[FreeBSD] pf+altq in practice [repost]

Environment: VMware
System: FreeBSD 7.1
Rebuild the kernel: the kernel installed by default does not support ALTQ.


Install the kernel source: run sysinstall, choose Configure, then Distributions, then src, and select base and sys.
# cd /usr/src/sys/i386/conf
# cp GENERIC altq
# vi altq
Add:
options       ALTQ
options       ALTQ_CBQ
options       ALTQ_RED
options       ALTQ_RIO
options       ALTQ_HFSC
options       ALTQ_PRIQ
options       ALTQ_NOPCC

Build and install the kernel:
# cd /usr/src
# make buildkernel KERNCONF=altq
# make installkernel KERNCONF=altq

The build takes about fifteen minutes. Then tie ALTQ to pf:
Load the pf.ko module; the pf control script is /etc/rc.d/pf.
Write the rules:

altq on le0 cbq bandwidth 140Kb queue { http, ftp, base } # define the total bandwidth
queue base bandwidth 40% cbq(default) # base gets 40% of the total; the others follow the same pattern
queue http bandwidth 30%
queue ftp bandwidth 30%
pass out quick on le0 proto tcp from any to any port 80 keep state queue http    # pf assigns traffic to the ALTQ queues defined above
pass out quick on le0 proto tcp from any to any port 21 keep state queue ftp
pass out quick on le0 proto { tcp, udp } from any to any port 53 keep state
pass out quick on le0 proto tcp from any to any keep state queue base    # catch-all last: with quick, the first matching rule wins
block all

http://bbs.chinaunix.net/viewthread.php?tid=1425365

#### Below is the configuration I tested and modified #########
#============================================
ext_if="nfe0"
http_port="9001"
ftp_port="9002"
base_port="9003"
ssh_port="2233"

altq on $ext_if cbq bandwidth 10% queue { http_in, ftp_in, base_in, ssh_in }    # define the total bandwidth
queue base_in bandwidth 40% cbq(default)    # base gets 40% of the total; the others follow the same pattern
queue http_in bandwidth 30%
queue ftp_in bandwidth 25%
queue ssh_in bandwidth 5% priority 1 cbq(borrow)

pass in quick on $ext_if proto tcp from any to any port $ssh_port keep state queue ssh_in
pass in quick on $ext_if proto tcp from any to any port $http_port keep state queue http_in
pass in quick on $ext_if proto tcp from any to any port $ftp_port keep state queue ftp_in
pass in quick on $ext_if proto { tcp, udp } from any to any port $base_port keep state queue base_in
pass in quick on $ext_if proto tcp from any to any keep state queue base_in      # pf assigns traffic to the ALTQ queues defined above

#block all
pass all


#============================================
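As an added example (not from the original post or from pf), a small Python linter for ALTQ/CBQ fragments like the two above: it checks that child queue percentages do not exceed the root, that exactly one queue is cbq(default), that every queue named in a pass rule is defined, and that no later rule is hidden behind an earlier port-less `quick` catch-all. The embedded sample is constructed: a variant of the first rule set with the catch-all placed first, so the last check fires.

```python
import re

# Constructed sample: a variant of this post's first rule set in which the
# port-less catch-all comes before the port-specific rules.
SAMPLE_PF_CONF = """\
altq on le0 cbq bandwidth 140Kb queue { http, ftp, base }
queue base bandwidth 40% cbq(default)
queue http bandwidth 30%
queue ftp bandwidth 30%
pass out quick on le0 proto tcp from any to any keep state queue base
pass out quick on le0 proto tcp from any to any port 80 keep state queue http
pass out quick on le0 proto tcp from any to any port 21 keep state queue ftp
pass out quick on le0 proto { tcp, udp } from any to any port 53 keep state
"""

def parse_pass(line):
    # Direction, interface, protocol set, port presence and queue of one pass rule.
    words = line.split()
    proto_txt = line.split(' proto ', 1)[1].split(' from ', 1)[0]
    return {'dir': words[1], 'quick': 'quick' in words,
            'iface': words[words.index('on') + 1],
            'protos': frozenset(re.findall(r'\w+', proto_txt)),
            'port': ' port ' in line,
            'queue': words[words.index('queue') + 1] if 'queue' in words else None}

def lint_altq(conf):
    """Return a list of problems found in a pf.conf ALTQ/CBQ fragment."""
    problems, root_children, queues, catch_alls = [], [], {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if m := re.match(r'altq on \S+ \w+ bandwidth \S+ queue \{([^}]*)\}', line):
            root_children = [q.strip() for q in m.group(1).split(',')]
        elif m := re.match(r'queue (\S+) bandwidth (\d+)%(.*)', line):
            queues[m.group(1)] = (int(m.group(2)), 'default' in m.group(3))
        elif line.startswith('pass ') and ' proto ' in line:
            r = parse_pass(line)
            if r['queue'] and r['queue'] not in queues:
                problems.append(f'line {n}: queue {r["queue"]} is not defined')
            # quick = first match wins, so an earlier port-less catch-all hides this rule.
            for c in catch_alls:
                shared = c['protos'] & r['protos']
                if (c['dir'], c['iface']) == (r['dir'], r['iface']) and shared:
                    problems.append(f'line {n}: shadowed by quick catch-all on line {c["line"]} for {sorted(shared)}')
            if r['quick'] and not r['port']:
                catch_alls.append(dict(r, line=n))
    # Children may not exceed the root bandwidth; exactly one queue is the default.
    if sum(p for p, _ in queues.values()) > 100:
        problems.append('child queue percentages exceed 100% of the root bandwidth')
    if sum(d for _, d in queues.values()) != 1:
        problems.append('exactly one queue must be marked cbq(default)')
    problems += [f'queue {q} is not listed in the altq root' for q in queues if q not in root_children]
    return problems
```

Run `lint_altq` on a fragment before loading it with `pfctl -f`; an empty list means the ordering and queue accounting are consistent.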
Testing:
Receiver: nc -kl 9001 >/dev/null
Sender: nc 192.168.1.123 9001 < ~/big_file.dat

Only inbound bandwidth is limited; the test succeeded.
