
Re: SFTP + pf + queueing: seemingly incorrect bandwidth limiting



Christopher Snell wrote:
--------begin clip----------------
% scp -P 40022 bigfile me@10.0.0.22:~/
cjs@10.0.0.22's password:
bigfile 1% 2112KB 422.3KB/s 05:35 ETA
-----------end clip----------------

a. if this means you're pushing bigfile from a machine outside $ext_if, then there's nothing you can do about queuing. queuing can only happen on the way out of an interface.


b. if this means you're pushing bigfile from inside $ext_if to an outside machine, you need something like this as well:

pass out on $ext_if proto tcp from any to 10.0.0.22 port 40022 \
	flags S/SA keep state queue (ssh_bulk, ssh_interactive)


--------begin clip----------------
ext_if = "xl0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
icmp_types = "echoreq"
scrub in all
scrub reassemble tcp
altq on $ext_if cbq bandwidth 50Kb queue { std, ssh, http }
queue std priority 2 cbq(default)
queue http priority 1
queue ssh bandwidth 10Kb { ssh_interactive, ssh_bulk }
queue ssh_bulk priority 1
queue ssh_interactive priority 3
block all
pass quick on lo0 all
antispoof for $ext_if inet
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port 40022 queue (ssh_bulk, ssh_interactive) keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port 113 flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 queue http keep state
pass out on $ext_if proto tcp from $ext_if to any queue default flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from ($ext_if) to any queue default keep state


