Sven Witterstein
2002-Dec-07 05:20 UTC
[Shorewall-users] Squid / QoS / Traffic Shaping with Shorewall / iptables question
Hello, I suppose most of you guys have a lot of things to worry about, so short: Squid is running on the Mandrake 9-based firewall box to save on bandwidth. Traffic from LAN to net should have priority over traffic from dmz/forwarded ports. I think I have set this up.

What's tricky is: The LAN http-requests can optionally be proxied to fw:3128 where squid listens, and squid's requests do not originate from lan, but from fw :-(. That means now in practice: surfing with squid is slower (a squidded http request is a squid request, thus a request from the fw which is lesser than a request from lan or dmz where a DNATed (and to shorewall masqueraded but definitely from the lan, so for iptables more important than squid from the firewall) server is running, so the DNATed server wins over normal surfing, which sucks).

How to configure iptables / shorewall for traffic shaping / qos so that a) LAN has priority over (dmz and fw's and forwarded ports to lan) servers b) except SQUID, which should have the highest priority. i.e. people on lan surfing the web shall be considered much more important than any other traffic the overall system generates to outside, i.e. first priority: squid, second http from lan without squid, third pop, imap etc., and then comes ftp, ssh from servers, then other traffic from lan, then other traffic from dmz and so forth -> how to prioritise this?

BTW: I'm not a newbie, only new to kernel 2.4 and the dolphin, because I was "offline" for two years, and last linuxing was on SuSE 7.0. As a result: is it possible to sometime in the future add an optional traffic shaping profile into the fw? That would be so cool for people like me... Shorewall is cool, the only thing which I liked better in the 2-0 suse firewall scripts was that there was a variable ALLOW_INCOMING_HIGHPORTS=yes and it worked... and squid and local lan were still the fastest on the line. Merry Christmas out there and I would be pleased if anybody could help me.

Kind regards and season's greetings, Sven.
John Andersen
2002-Dec-07 06:51 UTC
[Shorewall-users] Squid / QoS / Traffic Shaping with Shorewall / iptables question
On Friday 06 December 2002 08:20 pm, Sven Witterstein wrote:
> What's tricky is:
> The LAN http-requests can optionally be proxied to fw:3128 where squid
> listens, and squid's requests do not originate from lan, but from fw :-(.
> That means now in practice: surfing with squid is slower (a squidded http
> request is a squid request, thus a request from the fw which is lesser than
> a request from lan or dmz where a DNATed (and to shorewall masqueraded but
> definitely from the lan, so for iptables more important than squid from the
> firewall) server is running, so the DNATed server wins over normal surfing,
> which sucks).

Sven: Now that you've re-read it, what did the above MEAN to say?

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Tom Eastep
2002-Dec-07 14:19 UTC
[Shorewall-users] Squid / QoS / Traffic Shaping with Shorewall / iptables question
--On Saturday, December 07, 2002 06:20:39 AM +0100 Sven Witterstein <witterstein@web.de> wrote:
> How to configure iptables / shorewall for traffic shaping / qos so that
> a) LAN has priority over (dmz and fw's and forwarded ports to lan)
> servers b) except SQUID, which should have the highest priority.
>
> i.e. people on lan surfing the web shall be considered much more
> important than any other traffic the overall system generates to outside
> i.e. first priority: squid, second http from lan without squid, third
> pop, imap etc., and then comes ftp, ssh from servers, then other traffic
> from lan, then other traffic from dmz and so forth -> how to prioritise
> this?

Have you looked at http://shorewall.sf.net/traffic_shaping.htm?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net