Hi, I try to set up a router/firewall/server combination with traffic shaping. Already the router/firewall and the server are set up. Now I want to give the server jobs priority before the LAN, and here I run into trouble...

Here a little overview:

shorewall.conf:
  MARK_IN_FORWARD_CHAIN=Yes

tcdevices:
  #INTERFACE  IN-BANDWITH  OUT-BANDWIDTH
  ppp0        3000kbit     370kbit

tcclasses:
  #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
  ppp0        1     full       full       1         tcp-ack,tos-minimize-delay
  ppp0        2     9*full/10  9*full/10  2
  ppp0        3     8*full/10  8*full/10  3
  ppp0        4     7*full/10  7*full/10  4         default

tcrules:
  #MARK     SOURCE     DEST       PROTO      PORT(S)       CLIENT   USER
  #                                                        PORT(S)
  1         0.0.0.0/0  0.0.0.0/0  icmp       echo-request
  1         0.0.0.0/0  0.0.0.0/0  icmp       echo-reply
  1         0.0.0.0/0  0.0.0.0/0  tcp        smtp
  1         0.0.0.0/0  0.0.0.0/0  tcp        ssh
  2         0.0.0.0/0  0.0.0.0/0  tcp        imaps
  2         0.0.0.0/0  0.0.0.0/0  tcp        imap
  3         0.0.0.0/0  0.0.0.0/0  tcp        https
  3         0.0.0.0/0  0.0.0.0/0  tcp        http
  # P2P
  RESTORE   0.0.0.0/0  0.0.0.0/0  all        -             -        -     0
  CONTINUE  0.0.0.0/0  0.0.0.0/0  all        -             -        -     !0
  4         0.0.0.0/0  0.0.0.0/0  ipp2p:all
  SAVE      0.0.0.0/0  0.0.0.0/0  all        -             -        -     !0

Is that setup correct or is there something wrong?
If more information is needed, please let me know.

Greetings
Mark
Mark Schwarz wrote:
> Hi, I try to set up a router/firewall/server combination with traffic
> shaping.
> Already the router/firewall and the server are set up.
>
> Now I want to give the server jobs priority before the LAN, and here I
> run into trouble...
>
> Is that setup correct or is there something wrong?
> If more information is needed, please let me know.

It's partly right. The main problem that I see is that for most of the applications that you list (imap, imap2, http, ...), the server will be running behind your firewall -- so the SOURCE port will be imaps, imap, etc. -- not the DEST port. SMTP, on the other hand, can only be shaped for outgoing mail, so your rule for SMTP is correct.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>> Hi, I try to set up a router/firewall/server combination with traffic
>> shaping.
>> Already the router/firewall and the server are set up.
>>
>> Now I want to give the server jobs priority before the LAN, and here I
>> run into trouble...
>>
>> Is that setup correct or is there something wrong?
>> If more information is needed, please let me know.
>>
>
> It's partly right. The main problem that I see is that for most of the
> applications that you list (imap, imap2, http, ...), the server will be
> running behind your firewall -- so the SOURCE port will be imaps, imap,
> etc. -- not the DEST port. SMTP, on the other hand, can only be shaped
> for outgoing mail, so your rule for SMTP is correct.
>
> -Tom

Hi,

thanks for your hints. I've changed my rules to:

  1         0.0.0.0/0  0.0.0.0/0  icmp       echo-request
  1         0.0.0.0/0  0.0.0.0/0  icmp       echo-reply
  1         $FW        0.0.0.0/0  tcp        -             smtp
  1         $FW        0.0.0.0/0  tcp        -             ssh
  2         $FW        0.0.0.0/0  tcp        -             imaps
  2         $FW        0.0.0.0/0  tcp        -             imap
  3         $FW        0.0.0.0/0  tcp        -             https
  3         $FW        0.0.0.0/0  tcp        -             http
  RESTORE   0.0.0.0/0  0.0.0.0/0  all        -             -        -     0
  CONTINUE  0.0.0.0/0  0.0.0.0/0  all        -             -        -     !0
  4         0.0.0.0/0  0.0.0.0/0  ipp2p:all
  SAVE      0.0.0.0/0  0.0.0.0/0  all        -             -        -     !0

Now it looks fine, I think.

A "shorewall show mangle" says:

Chain tcfor (1 references)
 pkts bytes target    prot opt in  out   source     destination
    0     0 MARK      icmp --  *   *     0.0.0.0/0  0.0.0.0/0    icmp type 8 MARK set 0x1
    0     0 MARK      icmp --  *   *     0.0.0.0/0  0.0.0.0/0    icmp type 0 MARK set 0x1
    0     0 CONNMARK  all  --  *   *     0.0.0.0/0  0.0.0.0/0    MARK match 0x0/0xff CONNMARK restore mask 0xff
    0     0 RETURN    all  --  *   *     0.0.0.0/0  0.0.0.0/0    MARK match !0x0/0xff
    0     0 MARK      all  --  *   *     0.0.0.0/0  0.0.0.0/0    ipp2p v0.8.0 --ipp2p MARK set 0x4
    0     0 CONNMARK  all  --  *   *     0.0.0.0/0  0.0.0.0/0    MARK match !0x0/0xff CONNMARK save mask 0xff

Chain tcout (1 references)
 pkts bytes target    prot opt in  out   source     destination
  117  9203 MARK      tcp  --  *   *     0.0.0.0/0  0.0.0.0/0    tcp spt:25 MARK set 0x1
  904  278K MARK      tcp  --  *   *     0.0.0.0/0  0.0.0.0/0    tcp spt:22 MARK set 0x1
  680  273K MARK      tcp  --  *   *     0.0.0.0/0  0.0.0.0/0    tcp spt:993 MARK set 0x2
   41  8744 MARK      tcp  --  *   *     0.0.0.0/0  0.0.0.0/0    tcp spt:143 MARK set 0x2
    0     0 MARK      tcp  --  *   *     0.0.0.0/0  0.0.0.0/0    tcp spt:443 MARK set 0x3
  156  189K MARK      tcp  --  *   *     0.0.0.0/0  0.0.0.0/0    tcp spt:80 MARK set 0x3

Chain tcpost (1 references)
 pkts bytes target    prot opt in  out   source     destination
 1016  287K CLASSIFY  all  --  *   ppp0  0.0.0.0/0  0.0.0.0/0    MARK match 0x1 CLASSIFY set 1:11
  721  282K CLASSIFY  all  --  *   ppp0  0.0.0.0/0  0.0.0.0/0    MARK match 0x2 CLASSIFY set 1:12
  156  189K CLASSIFY  all  --  *   ppp0  0.0.0.0/0  0.0.0.0/0    MARK match 0x3 CLASSIFY set 1:13
    0     0 CLASSIFY  all  --  *   ppp0  0.0.0.0/0  0.0.0.0/0    MARK match 0x4 CLASSIFY set 1:14

2 questions:

tcout is the traffic from the firewall directly to the internet?
tcfor is the traffic from the LAN over the firewall to the internet?

Greetings
Mark
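The "shorewall show mangle" listing above is plain iptables output, and the packet counters on the MARK and CLASSIFY rules are the quickest way to see which tcrules actually fire (the spt:443 rule and every rule in tcfor show zero). The script below is an added example written for this page, not part of the thread and not Shorewall code: it parses such a listing, sums the packets tagged per mark value in tcfor and tcout, maps each mark to the tc class that tcpost assigns it, and lists the rules that never matched. The sample text is the listing quoted above embedded as a constructed string; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the tcfor/tcout/tcpost chains quoted in the thread, one rule
# per line, in the form `shorewall show mangle` (iptables -t mangle -nvL) prints them.
SAMPLE = """\
Chain tcfor (1 references)
 pkts bytes target prot opt in out source destination
 0 0 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 MARK set 0x1
 0 0 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 MARK set 0x1
 0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff CONNMARK restore mask 0xff
 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0/0xff
 0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.0 --ipp2p MARK set 0x4
 0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0/0xff CONNMARK save mask 0xff
Chain tcout (1 references)
 pkts bytes target prot opt in out source destination
 117 9203 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 MARK set 0x1
 904 278K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 MARK set 0x1
 680 273K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:993 MARK set 0x2
 41 8744 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:143 MARK set 0x2
 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 MARK set 0x3
 156 189K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK set 0x3
Chain tcpost (1 references)
 pkts bytes target prot opt in out source destination
 1016 287K CLASSIFY all -- * ppp0 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 CLASSIFY set 1:11
 721 282K CLASSIFY all -- * ppp0 0.0.0.0/0 0.0.0.0/0 MARK match 0x2 CLASSIFY set 1:12
 156 189K CLASSIFY all -- * ppp0 0.0.0.0/0 0.0.0.0/0 MARK match 0x3 CLASSIFY set 1:13
 0 0 CLASSIFY all -- * ppp0 0.0.0.0/0 0.0.0.0/0 MARK match 0x4 CLASSIFY set 1:14
"""

SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_counter(tok):
    """iptables abbreviates large counters (278K, 1.2M); return an int (rounded like the source)."""
    if tok[-1] in SUFFIX:
        return int(float(tok[:-1]) * SUFFIX[tok[-1]])
    return int(tok)


# pkts bytes target prot opt in out source destination <match text>
RULE_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$")


def parse_mangle(text):
    """Return {chain: [rule, ...]}; each rule keeps its counters and its mark/class info."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^Chain (\S+)", line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue                      # skip the column header and blank lines
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, target, proto, ifin, ifout, match = m.groups()
        rule = {"pkts": parse_counter(pkts), "bytes": parse_counter(nbytes),
                "target": target, "proto": proto, "in": ifin, "out": ifout, "match": match}
        set_mark = re.search(r"MARK set (0x[0-9a-fA-F]+)", match)
        if set_mark:
            rule["set_mark"] = int(set_mark.group(1), 16)
        cls = re.search(r"CLASSIFY set (\d+:\d+)", match)
        if cls:
            rule["class"] = cls.group(1)
        # a non-negated "MARK match 0xN" selects packets already carrying mark N;
        # "MARK match !0x0/0xff" (negated) deliberately does not match here
        match_mark = re.search(r"MARK match (0x[0-9a-fA-F]+)", match)
        if match_mark:
            rule["match_mark"] = int(match_mark.group(1), 16)
        chains[current].append(rule)
    return chains


def packets_per_mark(chains, chain_name):
    """Packets each MARK rule in `chain_name` tagged, summed per mark value."""
    totals = defaultdict(int)
    for r in chains.get(chain_name, []):
        if r["target"] == "MARK" and "set_mark" in r:
            totals[r["set_mark"]] += r["pkts"]
    return dict(totals)


def class_for_mark(chains):
    """mark -> (tc class, packets, egress interface) from the CLASSIFY rules in tcpost."""
    result = {}
    for r in chains.get("tcpost", []):
        if r["target"] == "CLASSIFY" and "class" in r and "match_mark" in r:
            result[r["match_mark"]] = (r["class"], r["pkts"], r["out"])
    return result


def idle_rules(chains):
    """(chain, match text) of MARK/CLASSIFY rules that never matched a packet.
    A port in the wrong column (source vs. destination) shows up here long before
    it shows up in the tc class statistics."""
    return [(name, r["match"]) for name, rules in chains.items()
            for r in rules if r["target"] in ("MARK", "CLASSIFY") and r["pkts"] == 0]


def report(text):
    chains = parse_mangle(text)
    lines = []
    for chain in ("tcfor", "tcout"):
        lines.append(f"{chain}: packets marked per mark value {packets_per_mark(chains, chain)}")
    for mark, (cls, pkts, dev) in sorted(class_for_mark(chains).items()):
        lines.append(f"mark {mark:#x} -> class {cls} on {dev}: {pkts} packets")
    for chain, match in idle_rules(chains):
        lines.append(f"never matched: {chain}: {match}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against the live output with `shorewall show mangle | python3 mangle_report.py` after replacing SAMPLE with `sys.stdin.read()`; the "never matched" lines are the ones to compare against the tcrules file, and the per-mark totals in tcout versus the CLASSIFY counts in tcpost show whether every marked packet is actually being placed in a class on ppp0.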
Mark Schwarz wrote:
>
> thanks for your hints. I've changed my rules to:
>
> 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
> 1 $FW 0.0.0.0/0 tcp - smtp

As I mentioned in my previous post, you had smtp right the first time -- now it's wrong.

> 2 questions:
>
> tcout is the traffic from the firewall directly to the internet?

tcout is traffic originating on the firewall, period -- it may be going to the internet, your local network, your DMZ, ....

> tcfor is the traffic from the LAN over the firewall to the internet?

tcfor is all forwarded traffic; not only lan->internet but internet->lan as well.

-Tom