Por: @cdiego
Publicado em: 2018-10-10
FireQoS
FireQoS precisa ser instalado com o pacote do firehol, mas firewall vem conf vazio que não tem risco de iniciar
Tem pacote, mas não tem repositório
Sintaxe mais simples que o HTB e tudo feito num arquivo só /etc/fireqos.conf
Tem dependência de um pacote iprange que é um acessório que faz cálculo de redes
Tem vários sinônimos para as mesmas configurações
rate = min = commited
ceil = max
port = ports
Se usar percentuais, tem como tratar upload e download numa classe
Exemplo de up e down com classes com %:
interface wan0 bidirecional unifique input rate 35Mbit output rate 10Mbit
class voip prio 0 rate 15% ceil 90% pfifo
match udp ports 4569 # IAX
match udp ports 10000:10100 # SIP-RTP
match udp ports 9082 # SKYPE
Exemplo de up e down separados:
interface wan0 unifique-in input rate 35Mbit
class ...
match ...
interface wan0 unifique-out output rate 10Mbit
class ...
match ...
Ele cria automaticamente as interfaces ifb
/etc/init.d/fireqos tem opções interessantes, até tcpdump, mas é perigoso, cria uma interface virtual para monitoramento da classe
match permite classificação avançada, resolve o problema de range de portas
https://firehol.org/fireqos-manual/fireqos-params-match/
Referência do match:
at { root | name }
class name
syn|syns
ack|acks
{ proto|protocol protocol [,protocol...] } |tcp|udp|icmp|gre|ipv6|ip
{ tos | priority } tosid [,tosid...]
{ DSCP } classname [,classname...]
mark mark [,mark...]
connmark mark [,mark...]
rawmark mark [,mark...]
custommark name mark [,mark...]
{ port | ports } port[:range] [ ,port[:range]... ]
{ sport | sports } port[:range] [ ,port[:range]... ]
{ dport | dports } port[:range] [ ,port[:range]... ]
{ ip | net | host } net [,net...]
src net [,net...]
dst net [,net...]
{ srcmac | smac } mac
{ dstmac | dmac } mac
prio id
input
output
custom 'custom tc parameters'
estimator interval decay
police police
insidegre
Pode ter duas condições na mesma linha
match host 200.200.189.189 port 1234 # Will never match
Exemplo completo iTFLEX
# --------
# Unifique
# --------
# Download
interface wan0 unifique-in input rate 35Mbit
class voip prio 0 rate 15% ceil 90% pfifo
match udp ports 4569 # IAX
match udp ports 10000:10100 # SIP-RTP
match udp ports 9082 # SKYPE
class hipri prio 1 rate 15% ceil 90% pfifo
match ip 8.8.8.8
match ip 200.160.2.3
class vpn prio 1 rate 15% ceil 90%
match udp ports 1193:1196 # Instâncias openvpn iTFLEX
class suporte prio 3 rate 15% ceil 90%
match tcp ports 22,23,24,26 # SSH
match tcp ports 22957:22958 # SSH
match tcp ports 2201,2202,2222 # SSH
match tcp ports 3389 # WTS
match tcp ports 5900:5900 # VNC
match tcp ports 10000:10003 # WEBMIN
match tcp ports 10050:10051 # Zabbix
class web prio 3 rate 15% ceil 90%
match tcp sports 80,443 # Cliente de Navegação
match tcp sports 20,21 # Cliente de download
class mx prio 4 rate 15% ceil 90%
match tcp ports 25 # SMTP
match tcp ports 587 # Submision
match tcp ports 110 # POP
match tcp ports 143 # IMAP
match tcp ports 993 # IMAPS
match tcp ports 995 # POP3S
class default prio 7 rate 10% ceil 80%
# Upload
interface wan0 unifique-out output rate 10Mbit
class voip prio 0 rate 15% ceil 90% pfifo
match udp ports 4569 # IAX
match udp ports 10000:10100 # SIP-RTP
match udp ports 9082 # SKYPE
class hipri prio 1 rate 15% ceil 90% pfifo
match ip 8.8.8.8
match ip 200.160.2.3
class vpn prio 1 rate 15% ceil 90%
match udp ports 1193:1196 # Instâncias openvpn iTFLEX
class suporte prio 3 rate 15% ceil 90%
match tcp ports 22,23,24,26 # SSH
match tcp ports 22957:22958 # SSH
match tcp ports 2201,2202,2222 # SSH
match tcp ports 3389 # WTS
match tcp ports 5900:5900 # VNC
match tcp ports 10000:10003 # WEBMIN
match tcp ports 10050:10051 # Zabbix
class sites prio 3 rate 15% ceil 90%
match tcp sports 80,443 # Fornecendo HTTP
match tcp sports 20,21 # Fornecendo FTP
class mx prio 4 rate 15% ceil 90%
match tcp ports 25 # SMTP
match tcp ports 587 # Submision
match tcp ports 110 # POP
match tcp ports 143 # IMAP
match tcp ports 993 # IMAPS
match tcp ports 995 # POP3S
class default prio 7 rate 10% ceil 80%
# ---
# GVT
# ----
# Download
interface wan1 gvt-in input rate 15Mbit
class voip prio 0 rate 15% ceil 90% pfifo
match udp ports 4569 # IAX
match udp ports 10000:10100 # SIP-RTP
match udp ports 9082 # SKYPE
class hipri prio 1 rate 15% ceil 90% pfifo
match ip 8.8.8.8
match ip 200.160.2.3
class vpn prio 1 rate 15% ceil 90%
match udp ports 1193:1196 # Instâncias openvpn iTFLEX
class suporte prio 3 rate 15% ceil 90%
match tcp ports 22,23,24,26 # SSH
match tcp ports 22957:22958 # SSH
match tcp ports 2201,2202,2222 # SSH
match tcp ports 3389 # WTS
match tcp ports 5900:5900 # VNC
match tcp ports 10000:10003 # WEBMIN
match tcp ports 10050:10051 # Zabbix
class web prio 3 rate 15% ceil 90%
match tcp sports 80,443 # Cliente de Navegação
match tcp sports 20,21 # Cliente de download
class mx prio 4 rate 15% ceil 90%
match tcp ports 25 # SMTP
match tcp ports 587 # Submision
match tcp ports 110 # POP
match tcp ports 143 # IMAP
match tcp ports 993 # IMAPS
match tcp ports 995 # POP3S
class default prio 7 rate 10% ceil 80%
# Upload
interface wan1 gvt-out input rate 1Mbit
class voip prio 0 rate 15% ceil 90% pfifo
match udp ports 4569 # IAX
match udp ports 10000:10100 # SIP-RTP
match udp ports 9082 # SKYPE
class hipri prio 1 rate 15% ceil 90% pfifo
match ip 8.8.8.8
match ip 200.160.2.3
class vpn prio 1 rate 15% ceil 90%
match udp ports 1193:1196 # Instâncias openvpn iTFLEX
class suporte prio 3 rate 15% ceil 90%
match tcp ports 22,23,24,26 # SSH
match tcp ports 22957:22958 # SSH
match tcp ports 2201,2202,2222 # SSH
match tcp ports 3389 # WTS
match tcp ports 5900:5900 # VNC
match tcp ports 10000:10003 # WEBMIN
match tcp ports 10050:10051 # Zabbix
class sites prio 3 rate 15% ceil 90%
match tcp sports 80,443 # Fornecendo HTTP
match tcp sports 20,21 # Fornecendo FTP
class mx prio 4 rate 15% ceil 90%
match tcp ports 25 # SMTP
match tcp ports 587 # Submision
match tcp ports 110 # POP
match tcp ports 143 # IMAP
match tcp ports 993 # IMAPS
match tcp ports 995 # POP3S
class default prio 7 rate 10% ceil 80%