Limiter doesn't work



  • I wrote 2 limiters to limit upload and download but it doesn't work.
    The info from pfctl is like the following and I can't find any place to define the dnpipe:
    [2.0-BETA5][root@office.zhenghongkeji.com]/(18): pfctl -sa | grep dnpipe
    pass in quick on vr0 proto tcp from <dynamicip> to any port = http flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTP with limit" dnpipe(2, 1)
    pass in quick on vr0 proto tcp from <dynamicip> to any port = https flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTPS with limit" dnpipe(2, 1)
    pass in quick on vr0 proto tcp from <dynamicip> to any port = 4000 flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)
    pass in quick on vr0 proto udp from <dynamicip> to any port = 4000 keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)



  • Show the other rules as well.
    That just does not tell anything as info.



  • All rules running are the following. It looks like IPs in DynamicIP aren't limited by anything because dnpipe 1 and 2 are not defined yet.
    [2.0-BETA5][root@office.zhenghongkeji.com]/root(1): pfctl -sr
    scrub in on pppoe0 all fragment reassemble
    scrub in on vr0 all fragment reassemble
    anchor "relayd/" all
    block drop in log all label "Default deny rule"
    block drop out log all label "Default deny rule"
    block drop in quick inet6 all
    block drop out quick inet6 all
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
    block drop quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
    block drop in on ! pppoe0 inet from 119.130.16.221 to any
    block drop in inet from 119.130.16.221 to any
    block drop in on pppoe0 inet6 from fe80::221:85ff:fec7:370c to any
    block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    block drop in on ! vr0 inet from 192.168.80.0/24 to any
    block drop in inet from 192.168.80.253 to any
    block drop in on vr0 inet6 from fe80::226:5aff:fe83:f580 to any
    pass in on vr0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in on vr0 inet proto udp from any port = bootpc to 192.168.80.253 port = bootps keep state label "allow access to DHCP server"
    pass out on vr0 inet proto udp from 192.168.80.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (pppoe0 119.130.16.1) inet from 119.130.16.221 to ! 119.130.16.221 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on vr0 proto tcp from any to (vr0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on vr0 proto tcp from any to (vr0) port = ssh flags S/SA keep state label "anti-lockout rule"
    pass on pppoe0 proto udp from any to any port = 4000 keep state label "USER_RULE"
    pass in quick on pppoe0 reply-to (pppoe0 119.130.16.1) inet proto udp all keep state label "USER_RULE"
    pass in quick on vr0 inet proto tcp from 192.168.80.198 to any flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 inet proto udp from 192.168.80.198 to any keep state label "USER_RULE"
    pass in quick on vr0 inet proto icmp all keep state label "USER_RULE"
    pass in quick on vr0 proto udp from any to any port = domain keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from <dynamicip> to any port = http flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTP with limit" dnpipe(2, 1)
    pass in quick on vr0 proto tcp from <dynamicip> to any port = https flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access HTTPS with limit" dnpipe(2, 1)
    pass in quick on vr0 proto tcp from <dynamicip> to any port = 3722 flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access DriveGenius" dnpipe(2, 1)
    pass in quick on vr0 proto tcp from <dynamicip> to any port = 4000 flags S/SA keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)
    pass in quick on vr0 proto udp from <dynamicip> to any port = 4000 keep state label "USER_RULE: Dynamic allocated IP can access QQ with limit" dnpipe(2, 1)
    block drop in quick on vr0 from <dynamicip> to any label "USER_RULE: Dynamic allocated IP stop here"
    pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 proto udp from any to any port = smtp keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 inet proto tcp from 192.168.80.0/24 to 192.168.80.253 port = 3000 flags S/SA keep state label "USER_RULE: ntop port"
    pass in quick on vr0 proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from any to any port = pop3s flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from any to any port = smtps flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from any to any port = pptp flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 proto tcp from any to any port = 3389 flags S/SA keep state label "USER_RULE: Windows remote desktop"
    pass in quick on vr0 proto tcp from any to any port = 4000 flags S/SA keep state label "USER_RULE: QQ"
    pass in quick on vr0 proto udp from any to any port = 4000 keep state label "USER_RULE: QQ"
    pass in quick on vr0 proto tcp from any to <remote_manage> port = 3022 flags S/SA keep state label "USER_RULE: Huadu and Conghua ssh"
    pass in quick on vr0 proto tcp from any to <hangzhou> port = 3212 flags S/SA keep state label "USER_RULE: Hangzhou ssh"
    pass in quick on vr0 proto tcp from any to <hangzhou> port = 3222 flags S/SA keep state label "USER_RULE: Hangzhou ssh"
    pass in quick on vr0 proto tcp from any to any port = afs3-prserver flags S/SA keep state label "USER_RULE: Guangzhou yizhidu System"
    pass in quick on vr0 proto tcp from any to any port = 8000 flags S/SA keep state label "USER_RULE: EPMonitor video monitor port"
    pass in quick on vr0 proto tcp from any to any port = 8090 flags S/SA keep state label "USER_RULE: Zhenghong epmonitor system"
    pass in quick on vr0 proto tcp from any to any port = 8443 flags S/SA keep state label "USER_RULE: Tax system of guangzou"
    pass in quick on vr0 proto tcp from any to any port = 3308 flags S/SA keep state label "USER_RULE: Yuchanghong need this port"
    pass in quick on vr0 proto tcp from any to any port = 8088 flags S/SA keep state label "USER_RULE: Bambo need this port for ftp"
    pass in quick on vr0 proto tcp from any to any port 32999 >< 34001 flags S/SA keep state label "USER_RULE: Bambo need this port for ftp"
    block drop in quick on vr0 inet from 192.168.80.0/24 to any label "USER_RULE: Block any TCP"
    anchor "tftp-proxy/" all
    anchor "miniupnpd" all
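The diagnosis in the post above (rules carry `dnpipe(2, 1)` but no pipe 1 or 2 exists, so the limiter silently does nothing) is the kind of mismatch worth checking mechanically. The script below is an added example written for this thread, not code from pfSense or from the poster: it extracts every pipe id referenced by `dnpipe(...)` clauses in a `pfctl -sr` dump and reports the ones missing from a list of defined pipe ids. The rule lines inside it are constructed in the shape of the dump above. The only assumption is where the defined ids come from: on pfSense 2.0 the dummynet pipes are listed with `ipfw pipe show` (newer FreeBSD uses `dnctl pipe show`), whose lines begin with a zero-padded pipe number and a colon; that command and format are assumed, and the live mode is opt-in so the script runs offline by default.

```shell
#!/bin/sh
# Constructed sample in the shape of `pfctl -sr` output (not a live dump).
SAMPLE_RULES='pass in quick on vr0 proto tcp from <dynamicip> to any port = http flags S/SA keep state label "USER_RULE: HTTP with limit" dnpipe(2, 1)
pass in quick on vr0 proto udp from <dynamicip> to any port = 4000 keep state label "USER_RULE: QQ with limit" dnpipe(2, 1)
pass in quick on vr0 proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
block drop in quick on vr0 from <dynamicip> to any label "USER_RULE: stop here"'

# referenced_pipes RULES
# Print the distinct pipe ids named in dnpipe(a, b) or dnpipe(a) clauses,
# one per line, sorted numerically.
referenced_pipes() {
    printf '%s\n' "$1" |
    sed -n 's/.*dnpipe(\([^)]*\)).*/\1/p' |   # keep only the argument list
    tr ',' '\n' |                             # one id per line
    tr -d ' ' |
    grep -v '^$' |
    sort -n -u
}

# missing_pipes RULES DEFINED_IDS
# Print every referenced pipe id that does not appear in DEFINED_IDS
# (a space-separated list). Prints nothing when all pipes exist.
missing_pipes() {
    rules=$1
    defined=$2
    for id in $(referenced_pipes "$rules"); do
        found=0
        for d in $defined; do
            [ "$d" = "$id" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$id"
    done
    return 0
}

# defined_pipes_live
# Assumption: `ipfw pipe show` (or `dnctl pipe show` on newer FreeBSD) prints
# one pipe per line starting with "NNNNN:". Strip the padding and the colon.
defined_pipes_live() {
    ipfw pipe show 2>/dev/null | awk -F: '/^[0-9]+:/ { print $1 + 0 }'
}

if [ "${1:-}" = "--live" ]; then
    # Real check on the firewall itself.
    missing=$(missing_pipes "$(pfctl -sr)" "$(defined_pipes_live | tr '\n' ' ')")
else
    # Offline demonstration: pretend only pipe 1 has been created.
    missing=$(missing_pipes "$SAMPLE_RULES" "1")
fi

if [ -n "$missing" ]; then
    printf 'dnpipe ids referenced by rules but not defined: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
else
    printf 'all referenced dnpipe ids are defined\n'
fi
```

Run it as `sh check_pipes.sh --live` on the firewall to compare the running ruleset against the pipes that actually exist; with no argument it only exercises the constructed sample. Any id it prints is a rule whose traffic will pass without shaping, which is exactly the symptom described in this thread.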

