Hi all,

I moved wshaper 1.1 cbq file to tcstart, but none of my tcrules are being observed. The only way I can set the marks is by editing the tcstart file. Is there a way to incorporate for tcstart to read and apply my set marks in tcrules?

Thank you,
~Andrew Nady.
Andrew N. wrote:
> Hi all,
>
> I moved wshaper 1.1 cbq file to tcstart, but none of my tcrules are being
> observed. The only way I can set the marks is by editing the tcstart file.
> Is there a way to incorporate for tcstart to read and apply my set marks in
> tcrules?

Have you set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Yes, I have set that variable, and it reads the rules written in the tcrules file, but when I "watch" the interface, marks 10, 20 or 30 do not apply. Only when I set the "NOPRIOPORTSRC=" or other variables in the tcstart do 1:30 and the others start to work.

~Andrew.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Andrew N. wrote:
> Yes, I have set that variable, and it reads the rules written in the tcrules
> file, but when I "watch" the interface mark 10 or 20 or 30 do not apply.
> Only when I set the "NOPRIOPORTSRC=" or other variables in the tcstart, the
> 1:30 and the others start to work.

Then clearly your tcrules file is marking the wrong packets.

-Tom
I think I got it, I was not setting the marks :( with the according numbers.

Thanks Tom.
~Andrew Nady.
With CBQ I guess I can not use the "mark" settings. Bahhh
Andrew N. wrote:
> With CBQ I guess I can not use the "mark" settings. Bahhh

I believe that to be nonsense but you haven't shown us one single entry in any of your configuration files! How do you expect any of us to help you when all you do is give us a summary of your warped view of what you think the problem is???

Note: If you understood what the problem REALLY is, you wouldn't have to ask us in the first place, would you?

Please give us something to look at!

- Your tcrules file.
- The output of "shorewall status" (AS A TEXT ATTACHMENT).
- Your tcstart file (All of us who use Wondershaper are wise enough to use the HTB version so none of us have a copy of the CBQ thingy...).

-Tom
Currently I use wondershaper 1.1 with the cbq file as tcstart on a pppoe connection with 2.5Mbs down and 680kbs up.

In tcrules I am placing the following to test the ftp protocol:

    15 fw 0.0.0.0/0 tcp 21 -
    16 fw 0.0.0.0/0 tcp - 21

I would like to move this traffic to 1:30.

Output from shorewall status:

----SNIP----
Chain PREROUTING (policy ACCEPT 4061K packets, 2529M bytes)
 pkts bytes target prot opt in  out source    destination
 1807  761K pretos all  --  *   *   0.0.0.0/0 0.0.0.0/0
 1802  760K tcpre  all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 3653K packets, 2324M bytes)
 pkts bytes target prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 401K packets, 202M bytes)
 pkts bytes target prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 3863K packets, 2461M bytes)
 pkts bytes target prot opt in  out source    destination
  443  101K outtos all  --  *   *   0.0.0.0/0 0.0.0.0/0
  439  100K tcout  all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 4248K packets, 2662M bytes)
 pkts bytes target prot opt in  out source    destination

Chain outtos (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
  441  100K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x02
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target prot opt in  out source    destination
  731 64680 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08

Chain tcout (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0xf
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:21 MARK set 0x10

Chain tcpre (1 references)
 pkts bytes target prot opt in  out source    destination
---END---
Andrew N. wrote:
> Currently I use wondershaper 1.1 with the cbq file as tcstart on a pppoe
> connection with 2.5Mbs down and 680kbs up.
> In tcrules I am placing the following to test the ftp protocol:
>
> 15 fw 0.0.0.0/0 tcp 21 -
> 16 fw 0.0.0.0/0 tcp - 21

Neither rule will have much traffic since what you are marking is the FTP *CONTROL* channel -- are you trying to mark FTP data traffic? Currently, there is no way in Shorewall to identify passive-mode FTP traffic (active-mode traffic has source port 20).

Also, are you running an FTP server on the firewall or an FTP client?

-Tom
Tom Eastep wrote:
> Andrew N. wrote:
>
>> Currently I use wondershaper 1.1 with the cbq file as tcstart on a pppoe
>> connection with 2.5Mbs down and 680kbs up.
>> In tcrules I am placing the following to test the ftp protocol:
>>
>> 15 fw 0.0.0.0/0 tcp 21 -
>> 16 fw 0.0.0.0/0 tcp - 21
>
> Neither rule will have much traffic since what you are marking is the
> FTP *CONTROL* channel -- are you trying to mark FTP data traffic?
> Currently, there is no way in Shorewall to identify passive-mode FTP
> traffic (active-mode traffic has source port 20).
>
> Also, are you running an FTP server on the firewall or an FTP client?

The reason that I ask is that if you are running a server, then your server can most likely be configured to use a particular range of passive ports. If, for example, you configure the server to use 7000:7999 then you can mark outbound FTP data traffic using:

    x fw 0.0.0.0/0 tcp - 7000:7999

-Tom
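As an added diagnostic that is not part of this thread and not Shorewall's own code: a small Python script that reads tcrules entries like the ones posted above together with the mangle-table excerpt that "shorewall status" printed, and reports for each entry whether a matching MARK rule was actually loaded and how many packets it has matched. Both inputs are constructed here and modelled on the thread; mark 17 is a value chosen for illustration to stand in for Tom's "x" passive-range entry. The script assumes that fw-source entries land in tcout and all other entries in tcpre (that is what the posted output shows for the fw entries; the tcpre side is an assumption), and it parses only the "MARK set 0x.." output format seen in the thread. A zero counter on a loaded rule is exactly the "marking the wrong packets" case Tom describes; a missing rule means the entry never made it into the mangle table.

```python
import re

# Constructed tcrules entries, modelled on the ones in the thread. Mark 17 is a
# stand-in for Tom's "x" passive-range entry (value chosen here, not from the thread).
TCRULES = """\
#MARK SOURCE DEST      PROTO DPORT SPORT
15    fw     0.0.0.0/0 tcp   21    -
16    fw     0.0.0.0/0 tcp   -     21
17    fw     0.0.0.0/0 tcp   -     7000:7999
"""

# Constructed mangle-table excerpt in the format "shorewall status" printed in
# the thread; only the tcout and tcpre chains are kept.
MANGLE = """\
Chain tcout (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0xf
    0     0 MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp spt:21 MARK set 0x10

Chain tcpre (1 references)
 pkts bytes target prot opt in  out source    destination
"""


def parse_tcrules(text):
    """Return one dict per tcrules entry; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("need MARK SOURCE DEST PROTO DPORT SPORT: %r" % line)
        mark, source, dest, proto, dport, sport = fields[:6]
        rules.append({
            "mark": int(mark, 0),  # accepts decimal or 0x.. notation
            "source": source, "dest": dest, "proto": proto,
            "dport": None if dport == "-" else dport,
            "sport": None if sport == "-" else sport,
        })
    return rules


CHAIN_RE = re.compile(r"^Chain (\S+)")
# pkts bytes MARK proto opt in out source destination <match text> MARK set 0xNN
MARK_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+MARK\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+"
    r"(.*?)\s*MARK set 0x([0-9a-fA-F]+)\s*$")


def parse_mangle(text):
    """Map chain name -> list of MARK rules with their packet counters."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = MARK_RE.match(line)
        if m and current is not None:
            chains[current].append({
                "pkts": int(m.group(1)),
                "proto": m.group(3),
                "match": " ".join(m.group(6).split()),  # e.g. "tcp dpt:21"
                "mark": int(m.group(7), 16),
            })
    return chains


def expected_chain(rule):
    # In the thread's output the fw-source entries landed in tcout (OUTPUT hook);
    # everything else is assumed here to be placed in tcpre (PREROUTING hook).
    return "tcout" if rule["source"] == "fw" else "tcpre"


def expected_match(rule):
    """Render the port match as iptables prints it: spt before dpt, 'spts'/'dpts' for ranges."""
    parts = [rule["proto"]]
    for key, word in (("sport", "spt"), ("dport", "dpt")):
        value = rule[key]
        if value is not None:
            parts.append("%s%s:%s" % (word, "s" if ":" in value else "", value))
    return " ".join(parts)


def audit(rules, chains):
    """Per entry: (mark, chain, packets matched); packets is None when no MARK rule was loaded."""
    findings = []
    for rule in rules:
        chain = expected_chain(rule)
        want = expected_match(rule)
        hits = [r for r in chains.get(chain, [])
                if r["mark"] == rule["mark"] and r["match"] == want]
        findings.append((rule["mark"], chain, sum(r["pkts"] for r in hits) if hits else None))
    return findings


def report(findings):
    lines = []
    for mark, chain, pkts in findings:
        if pkts is None:
            lines.append("mark %d: no MARK rule loaded in %s" % (mark, chain))
        elif pkts == 0:
            lines.append("mark %d: loaded in %s but matched 0 packets (wrong traffic?)" % (mark, chain))
        else:
            lines.append("mark %d: loaded in %s, %d packets" % (mark, chain, pkts))
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_tcrules(TCRULES), parse_mangle(MANGLE))):
        print(line)
```

Run against the constructed inputs it reports marks 15 and 16 as loaded with zero hits (the FTP control channel on the firewall itself sees no traffic in this setup) and mark 17 as not loaded at all. To use it on a real box, replace TCRULES with the contents of /etc/shorewall/tcrules and MANGLE with the mangle section of "shorewall status".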
Hi Tom,

FTP server is running in the DMZ zone. I'll try to set the data ports as you mentioned. Also could you clue me in as to how the "mark" is being set in CBQ mode. As I understand HTB mode has a set conf file for traffic marking. The reason why I ask is if I set the 'smtp' protocol the same way as I do the 'ftp' there is nothing happening on 1:30 priority when I run the "watch" command.

Thanks,
~Andrew Nady.
Andrew N. wrote:
> FTP server is running in the DMZ zone.

Well, your tcrules file isn't marking that traffic -- it is only marking traffic originating ON THE FIREWALL and traffic addressed TO THE FIREWALL.

> I'll try to set the data ports as you mentioned. Also could you clue me in
> as to how the "mark" is being set in CBQ mode.

Wondershaper is self-contained -- IT REQUIRES NO EXTERNAL MARKING WHATSOEVER.

> As I understand HTB mode has a set conf file for traffic marking.

It has exactly one file which I install as /etc/shorewall/tcstart; just like the CBQ version -- I modify that file per the instructions in the file and that's all!!!

> The reason why I ask is if I set the 'smtp' protocol the same way as I do
> the 'ftp' there is nothing happening on 1:30 priority when I run the "watch"
> Command.

Enough -- this has nothing whatsoever to do with Shorewall.

-Tom