hallo,
endlich funktioniert meine fw die auf meine wlan/authpf/ovpn bedürfnisse angepasst ist. es gibt nur 1 problem - queue funktioniert nicht. wenn emule (mit max. 37k/sek upload) läuft reisst es mir die download-bandbreite auf ca. 80k/sek. runter. ich habe eine alice 6 mbit leitung (512 upstream).
kennt sich jemand gut genug aus und erkennt evtl. einen fehler?
danke!
/etc/authpf/authpf.rules
/etc/pf.conf
endlich funktioniert meine fw die auf meine wlan/authpf/ovpn bedürfnisse angepasst ist. es gibt nur 1 problem - queue funktioniert nicht. wenn emule (mit max. 37k/sek upload) läuft reisst es mir die download-bandbreite auf ca. 80k/sek. runter. ich habe eine alice 6 mbit leitung (512 upstream).
kennt sich jemand gut genug aus und erkennt evtl. einen fehler?
danke!
/etc/authpf/authpf.rules
# wlan
wlan_if = "ral0"
# allow authenticated hosts to connect to openvpn daemon
pass in quick on $wlan_if proto udp from $user_ip to ($wlan_if) port 1194 keep state
/etc/pf.conf
# macros ============================================================
ext_if = "tun0"
int_if = "xl0"
wlan_if = "ral0"
vpn_if = "tun1"
tcp_flags = "flags S/SA keep state"
int_net = "192.168.0.0/24"
# emule ============================================================
mule_ip = "192.168.0.100"
mule_tcp = "{ 4661, 4662 }"
mule_udp = "{ 4665, 4672 }"
# abusers table =====================================================
table <abusers> persist
# authpf table
table <authpf_users> persist
# Options ===========================================================
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 3600 }
set timeout { tcp.closing 120, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 20000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
# traffic normalization =============================================
scrub in all random-id min-ttl 255 max-mss 1492 fragment reassemble
scrub out all max-mss 1300
# Queueing ==========================================================
altq on $ext_if priq bandwidth 580Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 2 priq (default)
# redirect =========================================================
rdr on $ext_if inet proto tcp from !$int_net to any port 4661:4662 -> $mule_ip port 4661:*
rdr on $ext_if inet proto udp from !$int_net to any port 4665 -> $mule_ip port 4665
rdr on $ext_if inet proto udp from !$int_net to any port 4672 -> $mule_ip port 4672
# nat ===============================================================
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# authpf ============================================================
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"
# Filtering =========================================================
# silently drop broadcasts cable modem noise
block in quick on $ext_if from any to 255.255.255.255
# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if inet proto tcp from any to any flags /S
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags A/A
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags SF/SF
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags SR/SR
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if inet proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if inet proto tcp from any to any flags SFRAUP/SFRAUP
# Drop spoofed packets IP blocks
block in log quick on $ext_if from { <RFC1918> } to any
block out log quick on $ext_if from any to { <RFC1918> }
# block anything coming from source we have no back routes for
block in from no-route to any
# block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any
block log quick from <abusers>
block log all
### OUTGOING
pass out on $ext_if inet proto tcp all flags S/SA modulate state queue (q_def, q_pri)
pass out on $ext_if inet proto { udp, icmp } all keep state
### INCOMING
# wireless interface (allow limited ssh to avoid brute-force attacks)
pass in quick on $wlan_if inet proto tcp to ($wlan_if) port ssh $tcp_flags \
(max-src-conn 10, max-src-conn-rate 15/5, overload <abusers> flush global) queue (q_def, q_pri)
pass in quick on $ext_if inet proto tcp from any to any port $mule_tcp flags S/SAFR keep state label eMuleTCP
pass in quick on $ext_if inet proto udp from any to any port $mule_udp keep state label eMuleUDP
# allow everything from wired lan, vpn and loopback
pass quick on { lo, $int_if, $vpn_if }
# antispoof protection for all interfaces
antispoof quick for { lo, $int_if, $wlan_if, $vpn_if }