I put together a pf ruleset based on someone else's example; could you all take a look and tell me whether it's okay?
-------------------------------------------------------
OpenBSD 4.3 pf, not yet used in a production environment
-------------------------------------------------------
1. Configure the bridge
vi /etc/bridgename.bridge0
add em0 add em1 up
:wq
reboot
2. Enable pf
vi /etc/rc.conf
change pf=NO to pf=YES
:wq
3. Edit the pf firewall rules
vi /etc/pf.conf
# macros
ext_if = "em0" # external-facing interface ext_if
int_if = "em1" # internal-facing interface int_if
#altq
altq on $ext_if cbq bandwidth 100% queue { default, http, mail, dns, ftp }
queue default bandwidth 10% priority 0 cbq(default ecn)
queue http bandwidth 20% priority 6 { http_vhosts, http_cust1 }
queue http_vhosts bandwidth 40% cbq(borrow red)
queue http_cust1 bandwidth 100Kb
queue mail bandwidth 10% priority 1
queue dns bandwidth 30% priority 7 cbq(borrow)
queue ftp bandwidth 20% priority 6 cbq
block return in on $ext_if inet all queue rsets
pass in on $ext_if inet proto tcp from any to any port 80 queue http
pass in out on $ext_if inet proto tcp from any to any port 21 queue ftp
pass in out on $ext_if inet proto tcp from any to any port 25 queue mail
pass in out on $ext_if inet proto tcp from any to any port 53 queue dns
pass out on $ext_if inet all
altq on $int_if cbq bandwidth 100Mb queue { http,ftp,udp }
queue http bandwidth 300Mb cbq(default)
queue ftp bandwidth 30Mb cbq(red)
queue udp bandwidth 20Mb cbq(red)
pass in quick on $int_if proto tcp from any to 10.32.0.162 keep state queue udp
pass in on $int_if inet from any to any flags S/SA keep state (max 50000, source-track rule, max-src-nodes 30000,max-src-states 10,tcp.established 60,tcp.closing 5)
-------------------------------------------------------------------------------
Questions: 1. Are there any problems with these rules? Will they make good use of the bandwidth?
2. How should rules like these be improved?
3. Experts, please advise!
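Added example, not part of the original post and not pfctl: a small Python checker that applies the structural constraints a CBQ queue tree has to satisfy before it will load (one cbq(default) per altq, a child never wider than its parent, queue names unique because pass/block rules name a queue without an interface, and every queue a rule refers to actually defined). The ruleset inside it is a constructed copy of the queue and queue-referencing lines from the post, with em0/em1 written in place of the $ext_if/$int_if macros as the post's own macro definitions give them; CLEAN_RULESET is a constructed tree that passes every check. Python is used because pf.conf itself cannot be executed outside OpenBSD; the messages and check names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the queue lines and queue-referencing rules from the post,
# with em0/em1 written in place of the $ext_if/$int_if macros.
POSTED_RULESET = """\
altq on em0 cbq bandwidth 100% queue { default, http, mail, dns, ftp }
queue default bandwidth 10% priority 0 cbq(default ecn)
queue http bandwidth 20% priority 6 { http_vhosts, http_cust1 }
queue http_vhosts bandwidth 40% cbq(borrow red)
queue http_cust1 bandwidth 100Kb
queue mail bandwidth 10% priority 1
queue dns bandwidth 30% priority 7 cbq(borrow)
queue ftp bandwidth 20% priority 6 cbq
block return in on em0 inet all queue rsets
pass in on em0 inet proto tcp from any to any port 80 queue http
altq on em1 cbq bandwidth 100Mb queue { http, ftp, udp }
queue http bandwidth 300Mb cbq(default)
queue ftp bandwidth 30Mb cbq(red)
queue udp bandwidth 20Mb cbq(red)
pass in quick on em1 proto tcp from any to 10.32.0.162 keep state queue udp
"""

# Constructed minimal tree that passes every check below.
CLEAN_RULESET = """\
altq on em1 cbq bandwidth 100Mb queue { std, web }
queue std bandwidth 60% cbq(default)
queue web bandwidth 40% cbq(borrow)
pass in on em1 proto tcp to port 80 queue web
"""

UNIT = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}


@dataclass
class Queue:
    name: str
    bw_text: str            # bandwidth token as written, e.g. "300Mb" or "20%"
    line: int
    parent: "Queue | None" = None
    is_default: bool = False
    children: list = field(default_factory=list)

    def abs_bps(self):
        """Bits/s if resolvable; '%' is relative to the parent, so a percent root
        with unknown interface speed (and everything under it) resolves to None."""
        m = re.fullmatch(r"(\d+(?:\.\d+)?)(%|[KMG]?b)", self.bw_text, re.I)
        if not m:
            return None
        val, unit = float(m.group(1)), m.group(2)
        if unit != "%":
            return val * UNIT[unit.lower()]
        parent_abs = self.parent.abs_bps() if self.parent else None
        return None if parent_abs is None else parent_abs * val / 100


def descendants(q):
    for c in q.children:
        yield c
        yield from descendants(c)


def parse(text):
    """Return (queues, altq roots, [(line, queue name used by a pass/block rule)])."""
    queues, roots, refs, pending = [], [], [], {}  # pending: child name -> declaring parent
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"altq on (\S+) cbq bandwidth (\S+)", line):
            q = Queue(f"altq:{m.group(1)}", m.group(2), n)
            roots.append(q)
        elif line.startswith("queue "):
            bw = re.search(r"bandwidth (\S+)", line)
            opts = re.search(r"cbq\(([^)]*)\)", line)
            q = Queue(line.split()[1], bw.group(1) if bw else "?", n,
                      is_default=bool(opts and "default" in opts.group(1).split()))
            q.parent = pending.pop(q.name, None)  # most recent parent that listed this name
            if q.parent:
                q.parent.children.append(q)
            queues.append(q)
        else:
            if re.match(r"(pass|block)\b", line) and (m := re.search(r"\bqueue\s+([\w.-]+)", line)):
                refs.append((n, m.group(1)))
            continue
        if kids := re.search(r"\{([^}]*)\}", line):  # children declared on an altq/queue line
            for k in kids.group(1).split(","):
                pending[k.strip()] = q
    return queues, roots, refs


def lint_ruleset(text):
    """Structural checks on a CBQ tree plus dangling queue references; returns findings."""
    queues, roots, refs = parse(text)
    findings, seen = [], {}
    for q in queues:
        if q.name in seen:
            findings.append(f"line {q.line}: queue '{q.name}' is defined more than once "
                            f"(first at line {seen[q.name]}); rules name queues without an interface")
        seen.setdefault(q.name, q.line)
    for q in roots + queues:
        p_abs = q.abs_bps()
        for c in q.children:
            c_abs = c.abs_bps()
            if p_abs is not None and c_abs is not None and c_abs > p_abs:
                findings.append(f"line {c.line}: queue '{c.name}' bandwidth {c.bw_text} "
                                f"exceeds parent '{q.name}' bandwidth {q.bw_text}")
    for r in roots:
        n_default = sum(1 for d in descendants(r) if d.is_default)
        if n_default != 1:
            findings.append(f"line {r.line}: {r.name} needs exactly one cbq(default) queue, found {n_default}")
    for n, name in refs:
        if name not in seen:
            findings.append(f"line {n}: rule assigns traffic to undefined queue '{name}'")
    return findings
```

Run against the posted lines it reports three things that would stop the ruleset loading before any bandwidth tuning matters: http and ftp are each defined twice (once per interface), the internal http queue asks for 300Mb under a 100Mb altq, and the block rule names a queue rsets that nowhere exists. Percent-based queues under the external altq cannot be checked in absolute terms because the interface speed is not known here, so they are left alone. Beyond what the checker sees, a reviewer would also note that a TCP rule on the internal side is being put into a queue called udp, which is legal but misleading.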