I'm having troubles with my outbound VOIP connection. I'm convinced that I don't have QOS/traffic shaping configured properly in my shorewall linux firewall, which serves as my Asterisk VOIP server and Internet router/gateway. I don't have a separate router box. I've been using VOIP for about a year now, but just recently realized that I need to set up QOS and traffic shaping through my firewall. People consistently tell me that my VOIP outbound service sucks. I have googled and googled and googled, but no definitive answer to my questions.

I'm running Asterisk PBX software using the IAX protocol on port 4569 to my VOIP provider.

linux# uname -a
Linux linux 2.6.18.1 #2 SMP Sat Oct 28 20:14:02 EDT 2006 i686 i686 i386 GNU/Linux

Do I have shorewall configured properly to prioritize VOIP traffic? I have attached the status.txt.gz from shorewall dump. What I believe are the relevant file entries are:

I'm not sure if I need the tos entries; I found these suggestions at voip-info.org.

/etc/shorewall/tos:
all all udp 4569 - 16
all all udp 5060 - 16
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8

/etc/shorewall/tcdevices:
eth0 6000kbit 500kbit

tcclasses:
eth0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc,tos=0x48/0xfc
eth0 2 full/4 full 2 tcp-ack,tos-minimize-delay
eth0 3 full/4 full 3 default
eth0 4 full/8 full*8/10 4

/etc/shorewall/tcrules:
1 0.0.0.0/0 0.0.0.0/0 udp 4569
1 0.0.0.0/0 0.0.0.0/0 tcp 4569
1 0.0.0.0/0 0.0.0.0/0 udp 5060
1 0.0.0.0/0 0.0.0.0/0 tcp 5060
2 0.0.0.0/0 0.0.0.0/0 icmp echo-request
2 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
3 0.0.0.0/0 0.0.0.0/0 tcp 20
3 0.0.0.0/0 0.0.0.0/0 tcp 21
3 0.0.0.0/0 0.0.0.0/0 tcp 22
4 0.0.0.0/0 0.0.0.0/0 all - - - !0

These changes appear better, but certainly not MA BELL quality yet. I think it should be better still.

Thanks,
Jim

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Hi,
I can only point out one gotcha that I also ran into:

On 1/19/07, Jim Duda <jim@duda.tzo.com> wrote:
> I'm having troubles with my outbound VOIP connection. I'm convinced
> that I don't have QOS/traffic shaping configured properly in my
> shorewall linux firewall, which serves as my Asterisk VOIP server and
> Internet router/gateway. I don't have a separate router box. I've been
>
> ... [cut] ...
>
> /etc/shorewall/tcrules:
> 1 0.0.0.0/0 0.0.0.0/0 udp 4569
> 1 0.0.0.0/0 0.0.0.0/0 tcp 4569
> 1 0.0.0.0/0 0.0.0.0/0 udp 5060
> 1 0.0.0.0/0 0.0.0.0/0 tcp 5060
> 2 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> 2 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
> 3 0.0.0.0/0 0.0.0.0/0 tcp 20
> 3 0.0.0.0/0 0.0.0.0/0 tcp 21
> 3 0.0.0.0/0 0.0.0.0/0 tcp 22
> 4 0.0.0.0/0 0.0.0.0/0 all - - - !0

Since the traffic originates on the firewall, you need to specify $FW as the source in tcrules, or it won't mark the traffic.

Hope that helps!

~David
David,

Like this ?

1 $FW 0.0.0.0/0 udp 4569
1 $FW 0.0.0.0/0 tcp 4569
1 $FW 0.0.0.0/0 udp 5060
1 $FW 0.0.0.0/0 tcp 5060
2 $FW 0.0.0.0/0 icmp echo-request
2 $FW 0.0.0.0/0 icmp echo-reply
3 $FW 0.0.0.0/0 tcp 20
3 $FW 0.0.0.0/0 tcp 21
3 $FW 0.0.0.0/0 tcp 22
4 $FW 0.0.0.0/0 all - - - !0

Jim
On 1/19/07, Jim Duda <jim@duda.tzo.com> wrote:
> David,
>
> Like this ?
>
> 1 $FW 0.0.0.0/0 udp 4569
> 1 $FW 0.0.0.0/0 tcp 4569
> 1 $FW 0.0.0.0/0 udp 5060
> 1 $FW 0.0.0.0/0 tcp 5060
> 2 $FW 0.0.0.0/0 icmp echo-request
> 2 $FW 0.0.0.0/0 icmp echo-reply
> 3 $FW 0.0.0.0/0 tcp 20
> 3 $FW 0.0.0.0/0 tcp 21
> 3 $FW 0.0.0.0/0 tcp 22
> 4 $FW 0.0.0.0/0 all - - - !0

Yes, and of course that's also documented in shorewall's traffic shaping page.

~David
David,
Thanks for the help.
"shorewall show mangle" gives me below. Is this what you would expect
with $FW as the source?
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 MARK set 0x1
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 MARK set 0x1
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x1
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 MARK set 0x1
0 0 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 MARK set 0x2
0 0 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 MARK set 0x2
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 MARK set 0x3
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x3
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x3
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0/0xffff MARK set 0x4

Jim
David,
When I do shorewall show ipmangle, I see that packets are getting marked
with "1"; however, should I expect a non-zero pkt number in the CLASSIFY
section?

Chain tcout (1 references)
pkts bytes target prot opt in out source destination
456 100K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 MARK set 0x1
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 MARK set 0x1
15 8202 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x1
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 MARK set 0x1
27 2268 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 MARK set 0x2
12 912 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 MARK set 0x2
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 MARK set 0x3
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x3
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x3
510 112K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0/0xffff MARK set 0x4

Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x1/0xff CLASSIFY set 1:11
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x2/0xff CLASSIFY set 1:12
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x3/0xff CLASSIFY set 1:13
466 106K CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x4/0xff CLASSIFY set 1:14
Jim Duda wrote:
> David,
>
> When I do shorewall show ipmangle, I see that packets are getting marked
> with "1"; however, should I expect a non-zero pkt number in the CLASSIFY
> section?
>
> Chain tcout (1 references)
> pkts bytes target prot opt in out source destination
> 456 100K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 MARK set 0x1
> 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 MARK set 0x1
> 15 8202 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x1
> 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 MARK set 0x1
> 27 2268 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 MARK set 0x2
> 12 912 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 MARK set 0x2
> 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 MARK set 0x3
> 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x3
> 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x3
> 510 112K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0/0xffff MARK set 0x4

The last rule is nonsensical. It says that if you have set the mark to any non-zero value (1-3) then set it to 4!!!! So all of your outgoing packets have either mark=0 or mark=4. That's what your CLASSIFY rules are telling you also.

I think you wanted '0' in the MATCH column rather than '!0'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
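The check Tom did by eye (marks being set in tcout while every CLASSIFY rule except the last one stays at zero) can be automated over the same `shorewall show mangle` output. The following is an added example, not Shorewall code or anything from this thread: it parses the single-line layout that `iptables -t mangle -L -v -n` prints, totals packets per mark value, and reports a mark that was set but whose CLASSIFY rule never fired, plus any rule that uses `MARK match !0x0` to re-mark already-marked packets. The sample listing is constructed from the counters posted above; the regexes assume the `MARK set 0xN` / `CLASSIFY set X:Y` wording of iptables of that era.

```python
"""Audit an iptables mangle listing (the format `shorewall show mangle` prints)
for mark/CLASSIFY mismatches. Added example, not Shorewall code."""
import re

# Constructed sample in the single-line layout iptables -v -n prints, using the
# counters from the listing in this thread; not captured from a live system.
SAMPLE = """\
Chain tcout (1 references)
 pkts bytes target   prot opt in  out  source     destination
  456  100K MARK     udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:4569 MARK set 0x1
    0     0 MARK     tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:4569 MARK set 0x1
   15  8202 MARK     udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:5060 MARK set 0x1
   27  2268 MARK     icmp --  *   *    0.0.0.0/0  0.0.0.0/0  icmp type 8 MARK set 0x2
    0     0 MARK     tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:22 MARK set 0x3
  510  112K MARK     all  --  *   *    0.0.0.0/0  0.0.0.0/0  MARK match !0x0/0xffff MARK set 0x4

Chain tcpost (1 references)
 pkts bytes target   prot opt in  out  source     destination
    0     0 CLASSIFY all  --  *   eth0 0.0.0.0/0  0.0.0.0/0  MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY all  --  *   eth0 0.0.0.0/0  0.0.0.0/0  MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY all  --  *   eth0 0.0.0.0/0  0.0.0.0/0  MARK match 0x3/0xff CLASSIFY set 1:13
  466  106K CLASSIFY all  --  *   eth0 0.0.0.0/0  0.0.0.0/0  MARK match 0x4/0xff CLASSIFY set 1:14
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# pkts bytes target prot opt in out source destination <match/target options>
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*)$")
SET_RE = re.compile(r"MARK set 0x([0-9a-fA-F]+)")
CLASSIFY_RE = re.compile(r"CLASSIFY set (\S+)")
MATCH_RE = re.compile(r"MARK match (!?)0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)")


def count(token):
    """iptables -v abbreviates counters with K/M/G (decimal thousands)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}.get(token[-1], 1)
    return int(token.rstrip("KMG")) * mult


def parse(listing):
    """Return one dict per rule: chain, pkts, target, and any mark/classify bits."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                     # header, blank or unrelated line
        extra = m.group(10)
        rule = {"chain": chain, "pkts": count(m.group(1)),
                "target": m.group(3), "extra": extra}
        s = SET_RE.search(extra)
        if s:
            rule["set"] = int(s.group(1), 16)
        c = CLASSIFY_RE.search(extra)
        if c:
            rule["classify"] = c.group(1)
        mm = MATCH_RE.search(extra)
        if mm:                           # (negated?, value, mask)
            rule["match"] = (mm.group(1) == "!", int(mm.group(2), 16),
                             int(mm.group(3), 16))
        rules.append(rule)
    return rules


def audit(listing):
    """Return (packets counted per mark value, list of findings)."""
    rules = parse(listing)
    marked, findings = {}, []
    for r in rules:
        if r["target"] == "MARK" and "set" in r:
            marked[r["set"]] = marked.get(r["set"], 0) + r["pkts"]
            mt = r.get("match")
            if mt and mt[0] and mt[1] == 0:
                findings.append(
                    f"{r['chain']}: 'MARK match !0x0' re-marks every already-marked "
                    f"packet to {r['set']:#x}; a default rule should match mark 0")
    for r in rules:
        mt = r.get("match")
        if r["target"] == "CLASSIFY" and mt and not mt[0]:
            value = mt[1]
            if marked.get(value, 0) and r["pkts"] == 0:
                findings.append(
                    f"{r['chain']}: mark {value:#x} set on {marked[value]} packets "
                    f"but CLASSIFY to {r['classify']} matched none")
    return marked, findings


if __name__ == "__main__":
    totals, problems = audit(SAMPLE)
    print("packets per mark:", totals)
    for p in problems:
        print("-", p)
```

Run it against live output with `shorewall show mangle | python audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; on the listing above it reports the `!0` rule in tcout and the dead CLASSIFY rules for marks 1 and 2, which is exactly the symptom Tom reads off the counters.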
Tom,
Yes indeed, I figured that out last night. I changed my configuration
as follows (after reading more docs):
tcrules:
1 $FW 0.0.0.0/0 udp 4569
1 $FW 0.0.0.0/0 tcp 4569
1 $FW 0.0.0.0/0 udp 5060
1 $FW 0.0.0.0/0 tcp 5060
2 0.0.0.0/0 0.0.0.0/0 icmp echo-request
2 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
3 0.0.0.0/0 0.0.0.0/0 tcp 20
3 0.0.0.0/0 0.0.0.0/0 tcp 21
3 0.0.0.0/0 0.0.0.0/0 tcp 22
Which results in a shorewall show mangle:

Chain tcout (1 references)
pkts bytes target prot opt in out source destination
4431 1015K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 MARK set 0x1
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 MARK set 0x1
115 65437 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x1
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 MARK set 0x1

Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
4531 1073K CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x1/0xff CLASSIFY set 1:11
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x2/0xff CLASSIFY set 1:12
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x3/0xff CLASSIFY set 1:13
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x4/0xff CLASSIFY set 1:14

Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
2159 180K MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 MARK set 0x2
565 47460 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 MARK set 0x2
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 MARK set 0x3
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 MARK set 0x3
410 16768 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x3

Does this look more reasonable?
I have attached an update status.txt
Thanks for the help.
Jim
Jim Duda wrote:
> Tom,
>
> Yes indeed, I figured that out last night. I changed my configuration
> as follows (after reading more docs):
>
> tcrules:
> 1 $FW 0.0.0.0/0 udp 4569
> 1 $FW 0.0.0.0/0 tcp 4569
> 1 $FW 0.0.0.0/0 udp 5060
> 1 $FW 0.0.0.0/0 tcp 5060
> 2 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> 2 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
> 3 0.0.0.0/0 0.0.0.0/0 tcp 20

I suspect that the above rule isn't doing what you expect. FTP servers bind to *local* port 20 when they are creating an active-mode connection back to the client. So the only time that there is significant TCP traffic with destination port 20 is when an active-mode client is *uploading* to an FTP server. So unless you have active mode clients behind your firewall that do a significant amount of uploading, the rule will only match ACK packets from active-mode clients who are downloading.

-Tom
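The three gotchas raised in this thread (David's point that rules without `$FW` as SOURCE never see firewall-generated packets, Tom's point that the trailing `!0` rule overwrites marks 1-3 with 4, and Tom's point that `tcp 20` matches destination port 20 while an active-mode FTP server sends data from source port 20) all come down to which mangle chain a rule lands in and in what order marks are applied. The model below is an added example, not Shorewall's own code: it places each tcrules line in tcout or tcpre the way the listings above show Shorewall doing (the `$FW` rules appear in tcout, the others in tcpre), walks the chain a packet actually traverses, and maps the resulting mark to a class using the tcclasses from the first message, where class 3 is the `default` class. Packets, port numbers and the assumption that everything modeled leaves via eth0 are constructed for the example.

```python
"""Model of how Shorewall tcrules lines land in the mangle table and how the
kernel evaluates them, reproducing three gotchas from this thread. Added
example, not Shorewall code. Assumptions: non-$FW rules go to tcpre
(PREROUTING) as in the listings above; mark N -> class 1:1N; class 3 is the
tcclasses 'default', so unmarked packets land in 1:13; all packets egress eth0.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    origin: str          # "fw" = generated on the firewall, "lan" = forwarded
    proto: str           # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1  # -1 = not ICMP


@dataclass(frozen=True)
class TcRule:
    """One tcrules line: MARK SOURCE DEST PROTO PORT(S) ... TEST."""
    mark: int
    source: str          # "$FW" or "0.0.0.0/0"
    proto: str           # "udp", "tcp", "icmp" or "all"
    dport: int = 0       # 0 = any destination port
    icmp_type: int = -1  # -1 = any type
    test: str = ""       # TEST column: "" (always), "0" (unmarked), "!0" (marked)


def chain_for(rule):
    """$FW-sourced rules go to tcout (OUTPUT); everything else to tcpre."""
    return "tcout" if rule.source == "$FW" else "tcpre"


def matches(rule, pkt, mark):
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.dport and rule.dport != pkt.dport:     # PORT(S) = destination port
        return False
    if rule.icmp_type >= 0 and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.test == "0" and mark != 0:
        return False
    if rule.test == "!0" and mark == 0:
        return False
    return True


def final_mark(rules, pkt):
    """Locally generated packets only traverse tcout, forwarded ones only tcpre;
    a later matching rule overwrites the mark set by an earlier one."""
    chain = "tcout" if pkt.origin == "fw" else "tcpre"
    mark = 0
    for rule in rules:
        if chain_for(rule) == chain and matches(rule, pkt, mark):
            mark = rule.mark
    return mark


def tc_class(mark):
    """tcpost CLASSIFY: mark N -> 1:1N; unmarked -> the 'default' class 1:13."""
    return f"1:1{mark}" if mark in (1, 2, 3, 4) else "1:13"


# Jim's first attempt: IAX rule without $FW as SOURCE (David's gotcha).
V1_IAX = [TcRule(1, "0.0.0.0/0", "udp", dport=4569)]
# Jim's second tcrules: everything from $FW, trailing "!0 -> 4" rule (Tom's gotcha).
V2 = [
    TcRule(1, "$FW", "udp", dport=4569),
    TcRule(1, "$FW", "udp", dport=5060),
    TcRule(2, "$FW", "icmp", icmp_type=8),
    TcRule(3, "$FW", "tcp", dport=22),
    TcRule(4, "$FW", "all", test="!0"),
]
# Same, with the TEST column changed to "0" as Tom suggested.
V2_FIXED = V2[:-1] + [TcRule(4, "$FW", "all", test="0")]
# Jim's final tcrules: VoIP from $FW, ICMP/FTP/SSH for forwarded traffic.
V3 = [
    TcRule(1, "$FW", "udp", dport=4569),
    TcRule(1, "$FW", "udp", dport=5060),
    TcRule(2, "0.0.0.0/0", "icmp", icmp_type=8),
    TcRule(3, "0.0.0.0/0", "tcp", dport=20),
    TcRule(3, "0.0.0.0/0", "tcp", dport=21),
    TcRule(3, "0.0.0.0/0", "tcp", dport=22),
]

# Constructed sample packets, all leaving through eth0.
IAX_FROM_FW = Packet("fw", "udp", sport=4569, dport=4569)
HTTP_FROM_FW = Packet("fw", "tcp", sport=40000, dport=80)
SSH_FROM_LAN = Packet("lan", "tcp", sport=50000, dport=22)
FTP_ACTIVE_UPLOAD = Packet("lan", "tcp", sport=50001, dport=20)       # client data to server
FTP_SERVER_ACTIVE_DATA = Packet("lan", "tcp", sport=20, dport=51000)  # local server data to client


if __name__ == "__main__":
    for name, rules, pkt in [
        ("V1 IAX from firewall", V1_IAX, IAX_FROM_FW),
        ("V2 IAX from firewall", V2, IAX_FROM_FW),
        ("V2_FIXED IAX from firewall", V2_FIXED, IAX_FROM_FW),
        ("V2_FIXED HTTP from firewall", V2_FIXED, HTTP_FROM_FW),
        ("V3 SSH from LAN", V3, SSH_FROM_LAN),
        ("V3 active FTP client upload", V3, FTP_ACTIVE_UPLOAD),
        ("V3 local FTP server active data", V3, FTP_SERVER_ACTIVE_DATA),
    ]:
        m = final_mark(rules, pkt)
        print(f"{name:34} mark={m} class={tc_class(m)}")
```

The first case shows the `$FW` gotcha: the IAX packet is generated on the firewall, traverses only tcout, and the tcpre rule never sees it, so it falls into the default class. The V2 case shows the `!0` rule turning mark 1 into mark 4 (class 1:14, the bulk class), while the corrected `0` rule leaves IAX at mark 1 and still catches otherwise-unmarked traffic such as HTTP. The last two cases show Tom's FTP point: an active-mode client upload (destination port 20) hits the `tcp 20` rule, but data an FTP server sends from local port 20 does not, because the rule matches on destination port.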