Hello, I have run into a problem with the Packet Filter firewall. The router runs FreeBSD 5.5; the Internet comes in through an ADSL modem over a PPPoE connection. NAT is enabled in ppp.conf from the start and filtering is done with the above-mentioned firewall. Since the line is asynchronous, I initially decided to set up prioritisation of outgoing traffic, but later I had to add a bandwidth limit for each user with an individual priority. Everything works well, but I would like it to work even better, so I decided to do the same with incoming traffic and immediately ran into trouble. I had read before that PF, or rather ALTQ, does not support incoming traffic, but I did not pay much attention to that; after trying a great many approaches nothing worked, so I decided to put the project on ice. Now I want to fix this situation with your help! I would rather not use an additional firewall...
Here is my snippet:
# ------------------------------------------------------------------ #
altq on tun0 cbq bandwidth 4830Kb queue { INET, INET_IN, INET_OUT }
queue INET cbq(default)
queue INET_IN bandwidth 4080Kb \
    { IP1_IN, IP2_IN }
queue IP1_IN bandwidth 800Kb cbq(borrow)
queue IP2_IN bandwidth 800Kb cbq(borrow)
queue INET_OUT bandwidth 750Kb \
    { IP1_OUT, IP2_OUT }
queue IP1_OUT bandwidth 150Kb cbq(borrow) \
    { ENT_IP1_OUT, WWW_IP1_OUT, DNS_IP1_OUT, ACK_IP1_OUT }
queue ENT_IP1_OUT priority 4 cbq(red, borrow)
queue WWW_IP1_OUT priority 5 cbq(red, borrow)
queue DNS_IP1_OUT priority 6 cbq(borrow)
queue ACK_IP1_OUT priority 7 cbq(borrow)
queue IP2_OUT bandwidth 150Kb cbq(borrow) \
    { ENT_IP2_OUT, WWW_IP2_OUT, DNS_IP2_OUT, ACK_IP2_OUT }
queue ENT_IP2_OUT priority 4 cbq(red, borrow)
queue WWW_IP2_OUT priority 5 cbq(red, borrow)
queue DNS_IP2_OUT priority 6 cbq(borrow)
queue ACK_IP2_OUT priority 7 cbq(borrow)
# ------------------------------------------------------------------ #
block in all
block out all
pass in on lo0
pass out on lo0
pass in quick on xl0 from $netmask to (xl0)
pass out quick on xl0 from (xl0) to $netmask
pass in quick inet proto icmp
#pass in quick on tun0 from any
# ------------------------------------------------------------------ #
pass out quick on tun0 inet proto tcp from $ip1 to any \
    port $ent_ports keep state queue ENT_IP1_OUT
pass out quick on tun0 inet proto tcp from $ip1 to any \
    port $www_ports keep state queue WWW_IP1_OUT
pass out quick on tun0 inet proto { tcp udp } from $ip1 to any \
    port domain keep state queue DNS_IP1_OUT
pass out quick on tun0 proto tcp from $ip1 to any flags S/SA \
    modulate state queue ACK_IP1_OUT
pass out quick on tun0 inet proto icmp from $ip1 to any
pass in quick on tun0 from any to $ip1 queue IP1_IN
# ------------------------------------------------------------------ #
pass out quick on tun0 proto tcp from $ip2 to any flags S/SA \
    modulate state queue ACK_IP2_OUT
pass out quick on tun0 inet proto { tcp udp } from $ip2 \
    to any port domain keep state queue DNS_IP2_OUT
pass out quick on tun0 inet proto tcp from $ip2 to any \
    port $www_ports keep state queue WWW_IP2_OUT
pass out quick on tun0 inet proto tcp from $ip2 to any \
    port $ent_ports keep state queue ENT_IP2_OUT
pass out quick on tun0 inet proto icmp from $ip2 to any
pass in quick on tun0 from any to $ip2 queue IP2_IN
# ------------------------------------------------------------------ #
Additional questions:
1. Is it possible to make PF and ALTQ work with incoming traffic?
2. Share the "secret": which traffic is best to prioritise?
3. In Linux I liked layer-7; is there something similar in FreeBSD?
Is it possible to set up NAT on a virtual tunnel by means of PF?
4. If Internet access is physically arranged through the chain rl0 <---> ed0 <---> tun0, does that mean that if I assign a rule to ed0 but allow full access for rl0 and tun0, traffic sent from rl0 to tun0 will not get through? (In iptables it seems to work that way, but in PF I did not notice this; I wanted to filter the traffic twice, but nothing came of it.) Thanks for your attention!
I decided to supplement the rule list and added the result of running it. Here is my rule set:
# ------------------------------------------------------------------ #
ip1 = "192.168.0.1"
ip2 = "192.168.0.2"
netmask = "192.168.0.0/24"
www_ports = "{ 80, 443 }"
ent_ports = "{ auth, smtp, pop3s, imaps, ftp }"
# ------------------------------------------------------------------ #
altq on tun0 cbq bandwidth 4830Kb queue { INET, INET_IN, INET_OUT }
queue INET cbq(default)
queue INET_IN bandwidth 4080Kb \
    { IP1_IN, IP2_IN }
queue IP1_IN bandwidth 800Kb cbq(borrow)
queue IP2_IN bandwidth 800Kb cbq(borrow)
queue INET_OUT bandwidth 750Kb \
    { IP1_OUT, IP2_OUT }
queue IP1_OUT bandwidth 150Kb cbq(borrow) \
    { ENT_IP1_OUT, WWW_IP1_OUT, DNS_IP1_OUT, ACK_IP1_OUT }
queue ENT_IP1_OUT priority 4 cbq(red, borrow)
queue WWW_IP1_OUT priority 5 cbq(red, borrow)
queue DNS_IP1_OUT priority 6 cbq(borrow)
queue ACK_IP1_OUT priority 7 cbq(borrow)
queue IP2_OUT bandwidth 150Kb cbq(borrow) \
    { ENT_IP2_OUT, WWW_IP2_OUT, DNS_IP2_OUT, ACK_IP2_OUT }
queue ENT_IP2_OUT priority 4 cbq(red, borrow)
queue WWW_IP2_OUT priority 5 cbq(red, borrow)
queue DNS_IP2_OUT priority 6 cbq(borrow)
queue ACK_IP2_OUT priority 7 cbq(borrow)
# ------------------------------------------------------------------ #
block in all
block out all
pass in on lo0
pass out on lo0
pass in quick on xl0 from $netmask to (xl0)
pass out quick on xl0 from (xl0) to $netmask
pass in quick inet proto icmp
#pass in quick on tun0 from any
# ------------------------------------------------------------------ #
pass out quick on tun0 inet proto tcp from $ip1 to any \
    port $ent_ports keep state queue ENT_IP1_OUT
pass out quick on tun0 inet proto tcp from $ip1 to any \
    port $www_ports keep state queue WWW_IP1_OUT
pass out quick on tun0 inet proto { tcp udp } from $ip1 to any \
    port domain keep state queue DNS_IP1_OUT
pass out quick on tun0 proto tcp from $ip1 to any flags S/SA \
    modulate state queue ACK_IP1_OUT
pass out quick on tun0 inet proto icmp from $ip1 to any
pass in quick on tun0 from any to $ip1 queue IP1_IN
# ------------------------------------------------------------------ #
pass out quick on tun0 proto tcp from $ip2 to any flags S/SA \
    modulate state queue ACK_IP2_OUT
pass out quick on tun0 inet proto { tcp udp } from $ip2 \
    to any port domain keep state queue DNS_IP2_OUT
pass out quick on tun0 inet proto tcp from $ip2 to any \
    port $www_ports keep state queue WWW_IP2_OUT
pass out quick on tun0 inet proto tcp from $ip2 to any \
    port $ent_ports keep state queue ENT_IP2_OUT
pass out quick on tun0 inet proto icmp from $ip2 to any
pass in quick on tun0 from any to $ip2 queue IP2_IN
# ------------------------------------------------------------------ #
Here is the result of processing the rules (command pfctl -vvsq):
queue root_tun0 bandwidth 4.83Mb priority 0 cbq( wrr root ) {INET, INET_IN, INET_OUT}
[ pkts: 74655618 bytes: 22612363700 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 13.2 packets/s, 138.49Kb/s ]
queue INET bandwidth 4.83Mb cbq( default )
[ pkts: 8102 bytes: 1202925 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue INET_IN bandwidth 4.08Mb {IP1_IN, IP2_IN}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue IP1_IN bandwidth 800Kb cbq( borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue IP2_IN bandwidth 800Kb cbq( borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue INET_OUT bandwidth 750Kb {IP1_OUT, IP2_OUT}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue IP1_OUT bandwidth 150Kb cbq( borrow ) {ENT_IP1_OUT, WWW_IP1_OUT, DNS_IP1_OUT, ACK_IP1_OUT}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 229061 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue ENT_IP1_OUT bandwidth 150Kb priority 4 cbq( red borrow )
[ pkts: 325 bytes: 16708 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue WWW_IP1_OUT bandwidth 150Kb priority 5 cbq( red borrow )
[ pkts: 1350923 bytes: 160134496 dropped pkts: 1869 bytes: 1982559 ]
[ qlength: 0/ 50 borrows: 53349 suspends: 8646 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue DNS_IP1_OUT bandwidth 150Kb priority 6 cbq( borrow )
[ pkts: 7223 bytes: 481453 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue ACK_IP1_OUT bandwidth 150Kb priority 7 cbq( borrow )
[ pkts: 4495743 bytes: 282271261 dropped pkts: 5277 bytes: 1294021 ]
[ qlength: 0/ 50 borrows: 175967 suspends: 11160 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue IP2_OUT bandwidth 150Kb cbq( borrow ) {ENT_IP2_OUT, WWW_IP2_OUT, DNS_IP2_OUT, ACK_IP2_OUT}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 27327294 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue ENT_IP2_OUT bandwidth 150Kb priority 4 cbq( red borrow )
[ pkts: 1 bytes: 49 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue WWW_IP2_OUT bandwidth 150Kb priority 5 cbq( red borrow )
[ pkts: 38 bytes: 3973 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue DNS_IP2_OUT bandwidth 150Kb priority 6 cbq( borrow )
[ pkts: 12227 bytes: 830899 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue ACK_IP2_OUT bandwidth 150Kb priority 7 cbq( borrow )
[ pkts: 43445960 bytes: 13841777766 dropped pkts: 2569695 bytes: 937297862 ]
[ qlength: 0/ 50 borrows: 27327637 suspends: 1779903 ]
[ measured: 13.2 packets/s, 138.49Kb/s ]
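As an added example (not the poster's configuration and not part of the original thread), this is how the same per-host shaping can be extended to the download direction. ALTQ schedules only packets that leave an interface, which is what the zero counters on INET_IN, IP1_IN and IP2_IN above show: a `pass in ... queue IP1_IN` rule on tun0 has nothing to schedule. The download direction is therefore queued on the LAN interface, where those packets leave the router. Assumptions: xl0 is the interface the two hosts sit behind (as in the post's own rules; substitute the real LAN interface), tun0 is the PPPoE link with ppp(8) doing NAT so that pf still sees the private addresses on it, the link rates are placeholders to be set just below the real sync rates, and `set state-policy if-bound` is available in the pf shipped with FreeBSD 5.x. Queue names other than IP1_IN/IP2_IN are invented for the example.

```pf
# Added example, not the poster's configuration. Interface and address names
# come from the post; the link rates are assumptions and should sit a little
# below the modem's real sync rates so that the router, not the modem, is the
# bottleneck in each direction.
ext_if  = "tun0"
int_if  = "xl0"
netmask = "192.168.0.0/24"
ip1     = "192.168.0.1"
ip2     = "192.168.0.2"
up_bw   = "750Kb"       # assumed upstream rate
down_bw = "4500Kb"      # assumed downstream rate

# Each interface keeps its own state, so the queue chosen by the tun0 rule is
# used on tun0 and the queue chosen by the xl0 rule is used on xl0. With the
# default floating states the second interface never evaluates its rules.
set state-policy if-bound

# Upstream shaping: packets leaving tun0. Per host: a bulk queue, a small DNS
# queue and a small high-priority queue for empty ACKs and lowdelay packets.
altq on $ext_if cbq bandwidth $up_bw queue { up_def, IP1_OUT, IP2_OUT }
queue up_def   bandwidth 50Kb  cbq(default borrow)
queue IP1_OUT  bandwidth 350Kb cbq(borrow) { IP1_BULK, IP1_DNS, IP1_ACK }
queue IP1_BULK bandwidth 270Kb priority 3 cbq(red borrow)
queue IP1_DNS  bandwidth 30Kb  priority 6 cbq(borrow)
queue IP1_ACK  bandwidth 50Kb  priority 7 cbq(borrow)
queue IP2_OUT  bandwidth 350Kb cbq(borrow) { IP2_BULK, IP2_DNS, IP2_ACK }
queue IP2_BULK bandwidth 270Kb priority 3 cbq(red borrow)
queue IP2_DNS  bandwidth 30Kb  priority 6 cbq(borrow)
queue IP2_ACK  bandwidth 50Kb  priority 7 cbq(borrow)

# Downstream shaping: packets leaving xl0 toward the LAN. This is the only
# place where ALTQ can act on the download direction.
altq on $int_if cbq bandwidth $down_bw queue { down_def, IP1_IN, IP2_IN }
queue down_def bandwidth 100Kb  cbq(default borrow)
queue IP1_IN   bandwidth 2200Kb cbq(red borrow)
queue IP2_IN   bandwidth 2200Kb cbq(red borrow)

block in all
block out all
pass quick on lo0

# LAN side. The state created here is bound to xl0, so every packet of the
# connection that later leaves xl0 (the downloaded data) goes to the host's
# IN queue. Other LAN hosts fall into the default queues.
pass in quick on $int_if from $ip1 to any keep state queue IP1_IN
pass in quick on $int_if from $ip2 to any keep state queue IP2_IN
pass in quick on $int_if from $netmask to any keep state

# Internet side. One TCP rule per host in the two-queue form: the second
# queue receives ACK-only and lowdelay packets, the first everything else.
# This also avoids the ordering trap visible in the post's counters, where
# the ACK rule listed first for $ip2 matched every TCP connection of that host.
pass out quick on $ext_if inet proto { tcp udp } from $ip1 to any port domain \
    keep state queue IP1_DNS
pass out quick on $ext_if inet proto tcp from $ip1 to any flags S/SA \
    modulate state queue (IP1_BULK, IP1_ACK)
pass out quick on $ext_if inet proto { udp icmp } from $ip1 to any \
    keep state queue IP1_BULK
pass out quick on $ext_if inet proto { tcp udp } from $ip2 to any port domain \
    keep state queue IP2_DNS
pass out quick on $ext_if inet proto tcp from $ip2 to any flags S/SA \
    modulate state queue (IP2_BULK, IP2_ACK)
pass out quick on $ext_if inet proto { udp icmp } from $ip2 to any \
    keep state queue IP2_BULK
# The router's own traffic uses the default queue.
pass out quick on $ext_if from ($ext_if) to any keep state

# Only echo requests are accepted unsolicited from the Internet; ICMP errors
# that belong to a tracked connection are matched by its state. The post's
# "pass in quick inet proto icmp" admitted every ICMP type on every interface.
pass in quick on $ext_if inet proto icmp icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vvsq` during a download: IP1_IN and IP2_IN on xl0 should now count packets, and the ACK queues should carry only small packets. The `if-bound` policy is the piece that makes this work: with floating states the reply packet would already match the tun0 state when it leaves xl0, the xl0 rules would never be evaluated, and the queue name from the tun0 rule would be applied on an interface that has no such queue, so the packet would end up in the default queue.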