Hello everyone.
I use shorewall with support for traffic shapping. Im using version 3.2.4.
When I dont have QoS activated in shorewall I can make downloads at
950KBytes/s, but when I have QoS activated (TC_ENABLED=Internal) I can
just make downloads at 750KBytes/s and they are very unstable.
I dont know what I am doing wrong. I have a internet cable connection
with 8Mbits/s   of downstream and 384Kbits/s of upstream.
Here it is a simple configuration files that I am using (they are very
simple because im trying to debug the problem):
tcdevices:
#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
eth0            8mbit           384kbit
tcclasses
#INTERFACE  MARK    RATE         CEIL       PRIORITY        OPTIONS
eth0        1       full/9       full          1            default
tcrules:
here i dont have anything.
It seems that when I activate the QoS I loose download speed ant is very
unstable.
Example - With QoS
wget
ftp://xxx.pt/pub/slackware/slackware/slackware-10.2-iso/slackware-10.2-install-d1.iso
--04:17:10--
ftp://ftp.telepac.pt/pub/slackware/slackware/slackware-10.2-iso/slackware-10.2-install-d1.iso
           => `slackware-10.2-install-d1.iso''
Resolving ftp.telepac.pt... 194.65.100.42, 194.65.100.43
Connecting to ftp.telepac.pt|194.65.100.42|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD
/pub/slackware/slackware/slackware-10.2-iso ... done.
==> PASV ... done.    ==> RETR slackware-10.2-install-d1.iso ... done.
Length: 668,659,712 (638M) (unauthoritative)
1% [>     ] 8,119,456 715.99K/s  ETA 15:39
		      ********
As you can see just 715KB/s
Now without QoS(TC_ENABLED=No)
wget
ftp://ftp.telepac.pt/pub/slackware/slackware/slackware-10.2-iso/slackware-10.2-install-d1.iso
--04:19:52--
ftp://ftp.telepac.pt/pub/slackware/slackware/slackware-10.2-iso/slackware-10.2-install-d1.iso
           => `slackware-10.2-install-d1.iso.1''
Resolving ftp.telepac.pt... 194.65.100.43, 194.65.100.42
Connecting to ftp.telepac.pt|194.65.100.43|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD
/pub/slackware/slackware/slackware-10.2-iso ... done.
==> PASV ... done.    ==> RETR slackware-10.2-install-d1.iso ... done.
Length: 668,659,712 (638M) (unauthoritative)
 1% [>          ] 11,179,160   947.50K/s    ETA 11:33
				*******
As you can see 947KB...
Can you help me?
Thank you a lot.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Helder Gaspar Rodrigues wrote:> > As you can see 947KB... > > > > Can you help me?Sounds like you need to increase the IN-BANDWIDTH. In the output of "shorewall show tc", you should see something like the following: qdisc ingress ffff: ---------------- Sent 49358559 bytes 65794 pkts (dropped 0, overlimits 0 requeues 0) When your download speed is restricted, is the "dropped" counter non-zero? -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
What I have is: shorewall show tc Shorewall-3.2.4 Traffic Control at xpto - Fri Nov 10 17:45:23 WET 2006 Device eth0: qdisc htb 1: r2q 10 default 11 direct_packets_stat 1 ver 3.17 Sent 20183 bytes 303 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 qdisc ingress ffff: ---------------- Sent 92386 bytes 1097 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 qdisc sfq 11: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec Sent 20127 bytes 302 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 4608 rate 384000bit ceil 384000bit burst 1692b/8 mpu 0b overhead 0b cburst 1692b/8 mpu 0b overhead 0b level 0 Sent 20127 bytes 302 pkt (dropped 0, overlimits 0 requeues 0) rate 3136bit 5pps backlog 0b 0p requeues 0 lended: 302 borrowed: 0 giants: 0 tokens: 34084 ctokens: 34084 class htb 1:1 root rate 384000bit ceil 384000bit burst 1692b/8 mpu 0b overhead 0b cburst 1692b/8 mpu 0b overhead 0b level 7 Sent 20127 bytes 302 pkt (dropped 0, overlimits 0 requeues 0) rate 3216bit 6pps backlog 0b 0p requeues 0 lended: 0 borrowed: 0 giants: 0 tokens: 34084 ctokens: 34084 Device eth1: qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 Sent 7917727215 bytes 6789598 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 There is any problem in this configuration? Tom Eastep wrote:> Helder Gaspar Rodrigues wrote: > >> As you can see 947KB... >> >> >> >> Can you help me? > > Sounds like you need to increase the IN-BANDWIDTH. > > In the output of "shorewall show tc", you should see something like the following: > > qdisc ingress ffff: ---------------- > Sent 49358559 bytes 65794 pkts (dropped 0, overlimits 0 requeues 0) > > When your download speed is restricted, is the "dropped" counter non-zero? > > -Tom > > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------- > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > > > ------------------------------------------------------------------------ > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Yes that are packet being dropped: qdisc ingress ffff: ---------------- Sent 22676402 bytes 39464 pkt (dropped 244, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 why? thanks Tom Eastep wrote:> Helder Gaspar Rodrigues wrote: > >> As you can see 947KB... >> >> >> >> Can you help me? > > Sounds like you need to increase the IN-BANDWIDTH. > > In the output of "shorewall show tc", you should see something like the following: > > qdisc ingress ffff: ---------------- > Sent 49358559 bytes 65794 pkts (dropped 0, overlimits 0 requeues 0) > > When your download speed is restricted, is the "dropped" counter non-zero? > > -Tom > > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------- > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > > > ------------------------------------------------------------------------ > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Please don''t top-post -- I hate top-posts!!! I read from the top of the page to the bottom, not from the bottom to the top. Helder Gaspar Rodrigues wrote:> What I have is: ><useless output deleted>> There is any problem in this configuration?I can''t tell? You haven''t send any traffic through it (total of 20kb in each direction). You can only determine what traffic shaping is doing by exercising it *then* looking at the output of "shorewall show tc". And before you ask, there is no documentation about how to decode the output of that command. "shorewall show tc" is just this sequence of commands: tc -s -d qdisc show dev $device tc -s -d class show dev $device for each device in /etc/shorewall/tcdevices. But on input, the only thing that could slow your downloads is dropped packets in the ingress qdisc. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Helder Gaspar Rodrigues wrote:> Yes that are packet being dropped: > qdisc ingress ffff: ---------------- > Sent 22676402 bytes 39464 pkt (dropped 244, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > > why?The ingress qdisc is very imprecise. That is why the Shorewall traffic shaping instructions tell you to tune your IN-BADNWIDTH. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Im sorry about that. I will not repeat again. Well I incread step by step the IN-BANDWITH value. When I raise this value the number of dropped packets decreases. When I assign 15Mbit I only have 1 packet dropped. When I assign 20Mbit I dont have any. Soo if I assign 20Mbit, even I only have a 8Mbit downstream, there is any problem with that? Thanks Tom Eastep wrote:> Please don''t top-post -- I hate top-posts!!! I read from the top of the page to > the bottom, not from the bottom to the top. > > Helder Gaspar Rodrigues wrote: >> What I have is: >> > > <useless output deleted> > >> There is any problem in this configuration? > > I can''t tell? You haven''t send any traffic through it (total of 20kb in each > direction). You can only determine what traffic shaping is doing by exercising > it *then* looking at the output of "shorewall show tc". And before you ask, > there is no documentation about how to decode the output of that command. > "shorewall show tc" is just this sequence of commands: > > tc -s -d qdisc show dev $device > tc -s -d class show dev $device > > for each device in /etc/shorewall/tcdevices. > > But on input, the only thing that could slow your downloads is dropped packets > in the ingress qdisc. > > -Tom > > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------- > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > > > ------------------------------------------------------------------------ > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
On Fri, Nov 10, 2006 at 10:11:04AM -0800, Tom Eastep wrote:> Helder Gaspar Rodrigues wrote: > > Yes that are packet being dropped: > > qdisc ingress ffff: ---------------- > > Sent 22676402 bytes 39464 pkt (dropped 244, overlimits 0 requeues 0) > > rate 0bit 0pps backlog 0b 0p requeues 0 > > > > why? > > The ingress qdisc is very imprecise. That is why the Shorewall traffic shaping > instructions tell you to tune your IN-BADNWIDTH.That reminds me of a related question - tcdevices (and the html documentation) says this: # If you don''t want any traffic to be dropped set this # to a value faster than your interface. But why can''t I tell shorewall just to not bother creating an ingress qdisc at all? Ingress policing is pretty useless unless you''re trying to work around router braindamage at the other end (which I''m not). ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Andrew Suffield wrote:> On Fri, Nov 10, 2006 at 10:11:04AM -0800, Tom Eastep wrote: >> Helder Gaspar Rodrigues wrote: >>> Yes that are packet being dropped: >>> qdisc ingress ffff: ---------------- >>> Sent 22676402 bytes 39464 pkt (dropped 244, overlimits 0 requeues 0) >>> rate 0bit 0pps backlog 0b 0p requeues 0 >>> >>> why? >> The ingress qdisc is very imprecise. That is why the Shorewall traffic shaping >> instructions tell you to tune your IN-BADNWIDTH. > > That reminds me of a related question - tcdevices (and the html > documentation) says this: > > # If you don''t want any traffic to be dropped set this > # to a value faster than your interface. > > But why can''t I tell shorewall just to not bother creating an ingress > qdisc at all?Patches (and updated documentation) cheerfully accepted. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Helder Gaspar Rodrigues wrote:> Im sorry about that. I will not repeat again.You just did!> > Well I incread step by step the IN-BANDWITH value. > > When I raise this value the number of dropped packets decreases. > > When I assign 15Mbit I only have 1 packet dropped. When I assign 20Mbit > I dont have any. > > > Soo if I assign 20Mbit, even I only have a 8Mbit downstream, there is > any problem with that?As Andrew Suffield just quoted from the documentation: # If you don''t want any traffic to be dropped set this # to a value faster than your interface. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep wrote:> Helder Gaspar Rodrigues wrote: >> Im sorry about that. I will not repeat again. > > You just did! > >> Well I incread step by step the IN-BANDWITH value. >> >> When I raise this value the number of dropped packets decreases. >> >> When I assign 15Mbit I only have 1 packet dropped. When I assign 20Mbit >> I dont have any. >> >> >> Soo if I assign 20Mbit, even I only have a 8Mbit downstream, there is >> any problem with that? > > As Andrew Suffield just quoted from the documentation: > > # If you don''t want any traffic to be dropped set this > # to a value faster than your interface. >I should point out, however, that configuring traffic shaping can be a juggling act between maximizing download speed and improving interactive response time. You may have to compromise in one or both of these areas. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Helder Gaspar Rodrigues wrote:>Im sorry about that. I will not repeat again.But does so in the very same message !>Well I incread step by step the IN-BANDWITH value. > >When I raise this value the number of dropped packets decreases. > >When I assign 15Mbit I only have 1 packet dropped. When I assign 20Mbit >I dont have any. > > >Soo if I assign 20Mbit, even I only have a 8Mbit downstream, there is >any problem with that?No, it just means that there will be no ingress policing - that may or may not be what you want. The reason for ingress policing is to keep the total throughput very slightly lower than the link will handle to prevent the upstream buffer filling and creating latency. The ONLY way it can do that is to drop packets so that the TCP stacks on each end of the connection(s) will detect congestion and back-off. As the documentation says (you HAVE read the Linux Advanced Routing Howto haven''t you ?) it is very crude but does work. If you are not concerned with latency on your connection while downloading then you probably shouldn''t be using traffic control at all. If you are, then it''s well worth tuning your traffic rates to make it effective. At work our link utilisation has recently gone up to the point where our VoIP was suffering, and web hosting was suffering from the effects of large mailshots. Adding tc has solved both problems, and just took a little tuning to get our actual link speeds. ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
On Fri, 2006-10-11 at 10:07 -0800, Tom Eastep wrote:> > But on input, the only thing that could slow your downloads is dropped packets > in the ingress qdisc.Ahh. Don''t forget about ACK starvation on the uplink though. Hopefully the QOS configuration is sufficient to put ACKs in the highest priority band. b. -- My other computer is your Microsoft Windows server. Brian J. Murrell ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Brian J. Murrell wrote:> On Fri, 2006-10-11 at 10:07 -0800, Tom Eastep wrote: >> But on input, the only thing that could slow your downloads is dropped packets >> in the ingress qdisc. > > Ahh. Don''t forget about ACK starvation on the uplink though. Hopefully > the QOS configuration is sufficient to put ACKs in the highest priority > band.The "default" WonderShaper-replacement configuration certainly is. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
On Fri, 2006-10-11 at 11:40 -0800, Tom Eastep wrote:> Brian J. Murrell wrote: > > On Fri, 2006-10-11 at 10:07 -0800, Tom Eastep wrote: > >> But on input, the only thing that could slow your downloads is dropped packets > >> in the ingress qdisc. > > > > Ahh. Don''t forget about ACK starvation on the uplink though. Hopefully > > the QOS configuration is sufficient to put ACKs in the highest priority > > band. > > The "default" WonderShaper-replacement configuration certainly is.Tom, I have to preface by saying I have only a faint memory of the tc stuff in shorewall since it''s useless to me on Mandriva since they decided to ship 2007.0 without the pp2p module. :-( But I wonder if this sort of thing, putting acks in the highest priority band for example is something shorewall can/should do for the user and should be the default behaviour in absence of some kind of positive action on the user to make it not so? I''d think it''s the behaviour that most (qos ignorant at least) users would want. b. ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Brian J. Murrell wrote:> > I have to preface by saying I have only a faint memory of the tc stuff > in shorewall since it''s useless to me on Mandriva since they decided to > ship 2007.0 without the pp2p module. :-( > > But I wonder if this sort of thing, putting acks in the highest priority > band for example is something shorewall can/should do for the user and > should be the default behaviour in absence of some kind of positive > action on the user to make it not so? I''d think it''s the behaviour that > most (qos ignorant at least) users would want.Brian, What is really required is for someone to have a flash of insight about traffic shaping like I did about packet filtering when I first envisioned the zone-policy-rule model. I''ve had no such revelation when it comes to traffic shaping and until I or someone else can come up with a clean and simple abstraction for modeling the TC problem space, I really don''t see much value in tinkering with the current code. That current code was inherited from another project and it doesn''t raise the level of abstraction above what people can find in the LARTC Howto. And the class model that HTB and similar qdiscs implement is just too complex (although HTB is a major improvement over CBQ when it comes to complexity). I often wish that I hadn''t integrated TC into Shorewall at all because it is a major support headache. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
On 11/10/06, Brian J. Murrell <brian@interlinx.bc.ca> wrote:> But I wonder if this sort of thing, putting acks in the highest priority > band for example is something shorewall can/should do for the user and > should be the default behaviour in absence of some kind of positive > action on the user to make it not so? I''d think it''s the behaviour that > most (qos ignorant at least) users would want.Although I know Tom is not looking to do an overhaul of the tc system for some time, when and if that happens, I''d like to say that I am for this type of change. I have not yet started using the traffic shaping features, but when I setup Shorewall, I went ahead and configured it simply with very high values for the interfaces, so that it is effectively enabled but not configured to actually do anything. This is so when I want to enable the feature (which is probably soon, to help the VOIP service at home), I can easily go back and make the necessary configuration changes and hopefully it will work. Maybe this was a good way to go about it, and maybe it wasn''t; only time will tell. However, since I am new to all but the utmost basics of traffic shaping, any types of "helper configurations" like Brian is talking about would be welcome, I think. Anyway, thanks for a great product, Shorewall has been running error-free for months now and is so quick and easy to use when I want to make some small change or other to the setup. Kevin -- In Vino Veritas http://astroturfgarden.com ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642