Controle de banda com pf
Script utilizado para realizar o controle de banda no sistema wi-fi da Futurecom2005. O primeiro problema encontrado foi que o sistema utilizava VLANs para dividir o tráfego enquanto que o controle de banda é somente possível em interfaces físicas. Felizmente funcionou a contento.
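# pf.conf for the Futurecom2005 wireless network: ALTQ/CBQ shaping on the
# physical uplink ($EXT), NAT for the access-point network, and a filter
# for the VLAN-separated client networks. Section order (options, scrub,
# queueing, NAT, filter) is mandatory here because of `set require-order yes`.
#
# Reading notes for whoever revises this ruleset:
#   * pf evaluates rules last-match-wins unless a rule carries `quick`.
#     The trailing `pass in from any to any` therefore overrides the
#     initial `block in log all` for every inbound packet not caught by a
#     `quick` rule; only traffic addressed to $ME is blocked again by the
#     very last rule. Forwarded inbound traffic is effectively open, and the
#     non-quick `pass in on $EXT ... queue` rules lose their queue
#     assignment to that final pass rule for anything not matched by a
#     `quick` rule (inferred from the semantics; confirm with `pfctl -sr`
#     and `pfctl -vsq` on the live box).
#   * Child queue bandwidths under the 15Mb root add up to more than 100%
#     (10% + 30% + 60% + 10% plus 100Kb). `borrow` keeps it running, but
#     the per-queue guarantees are not meaningful past 100% of the parent;
#     check `pfctl -nf` output for warnings when loading.

# ---------------------------------------------------------------- macros
AP_NET="172.20.0.0/22"          # access-point / wireless client network
# Management network. The original file had "192.168.48.0/0", a /0 mask,
# which matches every address; the same network is written as
# 192.168.48.0/24 in the filter rules below, so /24 is used here.
# $MAN_NET is currently referenced only from commented-out rules.
MAN_NET="192.168.48.0/24"
VLAN100="201.25.199.254"
VLAN200="201.34.160.254"
VLAN300="201.34.161.254"
VLAN400="172.20.3.254"
VLAN500="192.168.48.254"
VLAN100_INTF="vlan1"
VLAN200_INTF="vlan2"
VLAN300_INTF="vlan3"
VLAN400_INTF="vlan4"
VLAN500_INTF="vlan5"
# All addresses owned by this firewall (one per VLAN gateway).
ME="{ 192.168.48.254, 201.25.199.254, 201.34.160.254, \
      201.34.161.254, 172.20.3.254}"
# Addresses on which SSH to the firewall itself was meant to be allowed
# (the rule using it is commented out below).
SSH="{ 192.168.48.254, 201.25.199.254 }"
# Physical uplink; ALTQ is attached here, not on the VLAN interfaces.
EXT="em0"

# --------------------------------------------------------------- options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, \
              tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, \
              tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, \
              udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, \
              other.multiple 60 }
# Adaptive timeouts disabled (both thresholds 0).
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
##set loginterface none
set optimization normal
#set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# ---------------------------------------------------------- normalization
scrub in all

# ---------------------------------------------------------------- queueing
### bandwidth
altq on $EXT cbq bandwidth 15Mb queue { ots, ssh, voip, web, dhcp }
# "ots": everything not classified elsewhere (default queue), lowest priority.
queue ots  bandwidth 10% priority 0 cbq(default ecn)
queue ssh  bandwidth 100Kb priority 7 cbq(borrow)
queue voip bandwidth 30% priority 5 cbq(borrow)
queue web  bandwidth 60% priority 3 { http, mail, msn, dns }
    queue http bandwidth 60% cbq(borrow red)
    queue mail bandwidth 30% cbq(borrow red)
    queue msn  bandwidth 10% cbq(borrow red)
    queue dns  bandwidth 10% cbq(borrow red)
queue dhcp bandwidth 10% priority 5 cbq(borrow)

# ------------------------------------------------------------------- NAT
# Wireless clients are translated to the vlan1 address when leaving vlan1.
nat on $VLAN100_INTF from $AP_NET to any -> ($VLAN100_INTF)

# ---------------------------------------------------------------- filter
# Default deny inbound (non-quick: later matching rules override it).
block in log all
# NOTE(review): `queue ots` on a block rule presumably targets the RST/ICMP
# replies generated by `return`; whether pf honours queue on block rules
# should be confirmed against the pf.conf(5) of the version in use.
block return in on $EXT inet all queue ots
pass out all
#pass in all

# Outbound classification into the ALTQ queues.
pass out inet proto tcp from any to any port 80 keep state queue http
pass out on $EXT inet proto tcp from any to any port { 80, 443 } \
    keep state queue http
pass out on $EXT inet proto tcp from any to any port { 25, 110, 143, \
    465, 993, 995 } keep state queue mail
# Inbound counterparts classify the reply direction of each state.
pass in  on $EXT inet proto tcp from any to any port 1863 keep state queue msn
pass out on $EXT inet proto tcp from any to any port 1863 keep state queue msn
pass in  on $EXT inet proto tcp from any to any port 22 keep state queue ssh
pass out on $EXT inet proto tcp from any to any port 22 keep state queue ssh
pass in  on $EXT inet proto udp from any to any port 5060 keep state queue voip
pass out on $EXT inet proto udp from any to any port 5060 keep state queue voip
pass in  on $EXT inet proto udp from any to any port 10000:20000 keep state queue voip
pass out on $EXT inet proto udp from any to any port 10000:20000 keep state queue voip
pass in  on $EXT inet proto udp from any to any port 67:68 keep state queue dhcp
pass out on $EXT inet proto udp from any to any port 67:68 keep state queue dhcp
pass in  on $EXT inet proto udp from any to any port 53 keep state queue dns
pass out on $EXT inet proto udp from any to any port 53 keep state queue dns

#pass in quick proto tcp from any to $SSH port 22 keep state
#block in proto tcp from any to any port 80
# Stateless: replies to this HTTP traffic rely on `pass out all` above.
pass in quick proto tcp from any to $ME port 80
pass in quick proto udp from any to any port 53 keep state
# NOTE(review): matches on source port only, so any UDP datagram sent
# from port 53 is admitted regardless of destination. The stateful rule
# just above already admits DNS replies; this rule looks redundant and
# widens exposure — consider dropping it.
pass in quick proto udp from any port 53 to any keep state
pass in quick proto { tcp, udp } from any to $ME port { 67, 68 } keep state
pass in quick proto { tcp, udp } from $AP_NET to $VLAN400 port { 67, 68 } \
    keep state
# (An exact duplicate of the `from any to $ME port { 67, 68 }` rule above
#  followed here in the original and was removed; it had no effect.)
#pass in proto { tcp, udp, icmp } from any to any
# Windows networking / SQL Server ports are dropped and logged everywhere;
# `quick` makes this win over the non-quick pass rules regardless of order.
block in quick log proto { tcp, udp } from any to any port { 135, 136, 137, \
    138, 139, 445, 1433, 1434 }
# SNMP to the firewall.
pass in quick proto udp from any to $ME port 161 keep state
# NOTE(review): source-port-only match, same concern as the port 53 rule;
# the stateful rule above already covers SNMP responses.
pass in quick proto udp from any port 161 to $ME keep state
#block in log from any to $MAN_NET
#block out log from $MAN_NET to any
pass out from $ME to any
#block in quick log from any to $MAN_NET
#block in quick log from $MAN_NET to any
pass in  quick proto icmp from any to $ME keep state
pass out quick proto icmp from $ME to any keep state
pass out quick proto tcp from $ME to 192.168.48.0/24 keep state
pass in  quick proto udp from 192.168.48.0/24 to $ME port 161 keep state
# Last-match-wins: this pass overrides `block in log all` for all inbound
# traffic not decided by a `quick` rule above ...
pass in from any to any
# ... except traffic to the firewall's own addresses, which is blocked
# and logged unless a `quick` pass rule admitted it earlier.
block in log from any to $ME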