After a long pause in dealing with this issue, I am resuming the digging.
In the thread http://forum.lissyara.su/viewtopic.php?f=3&t=12525 I described my config, but after a while I decided to make life easier for the server and for myself by rewriting the rules to a more or less up-to-date level.
From:
Code:
# ipfw -at list
00100 0 0 allow ip from any to any via lo0
00200 105 9849 Sat Nov 15 16:03:02 2008 count ip from 10.0.0.0/24 to any
00300 0 0 deny ip from any to 127.0.0.0/8
00400 0 0 deny ip from 127.0.0.0/8 to any
00500 0 0 deny ip from 10.0.0.0/24 to any in via rl0
00600 0 0 deny ip from 192.168.1.0/24 to any in via nfe0
00700 0 0 deny ip from any to 10.0.0.0/8 in via rl0
00800 0 0 deny ip from any to 172.16.0.0/12 in via rl0
00900 0 0 deny ip from any to 0.0.0.0/8 in via rl0
01000 0 0 deny ip from any to 169.254.0.0/16 in via rl0
01100 4 112 Sat Nov 15 16:01:30 2008 deny ip from any to 224.0.0.0/4 in via rl0
01200 0 0 deny ip from any to 240.0.0.0/4 in via rl0
01300 0 0 deny icmp from any to any frag
01400 0 0 deny log icmp from any to 255.255.255.255 in via rl0
01500 0 0 deny log icmp from any to 255.255.255.255 out via rl0
01600 30 1384 Sat Nov 15 16:02:34 2008 divert 8668 ip from 10.0.0.0/24 to any out via rl0
01700 22 2408 Sat Nov 15 16:02:33 2008 divert 8668 ip from any to 192.168.1.18 in via rl0
01800 0 0 deny ip from 10.0.0.0/8 to any out via rl0
01900 0 0 deny ip from 172.16.0.0/12 to any out via rl0
02000 0 0 deny ip from 0.0.0.0/8 to any out via rl0
02100 0 0 deny ip from 169.254.0.0/16 to any out via rl0
02200 0 0 deny ip from 224.0.0.0/4 to any out via rl0
02300 0 0 deny ip from 240.0.0.0/4 to any out via rl0
02400 0 0 allow icmp from any to any icmptypes 0,8,11
02500 0 0 pipe 100 ip from 91.192.153.82 20,21 to 10.0.0.0/24
02600 0 0 pipe 1000 ip from 10.0.0.0/24 to 91.192.153.82 dst-port 20,21
02700 22 2408 Sat Nov 15 16:02:33 2008 pipe 1 ip from not 10.0.0.0/24 to table(1) out
02800 39 2485 Sat Nov 15 16:03:01 2008 pipe 2 ip from table(1) to not me in
02900 0 0 pipe 3 ip from not 10.0.0.0/24 to table(2)
03000 0 0 pipe 4 ip from table(2) to not me
03100 0 0 pipe 5 ip from not 10.0.0.0/24 to table(3)
03200 0 0 pipe 6 ip from table(3) to not me
03300 0 0 pipe 7 ip from not 10.0.0.0/24 to table(4)
03400 0 0 pipe 8 ip from table(4) to not me
03500 0 0 pipe 9 ip from not 10.0.0.0/24 to table(5)
03600 0 0 pipe 10 ip from table(5) to not me
03700 140 13564 Sat Nov 15 16:03:02 2008 allow tcp from any to any established
03800 0 0 allow udp from any to 192.168.1.18 dst-port 53 in via rl0
03900 0 0 allow udp from 192.168.1.18 53 to any out via rl0
04000 0 0 allow udp from any 53 to 192.168.1.18 in via rl0
04100 0 0 allow udp from 192.168.1.18 to any dst-port 53 out via rl0
04200 0 0 allow udp from any to any dst-port 123 via rl0
04300 0 0 allow tcp from any to 192.168.1.18 dst-port 53 in via rl0 setup
04400 0 0 allow tcp from any to 192.168.1.18 dst-port 80 via rl0
04500 0 0 allow tcp from any to 192.168.1.18 dst-port 22 in via rl0 setup
04600 0 0 allow tcp from any to 192.168.1.18 dst-port 110,25 via rl0
04700 0 0 allow tcp from any to 192.168.1.18 dst-port 49152-65535 via rl0
04800 0 0 allow udp from any 27000-27025 to 10.0.0.0/24 in via rl0
04900 0 0 allow udp from any 27000-27025 to 10.0.0.0/24 out via nfe0
05000 0 0 allow udp from 10.0.0.0/24 to any dst-port 27000-27025 in via nfe0
05100 0 0 allow udp from 192.168.1.18 to any dst-port 27000-27025 out via rl0
05200 0 0 deny log tcp from any to 192.168.1.18 in via rl0 setup
05300 9 1101 Sat Nov 15 16:03:01 2008 allow ip from 10.0.0.0/24 to 10.0.0.0/24 in via nfe0
05400 0 0 allow ip from 10.0.0.0/24 to 10.0.0.0/24 out via nfe0
05500 0 0 allow ip from 192.168.1.18 to any out xmit rl0
05600 0 0 allow tcp from table(0) to not 10.0.0.0/24 in via nfe0 setup
05700 0 0 deny log ip from any to any
65535 0 0 deny ip from any to any
Code:
#ipfw show
00001 3347837 2352255511 reass ip from any to any in
00002 11491 949435 allow ip from any to any via lo0
00003 68 7601 deny ip from any to not 10.60.77.51 in via vr0
00011 0 0 allow tcp from any to 10.10.10.10 dst-port 9750 in via vr0 setup
00100 0 0 deny ip from any to 127.0.0.0/8
00101 0 0 deny ip from 127.0.0.0/8 to any
00102 167 17454 deny ip from table(99) to any in via vr0
00103 0 0 deny tcp from 10.0.0.8 to not me dst-port 25 in via em0
00104 0 0 deny log logamount 100 tcp from any to not me dst-port 25 in via em0
00105 0 0 deny ip from table(66) to any in via em0
00150 0 0 deny ip from table(71) to any in
00151 0 0 fwd 10.0.0.1,80 tcp from not table(100) to not me dst-port 80,443 in via em0 setup limit src-addr 1
00152 23 736 deny ip from not table(100) to not me in via em0
00153 0 0 deny icmp from any to any frag
00154 0 0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00155 0 0 reject tcp from any to any tcpflags syn,fin,ack,psh,rst,urg
00156 0 0 reject tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg
00157 0 0 reject tcp from any to any not established tcpflags fin
00158 0 0 reject log logamount 100 ip from any to any not verrevpath in
00159 0 0 deny icmp from any to 255.255.255.255 via vr0
00300 1321286 185609157 nat 1 ip from 10.0.0.0/24 to any out via vr0
00301 1968685 2140289466 nat 1 ip from any to 10.60.77.51 in via vr0
00400 0 0 deny ip from not 10.60.77.51 to any out via vr0
00402 23133 1959586 allow icmp from any to any icmptypes 0,3,4,8,10,11,30
00700 5938084 4453861894 allow tcp from any to any established
03000 28 2127 allow udp from any to 10.60.77.51 dst-port 53 in via vr0
03001 4986 1270266 allow udp from any 53 to 10.60.77.51 in via vr0
03002 6 240 allow tcp from any to 10.60.77.51 dst-port 53 in via vr0 setup
03300 3596 177496 allow tcp from any to 10.60.77.51 dst-port 20,21,50000-60000,25,465,110,995,143,993,80,443,8000,10011,30033 in via vr0 setup
03301 10764 472837 allow udp from any to 10.60.77.51 dst-port 123,6277,9987 in via vr0
03600 1 48 allow log logamount 100 tcp from any to 10.60.77.51 dst-port 22 in via vr0 setup
06000 0 0 deny ip from any to me ipoptions ssrr,lsrr,rr,ts in via vr0
06001 12269 615028 deny tcp from any to 10.60.77.51 in via vr0
08000 197837 108794044 allow ip from 10.60.77.51 to any out xmit vr0
09000 0 0 deny log logamount 100 tcp from not 80.78.32.0/19,86.111.65.5 to 10.0.0.65 dst-port 3389
65535 128030905 92895767734 allow ip from any to any
What to do with it and where to stick these very sched things is completely unclear!!!
As far as I understood from the man page
Code:
In practice, pipes can be used to set hard limits to the bandwidth that a
flow can use, whereas queues can be used to determine how different flows
share the available bandwidth.
A graphical representation of the binding of queues, flows, schedulers
and links is below.
                 (flow_mask|sched_mask)  sched_mask
          +---------+   weight Wx  +-------------+
          |         |->-[flow]-->--|             |-+
     -->--| QUEUE x |   ...        |             | |
          |         |->-[flow]-->--| SCHEDuler N | |
          +---------+              |             | |
              ...                  |             +--[LINK N]-->--
          +---------+   weight Wy  |             | +--[LINK N]-->--
          |         |->-[flow]-->--|             | |
     -->--| QUEUE y |   ...        |             | |
          |         |->-[flow]-->--|             | |
          +---------+              +-------------+ |
                                   +-------------+
From the text it is clear that PIPE is used for hard bandwidth limiting, and QUEUE for dividing the available bandwidth between clients.
But how and where to use SCHED is not clear at all!!!
If anyone has figured it out, please share your knowledge, I would be very grateful!
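As an added example (not from the original post or from the ipfw man page), a dummynet setup that shows where a SCHED sits between a PIPE and a QUEUE, using the topology of the first ruleset above (rl0 uplink, nfe0 LAN 10.0.0.0/24); the link rates and rule numbers are assumed placeholders, and the script only echoes the commands unless IPFW points at the real binary.

```sh
#!/bin/sh
# Added example: where a dummynet SCHED sits between a PIPE and a QUEUE.
# Topology taken from the ruleset above: rl0 = uplink, nfe0 = LAN 10.0.0.0/24.
# Link rates and rule numbers are assumed placeholders.
# Dry run by default (commands are only echoed); on the FreeBSD box run
#   IPFW=/sbin/ipfw sh dummynet_shaper.sh
IPFW=${IPFW:-echo ipfw}
LAN=10.0.0.0/24
LAN_IF=nfe0
DOWN_BW=${DOWN_BW:-8Mbit/s}
UP_BW=${UP_BW:-1Mbit/s}

dummynet_setup() {
    # 1. PIPE: the link and its hard rate limit (one per direction).
    #    Creating pipe N also creates scheduler N bound to that link.
    $IPFW pipe 1 config bw "$DOWN_BW"
    $IPFW pipe 2 config bw "$UP_BW"

    # 2. SCHED: the algorithm that decides how flows share the link.
    #    wf2q+ gives each active flow a share proportional to its queue's
    #    weight and hands unused share to the flows that still have data.
    $IPFW sched 1 config type wf2q+
    $IPFW sched 2 config type wf2q+

    # 3. QUEUE: a set of flows feeding the scheduler. The /32 mask makes
    #    every LAN host its own flow, so one host's download cannot
    #    starve the others; equal weights mean equal shares.
    $IPFW queue 1 config pipe 1 weight 50 mask dst-ip 0xffffffff
    $IPFW queue 2 config pipe 2 weight 50 mask src-ip 0xffffffff

    # 4. Classification: send traffic into the QUEUEs, not the pipes.
    #    Matching on the LAN interface sees the real LAN addresses on
    #    both sides of NAT. With net.inet.ip.fw.one_pass=1 (the sysctl
    #    default) a packet leaving the queue is accepted outright; keep
    #    one_pass=0 when filter rules follow, as in the ruleset above.
    $IPFW add 2750 queue 1 ip from any to "$LAN" out via "$LAN_IF"
    $IPFW add 2751 queue 2 ip from "$LAN" to any in via "$LAN_IF"
}

dummynet_setup
```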