Hi,

I am confused about the tcrules syntax. When I try to shape a web server running on fw with this line:

4 fw 0.0.0.0/0 tcp - 80

it works, but the "80" must be in CLIENT PORT. My logic says it should be in the "PORT" column (it doesn't work there). Am I missing something, or are the columns labeled wrong?

thx
Jan
Obviously I am missing something important...

What is the difference between

4 fw 0.0.0.0/0 tcp - 80

and

4 fw eth1 tcp - 80

and

4 fw all tcp - 80

eth1 is the one I am doing tests on. Only the first line has any effect.

Jan

Jan Schermer wrote:
> Hi,
> I am confused about the tcrules syntax. When I try to shape a web server
> running on fw with this line:
>
> 4 fw 0.0.0.0/0 tcp - 80
>
> it works
> but the "80" must be in CLIENT PORT, my logic says it should be in the
> "PORT" column (doesn't work there)
> am I missing something or are the columns labeled wrong?
>
> thx
> Jan
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Jan Schermer wrote:
> Hi,
> I am confused about the tcrules syntax. When I try to shape a web server
> running on fw with this line:
>
> 4 fw 0.0.0.0/0 tcp - 80
>
> it works
> but the "80" must be in CLIENT PORT, my logic says it should be in the
> "PORT" column (doesn't work there)
> am I missing something or are the columns labeled wrong?
>

If you look at a current version of the tcrules file, you will find that the column in question is labeled SOURCE. Since you are shaping the replies from a web server, the source port in the packets is 80.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
So the right syntax is this?

4 0.0.0.0/0 $FW tcp 80 -

because that also doesn't work for me :)

Jan

Tom Eastep wrote:
> Jan Schermer wrote:
>
>> Hi,
>> I am confused about the tcrules syntax. When I try to shape a web server
>> running on fw with this line:
>>
>> 4 fw 0.0.0.0/0 tcp - 80
>>
>> it works
>> but the "80" must be in CLIENT PORT, my logic says it should be in the
>> "PORT" column (doesn't work there)
>> am I missing something or are the columns labeled wrong?
>>
>
>
> If you look at a current version of the tcrules file, you will find that
> the column in question is labeled SOURCE. Since you are shaping the
> replies from a web server, the source port in the packets is 80.
>
> -Tom
Jan Schermer wrote:
> obviously I am missing something important...
>
> what is the difference between
>
> 4 fw 0.0.0.0/0 tcp - 80
> and

Marks output from the firewall with source port 80.

> 4 fw eth1 tcp - 80

Marks output from the firewall routed out of interface eth1 with source port 80.

> and
> 4 fw all tcp - 80
>

Marks output from the firewall on an interface called 'all' with source port 80. I should change that to raise an error if there is no interface named 'all'.

-Tom
Jan Schermer wrote:
> So the right syntax is this?
>
> 4 0.0.0.0/0 $FW tcp 80 -
>
> because that also doesn't work for me :)
>

No, that is not what you want.

-Tom
I'm at a loss then. If I want to shape a download of a file from my webserver running on fw, what should the line read?

Jan

Tom Eastep wrote:
> Jan Schermer wrote:
>
>> So the right syntax is this?
>>
>> 4 0.0.0.0/0 $FW tcp 80 -
>>
>> because that also doesn't work for me :)
>>
>
>
> No, that is not what you want.
>
> -Tom
Jan Schermer wrote:
> I'm at a loss then.
> If I want to shape a download of a file from my webserver running on fw,
> what should the line read?
>

To MARK responses from a web server running on the Shorewall system:

<mark> $FW 0.0.0.0/0 tcp - 80

-Tom
Ok, but that means that the "PORTS" and "CLIENT PORTS" columns are swapped :)

Jan

Tom Eastep wrote:
> Jan Schermer wrote:
>
>> I'm at a loss then.
>> If I want to shape a download of a file from my webserver running on fw,
>> what should the line read?
>>
>
>
> To MARK responses from a web server running on the Shorewall system:
>
> <mark> $FW 0.0.0.0/0 tcp - 80
>
> -Tom
Jan Schermer wrote:
> Ok, but that means that "PORTS" and "CLIENT PORTS" columns are swapped :)
>

Let's just say that the columns used to be named in a confusing manner. Remember, you are looking at an earlier version of the tcrules file.

As I've already mentioned once, the CLIENT PORTS column is labeled SOURCE PORT(S) in the current file, and you would have realized that if you would have bothered to read the online documentation.

And for responses from a web server, the SOURCE PORT is 80.

-Tom
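The column confusion in this thread (which ports column holds the 80, and what a DEST of eth1 or all means) is easiest to see by parsing the lines the way the replies describe them. The following is an added example, not Shorewall's own code and not from either poster. It assumes the column order MARK SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) as stated in the replies (the last column being the one labelled CLIENT PORT(S) in the older file), that both fw and $FW name the firewall itself, that a DEST which is not an address or CIDR is an interface name (including the literal all, which the thread says is read as an interface called 'all'), and that "-" means "any". The describe and lint functions are hypothetical helpers written for this illustration.

```python
"""Added example: interpret Shorewall tcrules lines the way this thread explains them.

Assumed (from the thread, not from Shorewall's source):
  columns  MARK SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S)
  fw / $FW is the firewall itself; '-' means any;
  a DEST that is not an address/CIDR is an interface name.
"""
import ipaddress
from dataclasses import dataclass

ANY = "-"
FIREWALL = {"fw", "$FW"}  # assumption: both spellings mean the firewall host


@dataclass
class TcRule:
    mark: int
    source: str
    dest: str
    proto: str
    dest_ports: str    # column labelled PORT(S) / DEST PORT(S)
    source_ports: str  # column labelled CLIENT PORT(S) / SOURCE PORT(S)


def _is_address(token: str) -> bool:
    """True for an IP address or CIDR block such as 0.0.0.0/0."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def parse_tcrule(line: str) -> TcRule:
    """Split one tcrules line into columns; omitted trailing columns mean 'any'."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"need at least MARK SOURCE DEST PROTO: {line!r}")
    fields += [ANY] * (6 - len(fields))
    mark, source, dest, proto, dport, sport = fields[:6]
    return TcRule(int(mark), source, dest, proto, dport, sport)


def describe(rule: TcRule) -> str:
    """Plain-English statement of which packets the rule marks."""
    src = "the firewall itself" if rule.source in FIREWALL else f"source {rule.source}"
    if rule.dest in FIREWALL:
        dst = "addressed to the firewall itself"
    elif rule.dest == ANY or _is_address(rule.dest):
        dst = "to any destination" if rule.dest in (ANY, "0.0.0.0/0") else f"to {rule.dest}"
    else:
        dst = f"routed out of interface {rule.dest}"
    dport = "any destination port" if rule.dest_ports == ANY else f"destination port {rule.dest_ports}"
    sport = "any source port" if rule.source_ports == ANY else f"source port {rule.source_ports}"
    return f"mark {rule.mark}: {rule.proto} packets from {src}, {dst}, {dport}, {sport}"


def shapes_server_replies(rule: TcRule, port: int) -> bool:
    """True if the rule marks replies sent by a server on the firewall listening on `port`.

    Replies leave the firewall with the service port as their SOURCE port, so the
    port must be in the SOURCE-PORT(S) column and SOURCE must be the firewall.
    """
    return rule.source in FIREWALL and rule.source_ports == str(port)


def lint(rule: TcRule) -> list:
    """Warnings for the two mistakes discussed in the thread."""
    warnings = []
    if rule.dest == "all":
        warnings.append("DEST 'all' is read as an interface name; the rule matches "
                        "nothing unless an interface called 'all' exists")
    if rule.dest in FIREWALL and rule.dest_ports != ANY and rule.source_ports == ANY:
        warnings.append(f"matches requests arriving at the firewall's port {rule.dest_ports}, "
                        "not the server's replies; to shape replies use SOURCE $FW and put "
                        "the port in the SOURCE-PORT(S) column")
    return warnings


if __name__ == "__main__":
    # The lines from the thread, as constructed sample input.
    for line in ("4 fw 0.0.0.0/0 tcp - 80", "4 fw eth1 tcp - 80",
                 "4 fw all tcp - 80", "4 0.0.0.0/0 $FW tcp 80 -"):
        rule = parse_tcrule(line)
        print(line, "->", describe(rule))
        for w in lint(rule):
            print("   warning:", w)
```

Run stand-alone, the script prints one description per line from the thread; the third line gets the 'all' warning and the fourth line is flagged as matching inbound requests rather than the web server's replies, which is why only the first line had any effect.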
Ah :) mea maxima culpa... thanks

Jan

Tom Eastep wrote:
> Jan Schermer wrote:
>
>> Ok, but that means that "PORTS" and "CLIENT PORTS" columns are swapped :)
>>
>
>
> Let's just say that the columns used to be named in a confusing manner.
> Remember, you are looking at an earlier version of the tcrules file.
>
> As I've already mentioned once, the CLIENT PORTS column is labeled
> SOURCE PORT(S) in the current file and you would have realized that if
> you would have bothered to read the online documentation.
>
> And for responses from a web server, the SOURCE PORT is 80.
>
> -Tom