search for: tcrule

Hi, first of all, let me thank you for your great Shoreline Firewall. I use it with great success at home (protecting my WiFi connection). And now if I could have a question about traffic shaping. I did read everything I could find but I still have two problems: first, the MARK from tcrules is not working in HTB based simple tc filter line ("handle $MARK fw classid 1:20"). If I switch this tcstart''s line to "u32 match ip dst $IPADDR flowid 1:20" suddenly the shaping starts working. I cannot figure this one out, really. I''ll provide more details l...

...d like to suggest a couple of improvements to the MultiISP.html documentation page. I followed the examples in that page (but the legacy setup and the USE_DEFAULT_RT one), but I had problems with locally (by the firewall) generated packets: I wanted them to go out using only one ISP, but if I use a tcrules rule to accomplish this, I have all the packets that flow through the correct ISP connection, but 50% of them is given the wrong ip source address (the one from the other ISP NIC). What I found not to be so clearly stated in MultiISP.html is that when a packet is generated by the firewall and the...

Hi all, I moved wshaper 1.1 cbq file to tcstart, but none of my tcrules are being observed. The only way I can set the marks is by editing the tcstart file. Is there a way to incorporate for tcstart to read and apply my set marks in tcrules? Thank you, ~Andrew Nady.

...irst of all, thanks to all shorewall developers. Shorewall is really great. Here is a patch to add the following feature : This patch allows you to mark packets according to the user name under which the program generating output is running. To do so, the patch will allow you to write rules in the tcrules file looking like that : #MARK SOURCE DEST PROTO PORT(S) CLIENT USER # PORT(S) 30 fw - all - - 10000 This will generate an iptables command looking like that : iptables <...Snip...> -m owner --uid-owner...

I have just installed shorewall 2.0.9, having spent a day and a half tracking down why my tcrules wasn''t working properly in 2.0.8. I didn''t see the announcement of 2.0.9 because it didn''t go to -announce. Anyway I have 2.0.9 now (the package from Debian incoming) and the problem is still there. My tcrules file says: 1 0.0.0.0/0 0.0.0.0/0 tcp 22 1 0.0.0.0/0 0.0.0...

Hi Folks, I''m a new user to Shorewall, it came installed on the redWall firewall that I am using and I''m really happy with both projects! Thanks for all your work on it! I have a question about tcrules and $FW. I''m doing source policy routing and need to be able to add an output rule to the mangle chain with a source that is specific network, not 0.0.0.0/0. It appears that there is no way to do this, and it also appears that $FW is the only way to add an output rule in the mangle...

Hi there. Currently, our network design has two ISP lines and 3 subnets for LAN. Below are some details :- eth0 - isp1 eth1 - isp2 eth2 - subnet1 eth3 - subnet2 eth4 - subnet3 What i wanted to do is to assign incoming port 80 to our local squid server running on the firewall itself and assigned it to eth0(ISP1). I think it shouldnt be a problem as /etc/shorewall/rules provides a sample of the

Hello, It seems that the following restriction is not shown in the online man page for tcrules: ERROR: SOURCE/DEST PORT(S) not allowed with PROTO all : /tmp/shorewall/tcrules (line 2) Please let me know if this is expressed otherwise in the documentation. Thanks. ------------------------------------------------------------------------------ EditLive Enterprise is the world''s...

Hi, I am confused about the tcrules syntax. When I try to shape a web server running on fw with this line: 4 fw 0.0.0.0/0 tcp - 80 it works but the "80" must be in CLIENT PORT, my logic says it should be in the "PORT" column (doesn''t work there) am I missing...

...st of all, I''m trying to use IPP2P to classify my P2P traffic and give it a lower network priority. I''ve already successfully built IPP2P into iptables and the kernel. I read http://www.shorewall.net/IPP2P.html, but it''s confusing me. Using the documentation for normal tcrules in 3.0 (http://www.shorewall.net/traffic_shaping.htm), each match in tcrules is basically a one liner which quite logically matches a protocol/port combo and marks it. So why is the IPP2P example six lines long??? It would seem to me that based on the tcrules documentation, all that''s n...

So after reading the traffic control documentation at shorewall.net I am a little confused. I don''t understand how to use the tcrules file. What I would ideally like to do is setup htb on a per user basis (either by IP or MAC address). If anybody has any hints on the best way to do this or is willing to explain the use of tcrules file a little better (how I could mark it per IP or MAC) I would love to hear it. Also this box si...

According to the documentation there is a limit to marking of 255. Why is this? Can I work around it?

...: private net ppp0: virtual dial up interface for pppoe There is a ftp server on the private net It is listen for port 21 and configured 50000:51000 for PASV connection my related config file as follows /etc/shorewall/rules . DNAT all loc:192.168.103.100 tcp 21,20,50000:51000 . . /etc/shorewall/tcrules 1 ppp0 0.0.0.0 tcp - 80 2 ppp0 0.0.0.0 tcp 21,20,50000:51000 21,20,50000:51000 3 ppp0 0.0.0.0 all /etc/shorewall/tcstart #!/bin/bash tc qdisc add dev ppp0 root handle 1: htb default 30 tc class add dev ppp0 parent 1: classid 1:1 htb rate 440kbit burst 15k tc class add dev ppp0 parent 1:1 class...

Hello Asterisk sits in a Vserver guest (192.168.3.9) on the firewall. I can''t seem to get the sip helper to mark the SIP packets though. I have an ftp client on a different Vserver guest on the firewall. If I put ftp in the HELPER column of tcrules I can mark those packets. With sip in the HELPER column though nothing happens. Attached is a "shorewall dump > dump.txt" that was taken while Asterisk was making a SIP call. You''ll see that under "Chain tcout" there are 0 packets. When "helper match "f...

...ONS REDIRECTED #INTERFACE INTERFACES eth1 2048kbps 1500kbps -- tcclasses --- #INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS # DMAX:UMAX eth1 1 100kbps 180kbps 1 tos=0x88/0xfc,tos=0xb8/0xfc eth1 2 full/4 full 2 default -- tcrules --- #MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES 1 $FW:w.x.y.z a.b.c.d udp 1194 - - - - 0x18/0xa0 My voip traffic goes into an openvpn vpn tunnel. When I log the Openvpn traffic us...

Hi, I want to configure QoS in my shorewall conf but I have a doubt. Now I am using tcrules with prerouting and with the file providers, like this. 2:P 192.168.0.11 0.0.0.0/0 tcp 25 So, with this way I route my smtp traffic with my provider number 2. Well, now I want to configure QoS with tcclasses and tcdevices, but if I do that I need to use the MARK in the tcclasse...

...\ http://shorewall.net Washington USA \ teastep@shorewall.net -------------- next part -------------- An embedded message was scrubbed... From: =?ISO-8859-1?Q?Fr=E9d=E9ric?= LESPEZ <frederic.lespez@free.fr> Subject: Re: [Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules Date: Thu, 22 Jan 2004 20:29:50 +0100 Size: 5721 Url: http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20040122/c6d75554/attachment.eml

...''ll Offer you a big Beer) Joffrey -----Message d''origine----- De : shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] De la part de Tom Eastep Envoyé : jeudi 19 octobre 2006 21:46 À : Shorewall Users Objet : Re: [Shorewall-users] Tcrules Helpwith multiISP+ squid& squidguard... Joffrey FLEURICE wrote: > I found that in my kernel config : > > # CONFIG_NET_KEY is not set > CONFIG_INET=y > CONFIG_IP_MULTICAST=y > CONFIG_IP_ADVANCED_ROUTER=y > CONFIG_IP_MULTIPLE_TABLES=y > CONFIG_IP_ROUTE_FWMARK=y > CON...

Don''t know whether you''re interested in errors this trivial. Diff file attached. Regards Fog_Watch. ------------------------------------------------------------------------------

...When i restart the firewall when i put the HIGH_ROUTE_MARKS=Yes i can''t restart it, i receive the following message in the logs: 18:17:35 Compiling /etc/shorewall/providers ... ERROR: Invalid Mark Value (1) with HIGH_ROUTE_MARKS=Yes : /etc/shorewall/providers (line 13) My files have: tcrules: empty Providers:New 1 1 main eth0 192.168.1.1 track,balanceOld 2 2 main eth1 200.40.50.1 track,balance eth2.2Medium 3 3 main eth2 300.33.2.1 track,balance eth2.2 What happens? I nee...