Netgate Discussion Forum

Limiter doesn't work

2.0-RC Snapshot Feedback and Problems - RETIRED
3 Posts 2 Posters 1.8k Views
Bambo

I wrote 2 limiters to limit upload and download, but they don't work.
The info from pfctl is the following, and I can't find any place where the dnpipe is defined:
[2.0-BETA5][root@office.zhenghongkeji.com]/(18): pfctl -sa | grep dnpipe
pass in quick on vr0 proto tcp from <dynamicip> to any port = http flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTP with limit" dnpipe(2, 1)
pass in quick on vr0 proto tcp from <dynamicip> to any port = https flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTPS with limit" dnpipe(2, 1)
pass in quick on vr0 proto tcp from <dynamicip> to any port = 4000 flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)
pass in quick on vr0 proto udp from <dynamicip> to any port = 4000 keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)

eri--

Show the other rules as well.
That alone doesn't tell us anything.

Bambo

All the running rules are the following. It looks like the IPs in DynamicIP are not limited by anything because dnpipes 1 and 2 are not defined yet.
[2.0-BETA5][root@office.zhenghongkeji.com]/root(1): pfctl -sr
scrub in on pppoe0 all fragment reassemble
scrub in on vr0 all fragment reassemble
anchor "relayd/" all
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
block drop quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
block drop in on ! pppoe0 inet from 119.130.16.221 to any
block drop in inet from 119.130.16.221 to any
block drop in on pppoe0 inet6 from fe80::221:85ff:fec7:370c to any
block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
block drop in on ! vr0 inet from 192.168.80.0/24 to any
block drop in inet from 192.168.80.253 to any
block drop in on vr0 inet6 from fe80::226:5aff:fe83:f580 to any
pass in on vr0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in on vr0 inet proto udp from any port = bootpc to 192.168.80.253 port = bootps keep state label "allow access to DHCP server"
pass out on vr0 inet proto udp from 192.168.80.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lo0 all flags S/SA keep state label "pass loopback"
pass out on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (pppoe0 119.130.16.1) inet from 119.130.16.221 to ! 119.130.16.221 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on vr0 proto tcp from any to (vr0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on vr0 proto tcp from any to (vr0) port = ssh flags S/SA keep state label "anti-lockout rule"
pass on pppoe0 proto udp from any to any port = 4000 keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 119.130.16.1) inet proto udp all keep state label "USER_RULE"
pass in quick on vr0 inet proto tcp from 192.168.80.198 to any flags S/SA keep state label "USER_RULE"
pass in quick on vr0 inet proto udp from 192.168.80.198 to any keep state label "USER_RULE"
pass in quick on vr0 inet proto icmp all keep state label "USER_RULE"
pass in quick on vr0 proto udp from any to any port = domain keep state label "USER_RULE"
pass in quick on vr0 proto tcp from <dynamicip> to any port = http flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTP with limit" dnpipe(2, 1)
pass in quick on vr0 proto tcp from <dynamicip> to any port = https flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTPS with limit" dnpipe(2, 1)
pass in quick on vr0 proto tcp from <dynamicip> to any port = 3722 flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access DriveGenius" dnpipe(2, 1)
pass in quick on vr0 proto tcp from <dynamicip> to any port = 4000 flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)
pass in quick on vr0 proto udp from <dynamicip> to any port = 4000 keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)
block drop in quick on vr0 from <dynamicip> to any label "USER_RULE: Dynamic allocated IP stop here"
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE"
pass in quick on vr0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on vr0 proto udp from any to any port = smtp keep state label "USER_RULE"
pass in quick on vr0 proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
pass in quick on vr0 inet proto tcp from 192.168.80.0/24 to 192.168.80.253 port = 3000 flags S/SA keep state label "USER_RULE: ntop port"
pass in quick on vr0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
pass in quick on vr0 proto tcp from any to any port = pop3s flags S/SA keep state label "USER_RULE"
pass in quick on vr0 proto tcp from any to any port = smtps flags S/SA keep state label "USER_RULE"
pass in quick on vr0 proto tcp from any to any port = pptp flags S/SA keep state label "USER_RULE"
pass in quick on vr0 proto tcp from any to any port = 3389 flags S/SA keep state label "USER_RULE: Windows remote desktop"
pass in quick on vr0 proto tcp from any to any port = 4000 flags S/SA keep state label "USER_RULE: QQ"
pass in quick on vr0 proto udp from any to any port = 4000 keep state label "USER_RULE: QQ"
pass in quick on vr0 proto tcp from any to <remote_manage> port = 3022 flags S/SA keep state label "USER_RULE: Huadu and Conghua ssh"
pass in quick on vr0 proto tcp from any to <hangzhou> port = 3212 flags S/SA keep state label "USER_RULE: Hangzhou ssh"
pass in quick on vr0 proto tcp from any to <hangzhou> port = 3222 flags S/SA keep state label "USER_RULE: Hangzhou ssh"
pass in quick on vr0 proto tcp from any to any port = afs3-prserver flags S/SA keep state label "USER_RULE: Guangzhou yizhidu System"
pass in quick on vr0 proto tcp from any to any port = 8000 flags S/SA keep state label "USER_RULE: EPMonitor video monitor port"
pass in quick on vr0 proto tcp from any to any port = 8090 flags S/SA keep state label "USER_RULE: Zhenghong epmonitor system"
pass in quick on vr0 proto tcp from any to any port = 8443 flags S/SA keep state label "USER_RULE: Tax system of guangzou"
pass in quick on vr0 proto tcp from any to any port = 3308 flags S/SA keep state label "USER_RULE: Yuchanghong need this port"
pass in quick on vr0 proto tcp from any to any port = 8088 flags S/SA keep state label "USER_RULE: Bambo need this port for ftp"
pass in quick on vr0 proto tcp from any to any port 32999 >< 34001 flags S/SA keep state label "USER_RULE: Bambo need this port for ftp"
block drop in quick on vr0 inet from 192.168.80.0/24 to any label "USER_RULE: Block any TCP"
anchor "tftp-proxy/" all
anchor "miniupnpd" all

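Added example, not code from this thread or from pfSense: a POSIX shell check that makes the third post's observation verifiable by extracting the pipe numbers that `pfctl -sr` rules reference through `dnpipe(...)` and comparing them with the pipes present in `ipfw pipe show` output. Both inputs are constructed sample texts so the script runs offline; the shape assumed for the pipe list (a zero-padded pipe number followed by a colon at the start of each entry) and the single-number `dnpipe N` form are assumptions, not taken from the thread. A rule whose pipe is missing from the defined set matches traffic but shapes nothing, which is the symptom reported above.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: cross-check the
# dummynet pipe numbers that pf rules reference through dnpipe(...) against
# the pipes that are actually defined. On a live box the two inputs would be
# the output of `pfctl -sr` and `ipfw pipe show`; here both are constructed
# sample texts so the script runs offline.

# Constructed sample: three pf rules in the shape pfctl -sr prints them.
SAMPLE_RULES='pass in quick on vr0 proto tcp from <dynamicip> to any port = http flags S/SA keep state label "USER_RULE: limited HTTP" dnpipe(2, 1)
pass in quick on vr0 proto udp from <dynamicip> to any port = 4000 keep state label "USER_RULE: limited QQ" dnpipe(2, 1)
pass in quick on vr0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE: one-way limit" dnpipe 3'

# Constructed sample in the assumed shape of `ipfw pipe show`: a zero-padded
# pipe number followed by a colon starts each pipe entry. Only pipe 3 exists.
SAMPLE_PIPES='00003:   1.000 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail'

# referenced_pipes RULES: print every pipe number named by a dnpipe clause,
# both the two-number form dnpipe(in, out) and the single-number form dnpipe N,
# one per line, numerically sorted and de-duplicated.
referenced_pipes() {
    printf '%s\n' "$1" | awk '
        match($0, /dnpipe *(\([^)]*\)|[0-9]+)/) {
            clause = substr($0, RSTART + 6, RLENGTH - 6)  # drop the word "dnpipe"
            gsub(/[^0-9]+/, " ", clause)                   # keep only the numbers
            n = split(clause, nums, " ")
            for (i = 1; i <= n; i++) seen[nums[i] + 0] = 1
        }
        END { for (p in seen) print p }' | sort -n
}

# defined_pipes PIPE_SHOW: print the pipe numbers present in `ipfw pipe show`
# style output, one per line, numerically sorted.
defined_pipes() {
    printf '%s\n' "$1" | awk '/^[0-9][0-9]*:/ { sub(/:.*/, ""); print $0 + 0 }' | sort -n
}

# missing_pipes RULES PIPE_SHOW: print the referenced pipe numbers that have
# no definition. Traffic matched by a rule whose pipe is undefined is not
# shaped, which is exactly the symptom described in the thread.
missing_pipes() {
    defined=$(defined_pipes "$2")
    for p in $(referenced_pipes "$1"); do
        found=0
        for d in $defined; do
            [ "$p" -eq "$d" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

printf 'Pipes referenced by rules but never defined:\n'
missing_pipes "$SAMPLE_RULES" "$SAMPLE_PIPES"   # prints 1 and 2
```

On a pfSense 2.0 box the same functions can be fed live data with `missing_pipes "$(pfctl -sr)" "$(ipfw pipe show)"`; an empty result means every pipe a rule points at is defined, and anything printed is a limiter that exists only in the ruleset.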
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.