Hello, all. I am led to understand that I might be able to post a dump of my Shorewall configuration and ask for some assistance regarding a QoS problem I've been having. I do hope I'm posting in the right place and not violating any rules of etiquette; if I am, please let me know. :)

The task at hand: differentiate between SSH packets and SCP packets using Shorewall 3.0.7. I'm aware that both use the same protocol and port and this is where the difficulty comes in. All of my other QoS info is being handled by prioritizing certain ports on certain machines. Those things which are deemed important (HTTP, SMTP, DNS, etc.) should be passed to tcclass 3; everything else should go to tcclass 5. Excepting my special rules for my VoIP phone (tcclass 1) and ACK packets (tcclass 2), this is an accurate representation of how things are working right now. My tcclasses file, for reference:

    eth0  1  100kbit  200kbit    1
    eth0  2  full/4   full       2  tcp-ack
    eth0  3  full/2   full       3
    eth0  4  50kbit   100kbit    4
    eth0  5  full/10  full*8/10  5  default,tos-maximize-throughput

It all works great except for the "tos-maximize-throughput" option. I want packets with the Maximize Throughput TOS bit set to be routed to tcclass 5 regardless of all other rules. That way, SCP (which has Maximize Throughput set) will be lumped in with low priority batch transfers while SSH (which does not) will be treated with dignity and respect. I eventually hope to pass SCP to tcclass 4 so that it is treated as slightly more important than things like FTP downloads but still doesn't interfere with interactive connections.

I've used wireshark to examine the incoming packets. SCP packets are definitely TOS-flagged properly, as are the SSH packets. However, when I use "watch tc -s qdisc" and perform an SCP transfer, it is very apparent that the SCP packets have been sent to tcclass 3. The only reason I can imagine this is happening is the set of rules I'm using to prioritize SSH:

    3  0.0.0.0/0  0.0.0.0/0  tcp  22
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   22

However, the tcclasses documentation specifically says that packets which match the TOS options on a tcclass are sent to that class regardless of the mark on the packet. So I'm proceeding with the assumption that that isn't what's happening.

Looking at the end of my Shorewall dump, I see this:

    Traffic Filters

    Device eth0:
    filter parent 1: protocol ip pref 10 u32
    filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
    filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12
      match 00060000/00ff0000 at 8
      match 05000000/0f00ffc0 at 0
      match 00100000/00ff0000 at 32
    filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:15
      match 00080000/00080000 at 0

I'm not exactly a tc expert but that looks to me like that's the part of the configuration which will distinguish between Maximize Throughput and otherwise for me. However, I'm quite sure that it's not working right; a friend of mine fetched a CD image from my machine using SCP earlier and it purely crippled my connection. I've been hammering away at this since with no success at all.

Attached, you'll find my gzipped Shorewall dump (with the established connections section snipped out for brevity). The firewall is a Debian Etch machine (i686) running the stock Debian 2.6.17 kernel. I am prepared to compile a custom kernel if necessary, but I didn't see anything under the stock kernel config's netfilter section that wasn't at least compiled as a module. I will, of course, provide any other information which might illuminate the issue here.

Thanks for reading! Any advice or suggestions are greatly appreciated. Shorewall has thus far done a fantastic job of replacing my old custom firewall script; this is pretty much the last hurdle I have to jump.

Thanks again,

Zachary Palmer

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
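An added example (not code from the post or from Shorewall) that parses the tc output quoted above, names the header fields each VALUE/MASK pair tests, and runs constructed SCP, SSH and bare-ACK packets through the two filters, taking flowids 1:12 and 1:15 to be the tcp-ack class 2 and class 5. It assumes IPv4 headers without options, which the first filter's IHL check enforces anyway.

```python
"""Decode the tc u32 filters from the Shorewall dump and run sample packets through them.

"match VALUE/MASK at OFFSET" means: take the 32-bit big-endian word at byte OFFSET of
the IP header, AND it with MASK and compare with VALUE.  All matches of a filter must
hold; filters are tried in handle order and the first hit decides the flowid (class).
"""
import re
import struct

# Constructed input: the "Traffic Filters" block quoted in the post.
TC_OUTPUT = """\
filter parent 1: protocol ip pref 10 u32
filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12
  match 00060000/00ff0000 at 8
  match 05000000/0f00ffc0 at 0
  match 00100000/00ff0000 at 32
filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:15
  match 00080000/00080000 at 0
"""

FLOWID_RE = re.compile(r"flowid (\S+)")
MATCH_RE = re.compile(r"match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")
TOS_BITS = {0x10: "minimize-delay", 0x08: "maximize-throughput",
            0x04: "maximize-reliability", 0x02: "minimize-cost"}


def parse_filters(text):
    """Return [(flowid, [(value, mask, offset), ...]), ...] in tc's order."""
    filters = []
    for line in text.splitlines():
        fid = FLOWID_RE.search(line)
        if fid:
            filters.append((fid.group(1), []))
            continue
        m = MATCH_RE.search(line)
        if m and filters:
            filters[-1][1].append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))))
    return filters


def describe(value, mask, off):
    """Name the IPv4/TCP fields one match tests (assumes IHL=5, so IP byte 33 is TCP byte 13)."""
    parts = []
    if off == 0 and mask & 0x0f000000:
        parts.append("IHL == %d" % ((value >> 24) & 0x0f))
    if off == 0 and mask & 0x00ff0000:
        bits, want = (mask >> 16) & 0xff, (value >> 16) & 0xff
        names = ", ".join(n for b, n in TOS_BITS.items() if bits & b)
        parts.append("TOS & 0x%02x == 0x%02x (%s)" % (bits, want, names or "precedence"))
    if off == 0 and mask & 0xffff:
        if (mask & 0xffff, value & 0xffff) == (0xffc0, 0):
            parts.append("total length < 64")  # 0xffc0 ignores the low 6 bits
        else:
            parts.append("total length & 0x%04x == %d" % (mask & 0xffff, value & 0xffff))
    if off == 8 and mask & 0x00ff0000:
        parts.append("protocol == %d" % ((value >> 16) & 0xff))
    if off == 32 and mask & 0x00ff0000:
        parts.append("TCP flags == 0x%02x" % ((value >> 16) & 0xff))
    return "; ".join(parts) or "word at %d & 0x%08x == 0x%08x" % (off, mask, value)


def classify(packet, filters):
    """Flowid of the first filter whose matches all hold, or None (the fwmark rules decide)."""
    for flowid, matches in filters:
        for value, mask, off in matches:
            if off + 4 > len(packet):
                break
            (word,) = struct.unpack("!I", packet[off:off + 4])
            if word & mask != value:
                break
        else:
            return flowid
    return None


def build_packet(tos, tcp_flags, payload_len):
    """Constructed IPv4+TCP packet to port 22 without options; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40 + payload_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 45678, 22, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip + tcp + bytes(payload_len)


FILTERS = parse_filters(TC_OUTPUT)

if __name__ == "__main__":
    for flowid, matches in FILTERS:
        print("flowid", flowid, "<-", " AND ".join(describe(*m) for m in matches))
    samples = {"SCP data (TOS 0x08, PSH|ACK, 1400 bytes)": build_packet(0x08, 0x18, 1400),
               "SSH keystroke (TOS 0x10, PSH|ACK, 48 bytes)": build_packet(0x10, 0x18, 48),
               "bare ACK (TOS 0x10, ACK, no payload)": build_packet(0x10, 0x10, 0)}
    for name, pkt in samples.items():
        print("%-45s -> %s" % (name, classify(pkt, FILTERS)))
```

The run shows that the u32 side does send a TOS-0x08 data segment to 1:15 and a small bare ACK to 1:12 first, so if SCP still ends up in class 3 the cause lies outside these two filters.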
Hello all,

I found an article on how to build ipp2p filtering. Modified tcrules file and after restarting shorewall got:

    Compiling /etc/shorewall/ecn...
    Compiling Traffic Control Rules...
       ERROR: Your kernel and/or iptables does not have IPP2P match support. Rule: "1:F - - ipp2p ipp2p "
    /sbin/shorewall: line 774:  5592 Terminated  $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart

Seems that kernel doesn't have support for ipp2p, but then I run iptables -m ipp2p --help I get:

    IPP2P v0.7.2 options:
      --ipp2p        Grab all known p2p packets
      --ipp2p-data   Identify all known p2p download commands (obsolete)
      --edk          [TCP&UDP] All known eDonkey/eMule/Overnet packets
      --dc           [TCP] All known Direct Connect packets
      --kazaa        [TCP&UDP] All known KaZaA packets
      --gnu          [TCP&UDP] All known Gnutella packets
      --bit          [TCP&UDP] All known BitTorrent packets
      --apple        [TCP] All known AppleJuice packets (beta - just a few tests until now)
      --winmx        [TCP] All known WinMX (beta - need feedback)
      --soul         [TCP] All known SoulSeek (beta - need feedback!)
      --ares         [TCP] All known Ares - use with DROP only (beta - need feedback!)
      --edk-data     [TCP] eDonkey/eMule/Overnet download commands (obsolete)
      --dc-data      [TCP] Direct Connect download command (obsolete)
      --kazaa-data   [TCP] KaZaA download command (obsolete)
      --gnu-data     [TCP] Gnutella download command (obsolete)

What is wrong?

Liutauras

------------------------------
Infosaitas
+370 650 82554
www.infosaitas.lt
Couple of suggestions,

a) Can you change the order of default and tos-maximize-throughput?
b) If that doesn't work, separate classes for default and tos-maximize-throughput?
c) Can you try with a tcrule for this? Using the TOS field. This requires an upgrade to 3.2.0 though.

If none of these work, post a copy of your tcrules here.

Prasanna.

On 10/11/06, Zachary Palmer <zep01@bahj.com> wrote:
> The task at hand: differentiate between SSH packets and SCP packets
> using Shorewall 3.0.7.
Prasanna,

Thanks for the reply. :) I would upgrade to Shorewall 3.2.x but, for some reason, there is no Debian package newer than 3.0.7 (even in unstable). I wouldn't know how to create a package for myself and I don't think the Shorewall source comes Debian-package-ready... and I'd like to keep to the package system if possible because it makes accounting for those programs which are installed much easier.

However, I did try your first two suggestions. Unfortunately, I had no luck with them. For (a), I reversed the order of "default" and "tos-maximize-throughput" to no avail. For (b), I moved "tos-maximize-throughput" to tcclass 4 in my tcclasses file (as previously shown) and it had no effect. When I performed the SCP transfer, nothing showed up under tcclass 4.

My tcrules file is as follows:

    # ************ Maximize priority of VoIP traffic *******************************************
    1  192.168.0.248

    # ************ Prioritize pings with low payload *******************************************
    2  0.0.0.0/0  0.0.0.0/0  icmp  echo-request
    2  0.0.0.0/0  0.0.0.0/0  icmp  echo-reply

    # ************ Prioritize services *********************************************************

    # DNS
    3  0.0.0.0/0  0.0.0.0/0  tcp  53
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   53
    3  0.0.0.0/0  0.0.0.0/0  udp  53
    3  0.0.0.0/0  0.0.0.0/0  udp  -   53

    # HTTP
    3  0.0.0.0/0  0.0.0.0/0  tcp  80
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   80

    # SMTP/POP3
    3  0.0.0.0/0  0.0.0.0/0  tcp  25
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   25
    3  0.0.0.0/0  0.0.0.0/0  tcp  110
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   110

    # SSH
    3  0.0.0.0/0  0.0.0.0/0  tcp  22
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   22

    # VNC
    3  0.0.0.0/0  0.0.0.0/0  tcp  5500
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   5500
    3  0.0.0.0/0  0.0.0.0/0  tcp  5900
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   5900

    # ************ Prioritize various applications which require interactivity *****************

    # AIM
    3  0.0.0.0/0  0.0.0.0/0  tcp  5190

    # Battle for Wesnoth
    3  0.0.0.0/0  0.0.0.0/0  tcp  14998:15000
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   14998:15000

    # CounterStrike
    3  0.0.0.0/0  0.0.0.0/0  udp  1200
    3  0.0.0.0/0  0.0.0.0/0  udp  -   1200
    3  0.0.0.0/0  0.0.0.0/0  udp  27000:27015
    3  0.0.0.0/0  0.0.0.0/0  udp  -   27000:27015
    3  0.0.0.0/0  0.0.0.0/0  tcp  27030:27039
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   27030:27039

    # Diablo II
    3  0.0.0.0/0  0.0.0.0/0  tcp  4000
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   4000
    3  0.0.0.0/0  0.0.0.0/0  tcp  6112
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   6112
    3  0.0.0.0/0  0.0.0.0/0  udp  6112
    3  0.0.0.0/0  0.0.0.0/0  udp  -   6112

    # Diablo II - ChaosEmpire
    3  0.0.0.0/0  0.0.0.0/0  tcp  4001
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   4001

    # Scorched3D
    3  0.0.0.0/0  0.0.0.0/0  tcp  27270
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   27270

    # Sea3D
    3  0.0.0.0/0  0.0.0.0/0  tcp  7176
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   7176

    # World of Warcraft
    3  0.0.0.0/0  0.0.0.0/0  tcp  3724
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   3724
    3  0.0.0.0/0  0.0.0.0/0  tcp  6112
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   6112

    # Yahoo! Games
    3  0.0.0.0/0  0.0.0.0/0  tcp  11999
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   11999

Thanks for your help and your time. :)

Cheers,

Zach

Prasanna Krishnamoorthy wrote:
> If none of these work, post a copy of your tcrules here.
Finale:

Prasanna was kind enough to send me a Debian package for Shorewall 3.2.2 since there does not currently exist any official Debian Shorewall package beyond 3.0.7-1. I have uploaded the package to my webspace at http://bahj.com/flotsam/shorewall_3.2.2-1_all.deb in case anyone else needs a copy of it.

Using 3.2, I was able to get the kind of behavior I wanted using these rules:

    3  0.0.0.0/0  0.0.0.0/0  tcp  22
    3  0.0.0.0/0  0.0.0.0/0  tcp  -   22
    4  0.0.0.0/0  0.0.0.0/0  tcp  22   -  -  -  -  8
    4  0.0.0.0/0  0.0.0.0/0  tcp  -   22  -  -  -  8

Cheers!

Zach
Liutauras Adomaitis wrote:
> What is wrong?

Your iptables has IPP2P support -- your kernel doesn't.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi,

I'm also having the same problem. The ipp2p module is loaded correctly into the kernel:

    root@gw1:/etc/shorewall# lsmod | grep ipp2p
    ipt_ipp2p               9088  0

And like the former post, iptables reports support for ipp2p. I had problems to make ipp2p support into iptables 1.3.6 so I downgraded to 1.3.5. And now iptables recognizes the match but "shorewall show capabilities" keeps on saying:

    IPP2P Match: Not available

I was using ubuntu with shorewall 3.2.4 .deb package and decided to try with 3.2.5 tarball. But I'm still having the same problem.

Could it be a problem related to the 2.6.18 kernel?

I don't know what else I can try.

Thanks in advance.

On Wed, 11-10-2006 at 07:39 -0700, Tom Eastep wrote:
> Liutauras Adomaitis wrote:
> > What is wrong?
>
> Your iptables has IPP2P support -- your kernel doesn't.
>
> -Tom

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Vicente Ferrando wrote:
> Hi,
>
> I'm also having the same problem. The ipp2p module is loaded correctly
> into the kernel:
> root@gw1:/etc/shorewall# lsmod | grep ipp2p
> ipt_ipp2p 9088 0
>
> And like the former post, iptables reports support for ipp2p. I had
> problems getting ipp2p support into iptables 1.3.6, so I downgraded to
> 1.3.5. Now iptables recognizes the match, but "shorewall show
> capabilities" keeps on saying: IPP2P Match: Not available
>
> I was using Ubuntu with the Shorewall 3.2.4 .deb package and decided to try
> the 3.2.5 tarball. But I'm still having the same problem.
>
> Could it be a problem related to the 2.6.18 kernel?
>
> I don't know what else I can try.

What is the result of this sequence of commands:

ipset -N fooX1234 iphash
iptables -N fooX1234
iptables -A fooX1234 -m set --set fooX1234 src -j ACCEPT

-Tom
Tom Eastep wrote:
> Vicente Ferrando wrote:
>> Hi,
>>
>> I'm also having the same problem. The ipp2p module is loaded correctly
>> into the kernel:
>> root@gw1:/etc/shorewall# lsmod | grep ipp2p
>> ipt_ipp2p 9088 0
>>
>> And like the former post, iptables reports support for ipp2p. I had
>> problems getting ipp2p support into iptables 1.3.6, so I downgraded to
>> 1.3.5. Now iptables recognizes the match, but "shorewall show
>> capabilities" keeps on saying: IPP2P Match: Not available
>>
>> I was using Ubuntu with the Shorewall 3.2.4 .deb package and decided to try
>> the 3.2.5 tarball. But I'm still having the same problem.
>>
>> Could it be a problem related to the 2.6.18 kernel?
>>
>> I don't know what else I can try.
>
> What is the result of this sequence of commands:
>
> ipset -N fooX1234 iphash
> iptables -N fooX1234
> iptables -A fooX1234 -m set --set fooX1234 src -j ACCEPT

Sorry -- wrong set of commands (I've been working on an ipsets problem this morning). Try these:

iptables -N fooX1234
iptables -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT

-Tom
This is the result:

iptables: Unknown error 18446744073709551615

I was worried about what the relation was with your previous commands :-O

I'll try with Shorewall 3.2.6 now.

Thanks

On Sat, 18-11-2006 at 09:12 -0800, Tom Eastep wrote:
> Tom Eastep wrote:
> > Vicente Ferrando wrote:
> >> Hi,
> >>
> >> I'm also having the same problem. The ipp2p module is loaded correctly
> >> into the kernel:
> >> root@gw1:/etc/shorewall# lsmod | grep ipp2p
> >> ipt_ipp2p 9088 0
> >>
> >> And like the former post, iptables reports support for ipp2p. I had
> >> problems getting ipp2p support into iptables 1.3.6, so I downgraded to
> >> 1.3.5. Now iptables recognizes the match, but "shorewall show
> >> capabilities" keeps on saying: IPP2P Match: Not available
> >>
> >> I was using Ubuntu with the Shorewall 3.2.4 .deb package and decided to try
> >> the 3.2.5 tarball. But I'm still having the same problem.
> >>
> >> Could it be a problem related to the 2.6.18 kernel?
> >>
> >> I don't know what else I can try.
> >
> > What is the result of this sequence of commands:
> >
> > ipset -N fooX1234 iphash
> > iptables -N fooX1234
> > iptables -A fooX1234 -m set --set fooX1234 src -j ACCEPT
>
> Sorry -- wrong set of commands (I've been working on an ipsets problem this
> morning). Try these:
>
> iptables -N fooX1234
> iptables -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT
>
> -Tom
Vicente Ferrando wrote:
> This is the result:
> iptables: Unknown error 18446744073709551615
>
> I was worried about what the relation was with your previous
> commands :-O
>
> I'll try with Shorewall 3.2.6 now.

It's not going to help. Your iptables/kernel is broken.

-Tom
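The two-command test Tom gives above, wrapped into a reusable probe, as an added example that is neither part of the thread nor Shorewall's own capability-detection code. It assumes only a standard iptables binary (the path can be overridden through the IPTABLES variable); the scratch chain name fooX1234 is the one used in the thread, while the function names probe_match, errno_is_minus_one and match_status and the three status words are this example's own. Unlike the one-off commands, it removes the scratch chain again afterwards, and it recognises the error value Vicente reports above: 18446744073709551615 is 2^64 - 1, the unsigned reading of -1, which is not a valid errno and therefore points at the iptables/kernel interface itself, as Tom's diagnosis says, rather than at a missing module.

```shell
#!/bin/sh
# Added example: probe whether a netfilter match is usable from user space,
# the way the two-command test in the thread does, and clean up afterwards.
# Assumptions: a standard iptables binary (override with IPTABLES=/path);
# the function names and status words are this example's own.

IPTABLES="${IPTABLES:-iptables}"
SCRATCH_CHAIN="fooX1234"          # scratch chain name taken from the thread
PROBE_ERROR=""                    # output of the last failed iptables call

# Remove the scratch chain if it exists; errors are expected when it does not.
cleanup_chain() {
    "$IPTABLES" -F "$SCRATCH_CHAIN" 2>/dev/null || true
    "$IPTABLES" -X "$SCRATCH_CHAIN" 2>/dev/null || true
}

# probe_match MATCH [MATCH-OPTIONS...]
# Returns 0 when a rule using "-m MATCH MATCH-OPTIONS" can be added to a
# scratch chain in the filter table, 1 otherwise (error text in PROBE_ERROR).
probe_match() {
    match="$1"; shift
    PROBE_ERROR=""
    cleanup_chain                                  # start from a clean slate
    if ! PROBE_ERROR=$("$IPTABLES" -N "$SCRATCH_CHAIN" 2>&1); then
        return 1                                   # cannot even create a chain
    fi
    rc=0
    if ! PROBE_ERROR=$("$IPTABLES" -A "$SCRATCH_CHAIN" -p tcp -m "$match" "$@" -j ACCEPT 2>&1); then
        rc=1
    fi
    cleanup_chain                                  # never leave fooX1234 behind
    return "$rc"
}

# errno_is_minus_one TEXT
# True when TEXT carries "Unknown error N" with N equal to 2^32-1 or 2^64-1,
# i.e. -1 printed as an unsigned number. Real errno values are small and
# positive, so such a value indicates a broken iptables/kernel interface
# rather than a module that is merely absent.
errno_is_minus_one() {
    case "$1" in
        *"Unknown error 4294967295"*|*"Unknown error 18446744073709551615"*) return 0 ;;
        *) return 1 ;;
    esac
}

# match_status MATCH [MATCH-OPTIONS...]
# Prints exactly one word: available, broken or unavailable.
match_status() {
    if probe_match "$@"; then
        echo available
    elif errno_is_minus_one "$PROBE_ERROR"; then
        echo broken
    else
        echo unavailable
    fi
}

# Probing the live kernel needs root; otherwise nothing is executed.
if [ "$(id -u)" -eq 0 ]; then
    echo "ipp2p match: $(match_status ipp2p --ipp2p)"
fi
```

Run as root on the firewall it prints one of the three words for the ipp2p match; "broken" is the outcome that corresponds to the thread, and "unavailable" is what a kernel that simply lacks the module reports. match_status takes any match name and its options, so the same probe can be pointed at other matches Shorewall's capability check relies on.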
So, I'd better use my time to compile a new kernel.

Thanks Tom.

On Sat, 18-11-2006 at 13:25 -0800, Tom Eastep wrote:
> Vicente Ferrando wrote:
> > This is the result:
> > iptables: Unknown error 18446744073709551615
> >
> > I was worried about what the relation was with your previous
> > commands :-O
> >
> > I'll try with Shorewall 3.2.6 now.
>
> It's not going to help. Your iptables/kernel is broken.
>
> -Tom
Vicente Ferrando wrote:
> So, I'd better use my time to compile a new kernel.

I would spend some time browsing the archives of the Netfilter list. It may be that ipp2p in 2.6.18 is just plain broken.

-Tom