Ковыряю PF пока все устраивает, много перелопатил доки.
Ставлю на компе с ADSL пользователей пока устраивает, но есть, которые качают торенты, мешают другим.
Приоритеты пока мало спасают.
Гдето мельком читал, что PF может различать пакеты mtorrent. Или может быть есть возможность ограничивать число пакетов на правило например?
Можно конечно на торренте выставить диапазон портов 50000:59000 и их конкретно ограничивать. Все прекрасно получается, когда клиентов 2 - 3 и можно самому пройтись и выставить эти порты на клиентах. Но когда их много, то ходить и у каждого что-то настраивать это не выход. Иногда можно клиентам объяснить, что есть отдельный комп с торрентом, которому можно кидать заявки, тогда проблема решается на раз, но клиенты разные бывают.
Иногда когда достают то делаю так:
nat on $ext_if from $int_if:network to any port {20:1024} -> ($ext_if)
Думаю, что хороший вариант это ограничивать число пакетов на IP (например диапазон 1024:65535) но пример не встречал на PF
Разные настройки PF
Правила форума
Убедительная просьба юзать теги [code] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Убедительная просьба юзать теги [code] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Услуги хостинговой компании Host-Food.ru
Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/
-
utf450
- рядовой
- Сообщения: 16
- Зарегистрирован: 2009-10-15 12:08:19
Re: Разные настройки PF
Вот нашел пример как можно ограничить, кусок из pf.conf
################ Macros ###################################
# use a macro for the interface name, so it can be changed easily
ext_if = "fxp0"
int_if = "fxp1"
### Stateful Tracking Options ###
TorSTO = "(max 375, source-track rule, max-src-conn 1, max-src-nodes 375, tcp.established 60)"
################ Options ##################################
# Timeout Options ###
## тут сами выставляем какие вам больше подходят
################ Normaliztation ############################
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
################ Queueing ##################################
# Example: 512/128 kbps ADSL. Download is 50 kB/s. When a concurrent
# upload saturates the uplink, download drops to 7 kB/s. With the
# priority queue below, download drops only to 48 kB/s.
altq on $ext_if bandwidth 984Kb hfsc queue { q_pri, q_def, q_mus, q_tor }
queue q_pri bandwidth 49% priority 7 hfsc
queue q_def bandwidth 49% priority 5 hfsc (linkshare 49%) {q_smtp,q_http,ssh_login,q_def1}
queue ssh_login bandwidth 96% priority 5 hfsc
queue q_http bandwidth 1% priority 4 hfsc
queue q_smtp bandwidth 1% priority 4 hfsc
queue q_def1 bandwidth 1% priority 3 hfsc (default)
queue q_mus bandwidth 1% qlimit 200 priority 4 hfsc
queue q_tor bandwidth 1% qlimit 25 priority 3 hfsc (upperlimit 272Kb)
################ Translation ###############################
# Translation rules are first match
# NAT internal hosts
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# Redirect Bit Torrent traffic to internal machine
rdr on $ext_if proto tcp from any to any port 7381 -> 192.168.0.41
################ Filtering #################################
нужное вставить
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state queue (q_def1,q_pri)
# Tag all packets on the internal interface from the bittorrent machine's ip (alias)
pass in on $int_if from 192.168.0.41 to any tag TORRENT modulate state
pass out on $ext_if proto tcp from ($ext_if) to any port > 1024 flags S/SA tagged TORRENT modulate state queue (q_tor)
pass out on $ext_if proto udp from ($ext_if) to any port > 1024 tagged TORRENT keep state queue (q_tor)
# Allow Bit Torrent traffic to internal machine ip (alias)
pass in on $ext_if proto tcp from any to 192.168.0.41 port 7381 flags S/SA synproxy state $TorSTO queue q_tor
pass in on $ext_if proto udp from any to 192.168.0.41 port 7381 keep state $TorSTO queue q_tor
Остальное дописываем сами...
################ Macros ###################################
# use a macro for the interface name, so it can be changed easily
ext_if = "fxp0"
int_if = "fxp1"
### Stateful Tracking Options ###
TorSTO = "(max 375, source-track rule, max-src-conn 1, max-src-nodes 375, tcp.established 60)"
################ Options ##################################
# Timeout Options ###
## тут сами выставляем какие вам больше подходят
################ Normaliztation ############################
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
################ Queueing ##################################
# Example: 512/128 kbps ADSL. Download is 50 kB/s. When a concurrent
# upload saturates the uplink, download drops to 7 kB/s. With the
# priority queue below, download drops only to 48 kB/s.
altq on $ext_if bandwidth 984Kb hfsc queue { q_pri, q_def, q_mus, q_tor }
queue q_pri bandwidth 49% priority 7 hfsc
queue q_def bandwidth 49% priority 5 hfsc (linkshare 49%) {q_smtp,q_http,ssh_login,q_def1}
queue ssh_login bandwidth 96% priority 5 hfsc
queue q_http bandwidth 1% priority 4 hfsc
queue q_smtp bandwidth 1% priority 4 hfsc
queue q_def1 bandwidth 1% priority 3 hfsc (default)
queue q_mus bandwidth 1% qlimit 200 priority 4 hfsc
queue q_tor bandwidth 1% qlimit 25 priority 3 hfsc (upperlimit 272Kb)
################ Translation ###############################
# Translation rules are first match
# NAT internal hosts
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# Redirect Bit Torrent traffic to internal machine
rdr on $ext_if proto tcp from any to any port 7381 -> 192.168.0.41
################ Filtering #################################
нужное вставить
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state queue (q_def1,q_pri)
# Tag all packets on the internal interface from the bittorrent machine's ip (alias)
pass in on $int_if from 192.168.0.41 to any tag TORRENT modulate state
pass out on $ext_if proto tcp from ($ext_if) to any port > 1024 flags S/SA tagged TORRENT modulate state queue (q_tor)
pass out on $ext_if proto udp from ($ext_if) to any port > 1024 tagged TORRENT keep state queue (q_tor)
# Allow Bit Torrent traffic to internal machine ip (alias)
pass in on $ext_if proto tcp from any to 192.168.0.41 port 7381 flags S/SA synproxy state $TorSTO queue q_tor
pass in on $ext_if proto udp from any to 192.168.0.41 port 7381 keep state $TorSTO queue q_tor
Остальное дописываем сами...
-
utf450
- рядовой
- Сообщения: 16
- Зарегистрирован: 2009-10-15 12:08:19
Re: Разные настройки PF
Вот написал полный вариант для двух пользователей. Все отлично распределяется для каждого юзера.
ADSL (IN=1024 OUT=640)
Меняем на свои сетевые и IP
pppoe (md5)
########### Macros ####################
ext_if = "ng0"
int_if = "re0"
icmp_types="echoreq"
local_net="192.168.1.0/24"
http_ports="{ 80 82 443 8080 }"
################ Options ####################
# Timeout Options
set optimization normal
set timeout tcp.opening 120
set timeout tcp.finwait 180
set timeout tcp.closed 240
set timeout tcp.first 380
set loginterface $ext_if
set block-policy drop
set require-order yes
################ Normaliztation ############################
scrub on $ext_if all random-id min-ttl 254 reassemble tcp fragment reassemble
################ Queueing EXT_IF ##################################
altq on $ext_if bandwidth 628Kb hfsc queue { ack dns def }
queue ack bandwidth 20% priority 7 qlimit 500 hfsc (realtime 10% red ecn)
queue dns bandwidth 10% priority 6 qlimit 500 hfsc (realtime 20% red ecn)
queue def bandwidth 70% hfsc (linkshare 10%) { up_def up_user1 up_user2 }
queue up_def priority 2 qlimit 500 bandwidth 1% hfsc(upperlimit 30% default)
queue up_user1 priority 4 qlimit 500 bandwidth 1% hfsc(upperlimit 100%)
queue up_user2 priority 3 qlimit 500 bandwidth 1% hfsc(upperlimit 100%)
################ Queueing INT_IF ##################################
altq on $int_if hfsc bandwidth 100Mb queue { local_net inet_ext }
queue local_net priority 0 bandwidth 97Mb hfsc
queue inet_ext bandwidth 1000Kb hfsc { dn_inet }
queue dn_inet bandwidth 100% hfsc { dn_inet_def dn_user1_http dn_user1_other dn_user2_http dn_user2_other }
queue dn_inet_def priority 1 qlimit 500 bandwidth 1% hfsc(ecn upperlimit 10% default)
queue dn_user1_http priority 7 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 95%)
queue dn_user1_other priority 2 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 75%)
queue dn_user2_http priority 7 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 95%)
queue dn_user2_other priority 2 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 75%)
################ Translation ###############################
nat on $ext_if from $int_if:network to any -> ($ext_if)
################ Filtering #################################
# loopback
antispoof log quick for lo0 inet
pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
block in quick on $ext_if from any to 255.255.255.255
block log on $ext_if all
block in from no-route to any
block out log quick on $ext_if from ! $ext_if to any
block on $int_if all
# pass out all ICMP connections and keep state
pass inet proto icmp all icmp-type $icmp_types keep state
############### OUT EXT ##################
# pass out all TCP connections and modulate state
pass out quick on $ext_if proto udp from ($ext_if) to any port 53 queue (dns, ack)
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state queue (up_def, ack)
pass out on $ext_if tagged UP_USER1_HTTP queue (up_user1, ack)
pass out on $ext_if tagged UP_USER1_OTHER queue (up_user1, ack)
pass out on $ext_if tagged UP_USER2_HTTP queue (up_user2, ack)
pass out on $ext_if tagged UP_USER2_OTHER queue (up_user2, ack)
############### IN INT ##################
pass quick on $int_if proto {tcp udp} from $local_net to $local_net queue local_net
pass in quick on $int_if proto tcp from 192.168.1.2 to any port $http_ports no state tag UP_USER2_HTTP
pass out quick on $int_if proto tcp from any port $http_ports to 192.168.1.2 no state queue dn_user2_http
pass in quick on $int_if from 192.168.1.2 to any no state tag UP_USER2_OTHER
pass out quick on $int_if from any to 192.168.1.2 no state queue dn_user2_other
pass in quick on $int_if proto tcp from 192.168.1.3 to any port $http_ports no state tag UP_USER1_HTTP
pass out quick on $int_if proto tcp from any port $http_ports to 192.168.1.3 no state queue dn_user1_http
pass in quick on $int_if from 192.168.1.3 to any no state tag UP_USER1_OTHER
pass out quick on $int_if from any to 192.168.1.3 no state queue dn_user1_other
ADSL (IN=1024 OUT=640)
Меняем на свои сетевые и IP
pppoe (md5)
########### Macros ####################
ext_if = "ng0"
int_if = "re0"
icmp_types="echoreq"
local_net="192.168.1.0/24"
http_ports="{ 80 82 443 8080 }"
################ Options ####################
# Timeout Options
set optimization normal
set timeout tcp.opening 120
set timeout tcp.finwait 180
set timeout tcp.closed 240
set timeout tcp.first 380
set loginterface $ext_if
set block-policy drop
set require-order yes
################ Normaliztation ############################
scrub on $ext_if all random-id min-ttl 254 reassemble tcp fragment reassemble
################ Queueing EXT_IF ##################################
altq on $ext_if bandwidth 628Kb hfsc queue { ack dns def }
queue ack bandwidth 20% priority 7 qlimit 500 hfsc (realtime 10% red ecn)
queue dns bandwidth 10% priority 6 qlimit 500 hfsc (realtime 20% red ecn)
queue def bandwidth 70% hfsc (linkshare 10%) { up_def up_user1 up_user2 }
queue up_def priority 2 qlimit 500 bandwidth 1% hfsc(upperlimit 30% default)
queue up_user1 priority 4 qlimit 500 bandwidth 1% hfsc(upperlimit 100%)
queue up_user2 priority 3 qlimit 500 bandwidth 1% hfsc(upperlimit 100%)
################ Queueing INT_IF ##################################
altq on $int_if hfsc bandwidth 100Mb queue { local_net inet_ext }
queue local_net priority 0 bandwidth 97Mb hfsc
queue inet_ext bandwidth 1000Kb hfsc { dn_inet }
queue dn_inet bandwidth 100% hfsc { dn_inet_def dn_user1_http dn_user1_other dn_user2_http dn_user2_other }
queue dn_inet_def priority 1 qlimit 500 bandwidth 1% hfsc(ecn upperlimit 10% default)
queue dn_user1_http priority 7 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 95%)
queue dn_user1_other priority 2 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 75%)
queue dn_user2_http priority 7 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 95%)
queue dn_user2_other priority 2 qlimit 500 bandwidth 2% hfsc(ecn upperlimit 75%)
################ Translation ###############################
nat on $ext_if from $int_if:network to any -> ($ext_if)
################ Filtering #################################
# loopback
antispoof log quick for lo0 inet
pass quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
block in quick on $ext_if from any to 255.255.255.255
block log on $ext_if all
block in from no-route to any
block out log quick on $ext_if from ! $ext_if to any
block on $int_if all
# pass out all ICMP connections and keep state
pass inet proto icmp all icmp-type $icmp_types keep state
############### OUT EXT ##################
# pass out all TCP connections and modulate state
pass out quick on $ext_if proto udp from ($ext_if) to any port 53 queue (dns, ack)
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state queue (up_def, ack)
pass out on $ext_if tagged UP_USER1_HTTP queue (up_user1, ack)
pass out on $ext_if tagged UP_USER1_OTHER queue (up_user1, ack)
pass out on $ext_if tagged UP_USER2_HTTP queue (up_user2, ack)
pass out on $ext_if tagged UP_USER2_OTHER queue (up_user2, ack)
############### IN INT ##################
pass quick on $int_if proto {tcp udp} from $local_net to $local_net queue local_net
pass in quick on $int_if proto tcp from 192.168.1.2 to any port $http_ports no state tag UP_USER2_HTTP
pass out quick on $int_if proto tcp from any port $http_ports to 192.168.1.2 no state queue dn_user2_http
pass in quick on $int_if from 192.168.1.2 to any no state tag UP_USER2_OTHER
pass out quick on $int_if from any to 192.168.1.2 no state queue dn_user2_other
pass in quick on $int_if proto tcp from 192.168.1.3 to any port $http_ports no state tag UP_USER1_HTTP
pass out quick on $int_if proto tcp from any port $http_ports to 192.168.1.3 no state queue dn_user1_http
pass in quick on $int_if from 192.168.1.3 to any no state tag UP_USER1_OTHER
pass out quick on $int_if from any to 192.168.1.3 no state queue dn_user1_other