Prioritizing your friends

From freebsd.xn--wesstrm-f1a.se

Jump to: navigation, search

Contents

Overview

One of the wiki's secondary goals is to automatically give your friends priority to your upload bandwidth. The firewall configuration is prepared for this but you still need to add a few things to make it work.

Instructions

Create the necessary config file

You need a file to store the IP addresses of the friends you want to prioritize. If your friends have dynamic IP addresses they can register a free domain at DynDNS.com and keep it updated and you can put those domain names in the file. Remember to keep configuration files that are not part of the base operating system in /usr/local/etc. In this example the file will be called /usr/local/etc/friends.hosts but you can call it whatever you like. Create it and fill it with a few IP addresses and hostnames. These are just some examples for testing and the last one really makes no sense, it only shows that you can mix hostnames and IP addresses.

pp.dyndns.biz
www.freebsd.org
192.168.0.5

Add firewall rules

You already have a queue defined in /etc/pf.conf called q_p2p for the purpose of this guide, but you'll need to add a table to hold the IP addresses of our friends. Find the # TABLES section and add this line after the table called hackers.

table <friends> file "/usr/local/etc/friends"

The hostnames can't be loaded directly into pf on startup because it might fail if name resolution isn't available and then the firewall rules won't load at all. /usr/local/etc/friends is a file that will contain only the IP addresses that corresponds to the hostnames you enter in /usr/local/etc/friends.hosts and for now you'll have to create an empty file with that name.

# touch /usr/local/etc/friends

A small crontab job will take care of the task to regularly lookup the hostnames and put their addresses into this file and then update the friends table when necessary but more on that later.

You'll need to add a few firewall rules to catch the traffic to and from your friends and put it in the correct queue. You'll have to adjust the rules to fit your own configuration but you should be able to follow the general logic. First, have a look at the rules allowing incoming traffic to various services. In the section # Incoming to router you have rules allowing icmp and ssh but this traffic is already put in q_p2 and q_p1 which are both higher prioritized than q_p2p so you don't need to add anything here.

The situation is different in the section # Incoming to computer 1. Here you have two rules that allow incoming connections from anyone to port 6881 and put that traffic in the default queue. If your friends create connections to port 6881 you need to catch them before these rules to put them in q_p2p. Copy and paste the following rules and put them before the two rules already present there. Remember, first matching rule wins.

pass in quick on $ext_if inet proto tcp from <friends> to $comp1 port 6881 flags S/SA synproxy state queue (q_p2p, q_p2)
pass in quick on $ext_if inet proto udp from <friends> to $comp1 port 6881 keep state queue q_p2p

Second, you also need to add rules in the section # Global outgoing prioritized to catch any connection from you to your friends. Copy and paste the following lines and place them last in that section.

pass out quick on $ext_if inet proto tcp from any to <friends> flags S/SA modulate state queue (q_p2p, q_p2)
pass out quick on $ext_if inet proto udp from any to <friends> keep state queue q_p2p

These rules are put last because the other rules in that section put traffic in higher prioritized queues and you still want that to happen even if it happens to be traffic to your friends.

Now, perform the usual routine of checking the firewall rules and reload them if no errors are reported.

# pfctl -nf /etc/pf.conf
# pfctl -F rules ; pfctl -f /etc/pf.conf

Install tableutil

Tableutil is a small utility that can do wonders with lists of IP addresses and ranges. You'll need it to convert your friends' hostnames to a nice list of IP addresses you can feed into your firewall table.

# cd /usr/ports/net/tableutil
# make
# make install clean

Create a crontab job

Add this line to crontab to have it refresh your friends' IP addresses once a minute.

* * * * * sh -c "/usr/local/bin/tableutil -q text /usr/local/etc/friends.hosts 1> /usr/local/etc/friends 2>/dev/null" ; /sbin/pfctl -t friends -Treplace -f /usr/local/etc/friends >/dev/null 2>&1

The cryptic syntax at the end is there to suppress any output from the commands since it would've generated a system email each time. This particular command is extra cryptic because it includes redirects within the command itself. Wait until a minute has passed and check that the table now contains a few IP addresses.

# pfctl -t friends -T show
   69.147.83.33
   85.226.58.26
   192.168.0.5

Summary

  • Keep config files that don't belong to the base operating system in /usr/local/etc.


Next guide: Apache
Personal tools