Hello,

I have the following configuration on my PC:

eth0-->VPN (ipsec)--> outside world

I set up the firewall and it is running.

The problem I have is with traffic shaping - it doesn't work, I probably missed something.

In the attached file there is the output of "shorewall dump".

My eth0 address is dhcp (129.206.167.207) and vpnlink (vpn device) has ip 129.206.196.77.

I'm trying to shape port 9176 and it doesn't work. Any ideas?

Cheers
Slavo

Slavik Hnatic wrote:
> Hello,
>
> I have the following configuration on my PC:
>
> eth0-->VPN (ipsec)--> outside world
>
> I set up the firewall and it is running.
>
> The problem I have is with traffic shaping - it doesn't work, I probably missed something.
>
> In the attached file there is the output of "shorewall dump".
>
> My eth0 address is dhcp (129.206.167.207) and vpnlink (vpn device) has ip 129.206.196.77.
>
> I'm trying to shape port 9176 and it doesn't work. Any ideas?

You are doing your traffic shaping on eth0 -- you need to be shaping on vpnlink.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Thanks for a fast response,

I changed the device in tcdevices and tcclasses from eth0 to vpnlink.

Still doesn't work.

Attached new output of "shorewall dump".

Cheers
Slavo

Slavik Hnatic wrote:
> Thanks for a fast response,
>
> I changed the device in tcdevices and tcclasses from eth0 to vpnlink.
>
> Still doesn't work.
>
> Attached new output of "shorewall dump".

In your tcrules file, you must specify $FW in the SOURCE column -- please see the description of that column in the documentation.

-Tom

Still doesn't work.

I attached new output of "shorewall dump", and just to be sure, my tcrules file is this now:

#MARK   SOURCE   DEST        PROTO   PORT(S)   CLIENT    USER   TEST
#                                              PORT(S)
#dc++
3       $FW      0.0.0.0/0   tcp     -         9176
3       $FW      0.0.0.0/0   udp     -         9176

Cheers
Slavo

Slavik Hnatic wrote:
> Still doesn't work.
>
> I attached new output of "shorewall dump", and just to be sure, my tcrules file is this now:
>
> #MARK   SOURCE   DEST        PROTO   PORT(S)   CLIENT    USER   TEST
> #                                              PORT(S)
> #dc++
> 3       $FW      0.0.0.0/0   tcp     -         9176
> 3       $FW      0.0.0.0/0   udp     -         9176

I don't know what to tell you. The rules are correct but no traffic was marked.

Chain tcout (1 references)
 pkts bytes target  prot opt in  out  source      destination
    0     0 MARK    tcp  --  *   *    0.0.0.0/0   0.0.0.0/0    tcp spt:9176 MARK set 0x3
    0     0 MARK    udp  --  *   *    0.0.0.0/0   0.0.0.0/0    udp spt:9176 MARK set 0x3

I note that at the time you took the dump, there was no incoming connection to port 9176.

-Tom
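
The check made by eye in the reply above (zero pkts/bytes counters on both MARK rules in tcout), as an added example that is not part of the original thread: a shell function that lists the MARK rules no packet has matched yet. The listing is the one from the reply plus one constructed dpt:22 line with a non-zero counter for contrast; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find MARK rules that have never matched.
# On a live system the input would come from:
#   iptables -t mangle -L tcout -n -v | unmatched_marks

# Reads a chain listing on stdin; prints "<proto> <port match> mark=<value>"
# for every MARK rule whose packet counter is still 0.
unmatched_marks() {
    awk '
        # Skip the "Chain ..." header and the column-title line.
        $1 == "Chain" || $1 == "pkts" { next }
        # Rule line layout:
        # pkts bytes target prot opt in out source destination [match ...]
        $3 == "MARK" && $1 == "0" {
            port = ""; mark = ""
            for (i = 10; i <= NF; i++) {
                # "MARK set 0x3" is the target action at the end of the line.
                if ($i == "MARK" && $(i + 1) == "set") { mark = $(i + 2); break }
                # spt:/dpt: tells whether source or destination port is matched.
                if ($i ~ /^(spt|dpt|spts|dpts):/) port = $i
            }
            print $4, port, "mark=" mark
        }
    '
}

# Listing from the reply above, plus one constructed rule (dpt:22) that has
# seen traffic, so the filter has something to exclude.
sample_listing() {
    cat <<'EOF'
Chain tcout (1 references)
 pkts bytes target prot opt in out source destination
    0     0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:9176 MARK set 0x3
    0     0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:9176 MARK set 0x3
   42  3360 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x1
EOF
}

sample_listing | unmatched_marks
```

Both 9176 rules are reported with `spt:`, meaning they match only packets leaving the firewall with source port 9176, so the counters stay at zero until a remote peer actually connects to that port.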

Thanks anyway, if I find a solution I'll post it.

Cheers
Slavo