:28446       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28446 -> 10.152.162.76:63222       TIME_WAIT:TIME_WAIT
all tcp 10.152.215.62:10507 <- 10.10.10.2:28455       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:28455 -> 10.152.215.62:10507       TIME_WAIT:TIME_WAIT
all tcp 10.152.208.228:6666 <- 10.10.10.2:28360       CLOSED:SYN_SENT
all tcp 10.152.208.228:6666 <- 10.10.10.2:28363       CLOSED:SYN_SENT
all tcp 10.152.208.228:6666 <- 10.10.10.2:28362       CLOSED:SYN_SENT
all tcp 10.152.152.23:52385 <- 10.10.10.2:28369       CLOSED:SYN_SENT
all tcp 10.152.208.228:28369 -> 10.152.152.23:52385       SYN_SENT:CLOSED
all tcp 10.152.4.213:11811 <- 10.10.10.2:28370       CLOSED:SYN_SENT
all tcp 10.152.208.228:28370 -> 10.152.4.213:11811       SYN_SENT:CLOSED
all tcp 10.152.4.213:11811 <- 10.10.10.2:28367       CLOSED:SYN_SENT
all tcp 10.152.208.228:28367 -> 10.152.4.213:11811       SYN_SENT:CLOSED
all tcp 10.152.12.101:37090 <- 10.10.10.2:28460       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28460 -> 10.152.12.101:37090       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.207.59:30501 <- 10.10.10.2:28463       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28463 -> 10.152.207.59:30501       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.200.242:415 <- 10.10.10.2:28465       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28465 -> 10.152.200.242:415       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.213.60:32925 <- 10.10.10.2:28466       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28466 -> 10.152.213.60:32925       FIN_WAIT_2:FIN_WAIT_2
all tcp 91.77.63.40:42222 <- 10.10.10.2:28474       FIN_WAIT_2:FIN_WAIT_2
all tcp 94.242.144.39:28474 -> 91.77.63.40:42222       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.255.69:29715 <- 10.10.10.2:28480       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.208.228:28480 -> 10.152.255.69:29715       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.152.152.207:6881 <- 10.10.10.2:28483       FIN_WAIT_2:FIN_WAIT_2

INFO:
Status: Enabled for 0 days 11:21:47           Debug: Urgent

State Table                          Total             Rate
  current entries                      415
  searches                        27989518          684.2/s
  inserts                           695676           17.0/s
  removals                          695261           17.0/s
Counters
  match                             700030           17.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          164            0.0/s
  state-mismatch                       718            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                    30s
tcp.opening                   5s
tcp.established           18000s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s
tcp.tsdiff                   10s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
696 fingerprints loaded
Queues:

Code: Select all

# pfctl -sq -v
queue root_vr0 on vr0 bandwidth 100Mb priority 0 cbq( wrr root ) {main}
  [ pkts:    6224409  bytes: 3704840495  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  main on vr0 bandwidth 98Mb priority 3 cbq( red borrow default )
  [ pkts:    6224409  bytes: 3704840495  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue root_ng0 on ng0 bandwidth 1.15Mb priority 0 cbq( wrr root ) {computer_ext_inet, server_ext_inet, netbook_ext_inet}
  [ pkts:    2842760  bytes:  480342440  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  computer_ext_inet on ng0 bandwidth 400Kb cbq( borrow ) {computer_ext_icmp_inet, computer_ext_mail_inet, computer_ext_http_inet, computer_ext_other_inet}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:  11547  suspends:      0 ]
queue   computer_ext_icmp_inet on ng0 bandwidth 20Kb priority 7 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   computer_ext_mail_inet on ng0 bandwidth 140Kb priority 5 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   computer_ext_http_inet on ng0 bandwidth 140Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   computer_ext_other_inet on ng0 bandwidth 100Kb cbq( red borrow default )
  [ pkts:    1147309  bytes:  184216808  dropped pkts:   1814 bytes: 811422 ]
  [ qlength:   0/ 50  borrows:  71250  suspends:   1753 ]
queue  server_ext_inet on ng0 bandwidth 350Kb cbq( borrow ) {server_ext_dns_inet, server_ext_icmp_inet, server_ext_ssh_inet, server_ext_http_inet, server_ext_other_inet}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:  41877  suspends:      0 ]
queue   server_ext_dns_inet on ng0 bandwidth 35Kb priority 6 cbq( red borrow )
  [ pkts:        706  bytes:      55455  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   server_ext_icmp_inet on ng0 bandwidth 17.50Kb priority 7 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   server_ext_ssh_inet on ng0 bandwidth 105Kb priority 5 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   server_ext_http_inet on ng0 bandwidth 105Kb priority 3 cbq( red borrow )
  [ pkts:      19116  bytes:    6022207  dropped pkts:     50 bytes:  43014 ]
  [ qlength:   0/ 50  borrows:   2281  suspends:    163 ]
queue   server_ext_other_inet on ng0 bandwidth 87.50Kb cbq( red borrow )
  [ pkts:    1675629  bytes:  290047970  dropped pkts:  17666 bytes: 4464710 ]
  [ qlength:   0/ 50  borrows: 384225  suspends:   2586 ]
queue  netbook_ext_inet on ng0 bandwidth 400Kb cbq( borrow ) {netbook_ext_icmp_inet, netbook_ext_mail_inet, netbook_ext_http_inet, netbook_ext_other_inet}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_icmp_inet on ng0 bandwidth 20Kb priority 7 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_mail_inet on ng0 bandwidth 140Kb priority 5 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_http_inet on ng0 bandwidth 140Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_other_inet on ng0 bandwidth 100Kb cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue root_ng1 on ng1 bandwidth 1.65Mb priority 0 cbq( wrr root ) {computer_ext_dml, server_ext_dml, netbook_ext_dml}
  [ pkts:    4834016  bytes: 5147428682  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  computer_ext_dml on ng1 bandwidth 150Kb cbq( borrow ) {computer_ext_icmp_dml, computer_ext_http_dml, computer_ext_other_dml}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows: 2476344  suspends:      0 ]
queue   computer_ext_icmp_dml on ng1 bandwidth 7.50Kb priority 7 cbq( red borrow default )
  [ pkts:    2498450  bytes: 3457003780  dropped pkts:   6715 bytes: 9177344 ]
  [ qlength:   0/ 50  borrows: 2476584  suspends:      0 ]
queue   computer_ext_http_dml on ng1 bandwidth 75Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   computer_ext_other_dml on ng1 bandwidth 67.50Kb cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  server_ext_dml on ng1 bandwidth 200Kb cbq( borrow ) {server_ext_dns_dml, server_ext_icmp_dml, server_ext_ssh_dml, server_ext_http_dml, server_ext_other_dml}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows: 1977612  suspends:      0 ]
queue   server_ext_dns_dml on ng1 bandwidth 20Kb priority 6 cbq( red borrow )
  [ pkts:        787  bytes:      53375  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   server_ext_icmp_dml on ng1 bandwidth 10Kb priority 7 cbq( red borrow )
  [ pkts:         70  bytes:       5950  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   server_ext_ssh_dml on ng1 bandwidth 60Kb priority 5 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   server_ext_http_dml on ng1 bandwidth 60Kb priority 3 cbq( red borrow )
  [ pkts:      30936  bytes:    3227315  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:    911  suspends:      0 ]
queue   server_ext_other_dml on ng1 bandwidth 50Kb cbq( red borrow )
  [ pkts:    2303773  bytes: 1687138262  dropped pkts:   4580 bytes: 2704718 ]
  [ qlength:   0/ 50  borrows: 2097460  suspends:      0 ]
queue  netbook_ext_dml on ng1 bandwidth 150Kb cbq( borrow ) {netbook_ext_icmp_dml, netbook_ext_http_dml, netbook_ext_other_dml}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_icmp_dml on ng1 bandwidth 7.50Kb priority 7 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_http_dml on ng1 bandwidth 75Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   netbook_ext_other_dml on ng1 bandwidth 67.50Kb cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

mnz_home
passer-by

Re: PF and ALTQ, what am I doing wrong?

Unread post by mnz_home » 2009-02-17 18:19:53

So, does nobody know? :smile: I'd hate to move to Linux over something this silly...

mnz_home
passer-by

Re: PF and ALTQ, what am I doing wrong?

Unread post by mnz_home » 2009-02-17 21:06:11

In short, the rules match correctly:

Code: Select all

pass in quick on vr0 inet proto tcp from 10.10.10.2 to any port = http flags S/SA keep state queue computer_ext_http_inet
  [ Evaluations: 5248      Packets: 57        Bytes: 8625        States: 0     ]
  [ Inserted: uid 0 pid 3116 ]

But the packets do not end up in the queue:

Code: Select all

queue   computer_ext_http_inet on ng0 bandwidth 140Kb priority 3 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

Why don't packets from a rule that matched end up in the queue? :st:

mnz_home
passer-by

Re: PF and ALTQ, what am I doing wrong?

Unread post by mnz_home » 2009-02-17 22:53:43

Quietly talking to myself here. :crazy: I suspect that pf cannot distinguish packets tagged for a particular queue after they have passed through kernel NAT. So they all fall into the default one. Any ideas on how to beat this? Other than doing NAT with pf itself, I figured that much out on my own. :smile:
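
The symptom described in the posts above (a rule matches, yet its queue stays at zero packets while the default queue carries the traffic) can be checked mechanically from `pfctl -sq -v` output. The Python script below is an added example, not part of the original posts; the function names are hypothetical, and the embedded sample is a trimmed excerpt of the queue output posted earlier in this thread.

```python
import re
import sys
from collections import defaultdict

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)\s+(.*)$")
SCHED_RE = re.compile(r"\b(?:cbq|hfsc|priq)\(\s*([^)]*)\)")
CHILDREN_RE = re.compile(r"\{([^}]*)\}\s*$")
STATS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")

# Trimmed excerpt of the `pfctl -sq -v` output posted in this thread.
SAMPLE = """\
queue root_ng0 on ng0 bandwidth 1.15Mb priority 0 cbq( wrr root ) {computer_ext_inet, server_ext_inet, netbook_ext_inet}
  [ pkts:    2842760  bytes:  480342440  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  computer_ext_inet on ng0 bandwidth 400Kb cbq( borrow ) {computer_ext_icmp_inet, computer_ext_mail_inet, computer_ext_http_inet, computer_ext_other_inet}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:  11547  suspends:      0 ]
queue   computer_ext_http_inet on ng0 bandwidth 140Kb priority 3 cbq( red borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue   computer_ext_other_inet on ng0 bandwidth 100Kb cbq( red borrow default )
  [ pkts:    1147309  bytes:  184216808  dropped pkts:   1814 bytes: 811422 ]
  [ qlength:   0/ 50  borrows:  71250  suspends:   1753 ]
queue  server_ext_inet on ng0 bandwidth 350Kb cbq( borrow ) {server_ext_dns_inet, server_ext_icmp_inet, server_ext_ssh_inet, server_ext_http_inet, server_ext_other_inet}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:  41877  suspends:      0 ]
queue   server_ext_dns_inet on ng0 bandwidth 35Kb priority 6 cbq( red borrow )
  [ pkts:        706  bytes:      55455  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
"""


def parse_queues(text):
    """Parse `pfctl -sq -v` output into one dict per queue."""
    queues, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = QUEUE_RE.match(line)
        if m:
            name, ifname, rest = m.groups()
            sched = SCHED_RE.search(rest)      # e.g. "cbq( red borrow default )"
            kids = CHILDREN_RE.search(rest)    # trailing "{child, child, ...}"
            current = {
                "name": name,
                "ifname": ifname,
                "options": set(sched.group(1).split()) if sched else set(),
                "children": ([c.strip() for c in kids.group(1).split(",")]
                             if kids else []),
                "pkts": 0, "bytes": 0, "dropped_pkts": 0, "dropped_bytes": 0,
            }
            queues.append(current)
            continue
        s = STATS_RE.search(line)
        if s and current is not None:
            (current["pkts"], current["bytes"],
             current["dropped_pkts"], current["dropped_bytes"]) = map(int, s.groups())
    return queues


def summarize(queues):
    """Per interface: default queue, its share of leaf packets, idle leaves."""
    by_if = defaultdict(list)
    for q in queues:
        if not q["children"]:  # leaf queues are the ones rules assign packets to
            by_if[q["ifname"]].append(q)
    report = {}
    for ifname, leaves in by_if.items():
        total = sum(q["pkts"] for q in leaves)
        default = next((q for q in leaves if "default" in q["options"]), None)
        report[ifname] = {
            "default": default["name"] if default else None,
            "default_share": default["pkts"] / total if default and total else 0.0,
            # Leaves that saw no packets although the interface carried traffic.
            "starved": [q["name"] for q in leaves if q["pkts"] == 0] if total else [],
            "dropped_pkts": sum(q["dropped_pkts"] for q in leaves),
        }
    return report


if __name__ == "__main__":
    # Usage: pfctl -sq -v | python3 this_script.py   (falls back to SAMPLE on a tty)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ifname, r in summarize(parse_queues(text)).items():
        print(f"{ifname}: default={r['default']} "
              f"share={r['default_share']:.1%} dropped={r['dropped_pkts']}")
        for name in r["starved"]:
            print(f"  no packets classified into {name}")
```

A high default-queue share together with idle leaf queues whose rules do show matches in `pfctl -sr -v` points at classification being lost between the rule and the ALTQ interface, which is the situation discussed in this thread.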

mnz_home
passer-by

Re: PF and ALTQ, what am I doing wrong?

Unread post by mnz_home » 2009-02-20 21:41:49

Thanks, everyone. Figured it out after all...

paradox
passer-by
Posts: 11620
Joined: 2008-02-21 18:15:41

Re: PF and ALTQ, what am I doing wrong?

Unread post by paradox » 2009-02-20 21:44:50

well done)
describe the solution
so that people don't raise the topic again later with the same question

zingel
beastie
Posts: 6204
Joined: 2007-10-30 3:56:49
Location: Moscow

Re: PF and ALTQ, what am I doing wrong?

Unread post by zingel » 2009-02-20 21:46:41

yes, this was fixed in 7.1-STABLE, yesterday.
Z301171463546 - you can donate money to me

mnz_home
passer-by

Re: PF and ALTQ, what am I doing wrong?

Unread post by mnz_home » 2009-02-20 22:27:25

paradox wrote: well done)
describe the solution
so that people don't raise the topic again later with the same question

Basically the solution is crude: I defined the queues in pf.conf, and the rules by which packets get into the queues are in the ipfw rules (thanks to Covax for the article http://www.lissyara.su/?id=1660). :smile:

rc.gw.firewall

Code: Select all

#==================================================================================================================
${FwCmd} add 100 count altq lan_computer all from ${comp_addr} to ${lan_in_ip},${lan_in_net} via ${lan_in}
${FwCmd} add 200 count altq lan_computer all from ${lan_in_ip},${lan_in_net} to ${comp_addr} via ${lan_in}
${FwCmd} add 300 count altq lan_netbook all from ${nout_addr} to ${lan_in_ip},${lan_in_net} via ${lan_in}
${FwCmd} add 400 count altq lan_netbook all from ${lan_in_ip},${lan_in_net} to ${nout_addr} via ${lan_in}
#==================================================================================================================
${FwCmd} add 500 count altq computer_in_http_dml tcp from ${dml_local} 80,411,1080,8080 to ${comp_addr} via ${lan_in}
${FwCmd} add 600 count altq computer_in_icmp_dml icmp from ${dml_local} to ${comp_addr} via ${lan_in}
${FwCmd} add 700 count altq computer_in_other_dml all from ${dml_local} to ${comp_addr} via ${lan_in}
#==================================================================================================================
${FwCmd} add 800 count altq netbook_in_http_dml tcp from ${dml_local} 80,411,1080,8080 to ${nout_addr} via ${lan_in}
${FwCmd} add 900 count altq netbook_in_icmp_dml icmp from ${dml_local} to ${nout_addr} via ${lan_in}
${FwCmd} add 1000 count altq netbook_in_other_dml all from ${dml_local} to ${nout_addr} via ${lan_in}
#==================================================================================================================
${FwCmd} add 1100 count altq computer_in_http_inet tcp from any 80,411,1080,8080 to ${comp_addr} via ${lan_in}
${FwCmd} add 1200 count altq computer_in_icmp_inet icmp from any to ${comp_addr} via ${lan_in}
${FwCmd} add 1300 count altq computer_in_other_inet all from any to ${comp_addr} via ${lan_in}
#==================================================================================================================
${FwCmd} add 1400 count altq netbook_in_http_inet tcp from any 80,411,1080,8080 to ${nout_addr} via ${lan_in}
${FwCmd} add 1500 count altq netbook_in_icmp_inet icmp from any to ${nout_addr} via ${lan_in}
${FwCmd} add 1600 count altq netbook_in_other_inet all from any to ${nout_addr} via ${lan_in}
#==================================================================================================================

#==================================================================================================================
${FwCmd} add 1700 count altq computer_ext_http_dml tcp from ${comp_addr} to ${dml_local} 80,411,1080,8080 via ${lan_in}
${FwCmd} add 1800 count altq computer_ext_icmp_dml icmp from ${comp_addr} to ${dml_local} via ${lan_in}
${FwCmd} add 1900 count altq computer_ext_other_dml all from ${comp_addr} to ${dml_local} via ${lan_in}
#==================================================================================================================
${FwCmd} add 2000 count altq netbook_ext_http_dml tcp from ${nout_addr} to ${dml_local} 80,411,1080,8080 via ${lan_in}
${FwCmd} add 2100 count altq netbook_ext_icmp_dml icmp from ${nout_addr} to ${dml_local} via ${lan_in}
${FwCmd} add 2200 count altq netbook_ext_other_dml all from ${nout_addr} to ${dml_local} via ${lan_in}
#==================================================================================================================
${FwCmd} add 2300 count altq server_ext_dns_dml udp from ${dml_ip} to ${dml_local} 53 via ${lan_dml}
${FwCmd} add 2400 count altq server_ext_icmp_dml icmp from ${dml_ip} to ${dml_local} via ${lan_dml}
${FwCmd} add 2500 count altq server_ext_http_dml tcp from ${dml_ip} to ${dml_local} 80,411,1080,8080 via ${lan_dml}
${FwCmd} add 2600 count altq server_ext_http_dml tcp from ${dml_ip} 80 to ${dml_local} via ${lan_dml}
${FwCmd} add 2700 count altq server_ext_ssh_dml tcp from ${dml_ip} 22 to ${dml_local} via ${lan_dml}
${FwCmd} add 2800 count altq server_ext_other_dml all from ${dml_ip} to ${dml_local} via ${lan_dml}
#==================================================================================================================
${FwCmd} add 2900 count altq computer_ext_http_inet tcp from ${comp_addr} to any 80,411,1080,8080 via ${lan_in}
${FwCmd} add 3000 count altq computer_ext_icmp_inet icmp from ${comp_addr} to any via ${lan_in}
${FwCmd} add 3100 count altq computer_ext_other_inet all from ${comp_addr} to any via ${lan_in}
#==================================================================================================================
${FwCmd} add 3200 count altq netbook_ext_http_inet tcp from ${nout_addr} to any 80,411,1080,8080 via ${lan_in}
${FwCmd} add 3300 count altq netbook_ext_icmp_inet icmp from ${nout_addr} to any via ${lan_in}
${FwCmd} add 3400 count altq netbook_ext_other_inet all from ${nout_addr} to any via ${lan_in}
#==================================================================================================================
${FwCmd} add 3500 count altq server_ext_dns_inet udp from me to any 53 via ${lan_inet}
${FwCmd} add 3600 count altq server_ext_icmp_inet icmp from me to any via ${lan_inet}
${FwCmd} add 3700 count altq server_ext_http_inet tcp from me to any 80,411,1080,8080 via ${lan_inet}
${FwCmd} add 3800 count altq server_ext_http_inet tcp from me 80 to any via ${lan_inet}
${FwCmd} add 3900 count altq server_ext_ssh_inet tcp from me 22 to any via ${lan_inet}
${FwCmd} add 4000 count altq server_ext_other_inet all from me to any via ${lan_inet}
#==================================================================================================================
${FwCmd} add 4100 check-state

.... [rules]

yes, this was fixed in 7.1-STABLE, yesterday.

Good news, but I'll probably wait for the release. ;-)

PS. Does anyone remember offhand whether hfsc supports nested queues (like cbq)? I.e. constructs of the form:

Code: Select all

altq on ... hfsc ... queue ...
  queue 1 ...
  queue 2 ...
  queue 3 ...

paradox
passer-by
Posts: 11620
Joined: 2008-02-21 18:15:41

Re: PF and ALTQ, what am I doing wrong?

Unread post by paradox » 2009-02-20 22:33:39

hfsc has already been discussed at some point
search the forum
and if you need manuals on it, better look in the OpenBSD ones
they come with examples

voider
lieutenant
Posts: 830
Joined: 2008-02-21 20:35:03
Location: msk

Re: PF and ALTQ, what am I doing wrong?

Unread post by voider » 2009-02-21 0:56:42

I don't know why they don't get in; for me everything gets in, or am I missing something? Working config

Code: Select all

ext_if="re0"
int_if="rl0"
vpn_if="ng0"

table <private_net> { 192.168.0.0/24, 10.0.0.0/8, 34.41.22.87 }

set optimization aggressive
set block-policy drop
set require-order yes
set skip on lo0
scrub in all fragment reassemble
scrub out all random-id max-mss 1460


altq on $int_if bandwidth 100Mb hfsc queue { inet_in, default_in }
        queue default_in bandwidth 97Mb priority 0 hfsc(default)
        queue inet_in bandwidth 2560Kb priority 7 hfsc{ q_comp1_in, q_comp2_in, q_comp3_in }
                queue q_comp1_in bandwidth 1024Kb priority 5 hfsc(realtime 1024Kb upperlimit 2560Kb)
                queue q_comp2_in bandwidth 1024Kb priority 5 hfsc(realtime 1024Kb upperlimit 2048Kb)
                queue q_comp3_in bandwidth 512Kb priority 5 hfsc(realtime 512Kb upperlimit 512Kb)


nat on $ext_if proto { tcp udp icmp } from $int_if:network to any -> ($ext_if)
nat on $vpn_if proto { tcp udp icmp } from $int_if:network to any -> ($vpn_if)

pass out on $int_if from ! <private_net> to $comp1 queue q_comp1_in
pass out on $int_if from ! <private_net> to $comp2 queue q_comp2_in
pass out on $int_if from ! <private_net> to $comp3 queue q_comp3_in



mnz_home
passing by

Re: PF and ALTQ, what am I doing wrong?

Post by mnz_home » 2009-02-21 11:57:35

voider wrote: I don't know why they don't get matched; for me everything gets matched, or am I missing something? Working config
My nat is in ipfw, not in pf...

voider
lieutenant
Posts: 830
Joined: 2008-02-21 20:35:03
Location: msk

Re: PF and ALTQ, what am I doing wrong?

Post by voider » 2009-02-21 13:07:40

mnz_home, and what's stopping you from doing it in pf? Lack of knowledge? Or laziness?

mnz_home
passing by

Re: PF and ALTQ, what am I doing wrong?

Post by mnz_home » 2009-02-21 13:27:03

voider wrote: mnz_home, and what's stopping you from doing it in pf? Lack of knowledge? Or laziness?
For now I have no desire to touch something that works well.

voider
lieutenant
Posts: 830
Joined: 2008-02-21 20:35:03
Location: msk

Re: PF and ALTQ, what am I doing wrong?

Post by voider » 2009-02-21 23:08:44

2mnz_home: since you created this thread and want to find something out, it means it doesn't work the way you want :) => you are lying :)

mnz_home
passing by

Re: PF and ALTQ, what am I doing wrong?

Post by mnz_home » 2009-02-21 23:28:47

voider wrote: 2mnz_home: since you created this thread and want to find something out, it means it doesn't work the way you want :) => you are lying :)
The fact that I created this thread and want to find something out does not at all mean that ipfw and kernel nat don't work the way I want; more precisely, they work exactly the way I need. That's why the option with a separate shaper was preferable... => you are lying that I am lying. :ROFL: How is nat in pf better than the kernel one? By the way, thanks for the hfsc example. I set up the shaper and it's a dream: utorrent with 8 downloads and 500 connections no longer interferes with web serving at all. :good:

voider
lieutenant
Posts: 830
Joined: 2008-02-21 20:35:03
Location: msk

Re: PF and ALTQ, what am I doing wrong?

Post by voider » 2009-02-22 0:06:36

mnz_home wrote: How is nat in pf better than the kernel one?
I don't know :)
By the way, thanks for the hfsc example. I set up the shaper and it's a dream: utorrent with 8 downloads and 500 connections no longer interferes with web serving at all. :good:
Thanks. By the way, to keep the torrent from clogging the whole line, you just need to set the maximum download a little lower; then it won't touch that "little bit" and it will be left for surfing :)

mnz_home
passing by

Re: PF and ALTQ, what am I doing wrong?

Post by mnz_home » 2009-02-22 20:45:23

voider wrote: Thanks. By the way, to keep the torrent from clogging the whole line, you just need to set the maximum download a little lower; then it won't touch that "little bit" and it will be left for surfing :)
Do you mean limiting the speed in utorrent? That's how it was before. But I wanted utorrent to take the WHOLE bandwidth when there is no other activity, and to give it back dynamically when priority traffic from the computers appears.

voider
lieutenant
Posts: 830
Joined: 2008-02-21 20:35:03
Location: msk

Re: PF and ALTQ, what am I doing wrong?

Post by voider » 2009-02-22 20:51:31

Actually, that's exactly what this utorrent was doing for me, but then some sites started occasionally returning an error and only worked on the second try, so I decided that altq reacts slowly to changes, which is why I made the bandwidth a little smaller.

mnz_home
passing by

Re: PF and ALTQ, what am I doing wrong?

Post by mnz_home » 2009-02-22 23:32:01

voider wrote: Actually, that's exactly what this utorrent was doing for me, but then some sites started occasionally returning an error and only worked on the second try, so I decided that altq reacts slowly to changes, which is why I made the bandwidth a little smaller.
You didn't forget about this rule when you were slicing up the bandwidth? ;-)
REMEMBER: Do not set your upload bandwidth too high otherwise the queue in pf will be useless. A safe rule is to set the maximum bandwidth at around 97% of the total upload speed available to you. Setting your max speed lower is preferable to setting it too high.
https://calomel.org/pf_hfsc.html
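
An added example, not part of the thread or anyone's posted config: a small Python check for the two sizing points discussed above, the nested hfsc queue layout and the quoted advice to keep the root bandwidth at around 97% of the real upload speed. It parses only the altq/queue syntax seen in this thread; the sample config is constructed, and the rule that child bandwidths must fit inside their parent is this example's own sanity check.

```python
import re

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}  # decimal multipliers

def to_bps(spec, parent_bps):
    """Convert a pf.conf bandwidth spec ('2560Kb' or '35%') to bits per second."""
    if spec.endswith("%"):
        return parent_bps * float(spec[:-1]) / 100
    m = re.fullmatch(r"([\d.]+)(b|Kb|Mb|Gb)", spec)  # raises below on an unknown unit
    return float(m.group(1)) * UNITS[m.group(2)]

def parse_altq(conf):
    """Map queue name -> (bandwidth spec, [child names]); the altq line is '<root>'."""
    queues = {}
    for line in conf.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#")[0].strip()
        m = re.match(r"(altq\s+on\s+\S+|queue\s+(\S+))\s.*?bandwidth\s+(\S+)", line)
        if m:
            kids = re.search(r"\{([^}]*)\}", line)
            names = re.findall(r"[^\s,]+", kids.group(1)) if kids else []
            queues[m.group(2) or "<root>"] = (m.group(3), names)
    return queues

def check(conf, link_bps, headroom=0.97):
    """Return a list of problems; an empty list means the hierarchy is consistent."""
    queues, problems = parse_altq(conf), []
    def walk(name, bps):
        problems.extend(f"{name}: child {c} is never defined"
                        for c in queues[name][1] if c not in queues)
        kids = [(c, to_bps(queues[c][0], bps)) for c in queues[name][1] if c in queues]
        total = sum(b for _, b in kids)
        if total > bps:  # assumption of this example: children must fit in the parent
            problems.append(f"{name}: children need {total:.0f} b/s, parent has {bps:.0f}")
        for child, child_bps in kids:
            walk(child, child_bps)
    root_bps = to_bps(queues["<root>"][0], link_bps)
    if root_bps > headroom * link_bps:
        problems.append(f"<root>: {root_bps:.0f} b/s exceeds {headroom:.0%} of the link")
    walk("<root>", root_bps)
    return problems

# Constructed sample in the layout of the hfsc config posted above (not from the thread).
GOOD = """
altq on $ext_if bandwidth 1240Kb hfsc queue { q_hosts, q_def }
  queue q_def bandwidth 216Kb priority 0 hfsc(default)
  queue q_hosts bandwidth 1024Kb priority 7 hfsc{ q_pc1, q_pc2 }
    queue q_pc1 bandwidth 512Kb hfsc(realtime 512Kb upperlimit 1024Kb)
    queue q_pc2 bandwidth 512Kb hfsc(realtime 512Kb upperlimit 1024Kb)
"""
BAD = (GOOD.replace("bandwidth 1240Kb", "bandwidth 1280Kb")
           .replace("q_pc2 bandwidth 512Kb", "q_pc2 bandwidth 768Kb"))
```

Calling `check(BAD, 1_280_000)` for a 1280 Kbit/s uplink reports both the root queue set above 97% of the link and the oversubscribed `q_hosts` branch, while `check(GOOD, 1_280_000)` returns an empty list.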

voider
lieutenant
Posts: 830
Joined: 2008-02-21 20:35:03
Location: msk

Re: PF and ALTQ, what am I doing wrong?

Post by voider » 2009-02-23 0:13:14

That's exactly the part I hadn't read :) basically figured it out myself :) by deduction :)) Thanks for the link, now I know the maximum download can be set as a percentage :)