Hello to all.

I have read the documentation about traffic shaping using Shorewall in version 3RC2, but apparently it doesn't work for me.

Here is my configuration:

eth0: loc - 192.168.1.254
eth1: net - 10.1.1.254

My eth1 is connected to an ADSL modem router with 608kbps downstream and 320kbps upstream. I have configured a DHCP server in the firewall.

I have tried a lot of configurations for traffic shaping but they don't work for me.

Based on the described network configuration, I want to configure my host 192.168.1.253 to have full bandwidth when the ADSL is idle, but I want to prioritize UDP packets using port 33445.
I need traffic to ports 25/110/80 to get less priority for the network 192.168.1.0.

How do I have to configure the files tcclasses, tcdevices and tcrules?

PS: Excuse my bad English.

Thanks
Wilson

On Monday 24 October 2005 18:17, Wilson A. Galafassi Jr. wrote:
>
> I have tried a lot of configurations for traffic shaping but they don't
> work for me.
>
> Based on the described network configuration, I want to configure my host
> 192.168.1.253 to have full bandwidth when the ADSL is idle, but I want to
> prioritize UDP packets using port 33445.
> I need traffic to ports 25/110/80 to get less priority for the
> network 192.168.1.0.
>
> How do I have to configure the files tcclasses, tcdevices and tcrules?
>

I'm sorry -- the rules for this list don't allow you to describe your problem and ask us to configure your firewall for you.

This is your firewall/gateway -- if what you have tried doesn't work the way that you expect then:

a) Show us your configuration (see http://www.shorewall.net/3.0/support.htm).
b) Describe what you want to accomplish (in detail).
c) Tell us what didn't work (in detail -- don't just tell us that 'it didn't work').

Free software is NOT FREE -- What you don't pay in money, you pay by having to actually do something and hopefully learn something.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Thanks Tom.

Here is my configuration:

tcrules:
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
1:P 192.168.1.253 0.0.0.0/0 tcp 80

tcclasses:
eth1 1 100kbit 500kbit 1 tcp-ack,tos-minimize-delay
eth1 2 50kbit 300kbit 2
eth1 3 150kbit 200kbit 3 default

tcdevices:
eth1 608kbit 320kbit

I want to limit download to 192.168.1.253 (loc) to 500kbit but it isn't working.

Many thanks for your help.

Wilson

Wilson wrote on 25/10/2005 10:34:29:
> Thanks Tom.
>
> Here is my configuration:
>
> tcrules:
> 1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> 1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
> 1:P 192.168.1.253 0.0.0.0/0 tcp 80
>
> tcclasses:
> eth1 1 100kbit 500kbit 1 tcp-ack,tos-minimize-delay
> eth1 2 50kbit 300kbit 2
> eth1 3 150kbit 200kbit 3 default
>
> tcdevices:
> eth1 608kbit 320kbit
>
> I want to limit download to 192.168.1.253 (loc) to 500kbit but it isn't
> working.
>
> Many thanks for your help.
>

Wilson

- is the web traffic proxied?
- do you want to limit all http traffic or just large downloads?
- how do you think this particular traffic (large downloads on port 80) is going to be identified?
- which are your zones/interfaces?
- is eth1 your external or internal interface?
- why don't you provide us with the information we are asking you from the beginning?
- why do you think we should guess about the facts?

--
cheers

On Tuesday 25 October 2005 05:34, Wilson A. Galafassi Jr. wrote:
>
> I want to limit download to 192.168.1.253 (loc) to 500kbit but it isn't
> working.
>

From http://www.shorewall.net/3.0/traffic_shaping.htm:

"*You can only shape outgoing traffic*. The reason for this is simple, the packets were already received by your network card before you can decide what to do with them. So the only choice would be to drop them which normally makes no sense (since you received the packet already, it went through the possible bottleneck (the incoming connection). The next possible bottleneck might come if the packet leaves on another interface, so this will be the place where queuing might occur. So, defining queues for incoming packages is not very useful, you just want to have it forwarded to the outgoing interface as fast as possible".

-Tom
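
Added example, not part of the original thread and not Shorewall code: a small Python check that applies the egress-only rule quoted above to the tcdevices and tcclasses lines posted earlier in the thread. It assumes the Shorewall 3.0 column order (tcdevices: INTERFACE IN-BANDWIDTH OUT-BANDWIDTH; tcclasses: INTERFACE MARK RATE CEIL PRIORITY OPTIONS); the function names and the ceil-versus-out-bandwidth check are this example's own.

```python
import re

# File contents copied from the configuration posted in this thread.
TCDEVICES = "eth1 608kbit 320kbit\n"
TCCLASSES = """\
eth1 1 100kbit 500kbit 1 tcp-ack,tos-minimize-delay
eth1 2 50kbit 300kbit 2
eth1 3 150kbit 200kbit 3 default
"""

def kbit(value):
    """Convert '320kbit' or '1mbit' to kbit/s (only the units needed here)."""
    m = re.fullmatch(r"(\d+)(kbit|mbit)", value.lower())
    if not m:
        raise ValueError(f"unsupported rate: {value!r}")
    return int(m.group(1)) * (1000 if m.group(2) == "mbit" else 1)

def rows(text):
    """Yield whitespace-split columns, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check(tcdevices, tcclasses, egress_iface):
    """Return findings for traffic that leaves the firewall on egress_iface."""
    out_bw = {r[0]: kbit(r[2]) for r in rows(tcdevices)}  # column 3 = OUT-BANDWIDTH
    findings = []
    if egress_iface not in out_bw:
        findings.append(f"{egress_iface}: no tcdevices entry, so no class queues traffic leaving it")
    committed = {}
    for iface, mark, rate, ceil, *_ in rows(tcclasses):
        if iface not in out_bw:
            findings.append(f"class {iface}:{mark}: interface missing from tcdevices")
            continue
        committed[iface] = committed.get(iface, 0) + kbit(rate)
        if kbit(ceil) > out_bw[iface]:
            findings.append(f"class {iface}:{mark}: ceil {ceil} exceeds out-bandwidth {out_bw[iface]}kbit")
    for iface, total in committed.items():
        if total > out_bw[iface]:
            findings.append(f"{iface}: rates total {total}kbit, above out-bandwidth {out_bw[iface]}kbit")
    return findings

if __name__ == "__main__":
    # Downloads to 192.168.1.253 leave the firewall on eth0 (loc), not eth1.
    for finding in check(TCDEVICES, TCCLASSES, egress_iface="eth0"):
        print(finding)
```

Run against the posted files with eth0 as the egress interface, it reports that eth0 has no tcdevices entry and that class 1 on eth1 has a ceiling above the 320kbit upstream.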

Sorry, but English is not easy for me.

- is the web traffic proxied?
No. It is routed in the Shorewall box, no proxies.

- do you want to limit all http traffic or just large downloads?
I want to limit all http traffic.

- how do you think this particular traffic (large downloads on port 80) is going to be identified?

- which are your zones/interfaces?
My zones are:
loc - eth0 - 192.168.1.254
net - eth1 - 10.1.1.254

- is eth1 your external or internal interface?
eth1 is my external interface

- why don't you provide us with the information we are asking you from the beginning?
Sorry man.

- why do you think we should guess about the facts?
Sorry again.

If you can help me, many thanks for all.

Wilson

You have sent this to the wrong person.

Tom Eastep wrote:
> On Tuesday 25 October 2005 05:34, Wilson A. Galafassi Jr. wrote:
>
>> I want to limit download to 192.168.1.253 (loc) to 500kbit but it isn't
>> working.
>
> From http://www.shorewall.net/3.0/traffic_shaping.htm:
>
> "*You can only shape outgoing traffic*. The reason for this is simple, the
> packets were already received by your network card before you can decide what
> to do with them. So the only choice would be to drop them which normally
> makes no sense (since you received the packet already, it went through the
> possible bottleneck (the incoming connection). The next possible bottleneck
> might come if the packet leaves on another interface, so this will be the
> place where queuing might occur. So, defining queues for incoming packages is
> not very useful, you just want to have it forwarded to the outgoing interface
> as fast as possible".
>
> -Tom

On Tuesday 25 October 2005 07:41, John Rufino wrote:
> You have sent this to the wrong person.
>

John -- if you received my post then I can only assume that you are subscribed to the Shorewall User's mailing list or that someone who is subscribed is forwarding list posts to you. I assure you that I did not send the post directly to you but rather to the list.

If you feel that you received the post in error, check the SMTP headers to see how the post was routed to you.

-Tom