Hello Shorewall users,

I have some questions I am hoping someone can answer. I have searched around the archives but so far I have been unable to find answers. I am trying to configure traffic shaping on my router/firewall box running Shorewall 3.0.5/kernel 2.4.31 and have run into some problems/questions.

My basic set up is: 1500/256kbit ADSL (PPPoE/ppp0) -> Shorewall box (eth1/192.168.1.254) -> Network (including a VoIP/SIP gateway on 192.168.1.1)

Firstly, does anyone have a link/website which can explain what is meant by this (in relation to Shorewall would be great):
"This value may be optionally followed by ":" and either "F" or "P" to designate that the marking will occur in the FORWARD or PREROUTING chains respectively."

I have a (very) rough understanding of how IPTables works, but don't understand how this affects the different rules I am trying to set up, and which of the options to use. I basically want to give the VoIP ATA top priority over everything else on the LAN (mark 1), give SSH/ICMP/ACK packets the next priority (mark 2), default traffic is mark 3, and then P2P on mark 4 (I have set all my P2P programs to only use 6881-6889). There was mention of VoIP in the TCCLASSES file, but not in the TCRULES file.

TCDEVICES:
#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
ppp0        1200kbit      205kbit

TCCLASSES:
#INTERFACE  MARK  RATE     CEIL       PRIORITY  OPTIONS
ppp0        1     100kbit  180kbit    1
ppp0        2     full/4   full       2         tcp-ack,tos-minimize-delay
ppp0        3     full/4   full       3         default
ppp0        4     full/8   full*8/10  4

TCRULES:
#MARK  SOURCE          DEST       PROTO  PORT(S)       CLIENT     USER  TEST
#                                                      PORT(S)
1      192.168.1.1     0.0.0.0/0  all
2:P    0.0.0.0/0       0.0.0.0/0  icmp   echo-request
2:P    0.0.0.0/0       0.0.0.0/0  icmp   echo-reply
2      192.168.1.0/24  0.0.0.0/0  tcp    22
4      192.168.1.0/24  0.0.0.0/0  udp    6881:6889
4      192.168.1.0/24  0.0.0.0/0  udp    -             6881:6889
4      192.168.1.0/24  0.0.0.0/0  tcp    6881:6889
4      192.168.1.0/24  0.0.0.0/0  tcp    -             6881:6889
4      192.168.1.0/24  0.0.0.0/0  tcp    20:21
4      192.168.1.0/24  0.0.0.0/0  tcp    -             20:21

Any help appreciated.

ps. Tom: thank you for making this easier

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
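As an added example (not part of the original post and not Shorewall's own code): a small Python checker that resolves the full/N and full*N/M RATE and CEIL expressions from the tcclasses above against the device's OUT-BANDWIDTH, the way Shorewall's tcclasses defines "full", and reports when a class ceiling exceeds the link or the guaranteed RATEs add up to more than the link can carry, since HTB can only honour guarantees that fit inside the parent's bandwidth. The two tables are constructed copies of the post's entries.

```python
import re

# Constructed copies of the tcdevices and tcclasses entries from the post above.
TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0       1200kbit     205kbit
"""
TCCLASSES = """\
#INTERFACE MARK RATE    CEIL      PRIORITY OPTIONS
ppp0       1    100kbit 180kbit   1
ppp0       2    full/4  full      2        tcp-ack,tos-minimize-delay
ppp0       3    full/4  full      3        default
ppp0       4    full/8  full*8/10 4
"""

def parse_kbit(value):
    """Convert an absolute tc rate ('205kbit', '1mbit') to kbit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit)", value)
    if not m:
        raise ValueError(f"unsupported rate {value!r}")
    return float(m.group(1)) * (1000 if m.group(2) == "mbit" else 1)

def eval_rate(expr, full):
    """Resolve 'full', 'full/N' or 'full*N/M' against the device OUT-BANDWIDTH (kbit/s)."""
    m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", expr)
    if m:
        return full * int(m.group(1) or 1) / int(m.group(2) or 1)
    return parse_kbit(expr)

def parse_table(text):
    """Whitespace-separated Shorewall table; '#' starts a comment."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def check_classes(tcdevices=TCDEVICES, tcclasses=TCCLASSES):
    """Per interface: resolved class rates, their sum and HTB consistency problems."""
    out_bw = {r[0]: parse_kbit(r[2]) for r in parse_table(tcdevices)}
    report = {i: {"out_bandwidth": bw, "classes": [], "rate_sum": 0.0, "problems": []}
              for i, bw in out_bw.items()}
    for r in parse_table(tcclasses):
        entry, full = report[r[0]], out_bw[r[0]]
        mark, rate, ceil = int(r[1]), eval_rate(r[2], full), eval_rate(r[3], full)
        entry["classes"].append({"mark": mark, "rate": rate, "ceil": ceil})
        entry["rate_sum"] += rate
        if rate > ceil or ceil > full:   # a class can never get more than its ceil or the link
            entry["problems"].append(f"class {mark}: RATE {rate} / CEIL {ceil} vs link {full}")
    for iface, entry in report.items():
        if entry["rate_sum"] > entry["out_bandwidth"]:   # guarantees exceed what HTB can honour
            entry["problems"].append(f"{iface}: RATEs sum to {entry['rate_sum']}kbit > {entry['out_bandwidth']}kbit")
    return report
```

Running check_classes() on the post's tables resolves class 4 to 25.625/164 kbit and shows the four RATEs summing to 228.125 kbit against a 205 kbit link.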
On Thursday 09 March 2006 13:30, Somatian wrote:
> Hello Shorewall users,
>
> I have some questions I am hoping someone can answer. I have searched
> around the archives but so far I have been unable to find answers. I
> am trying to configure traffic shaping on my router/firewall box
> running Shorewall 3.0.5/kernel 2.4.31 and have run into some
> problems/questions.
>
> My basic set up is: 1500/256kbit ADSL (PPPoE/ppp0) -> Shorewall box
> (eth1/192.168.1.254) -> Network (including a VoIP/SIP gateway on
> 192.168.1.1)
>
> Firstly, does anyone have a link/website which can explain what is
> meant by this (in relation to Shorewall would be great):
> "This value may be optionally followed by ":" and either "F" or "P" to
> designate that the marking will occur in the FORWARD or PREROUTING
> chains respectively."

There are a number of articles on the Shorewall website that deal with that:

a) http://www1.shorewall.net/Shorewall_and_Routing.html
b) http://www1.shorewall.net/NetfilterOverview.html
c) http://www1.shorewall.net/PacketHandling.html

Unless you are marking traffic that is subject to one-to-one NAT or DNAT, it doesn't make any difference whether you use P or F. P is primarily used for policy routing.

> I have a (very) rough understanding of how IPTables works, but don't
> understand how this affects the different rules I am trying to set up,
> and which of the options to use. I basically want to give the VoIP ATA
> top priority over everything else on the LAN (mark 1),

Then why are you limiting it to 180kbit?

> give SSH/ICMP/ACK packets the next priority (mark 2), default traffic is
> mark 3, and then P2P on mark 4 (I have set all my P2P programs to only
> use 6881-6889). There was mention of VoIP in the TCCLASSES file, but
> not in the TCRULES file.

Nonsense -- the 3.0.5 tcrules file has an elaborate example involving ipp2p.

> TCDEVICES:
> #INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
> ppp0        1200kbit      205kbit
>
> TCCLASSES:
> #INTERFACE  MARK  RATE     CEIL       PRIORITY  OPTIONS
> ppp0        1     100kbit  180kbit    1
> ppp0        2     full/4   full       2         tcp-ack,tos-minimize-delay
> ppp0        3     full/4   full       3         default
> ppp0        4     full/8   full*8/10  4
>
> TCRULES:
> #MARK  SOURCE          DEST       PROTO  PORT(S)       CLIENT     USER  TEST
> #                                                      PORT(S)
> 1      192.168.1.1     0.0.0.0/0  all
> 2:P    0.0.0.0/0       0.0.0.0/0  icmp   echo-request
> 2:P    0.0.0.0/0       0.0.0.0/0  icmp   echo-reply
> 2      192.168.1.0/24  0.0.0.0/0  tcp    22
> 4      192.168.1.0/24  0.0.0.0/0  udp    6881:6889
> 4      192.168.1.0/24  0.0.0.0/0  udp    -             6881:6889
> 4      192.168.1.0/24  0.0.0.0/0  tcp    6881:6889
> 4      192.168.1.0/24  0.0.0.0/0  tcp    -             6881:6889
> 4      192.168.1.0/24  0.0.0.0/0  tcp    20:21
> 4      192.168.1.0/24  0.0.0.0/0  tcp    -             20:21
>
> Any help appreciated.

The FTP rules that you have only work for active mode -- other than that and my question above, your setup looks reasonable. But then again, I'm not an expert in traffic shaping.

> ps. Tom: thank you for making this easier

Wasn't I -- Arne Bernin implemented Shorewall Traffic Shaping support.

-Tom

PS -- please don't resend your post if you don't get a response immediately -- it won't get your question answered any faster; I personally reward such impatience by waiting a while longer to answer the post.

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
I do apologise Tom. I only resent it because it hadn't been sent to the list yet, and I thought it may have been due to being sent in HTML format from gmail.

Thanks for the response.

On 3/10/06, Tom Eastep <teastep@shorewall.net> wrote:
> PS -- please don't resend your post if you don't get a response immediately --
> it won't get your question answered any faster; I personally reward such
> impatience by waiting a while longer to answer the post.