Chinaunix

Please help me check my PF rules (I can limit download speed and connection count for specified workstations, but limiting upload does not work!)

#1  Posted 2007-06-08 02:29
See pf.conf:
ext_if0="tun0"
int_if="fxp3"
lan_net="192.168.123.0/24"
table <work_ip> {192.168.123.0/24}
#table <lan_ip> persist file "/etc/pf_rules/lan.ip"

# 6881:6889 is an inclusive range; the original 6881><6889 excludes both end ports
deny_ports="{135, 137, 138, 139, 445, 593, 4444, 6881:6889, 6969}"
deny_address="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types="echoreq"
udp_services="{53}"
video_ports="{554, 1755, 8080}"
http_ports="{80, 443}"

boss_net="{ 192.168.123.3, 192.168.123.4 }"
my_net="192.168.123.5"

set block-policy return
set optimization aggressive
set loginterface $ext_if0

scrub in on $ext_if0 all fragment reassemble

# queues on the LAN interface: packets leaving fxp3 are the workstations' downloads
altq on $int_if cbq bandwidth 1024Kb queue {hi_in,low_in,my_in}
queue hi_in on $int_if bandwidth 700Kb cbq(default)
queue low_in on $int_if bandwidth 124Kb cbq(red)
queue my_in on $int_if bandwidth 200Kb cbq(red)

#altq on $ext_if0 cbq bandwidth 100% queue { std_out, http_out, ssh_out, dns_out, video_out }
#  queue std_out  bandwidth 25% cbq(default)
#  queue http_out bandwidth 40% priority 3 cbq(red borrow)
#  queue ssh_out  bandwidth 10% priority 4
#  queue dns_out  bandwidth 5% priority 5
#  queue video_out bandwidth 20% priority 6 cbq(red borrow)

# queues on the external interface: packets leaving tun0 are the uploads.
# A percentage only works if the interface reports its link speed; a tun
# interface usually does not, so an absolute upstream rate is the safe choice.
altq on $ext_if0 cbq bandwidth 100% queue { hi_out, low_out }
queue hi_out bandwidth 70% cbq(default)
queue low_out bandwidth 30% cbq(red)

nat on $ext_if0 from $lan_net to any -> ($ext_if0)

block all
block quick inet6 all

block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU

pass quick on lo0 all

antispoof quick for { $int_if $ext_if0 } inet

block in quick on $ext_if0 os NMAP
block in quick on $ext_if0 inet from $deny_address to ($ext_if0)
block out quick on $ext_if0 inet from ($ext_if0) to $deny_address

block in quick on $int_if proto {tcp, udp} from $int_if:network to any port $deny_ports flags S/SA
block in quick on $ext_if0 proto {tcp, udp} from any to ($ext_if0) port $deny_ports flags S/SA

pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass out quick inet proto icmp all icmp-type $icmp_types keep state

# filter rules for inbounds
pass in on $ext_if0 inet proto tcp from any to ($ext_if0) port ssh flags S/SA keep state
pass in on $ext_if0 inet proto tcp from port 20 to ($ext_if0) user proxy flags S/SA keep state

# filter rules for out bounds
#pass out on $ext_if0 inet proto {tcp, udp} from ($ext_if0) to any flags S/SA keep state queue std_out
#pass out on $ext_if0 inet proto tcp from ($ext_if0) to any port ssh flags S/SA keep state queue ssh_out
#pass out on $ext_if0 inet proto tcp from ($ext_if0) to any port $video_ports flags S/SA keep state queue video_out
#pass out on $ext_if0 inet proto tcp from ($ext_if0) to any port $http_ports flags S/SA keep state queue http_out
#pass out on $ext_if0 inet proto {tcp, udp} from ($ext_if0) to any port domain keep state queue dns_out

pass out on $ext_if0 inet keep state
pass out on $ext_if0 inet from 192.168.123.3 to any keep state queue hi_out
# queue names are case-sensitive: this must match low_out as defined above
pass out on $ext_if0 inet from 192.168.123.5 to any keep state queue low_out
# filter rules for lan
pass in on $int_if inet from <work_ip> to any keep state \
(source-track rule, max-src-nodes 200, max-src-states 200, tcp.established 60, tcp.closing 5) queue low_in
pass in on $int_if inet from $boss_net to any keep state \
(source-track rule, max-src-nodes 200, max-src-states 200, tcp.established 60, tcp.closing 5) queue hi_in
pass in on $int_if inet from $my_net to any keep state \
(source-track rule, max-src-nodes 200, max-src-states 200, tcp.established 60, tcp.closing 5) queue my_in
Now I can limit the download speed and connection count of specified workstations, but limiting a specified workstation's upload just will not work!
Whether I write this rule: pass out on $ext_if0 inet from 192.168.123.3 to any keep state queue hi_out
or write it like this: pass out on $ext_if0 inet from any to 192.168.123.3 keep state queue hi_out
neither works!

#2  Posted 2007-06-08 09:50
PF's bandwidth limiting can only limit outgoing traffic. It can do nothing about incoming traffic.

#3  Posted 2007-06-08 10:13
Quoting llzqq, posted 2007-6-8 09:50:
    PF's bandwidth limiting can only limit outgoing traffic. It can do nothing about incoming traffic.

It should be possible, but the limit for the inbound direction has to be done on the internal NIC, and the limit for outbound traffic has to be done on the external NIC; as I recall, that is the requirement.

#4  Posted 2007-06-08 12:42
I agree with colddawn; I have tried it in practice: to limit a workstation's downloads, you now do it on the internal NIC, for example: pass in on $int_if inet from <work_ip> to any keep state queue low_in, and that works; but I have no idea how to write the rule that limits a workstation's uploads. I think that limit should also go through the external device, such as the ADSL tun0, but written like this: pass out on $ext_if0 inet from 192.168.123.3 to any keep state queue hi_out, it does not work!

#5  Posted 2007-06-08 14:36
The following passage is taken from the PF FAQ:

Note that queueing only works on packets flowing out of an external interface. Queueing packets as they flow in on the internal interface is far too late, because by the time the internal interface receives them they have already consumed the bandwidth. The only solution is to enable queueing on the adjacent router, or, if the host that receives the packets is acting as a router, to enable queueing on the interface through which the packets leave that router.

#6  Posted 2007-06-08 22:24
I do not quite get it! When it comes to traffic control, is PF really less convenient than IPFW or IPTABLES?! Can someone give an easy-to-understand solution?

#7  Posted 2007-06-08 22:27
Also, why is it that when I limit downloads, it only takes effect if I use the internal interface?

#8  Posted 2007-06-09 18:55
Limiting upload should be done on the external interface with a PASS out .......... queue .... limit.
Quoting:
    Whether I write this rule: pass out on $ext_if0 inet from 192.168.123.3 to any keep state queue hi_out
    or write it like this: pass out on $ext_if0 inet from any to 192.168.123.3 keep state queue hi_out
    neither works!

It should be the first one.
I think, going by how PF works, putting a QUEUE limit on a PF pass in rule has no effect.

[Last edited by myuebbs on 2007-6-9 19:13]

#9  Posted 2007-06-10 09:45
The strange thing is: for limiting downloads, I tried pass out repeatedly and it had no effect, while pass in works; and I still do not know how to write the upload limit.
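One way to shape both directions per workstation, as an added example that is neither the poster's ruleset nor taken from the PF FAQ: the download queues stay on fxp3 as in the thread, the upload queues are defined on tun0 under the same names, and the queue is assigned on the pass in rule on fxp3, because after NAT a pass out rule on tun0 no longer sees 192.168.123.3 as the source. The 512Kb upstream rate and its split are assumed values, and the unrelated filter rules of the original are left out.

```pf
# Added example, not the poster's ruleset. Interface names and addresses
# come from the thread; the 512Kb tun0 upstream and its split are assumed.
ext_if0="tun0"
int_if="fxp3"
lan_net="192.168.123.0/24"
table <work_ip> { 192.168.123.0/24 }
boss_net="{ 192.168.123.3, 192.168.123.4 }"
my_net="192.168.123.5"

# Download direction: replies leave the router on fxp3, so the
# download limits are the fxp3 queues (the part that already worked).
altq on $int_if cbq bandwidth 1024Kb queue { hi, low, my }
queue hi  on $int_if bandwidth 700Kb cbq(default)
queue low on $int_if bandwidth 124Kb cbq(red)
queue my  on $int_if bandwidth 200Kb cbq(red)

# Upload direction: packets leave on tun0, so the upload limits are the
# tun0 queues. tun0 reports no link speed, so the root bandwidth is an
# absolute value rather than 100%. The names repeat those on fxp3 on
# purpose: a state carries one queue name, and pf applies it on whichever
# ALTQ interface the packet leaves, so one rule shapes both directions.
altq on $ext_if0 cbq bandwidth 512Kb queue { hi, low, my }
queue hi  on $ext_if0 bandwidth 256Kb cbq(default)
queue low on $ext_if0 bandwidth 128Kb cbq(red)
queue my  on $ext_if0 bandwidth 128Kb cbq(red)

nat on $ext_if0 from $lan_net to any -> ($ext_if0)

block all
pass quick on lo0 all

# Assign the queue where the state is created: on the pass in rule on
# fxp3, before NAT rewrites the source. A "pass out on tun0 from
# 192.168.123.3" rule never matches, because by then the source address
# is tun0's own. The last matching rule wins, so the broad <work_ip> rule
# goes first and the more specific hosts override it.
pass in on $int_if inet from <work_ip> to any keep state queue low
pass in on $int_if inet from $boss_net to any keep state queue hi
pass in on $int_if inet from $my_net   to any keep state queue my

# Router's own traffic; LAN packets already have a state and keep their queue.
pass out on $ext_if0 inet keep state
```

Check the assignment with pfctl -vvs queue while a workstation uploads: the byte counters of the tun0 queue named in its pass in rule should grow, not those of the default queue.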

#10  Posted 2007-07-07 12:38
Bro, did you get it sorted out?