I'm not having a lot of luck trying to get my packet marking setup the way I need it... Basically, I want open access from my house to the two network blocks at the office... But, I want to throttle the connection to the Internet.. Here's what I have now:

From /etc/shorewall/tcrules:

#MARK   SOURCE                            DEST                              PROTO   PORT(S)   CLIENT PORT(S)
1       172.16.1.4                        64.216.105.0/25,208.191.32.0/24   all
2       172.16.1.4                        0.0.0.0/0                         all
3       64.216.105.0/25,208.191.32.0/24   64.216.105.3                      all
4       0.0.0.0/0                         64.216.105.3                      all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

How it ends up:

[root@mine shorewall]# shorewall status | grep -i mark
  37  2268 MARK  all  --  *  *  172.16.1.4       64.216.105.0/25  MARK set 0x1
 661 99200 MARK  all  --  *  *  172.16.1.4       208.191.32.0/24  MARK set 0x1
3036  254K MARK  all  --  *  *  172.16.1.4       0.0.0.0/0        MARK set 0x2
   0     0 MARK  all  --  *  *  64.216.105.0/25  64.216.105.3     MARK set 0x3
 663  803K MARK  all  --  *  *  208.191.32.0/24  64.216.105.3     MARK set 0x3
2538 2703K MARK  all  --  *  *  0.0.0.0/0        64.216.105.3     MARK set 0x4

From /etc/shorewall/tcstart:

run_tc qdisc add dev eth0 root handle 20: cbq bandwidth 10Mbit avpkt 1000
run_tc class add dev eth0 parent 20:0 classid 20:1 cbq bandwidth 10Mbit rate 10Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000
run_tc class add dev eth0 parent 20:1 classid 20:100 cbq bandwidth 10Mbit rate 64Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
run_tc class add dev eth0 parent 20:1 classid 20:200 cbq bandwidth 10Mbit rate 128Kbit allot 1514 weight 12Kbit prio 5 maxburst 20 avpkt 1000 bounded
run_tc class add dev eth0 parent 20:1 classid 20:300 cbq bandwidth 10Mbit rate 192Kbit allot 1514 weight 19Kbit prio 5 maxburst 20 avpkt 1000 bounded
run_tc class add dev eth0 parent 20:1 classid 20:400 cbq bandwidth 10Mbit rate 256Kbit allot 1514 weight 25Kbit prio 5 maxburst 20 avpkt 1000 bounded
run_tc qdisc add dev eth0 parent 20:100 sfq quantum 1514b perturb 10
run_tc qdisc add dev eth0 parent 20:200 sfq quantum 1514b perturb 10
run_tc qdisc add dev eth0 parent 20:300 sfq quantum 1514b perturb 10
run_tc qdisc add dev eth0 parent 20:400 sfq quantum 1514b perturb 10
run_tc filter add dev eth0 parent 20: protocol ip prio 50 handle 3 fw flowid 20:1
run_tc filter add dev eth0 parent 20: protocol ip prio 50 handle 4 fw flowid 20:400

Whatever gets caught by handle 3, also ends up in handle 4, so is throttled back to 256k, instead of being open.. I tried altering tcrules like this:

4       0.0.0.0/0:!64.216.105.0/25,!208.191.32.0/24   64.216.105.3   all

But, it didn't like that.. Can't blame a guy for trying ;) Any suggestions on how to make this work?

---
Homer Parker
http://www.homershut.net
telnet://bbs.homershut.net
--On Saturday, November 30, 2002 07:59:48 PM -0600 Homer Parker <hparker@homershut.net> wrote:

> I'm not having a lot of luck trying to get my packet marking setup the way
>
>
> Whatever gets caught by handle 3, also ends up in handle 4, so is
> throttled back to 256k, instead of being open.. I tried altering tcrules
> like this:

Why don't you just reverse the order of the rules?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
On Sun, 01 Dec 2002 16:28:52 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> --On Saturday, November 30, 2002 07:59:48 PM -0600 Homer Parker
> <hparker@homershut.net> wrote:
>
> > I'm not having a lot of luck trying to get my packet marking setup
> > the way
> >
> >
> > Whatever gets caught by handle 3, also ends up in handle 4, so is
> > throttled back to 256k, instead of being open.. I tried altering
> > tcrules like this:
>
> Why don't you just reverse the order of the rules?

I actually gave up on doing it on the firewall at the house.. I'm going to be implementing Bering routers in two other places between me and the Internet, and will manage it that way... But, my question then would be, does it just go with the last rule found? That's not what I'm seeing, as I saw traffic in both classes, just more in the one that went to 0.0.0.0/0...

---
Homer Parker
http://www.homershut.net
telnet://bbs.homershut.net
--On Sunday, December 01, 2002 07:21:26 PM -0600 Homer Parker <hparker@homershut.net> wrote:

> On Sun, 01 Dec 2002 16:28:52 -0800 Tom Eastep <teastep@shorewall.net>
> wrote....
>
>> --On Saturday, November 30, 2002 07:59:48 PM -0600 Homer Parker
>> <hparker@homershut.net> wrote:
>>
>> > I'm not having a lot of luck trying to get my packet marking setup
>> > the way
>> >
>> >
>> > Whatever gets caught by handle 3, also ends up in handle 4, so is
>> > throttled back to 256k, instead of being open.. I tried altering
>> > tcrules like this:
>>
>> Why don't you just reverse the order of the rules?
>
> I actually gave up on doing it on the firewall at the house.. I'm going to
> be implementing Bering routers in two other places between me and the
> Internet, and will manage it that way... But, my question then would be,
> does it just go with the last rule found? That's not what I'm seeing, as I
> saw traffic in both classes, just more in the one that went to 0.0.0.0/0...
>

The last tc rule that matches the packet is the one that will determine the packet's mark value.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
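An added example, not from the thread or from Shorewall itself, that simulates the mangle-table MARK chain the posted tcrules expand into and shows why office-to-64.216.105.3 traffic lands in the 256k class in file order but in the open class once the rules are reversed, exactly as the last-match rule above predicts. The rule expansion is taken from the posted `shorewall status` output and the mark-to-class map from the posted `tc filter ... fw` lines; the sample packet addresses are constructed.

```python
import ipaddress

# Constructed from the tcrules posted in the thread, expanded the way the
# posted `shorewall status` output shows them: one MARK rule per
# SOURCE/DEST pair, in file order. Tuples are (mark, source, dest).
TCRULES = [
    (1, "172.16.1.4/32",   "64.216.105.0/25"),
    (1, "172.16.1.4/32",   "208.191.32.0/24"),
    (2, "172.16.1.4/32",   "0.0.0.0/0"),
    (3, "64.216.105.0/25", "64.216.105.3/32"),
    (3, "208.191.32.0/24", "64.216.105.3/32"),
    (4, "0.0.0.0/0",       "64.216.105.3/32"),
]

# The two `tc filter ... handle N fw flowid` lines from the posted tcstart:
# mark value -> CBQ class. Marks 1 and 2 have no filter in that tcstart.
FW_FILTERS = {3: "20:1", 4: "20:400"}


def final_mark(rules, src, dst):
    """Evaluate the MARK rules for one packet, in chain order.

    MARK is a non-terminating iptables target: the packet keeps traversing
    the chain after a match and every later match overwrites the mark, so
    the last matching rule decides the value.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = 0
    for value, s_net, d_net in rules:
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            mark = value  # overwrite; no early exit
    return mark


def tc_class(rules, src, dst):
    """CBQ class the packet is steered to, or None if no fw filter matches."""
    return FW_FILTERS.get(final_mark(rules, src, dst))


if __name__ == "__main__":
    office = ("208.191.32.5", "64.216.105.3")     # constructed office host
    outside = ("198.51.100.7", "64.216.105.3")    # constructed Internet host
    for label, rules in (("file order", TCRULES), ("reversed", TCRULES[::-1])):
        print(f"{label:10s} office -> {tc_class(rules, *office)}, "
              f"internet -> {tc_class(rules, *outside)}")
```

In file order the office host gets mark 4 (the 0.0.0.0/0 rule is last) and lands in 20:400; with the rules reversed the office-specific rule is the last match, mark 3 selects 20:1, and Internet hosts still end up in 20:400.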
On Sun, 01 Dec 2002 18:19:59 -0800 Tom Eastep <teastep@shorewall.net> wrote....

> The last tc rule that matches the packet is the one that will determine
> the packet's mark value.

That's different... Learn something new every day ;) I will keep that in mind though, thanks!

---
Homer Parker
http://www.homershut.net
telnet://bbs.homershut.net