PF HFSC traffic shaping per port?

Hey,

I'm testing that rule from the calomel blog: https://calomel.org/pf_hfsc.html
Code:
### FIOS Upload = 20Mb/s (queue at 97%)
 altq on $ExtIf bandwidth 19.40Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
  queue ack        bandwidth 30% qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 20% qlimit 500 hfsc (realtime   20%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 50% qlimit 500 hfsc
   queue ssh_bulk  bandwidth 50% qlimit 500 hfsc
  queue bulk       bandwidth 20% qlimit 500 hfsc (realtime   20% default, ecn)
  queue web        bandwidth  5% qlimit 500 hfsc (realtime  (10%, 10000, 5%))
  queue mail       bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue bittor     bandwidth  1% qlimit 500 hfsc (upperlimit 95%)
  queue spamd      bandwidth  1% qlimit 500 hfsc (upperlimit 1Kb)

I want to be able to do traffic shaping per port. I see in the rule above that bandwidth is shaped for services like DNS, SSH, web, mail. Is it possible to do traffic shaping per port, for example 3344 or 5566 or 5555 etc.? If not, could you give me a recipe for how to do it with PF?

Thank you,
 
As per the pf documentation, the queue statements just create the queues. You then need to configure pf rules to pass traffic into them:

Code:
     queue std bandwidth 10% cbq(default)
     queue http    bandwidth 60% priority 2 cbq(borrow red) \
       { employees,    developers }
     queue  developers bandwidth 75% cbq(borrow)
     queue  employees bandwidth    15%
     queue mail    bandwidth 10% priority 0 cbq(borrow ecn)
     queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
     queue  ssh_interactive bandwidth 50% priority 7 cbq(borrow)
     queue  ssh_bulk bandwidth 50% priority 0 cbq(borrow)

     block return out on dc0 inet all queue std
     pass out on dc0 inet proto tcp from $developerhosts to any port 80 queue developers
     pass out on dc0 inet proto tcp from $employeehosts to any port 80 queue employees
     pass out on dc0 inet proto tcp from any to any port 22 queue(ssh_bulk, ssh_interactive)
     pass out on dc0 inet proto tcp from any to any port 25 queue mail

The pass rules above match specific traffic (including the port number) and assign it to the correct queue. You'll just need to create appropriate rules for your environment. Note that the queue name is not configuring a specific service and can be anything that's meaningful to your use case. It's the rule that matches the traffic.
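
Added example, not part of any post in this thread: a pf.conf fragment in the same legacy ALTQ syntax, using HFSC queues for the ports asked about (3344, 5566, 5555). The interface name em0, the queue names, the bandwidth split and the choice of TCP are assumptions for illustration.

```conf
# Constructed example for per-port shaping with ALTQ/HFSC.
# Assumed: em0 is the external interface, 20Mb/s uplink shaped at 97%.
ExtIf = "em0"

# The altq line creates the root scheduler and names the top-level queues.
# Exactly one queue must be marked "default"; traffic that no rule assigns
# to a queue lands there.
altq on $ExtIf bandwidth 19.40Mb hfsc queue { std, app3344, app5566, app5555 }
 # bandwidth may be a percentage of the parent or an absolute value (Kb, Mb).
 queue std     bandwidth 40% qlimit 500 hfsc (default, ecn)
 queue app3344 bandwidth 30% qlimit 500 hfsc (realtime 20%)
 queue app5566 bandwidth 4Mb qlimit 500 hfsc
 queue app5555 bandwidth  5% qlimit 500 hfsc (upperlimit 2Mb)

# The queue name carries no meaning to pf. The rule decides what goes in:
# each pass rule below matches a destination port and names the queue.
pass out on $ExtIf inet proto tcp from any to any port 3344 queue app3344
pass out on $ExtIf inet proto tcp from any to any port 5566 queue app5566
pass out on $ExtIf inet proto tcp from any to any port 5555 queue app5555

# ALTQ only schedules packets leaving $ExtIf. For a service listening
# locally on one of these ports, attach the queue to the inbound rule:
# the queue is stored with the state, so the replies sent back out on
# $ExtIf are shaped by app3344.
pass in on $ExtIf inet proto tcp from any to any port 3344 queue app3344

# Check before loading:   pfctl -nf /etc/pf.conf
# Watch queue counters:   pfctl -vsq
```

If the counters for a port queue stay at zero while `std` grows, a later rule in the ruleset is matching that traffic instead (the last matching rule wins in pf).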
 
Oh, thank you! I will try.

1) Can I use HFSC instead of CBQ?
2) If I use CBQ, can I use Mbit instead of %?
3) I used:
Code:
altq on $ExtIf bandwidth 19.40Mb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
In your rules it doesn't exist. Should it look like what you wrote, or did you cut that part?
Sorry for asking about such basic things. I have always used ipfw and want to switch to pf. I even read the book of pf, but I don't understand enough to make a properly working environment. :(
 
You're better off following the guide you originally posted if possible. I did have a quick look and it seemed to mention adding the pf rules to put traffic into the queues near the bottom.

I know very little about pf and have never used queues.
 
In all honesty I tend to use off the shelf firewalls and just use FreeBSD as a server. I find manually configuring more advanced networking/traffic shaping/etc in all the *nix operating systems far more hassle than it's worth.
 
I'm just looking for some solutions related to traffic shaping. Maybe you have some cool solutions?
Thanks :D
 