LINUX-BG  Address: http://www.linux-bg.org
Fast firewall with HFSC
By: Dimitar Vasilev  Published on: 21-12-2006  Article URL: http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=history&key=388907124
Since HFSC was discussed here a while ago, I decided to allow myself an example of it on PF. Keep in mind that everything varies with your traffic, your capacity, your hardware and what you let through. PF is not a one-size-fits-all tool: if you have users who tunnel their traffic over other ports and protocols, you will eventually have to add another solution as well. What follows is only an illustrative example of how it is done. The per-queue packet limit (qlimit 1000) is set fairly high because: 1) a home user's traffic is small; 2) the cards (xl and fxp) hold up under load; 3) it gives a better distribution. _login marks the queues for the login and control sessions, _bulk the packets of the session itself. Here are the rules:

#PF.conf reloaded - 16.12.2006
#
# Macros. Several of these (tg, tg_out, DNS, dhcp1, dhcp2, bootstrap_*,
# services) are defined but not referenced by any rule below.
tg="block log quick"
tg_in="block in log quick"
tg_out="block out log quick"
#
bw="bandwidth"
ext_if="xl1"
int_if="fxp0"
l="lo0"
int_net=""    # left blank in the article: put your LAN prefix here, the rdr rule below does not parse with an empty value
#
# DNS="{IP, IP}"
#
dhcp1="255.255.255.255/32"
dhcp2="172.20.0.9/32"
#
bootstrap_server="67"
bootstrap_client="68"
#
q="qlimit"
#
services="22,5190,6666,6667,80,443"
#
# Tables: similar to macros, but more flexible for many addresses.
#
table <misfits> persist file "/etc/pf/misfits"
#
# table <bgpeer> persist file "/etc/pf/bgpeer2"
#
# Options: tune the behavior of pf, default values are given.
set timeout { interval 5, frag 20, src.track 20 }
set timeout { tcp.first 30, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 90, tcp.finwait 20, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# set timeout { adaptive.start 6000, adaptive.end 12000 }
# set limit { states 20000, frags 20000, src-nodes 2000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set state-policy if-bound
set require-order yes
set fingerprints "/etc/pf.os"
#
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all min-ttl 2 max-mss 1440 fragment reassemble
scrub out all min-ttl 1 no-df max-mss 1440 fragment reassemble random-id
#scrub log no-df fragment reassemble
#
# Queueing: rule-based bandwidth control.
# ALTQ shapes only the packets leaving $ext_if (the upload side); a "queue" on
# a "pass in" rule below affects the replies that go back out through $ext_if,
# not the packets coming in. The realtime and upperlimit figures are absolute
# rates, so they only mean what they say if the declared bandwidth matches the
# real upstream link: xl(4) and fxp(4) are 10/100 cards, so 1000Mb overstates
# it, and a home uplink is usually far below 100Mb anyway. hfsc has no notion
# of priority (that keyword is for cbq and priq); the three service curves do
# the work.
#
altq on $ext_if bandwidth 1000Mb hfsc queue { tcp_ack_out, www, ftp, ssh, tcp_ack_in }
queue tcp_ack_out $bw 10Mb priority 6 hfsc (ecn realtime 6Mb linkshare 10% upperlimit 9Mb) $q 1000
# tcp_ack_in is the default queue: anything a rule does not assign elsewhere ends up here.
queue tcp_ack_in $bw 10Mb priority 7 hfsc (ecn default realtime 6Mb linkshare 10% upperlimit 9Mb) $q 1000
#
# www
#
queue www $bw 30Mb priority 5 hfsc (ecn realtime 30Mb linkshare 20% upperlimit 35Mb) $q 1000 { www_in, www_out }
queue www_in $bw 15Mb priority 5 hfsc (ecn realtime 10Mb linkshare 5% upperlimit 10Mb) $q 1000
queue www_out $bw 15Mb priority 6 hfsc (ecn realtime 10Mb linkshare 5% upperlimit 10Mb) $q 1000
#
# ftp
#
queue ftp $bw 50Mb priority 5 hfsc (ecn realtime 30Mb linkshare 20% upperlimit 35Mb) $q 1000 { ftp_login, ftp_bulk }
queue ftp_bulk $bw 70% priority 5 hfsc (ecn realtime 30Mb linkshare 20% upperlimit 35Mb) $q 1000
queue ftp_login $bw 30% priority 7 hfsc (ecn realtime 20Mb linkshare 20% upperlimit 25Mb) $q 1000
#
# ssh
#
queue ssh $bw 120Mb priority 7 hfsc (ecn realtime 50Mb linkshare 30% upperlimit 150Mb) $q 1000 { ssh_login, ssh_bulk }
queue ssh_login $bw 50Mb priority 7 hfsc (ecn realtime 30Mb linkshare 10% upperlimit 35Mb) $q 1000
queue ssh_bulk $bw 50Mb priority 5 hfsc (ecn realtime 30Mb linkshare 10% upperlimit 40Mb) $q 1000
#
# NAT
#
nat on $ext_if from !($ext_if) to any -> ($ext_if)
#
# FTP proxying
#
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021
#
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
#
# Filtering. pf passes everything by default, so the ruleset must block explicitly.
#
antispoof quick for { $ext_if, $int_if, $l }
#
pass quick on $l all keep state
#
block log on $ext_if all
#
# Drop syslog from outside and TCP segments with flag combinations no normal
# stack sends (nmap-style NULL, FIN, Xmas and ACK probes). The flag rules need
# "proto tcp": pf only evaluates "flags" on TCP, so without it a rule such as
# "flags A/A" would also match every non-TCP packet. Note that "S/FSRPAU"
# matches a plain SYN, so no new inbound connection is accepted on $ext_if at
# all. That suits a home box without services, and it leaves the
# "pass in ... from any port ..." rules further down with little to do, since
# replies already match the states the "pass out" rules create (passing by
# source port is a weak filter anyway: the remote host picks its own source port).
$tg_in on $ext_if inet proto udp from any to any port = syslog
$tg_in on $ext_if inet proto tcp from any to any flags P/FSRPAUEW
$tg_in on $ext_if inet proto tcp from any to any flags FPU/FSRPAUEW
$tg_in on $ext_if inet proto tcp from any to any flags FPU/FPU
$tg_in on $ext_if inet proto tcp from any to any flags /FSRA
$tg_in on $ext_if inet proto tcp from any to any flags FS/FSRA
$tg_in on $ext_if inet proto tcp from any to any flags FSPU/FSPRAU
$tg_in on $ext_if inet proto tcp from any to any flags FPU/FSRPAU
$tg_in on $ext_if inet proto tcp from any to any flags /FSRPAU
$tg_in on $ext_if inet proto tcp from any to any flags F/FSRA
$tg_in on $ext_if inet proto tcp from any to any flags U/FSRAU
$tg_in on $ext_if inet proto tcp from any to any flags S/FSRPAU
$tg_in on $ext_if inet proto tcp from any to any flags P/FSRPAU
$tg_in on $ext_if inet proto tcp from any to any flags A/A
$tg_in on $ext_if inet proto tcp from any to any flags P/P
#
anchor "ftp-proxy/*"
pass out on $ext_if keep state
#
# FTP: the control connection opened by ftp-proxy goes to ftp_login, what comes back to ftp_bulk.
pass in quick on $ext_if inet proto tcp from any port 21 to $ext_if user proxy keep state queue ftp_bulk
pass out quick on $ext_if inet proto tcp from any to any port 21 user proxy keep state queue ftp_login
#
# ssh, AIM/ICQ (5190) and IRC. The second queue in "queue (x, tcp_ack_out)"
# takes the connection's empty ACKs (and TOS lowdelay packets), which is what
# tcp_ack_out was defined for; the original rules never referenced it.
pass out quick on $ext_if inet proto tcp from any to any port { 22, 5190, 6666, 6667 } keep state queue (ssh_login, tcp_ack_out)
pass in quick on $ext_if inet proto tcp from any port { 22, 5190, 6666, 6667 } to any keep state queue ssh_bulk
#
pass out quick on $ext_if inet proto tcp from any to any port { 80, 443 } keep state queue (www_out, tcp_ack_out)
pass in quick on $ext_if inet proto tcp from any port { 80, 443 } to any keep state queue www_in

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and watch the queues with "pfctl -vvsq" once traffic flows: the dropped-packet and qlength counters show which queues are hitting their upperlimit or their qlimit.

Beer and donations for Fyut are accepted. Happy holidays!
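Before loading a tree like the one above it helps to know which of its numbers pfctl will refuse. The following is an added example, not code from the article or from OpenBSD: a Python checker that reproduces the admission checks pfctl applies when it loads HFSC queues, as this example's author understands pfctl_altq.c (a child's bandwidth must not exceed its parent's; an upperlimit must stay within the interface bandwidth and not fall below the queue's own realtime curve; the realtime curves of sibling queues must sum to at most 80% of the interface bandwidth, pfctl keeping 20% in reserve; sibling linkshare curves must sum to at most the parent's, a queue without linkshare counting with its bandwidth; exactly one queue must be default; every queue named in braces must exist and every defined queue must sit in the tree). Assumptions: a percentage in a curve is of the parent's bandwidth, only the flat form of a curve ("realtime 6Mb", not "realtime(m1 d m2)") is parsed, and SAMPLE_QUEUES is a constructed copy of the article's tree with the $bw and $q macros already expanded.

```python
import re
from dataclasses import dataclass, field

SAMPLE_QUEUES = """
altq on xl1 bandwidth 1000Mb hfsc queue { tcp_ack_out, www, ftp, ssh, tcp_ack_in }
queue tcp_ack_out bandwidth 10Mb priority 6 hfsc (ecn realtime 6Mb linkshare 10% upperlimit 9Mb) qlimit 1000
queue tcp_ack_in bandwidth 10Mb priority 7 hfsc (ecn default realtime 6Mb linkshare 10% upperlimit 9Mb) qlimit 1000
queue www bandwidth 30Mb priority 5 hfsc (ecn realtime 30Mb linkshare 20% upperlimit 35Mb) qlimit 1000 { www_in, www_out }
queue www_in bandwidth 15Mb priority 5 hfsc (ecn realtime 10Mb linkshare 5% upperlimit 10Mb) qlimit 1000
queue www_out bandwidth 15Mb priority 6 hfsc (ecn realtime 10Mb linkshare 5% upperlimit 10Mb) qlimit 1000
queue ftp bandwidth 50Mb priority 5 hfsc (ecn realtime 30Mb linkshare 20% upperlimit 35Mb) qlimit 1000 { ftp_login, ftp_bulk }
queue ftp_bulk bandwidth 70% priority 5 hfsc (ecn realtime 30Mb linkshare 20% upperlimit 35Mb) qlimit 1000
queue ftp_login bandwidth 30% priority 7 hfsc (ecn realtime 20Mb linkshare 20% upperlimit 25Mb) qlimit 1000
queue ssh bandwidth 120Mb priority 7 hfsc (ecn realtime 50Mb linkshare 30% upperlimit 150Mb) qlimit 1000 { ssh_login, ssh_bulk }
queue ssh_login bandwidth 50Mb priority 7 hfsc (ecn realtime 30Mb linkshare 10% upperlimit 35Mb) qlimit 1000
queue ssh_bulk bandwidth 50Mb priority 5 hfsc (ecn realtime 30Mb linkshare 10% upperlimit 40Mb) qlimit 1000
"""


def to_bps(spec, ref):
    """'10Mb' -> 10000000; '70%' -> 70% of ref, computed the way pfctl does (ref / 100 * pct)."""
    if spec.endswith("%"):
        return ref // 100 * int(spec[:-1])
    m = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)?", spec)
    if not m:
        raise ValueError(f"bad bandwidth {spec!r}")
    return int(m.group(1)) * {"b": 1, "Kb": 10**3, "Mb": 10**6, "Gb": 10**9}[m.group(2) or "b"]


@dataclass
class Queue:
    name: str
    bw_spec: str                  # as written: "10Mb" or "70%"
    children: list = field(default_factory=list)
    parent: str = ""
    bandwidth: int = 0            # resolved bits/s
    default: bool = False
    curves: dict = field(default_factory=dict)   # realtime / linkshare / upperlimit, as written


def parse_tree(text):
    queues, root = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        braces = re.search(r"\{([^}]*)\}", line)
        kids = [k for k in re.split(r"[\s,]+", braces.group(1).strip()) if k] if braces else []
        m = re.match(r"altq on (\S+) bandwidth (\S+) hfsc queue", line)
        if m:
            root = Queue("root_" + m.group(1), m.group(2), kids, bandwidth=to_bps(m.group(2), 0))
            queues[root.name] = root
            continue
        m = re.match(r"queue (\S+) bandwidth (\S+)", line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        opts = re.search(r"hfsc\s*\(([^)]*)\)", line)
        toks = opts.group(1).split() if opts else []
        q = Queue(m.group(1), m.group(2), kids, default="default" in toks)
        q.curves = {k: toks[toks.index(k) + 1] for k in ("realtime", "linkshare", "upperlimit") if k in toks}
        queues[q.name] = q
    for q in queues.values():
        for k in q.children:
            if k in queues:
                queues[k].parent = q.name
    return root, queues


def check_tree(text):
    """pfctl-style error messages for the tree; an empty list means it should load."""
    root, queues = parse_tree(text)
    ifbw, errors = root.bandwidth, []

    def curve(q, key):  # assumption: a percentage in a curve is of the parent's bandwidth
        return to_bps(q.curves[key], queues[q.parent].bandwidth) if key in q.curves else 0

    def walk(parent):
        rt_sum = ls_sum = 0
        for name in parent.children:
            child = queues.get(name)
            if child is None:
                errors.append(f"{parent.name}: child queue {name} is not defined")
                continue
            child.bandwidth = to_bps(child.bw_spec, parent.bandwidth)
            if child.bandwidth > parent.bandwidth:
                errors.append(f"bandwidth for {name} higher than parent")
            rt, ul = curve(child, "realtime"), curve(child, "upperlimit")
            ls = curve(child, "linkshare") or child.bandwidth  # pfctl: no linkshare -> bandwidth
            if ul > ifbw:
                errors.append(f"{name}: upper-limit larger than interface bandwidth")
            if ul and rt > ul:
                errors.append(f"{name}: upper-limit sc smaller than real-time sc")
            rt_sum, ls_sum = rt_sum + rt, ls_sum + ls
            walk(child)
        if rt_sum > ifbw // 100 * 80:  # pfctl keeps 20% of the interface in reserve
            errors.append(f"children of {parent.name}: real-time sc exceeds 80% of the interface bandwidth")
        if ls_sum > (ifbw if parent is root else curve(parent, "linkshare") or parent.bandwidth):
            errors.append(f"children of {parent.name}: link-share sc exceeds parent's sc")

    walk(root)
    errors += [f"queue {n} has no parent" for n, q in queues.items() if q is not root and not q.parent]
    defaults = [n for n, q in queues.items() if q.default]
    if len(defaults) != 1:
        errors.append(f"expected exactly one default queue, found {defaults or 'none'}")
    return errors


if __name__ == "__main__":
    print(check_tree(SAMPLE_QUEUES) or "queue tree OK")
```

The article's tree passes every check, which is consistent with the sibling realtime sums (122Mb at the top level, 50Mb under ftp, 60Mb under ssh) being nowhere near 80% of the declared 1000Mb. Raise www_in's bandwidth above www's 30Mb, lower ssh_login's upperlimit below its 30Mb realtime, or drop the "default" keyword from tcp_ack_in, and the corresponding message appears.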
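The flag rules deserve a closer look, because "flags a/b" means "of the flags in b, exactly those in a must be set", and one of the rules above, S/FSRPAU, matches a plain SYN. This is an added example, not from the article: a Python model of that test run over the fourteen flag rules in ruleset order against constructed flag combinations. Addresses, ports and the state lookup are ignored, so it shows what happens to a TCP segment arriving on $ext_if that belongs to no existing state.

```python
# pf's TCP flag letters and their header bits (E and W are ECE and CWR, which pf also accepts).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The "flags a/b" part of each $tg_in rule above, in ruleset order (all are quick).
BLOCK_RULES = [
    "P/FSRPAUEW", "FPU/FSRPAUEW", "FPU/FPU", "/FSRA", "FS/FSRA",
    "FSPU/FSPRAU", "FPU/FSRPAU", "/FSRPAU", "F/FSRA", "U/FSRAU",
    "S/FSRPAU", "P/FSRPAU", "A/A", "P/P",
]

# Constructed flag combinations to push through the rules.
PACKETS = {
    "S": "plain SYN (new inbound connection)",
    "SEW": "SYN with ECN negotiation",
    "SA": "SYN/ACK with no matching state",
    "A": "bare ACK (ACK scan)",
    "PA": "data segment with no matching state",
    "F": "FIN scan",
    "": "NULL scan",
    "FPU": "Xmas scan",
    "R": "bare RST",
}


def to_bits(letters):
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]  # KeyError for a letter pf does not know
    return bits


def flags_match(spec, pkt_flags):
    """pf 'flags a/b': of the flags in b exactly those in a must be set, i.e. (pkt & b) == a."""
    want, mask = spec.split("/")
    return (to_bits(pkt_flags) & to_bits(mask)) == to_bits(want)


def first_block(pkt_flags, rules=BLOCK_RULES):
    """The first quick block rule a segment hits, or None (it then meets 'block log on $ext_if all')."""
    for spec in rules:
        if flags_match(spec, pkt_flags):
            return spec
    return None


def classify(packets=PACKETS):
    """Map every flag combination to the rule that drops it."""
    return {flags: first_block(flags) for flags in packets}


if __name__ == "__main__":
    for flags, what in PACKETS.items():
        hit = first_block(flags)
        print(f"{flags or '-':4} {what:40} -> {hit or 'no flag rule, falls to block all'}")
```

Run it and the S and SEW rows land on S/FSRPAU: the rule drops every new connection attempt, not just scans, which is why the later "pass in" rules never see a SYN. The bare RST matches no flag rule and is left to the general block.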
The authors of the site and their contributors retain the copyright on their own materials published here, but these are copyleft, i.e. they may be freely copied and distributed on the condition that the author's name is explicitly stated and that it is noted in a visible place that they were taken from their original URL on this server (http://www.linux-bg.org). The copyright on translated materials belongs to their authors. If publishing some material here has inadvertently violated someone's rights, the material will be taken down once that fact is established.
All trademarks, logos and copyrights mentioned on this site are the property of their respective owners.