Hi,

I'm fairly new to shorewall (I used to be a FIAIF user).

I'm basically trying to set up traffic shaping on my firewall/gateway.

I'd like to get highest prio for interactive traffic (SSH, but not SCP)
I'd like guaranteed bandwidth for VoIP traffic
I'd like guaranteed bandwidth for DNS traffic
I'd like guaranteed bandwidth for WWW traffic
I'd like best effort for the rest.

Here is how I configured shorewall:

/etc/shorewall/tcclasses:
ppp0 1 20*full/100 40*full/100 1 tcp-ack,tos-minimize-delay
ppp0 2 20*full/100 30*full/100 2 tos=0x68/0xfc,tos=0xb8/0xfc
ppp0 3 20*full/100 25*full/100 3
ppp0 4 40*full/100 85*full/100 4
ppp0 5 5*full/100 40*full/100 4 default

/etc/shorewall/tcdevices:
ppp0 25000kbit 830kbit

/etc/shorewall/tcrules:
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
1:T 0.0.0.0/0 0.0.0.0/0 tcp ssh
2:T 0.0.0.0/0 0.0.0.0/0 udp sip,iax
2:T 0.0.0.0/0 0.0.0.0/0 tcp sip,iax
3:T 0.0.0.0/0 0.0.0.0/0 tcp domain
3:T 0.0.0.0/0 0.0.0.0/0 udp domain
4:T 0.0.0.0/0 0.0.0.0/0 tcp www,https,smtp
5:T 0.0.0.0/0 0.0.0.0/0 tcp 4652
5:T 0.0.0.0/0 0.0.0.0/0 udp 4652
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0

Is my setup correct? Did I miss something obvious?

Thanks

------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and around Java (TM)
technology - register by April 22, and save $200 on the JavaOne (SM) conference,
June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions.
Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
Laurent CARON wrote:
> Hi,
>
> I'm fairly new to shorewall (I used to be a FIAIF user).
>
> I'm basically trying to set up traffic shaping on my firewall/gateway.
>
> I'd like to get highest prio for interactive traffic (SSH, but not SCP)
> I'd like guaranteed bandwidth for VoIP traffic
> I'd like guaranteed bandwidth for DNS traffic
> I'd like guaranteed bandwidth for WWW traffic
> I'd like best effort for the rest.
>
> Here is how I configured shorewall:
>
> /etc/shorewall/tcclasses:
> ppp0 1 20*full/100 40*full/100 1 tcp-ack,tos-minimize-delay

You are *guaranteeing* 20% of the bandwidth for this high-priority traffic
but are limiting it to 40% -- *why*?

> ppp0 2 20*full/100 30*full/100 2 tos=0x68/0xfc,tos=0xb8/0xfc

Same with VOIP -- why not let it use all of the bandwidth if there is no
lower-priority traffic.

> ppp0 3 20*full/100 25*full/100 3
> ppp0 4 40*full/100 85*full/100 4
> ppp0 5 5*full/100 40*full/100 4 default
>
> /etc/shorewall/tcdevices:
> ppp0 25000kbit 830kbit
>
> /etc/shorewall/tcrules:
> 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
> 1:T 0.0.0.0/0 0.0.0.0/0 tcp ssh
> 2:T 0.0.0.0/0 0.0.0.0/0 udp sip,iax
> 2:T 0.0.0.0/0 0.0.0.0/0 tcp sip,iax

SIP and IAX traffic that is also marked tos-minimize-delay will go in this
class rather than the first; is that what you want?

> 3:T 0.0.0.0/0 0.0.0.0/0 tcp domain
> 3:T 0.0.0.0/0 0.0.0.0/0 udp domain
> 4:T 0.0.0.0/0 0.0.0.0/0 tcp www,https,smtp
> 5:T 0.0.0.0/0 0.0.0.0/0 tcp 4652
> 5:T 0.0.0.0/0 0.0.0.0/0 udp 4652
> SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
>

There is no point in saving the packet mark if you don't restore the mark at
the top of the rules and bail out if the connection was already marked.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
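The SAVE-without-RESTORE point above is easy to check mechanically. The following Python is an added example written for this thread, not Shorewall's own code: it parses a tcrules listing using the documented column order (MARK SOURCE DEST PROTO PORT(S) SOURCE-PORT(S) USER TEST), then reports a SAVE that has no RESTORE and no "CONTINUE ... !0" ahead of the numeric mark rules. The posted ruleset is embedded as a constructed copy, and a second constructed ruleset shows the restore/continue/save ordering Tom describes. Keeping the ":T" chain suffix on the RESTORE and CONTINUE lines, to match the original rules, is an assumption of the example.

```python
"""Lint a Shorewall tcrules listing for the mark save/restore idiom.

Added example for this thread, not Shorewall's own code. It flags a SAVE
rule that is not paired with RESTORE and CONTINUE at the top of the list.
"""

# Constructed copy of the classification rules posted in the thread.
CLASSIFY = """\
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
1:T 0.0.0.0/0 0.0.0.0/0 tcp  ssh
2:T 0.0.0.0/0 0.0.0.0/0 udp  sip,iax
2:T 0.0.0.0/0 0.0.0.0/0 tcp  sip,iax
3:T 0.0.0.0/0 0.0.0.0/0 tcp  domain
3:T 0.0.0.0/0 0.0.0.0/0 udp  domain
4:T 0.0.0.0/0 0.0.0.0/0 tcp  www,https,smtp
5:T 0.0.0.0/0 0.0.0.0/0 tcp  4652
5:T 0.0.0.0/0 0.0.0.0/0 udp  4652
"""
SAVE_RULE = "SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0\n"

# As posted: the mark is copied to the connection but never read back.
POSTED_RULES = CLASSIFY + SAVE_RULE

# The idiom described in the reply: restore the connection mark first, skip
# the classification for packets that already carry one, save at the end.
# Keeping the ":T" chain suffix of the original rules is an assumption here.
FIXED_RULES = (
    "RESTORE:T  0.0.0.0/0 0.0.0.0/0 all - - - 0\n"
    "CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0\n"
    + CLASSIFY + SAVE_RULE
)

COLUMNS = ("mark", "source", "dest", "proto", "ports", "sports", "user", "test")


def parse_tcrules(text):
    """Split each non-comment line into the tcrules columns, padding optional ones with '-'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        fields += ["-"] * (len(COLUMNS) - len(fields))
        rule = dict(zip(COLUMNS, fields))
        # "SAVE:T" -> action SAVE, chain designator T
        action, _, chain = rule["mark"].partition(":")
        rule.update(action=action.upper(), chain=chain.upper(), line=lineno)
        rules.append(rule)
    return rules


def first_index(rules, pred):
    """Index of the first rule satisfying pred, or None."""
    return next((i for i, r in enumerate(rules) if pred(r)), None)


def lint_mark_handling(rules):
    """Return findings about SAVE/RESTORE/CONTINUE ordering; empty when the idiom is respected."""
    findings = []
    save_i = first_index(rules, lambda r: r["action"] == "SAVE")
    if save_i is None:
        return findings  # nothing is saved, so nothing needs restoring
    first_mark_i = first_index(rules, lambda r: r["action"].isdigit())
    restore_i = first_index(rules, lambda r: r["action"] == "RESTORE")
    continue_i = first_index(rules, lambda r: r["action"] == "CONTINUE" and r["test"] == "!0")
    if restore_i is None or (first_mark_i is not None and restore_i > first_mark_i):
        findings.append("SAVE at line %d has no RESTORE ahead of the mark rules: the saved "
                        "connection mark is never applied to later packets"
                        % rules[save_i]["line"])
    if continue_i is None or (first_mark_i is not None and continue_i > first_mark_i):
        findings.append("no 'CONTINUE ... !0' ahead of the mark rules: already-marked "
                        "connections are re-classified on every packet")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, lint_mark_handling(parse_tcrules(text)) or ["ok"])
```

Run stand-alone it reports two findings for the posted rules and "ok" for the corrected ordering; the same functions can be pointed at the contents of a real /etc/shorewall/tcrules file.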
On Tue, Apr 21, 2009 at 01:34:48PM -0700, Tom Eastep wrote:
> You are *guaranteeing* 20% of the bandwidth for this high-priority
> traffic but are limiting it to 40% -- *why*?

This kind of interactive traffic has no *real* reason to use more than 40%
of the uplink. Maybe it is a good idea to let it be able to use the full
capacity though.

> > ppp0 2 20*full/100 30*full/100 2 tos=0x68/0xfc,tos=0xb8/0xfc
>
> Same with VOIP -- why not let it use all of the bandwidth if there is no
> lower-priority traffic.

Sounds like you're right.

> > ppp0 3 20*full/100 25*full/100 3
> > ppp0 4 40*full/100 85*full/100 4
> > ppp0 5 5*full/100 40*full/100 4 default
> >
> > /etc/shorewall/tcdevices:
> > ppp0 25000kbit 830kbit
> >
> > /etc/shorewall/tcrules:
> > 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> > 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
> > 1:T 0.0.0.0/0 0.0.0.0/0 tcp ssh
> > 2:T 0.0.0.0/0 0.0.0.0/0 udp sip,iax
> > 2:T 0.0.0.0/0 0.0.0.0/0 tcp sip,iax
>
> SIP and IAX traffic that is also marked tos-minimize-delay will go in
> this class rather than the first; is that what you want?

You mean that sip and iax will all go in class 2?

> There is no point in saving the packet mark if you don't restore the
> mark at the top of the rules and bail out if the connection was already
> marked.

I'm gonna remove it ;)

Cheers
Laurent CARON wrote:
> On Tue, Apr 21, 2009 at 01:34:48PM -0700, Tom Eastep wrote:
>> You are *guaranteeing* 20% of the bandwidth for this high-priority
>> traffic but are limiting it to 40% -- *why*?
>
> This kind of interactive traffic has no *real* reason to use more than
> 40% of the uplink. Maybe it is a good idea to let it be able to use the
> full capacity though.
>
>>> ppp0 2 20*full/100 30*full/100 2 tos=0x68/0xfc,tos=0xb8/0xfc
>> Same with VOIP -- why not let it use all of the bandwidth if there is no
>> lower-priority traffic.
>
> Sounds like you're right.
>
>>> ppp0 3 20*full/100 25*full/100 3
>>> ppp0 4 40*full/100 85*full/100 4
>>> ppp0 5 5*full/100 40*full/100 4 default
>>>
>>> /etc/shorewall/tcdevices:
>>> ppp0 25000kbit 830kbit
>>>
>>> /etc/shorewall/tcrules:
>>> 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
>>> 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
>>> 1:T 0.0.0.0/0 0.0.0.0/0 tcp ssh
>>> 2:T 0.0.0.0/0 0.0.0.0/0 udp sip,iax
>>> 2:T 0.0.0.0/0 0.0.0.0/0 tcp sip,iax
>> SIP and IAX traffic that is also marked tos-minimize-delay will go in
>> this class rather than the first; is that what you want?
>
> You mean that sip and iax will all go in class 2?

Yes -- there is a bug in the way that Shorewall-perl prioritizes the filter
rules that causes fw mark rules to have a higher precedence (lower pref) than
TOS rules.

-Tom
On Tue, Apr 21, 2009 at 02:07:28PM -0700, Tom Eastep wrote:
> > You mean that sip and iax will all go in class 2?
>
> Yes -- there is a bug in the way that Shorewall-perl prioritizes the
> filter rules that causes fw mark rules to have a higher precedence
> (lower pref) than TOS rules.

So I basically have to choose between:
- Classifying by TOS
- Classifying by port

but not both.

If I'm right, I'll stop bothering you with my questions ;)

Thanks
Laurent CARON wrote:
> On Tue, Apr 21, 2009 at 02:07:28PM -0700, Tom Eastep wrote:
>>> You mean that sip and iax will all go in class 2?
>> Yes -- there is a bug in the way that Shorewall-perl prioritizes the
>> filter rules that causes fw mark rules to have a higher precedence
>> (lower pref) than TOS rules.
>
> So I basically have to choose between:
> - Classifying by TOS
> - Classifying by port
>
> but not both.
>
> If I'm right, I'll stop bothering you with my questions ;)

You can classify by both. But if there is both a port match and a TOS match,
then the port match wins currently.

-Tom
--
http://photo-gallery.gemneye.org:1115/Gallery2/

This is what you said Tom Eastep
>>
>> Here is how I configured shorewall:
>>
>> /etc/shorewall/tcclasses:
>> ppp0 1 20*full/100 40*full/100 1 tcp-ack,tos-minimize-delay
>
> You are *guaranteeing* 20% of the bandwidth for this high-priority
> traffic but are limiting it to 40% -- *why*?
>
>> ppp0 2 20*full/100 30*full/100 2 tos=0x68/0xfc,tos=0xb8/0xfc
>
> Same with VOIP -- why not let it use all of the bandwidth if there is no
> lower-priority traffic.
>
>> ppp0 3 20*full/100 25*full/100 3
>> ppp0 4 40*full/100 85*full/100 4
>> ppp0 5 5*full/100 40*full/100 4 default
>>

I thought I remembered reading in a previous thread that the sum of the rate
column could not be higher than 100%? Is that not true with this
configuration?
Scott Ruckh wrote:
>>> ppp0 3 20*full/100 25*full/100 3
>>> ppp0 4 40*full/100 85*full/100 4
>>> ppp0 5 5*full/100 40*full/100 4 default
>>>
>
> I thought I remembered reading in a previous thread that the sum of the
> rate column could not be higher than 100%? Is that not true with this
> configuration?

Note that the last row (5) is a child of (4). I am not sure, but it looks
logical.
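Whether the RATE column of a tcclasses file fits inside the link is something one can add up rather than remember from an earlier thread. The following Python is an added example written for this discussion, not part of Shorewall: it reads the quoted tcdevices and tcclasses (embedded as constructed copies), evaluates each full-relative expression such as 20*full/100 against ppp0's OUT-BANDWIDTH, and reports classes whose CEIL is below their RATE or above the link, interfaces without exactly one default class, and interfaces whose guaranteed rates together exceed the link. It treats each class row as a direct child of the interface, which is how the example reads the five-column rows above; if classes were nested under a parent class, the sum would have to be taken per parent instead, which this example does not attempt. The supported unit set (kbit, mbit, kbps, mbps, with kbps meaning kilobytes per second as in tc) is the example's own choice.

```python
"""Check that Shorewall tcclasses guaranteed rates fit the tcdevices link.

Added example for this thread, not Shorewall's own code. Every class row is
treated as a direct child of its interface (an assumption of this check).
"""
import re

# Constructed copies of the files quoted in the thread.
TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0       25000kbit    830kbit
"""

TCCLASSES = """\
#INTERFACE MARK RATE        CEIL        PRIORITY OPTIONS
ppp0       1    20*full/100 40*full/100 1        tcp-ack,tos-minimize-delay
ppp0       2    20*full/100 30*full/100 2        tos=0x68/0xfc,tos=0xb8/0xfc
ppp0       3    20*full/100 25*full/100 3
ppp0       4    40*full/100 85*full/100 4
ppp0       5    5*full/100  40*full/100 4        default
"""

# Conversion to kbit; kbps/mbps are kilobytes/megabytes per second as in tc.
UNIT_KBIT = {"kbit": 1, "mbit": 1000, "kbps": 8, "mbps": 8000}


def bandwidth_kbit(token):
    """'830kbit' -> 830.0; a unit is required."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit|kbps|mbps)", token)
    if not m:
        raise ValueError("bandwidth needs a unit: %r" % token)
    return float(m.group(1)) * UNIT_KBIT[m.group(2)]


def rate_kbit(expr, full):
    """Evaluate a RATE/CEIL expression ('full', 'full/2', '20*full/100', '100kbit')
    against the device's OUT-BANDWIDTH in kbit, left to right over * and /."""
    tokens = re.findall(r"full|\d+(?:\.\d+)?(?:kbit|mbit|kbps|mbps)?|[*/]", expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported rate expression: %r" % expr)

    def value(tok):
        if tok == "full":
            return full
        return bandwidth_kbit(tok) if tok[-1].isalpha() else float(tok)

    result = value(tokens[0])
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        result = result * value(tok) if op == "*" else result / value(tok)
    return result


def parse_table(text):
    """Whitespace-separated rows, comments and blank lines dropped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_classes(tcdevices_text, tcclasses_text):
    """Return (findings, per-interface summary) for a tcdevices/tcclasses pair."""
    # OUT-BANDWIDTH is the third column of tcdevices and is what 'full' refers to.
    devices = {row[0]: bandwidth_kbit(row[2]) for row in parse_table(tcdevices_text)}
    findings, summary = [], {}
    for row in parse_table(tcclasses_text):
        iface, mark, rate_expr, ceil_expr = row[:4]
        options = row[5].split(",") if len(row) > 5 else []
        full = devices[iface]
        rate, ceil = rate_kbit(rate_expr, full), rate_kbit(ceil_expr, full)
        if ceil < rate:
            findings.append("%s class %s: CEIL %.1f kbit below RATE %.1f kbit" % (iface, mark, ceil, rate))
        if ceil > full:
            findings.append("%s class %s: CEIL %.1f kbit above the %.1f kbit link" % (iface, mark, ceil, full))
        info = summary.setdefault(iface, {"full": full, "sum_rate": 0.0, "defaults": 0})
        info["sum_rate"] += rate
        info["defaults"] += "default" in options
    for iface, info in summary.items():
        if info["sum_rate"] > info["full"]:
            findings.append("%s: guaranteed rates add up to %.1f kbit, more than the %.1f kbit link"
                            % (iface, info["sum_rate"], info["full"]))
        if info["defaults"] != 1:
            findings.append("%s: expected exactly one default class, found %d" % (iface, info["defaults"]))
    return findings, summary


if __name__ == "__main__":
    problems, totals = check_classes(TCDEVICES, TCCLASSES)
    print(totals)
    print("\n".join(problems) or "ok")
```

For the quoted files the per-interface summary shows the five RATE values adding up to 871.5 kbit against an 830 kbit OUT-BANDWIDTH, and that is the single finding the check reports; the CEIL values and the lone default class pass.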