Shorewall users - Mar 2007 - QUEUE and external Traffic Control

I have been using Shorewall for a long time (2 years) as my traffic
controller. In that time the amount of things that need to be
controlled has outgrown wSshorewall can do (and still be manageable).
So I went searching for a different program and came across bwm_tools
(http://bwm-tools.pr.linuxrulz.org/). I am trying to integrate
shorewall and this program together and I know I need to use the QUEUE
function so I read the Kazaa Filtering article and tried adding the
suggested rules to my Shorewall rules file. That did not work, I did
not see any traffic flowing through to the bandwidth manager.
>From what I understand all traffic that is accepted into my firewall
should be routed via the bwmd chain which is where the bwm-tools
program expects it. Shorewall does not need to mark it or anything
just pass the traffic along. How can I make Shorewall do that? My
guess is I am using the QUEUE target wrong.

My environment is as follows:
Shorewall 3.4.1
CentOS 4.3
bwm-tools 0.2.3

ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:eb:d1:99 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.141/24 brd 192.168.100.255 scope global eth0
    inet6 fe80::290:27ff:feeb:d199/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:03:47:b1:95:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth1
    inet6 fe80::203:47ff:feb1:95b5/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:03:47:b1:95:b6 brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Andrew Niemantsverdriet wrote:
> I have been using Shorewall for a long time (2 years) as my traffic
> controller. In that time the amount of things that need to be
> controlled has outgrown wSshorewall can do (and still be manageable).
> So I went searching for a different program and came across bwm_tools
> (http://bwm-tools.pr.linuxrulz.org/). I am trying to integrate
> shorewall and this program together and I know I need to use the QUEUE
> function so I read the Kazaa Filtering article and tried adding the
> suggested rules to my Shorewall rules file. That did not work, I did
> not see any traffic flowing through to the bandwidth manager.
> 
If you are managing traffic headed to the net, I would try this:

1) Any xxx->net ACCEPT policies should be replaced by QUEUE policies.
2) Any xxx->net ACCEPT rules should be replaced by QUEUE rules.
3) Set FASTACCEPT=No in shorewall.conf
4) Add this in the ESTABLISHED section of the rules file:

	QUEUE	all	net

5) Add this in the RELATED section of the rules file:

	QUEUE	all	net

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV