Controle de banda com pf

Categoria: FreeBSD Publicado: Sábado, 29 Outubro 2005 Escrito por Helio Loureiro Imprimir
Script utilizado para realizar o controle de banda no sistema wi-fi da Futurecom2005. O primeiro problema encontrado foi que o sistema utilizava VLANs para dividir o tráfego enquanto que o controle de banda é somente possível em interfaces físicas. Felizmente funcionou a contento.
AP_NET="172.20.0.0/22" 
MAN_NET="192.168.48.0/0" 
VLAN100="201.25.199.254" 
VLAN200="201.34.160.254" 
VLAN300="201.34.161.254" 
VLAN400="172.20.3.254" 
VLAN500="192.168.48.254" 
VLAN100_INTF="vlan1" 
VLAN200_INTF="vlan2" 
VLAN300_INTF="vlan3" 
VLAN400_INTF="vlan4" 
VLAN500_INTF="vlan5" 

ME="{ 192.168.48.254, 201.25.199.254, 201.34.160.254, \
   201.34.161.254, 172.20.3.254}" 
SSH="{ 192.168.48.254, 201.25.199.254 }" 
EXT="em0" 

set timeout { interval 10, frag 30 } 
set timeout { tcp.first 120, tcp.opening 30, \
   tcp.established 86400 } 
set timeout { tcp.closing 900, tcp.finwait 45, \
   tcp.closed 90 } 
set timeout { udp.first 60, udp.single 30, \
   udp.multiple 60 } 
set timeout { icmp.first 20, icmp.error 10 } 
set timeout { other.first 60, other.single 30, \
   other.multiple 60 } 
set timeout { adaptive.start 0, adaptive.end 0 } 
set limit { states 10000, frags 5000 } 

##set loginterface none 
set optimization normal 
#set block-policy drop 
set require-order yes 
set fingerprints "/etc/pf.os" 

scrub in all 

### bandwidth 
altq on $EXT 
cbq bandwidth 15Mb 
queue { ots, ssh, voip, web, dhcp } 
queue ots bandwidth 10% priority 0 cbq(default ecn) 
queue ssh bandwidth 100Kb priority 7 cbq(borrow) 
queue voip bandwidth 30% priority 5 cbq(borrow) 
queue web bandwidth 60% priority 3 { http, mail, msn, dns } 
queue http bandwidth 60% cbq(borrow red) 
queue mail bandwidth 30% cbq(borrow red) 
queue msn bandwidth 10% cbq(borrow red) 
queue dns bandwidth 10% cbq(borrow red) 
queue dhcp bandwidth 10% priority 5 cbq(borrow) 
nat on $VLAN100_INTF from $AP_NET to any -> ($VLAN100_INTF) 

block in log all 
block return in on $EXT inet all queue ots 

pass out all 
#pass in all 

pass out inet proto tcp from any to any port 80 keep state queue http 
pass out on $EXT inet proto tcp from any to any port { 80, 443 } \
   keep state queue http 
pass out on $EXT inet proto tcp from any to any port { 25, 110, 143, \
   465, 993, 995 } keep state queue mail 
pass in on $EXT inet proto tcp from any to any port 1863 keep state \
   queue msn 
pass out on $EXT inet proto tcp from any to any port 1863 keep state \
   queue msn 
pass in on $EXT inet proto tcp from any to any port 22 keep state queue \
   ssh 
pass out on $EXT inet proto tcp from any to any port 22 keep state queue \
   ssh 
pass in on $EXT inet proto udp from any to any port 5060 keep state \
   queue voip 
pass out on $EXT inet proto udp from any to any port 5060 keep state \
   queue voip 
pass in on $EXT inet proto udp from any to any port 10000:20000 keep \
   state queue voip 
pass out on $EXT inet proto udp from any to any port 10000:20000 keep \
   state queue voip 
pass in on $EXT inet proto udp from any to any port 67:68 keep state \
   queue dhcp 
pass out on $EXT inet proto udp from any to any port 67:68 keep state \
   queue dhcp 
pass in on $EXT inet proto udp from any to any port 53 keep state queue \
   dns 
pass out on $EXT inet proto udp from any to any port 53 keep state queue \
   dns 
#pass in quick proto tcp from any to $SSH port 22 keep state 
#block in proto tcp from any to any port 80 
pass in quick proto tcp from any to $ME port 80 
pass in quick proto udp from any to any port 53 keep state 
pass in quick proto udp from any port 53 to any keep state 
pass in quick proto { tcp, udp } from any to $ME port { 67, 68 } keep state 
pass in quick proto { tcp, udp } from $AP_NET to $VLAN400 port { 67, 68 } \
   keep state 
pass in quick proto { tcp, udp } from any to $ME port { 67, 68 } keep state 
#pass in proto { tcp, udp, icmp } from any to any 
block in quick log proto { tcp, udp } from any to any port { 135, 136, 137, \
   138, 139, 445, 1433, 1434 } 
pass in quick proto udp from any to $ME port 161 keep 
state pass in quick proto udp from any port 161 to $ME keep state 

#block in log from any to $MAN_NET 
#block out log from $MAN_NET to any pass out from $ME to any 
#block in quick log from any to $MAN_NET 
#block in quick log from $MAN_NET to any 

pass in quick proto icmp from any to $ME keep state 
pass out quick proto icmp from $ME to any keep state 
pass out quick proto tcp from $ME to 192.168.48.0/24 keep state 
pass in quick proto udp from 192.168.48.0/24 to $ME port 161 keep state 
pass in from any to any 
block in log from any to $ME
Acessos: 6379
Controle de banda com pf

Estatísticas

Imagem do dia
