Hi

Does anyone have a sample shorewall configuration for adding TC/QoS
on IAX2 traffic?

Thanks for your help

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

On Wednesday 24 January 2007 11:56, Noc Phibee wrote:
> Hi
>
> Does anyone have a sample shorewall configuration for adding TC/QoS
> on IAX2 traffic?

Yup. Very simple.
in /etc/shorewall/tcrules:

1 - - udp 4569

HTH,
Alex

Actually, I have put:

(it's a Sdsl 2Mbits/2Mbits)

tcdevices
eth0 2100kbit 2100kbit

tcclasses
eth0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
eth0 2 full/4 full 2 tcp-ack,tos-minimize-delay
eth0 3 full/4 full 3 default
eth0 4 full/8 full*8/10 4

tcrules
1 0.0.0.0/0 0.0.0.0/0 udp 4569 - - - - 16

So doesn't it work? What does "shorewall show mangle" show?

On Wednesday 24 January 2007 13:02, Noc Phibee wrote:
> Actually, I have put:
>
> (it's a Sdsl 2Mbits/2Mbits)
>
> tcdevices
> eth0 2100kbit 2100kbit
>
> tcclasses
> eth0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
> eth0 2 full/4 full 2 tcp-ack,tos-minimize-delay
> eth0 3 full/4 full 3 default
> eth0 4 full/8 full*8/10 4
>
> tcrules
> 1 0.0.0.0/0 0.0.0.0/0 udp 4569 - - - - 16

Hi,

I don't know ;=) I have added these rules after have write

Shorewall-3.2.1 Mangle Table at gw.reep.ophelys.org - mer jan 24 13:55:59 CET 2007

Counters reset lun jan 15 13:53:39 CET 2007

Chain PREROUTING (policy ACCEPT 13M packets, 6695M bytes)
 pkts bytes target     prot opt in     out     source               destination
  13M 6695M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 5507K packets, 1846M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 7848K packets, 4849M bytes)
 pkts bytes target     prot opt in     out     source               destination
7848K 4849M tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7434K packets, 2454M bytes)
 pkts bytes target     prot opt in     out     source               destination
5658K 1761M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 13M packets, 6592M bytes)
 pkts bytes target     prot opt in     out     source               destination
  13M 6592M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

If I understand, if I don't use Asterisk, I can use 100% of the bandwidth
and when a call is started on the 4569 UDP, I get 100Kbs of reserved
bandwidth

it's good ?

Ok, what I don't understand is: the tc* Chains are all empty!?
Did you enable tc in shorewall.conf?
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes

On Wednesday 24 January 2007 13:58, Noc Phibee wrote:
> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain tcpre (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>
> If I understand, if I don't use Asterisk, I can use 100% of the bandwidth
> and when a call is started on the 4569 UDP, I get 100Kbs of reserved
> bandwidth

AFAIK, yes.

> it's good ?

Mhh, not really. As said above, your tc* Chains don't show any packet
marking...e.g. like this:

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source
<snip>
1922K  122M MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 4569 MARK set 0x1
</snip>

In my shorewall.conf, I have:

TC_ENABLED=Internal
CLEAR_TC=Yes

I don't have a TC_EXPERT in shorewall.conf

only:
MARK_IN_FORWARD_CHAIN=No

ok, I have put a stop and start and now I have:

Shorewall-3.2.1 Mangle Table at gw.reep.ophelys.org - mer jan 24 14:30:15 CET 2007

Counters reset mer jan 24 14:29:07 CET 2007

Chain PREROUTING (policy ACCEPT 4779 packets, 3049K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4615 2845K tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 2814 packets, 1928K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1965 packets, 1121K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1963 1121K tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7458K packets, 2463M bytes)
 pkts bytes target     prot opt in     out     source               destination
 3338 2601K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 5350 packets, 3724K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5249 3716K tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff CLASSIFY set 1:14

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   120 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1
[root@gw tmp]#

On Wednesday 24 January 2007 14:31, Noc Phibee wrote:
> ok, I have put a stop and start and now I have:

Ya, this is the answer for the missing chains.

> Chain tcpre (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   120 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1
> [root@gw tmp]#

And this looks better (3 packets/120 bytes marked), but...

> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11

...none classified.

Wild guess,

Try it with MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf,
restart, cause some IAX traffic, do a shorewall show mangle again and show me
the output of the tcpost Chain.

Ok thanks, with the modification:

Shorewall-3.2.1 Mangle Table at gw.reep.ophelys.org - mer jan 24 15:04:54 CET 2007

Counters reset mer jan 24 15:04:29 CET 2007

Chain PREROUTING (policy ACCEPT 234 packets, 26374 bytes)
 pkts bytes target     prot opt in     out     source               destination
  208 23519 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 154 packets, 17340 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 79 packets, 8958 bytes)
 pkts bytes target     prot opt in     out     source               destination
   78  8107 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7492K packets, 2470M bytes)
 pkts bytes target     prot opt in     out     source               destination
  131 17299 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 238 packets, 28694 bytes)
 pkts bytes target     prot opt in     out     source               destination
  205 25214 tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff CLASSIFY set 1:14

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

On Wednesday 24 January 2007 15:05, Noc Phibee wrote:
> Ok thanks, with the modification:

Looks good, but no traffic counted.
Better stop asterisk, wait 5 minutes, start it, use iax.
then post same again (only tcfor and tcpost is needed)

> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1
>
> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
>     0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12
>     0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff CLASSIFY set 1:13
>     0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff CLASSIFY set 1:14

No big change ;=)

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff CLASSIFY set 1:14

I don't know if it's important, but the asterisk server is on the same
server as shorewall

Noc Phibee wrote:
> I don't know if it's important, but the asterisk server is on the same
> server as shorewall

From the comments at the top of /etc/shorewall/tcrules:

#       For example, all packets
#       for connections masqueraded to eth0 from other
#       interfaces can be matched in a single rule with
#       several alternative SOURCE criteria. However, a
#       connection whose packets gets to eth0 in a
#       different way, e.g., direct from the firewall
#       itself, needs a different rule.
#
#       Accordingly, use $FW in its own separate rule for
#       packets originating on the firewall. In such a rule,
#       the MARK column may NOT specify either ":P" or ":F"
#       because marking for firewall-originated packets
#       always occurs in the OUTPUT chain.
#

In other words, you need $FW in the SOURCE column for rules governing
traffic that originates on the firewall itself.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Wednesday 24 January 2007 18:50, Tom Eastep wrote:
> Noc Phibee wrote:
> > I don't know if it's important, but the asterisk server is on the same
> > server as shorewall

bingo...

> From the comments at the top of /etc/shorewall/tcrules:
>
> #       For example, all packets
> #       for connections masqueraded to eth0 from other
> #       interfaces can be matched in a single rule with
> #       several alternative SOURCE criteria. However, a
> #       connection whose packets gets to eth0 in a
> #       different way, e.g., direct from the firewall
> #       itself, needs a different rule.
> #
> #       Accordingly, use $FW in its own separate rule for
> #       packets originating on the firewall. In such a rule,
> #       the MARK column may NOT specify either ":P" or ":F"
> #       because marking for firewall-originated packets
> #       always occurs in the OUTPUT chain.
> #
>
> In other words, you need $FW in the SOURCE column for rules governing
> traffic that originates on the firewall itself.

...bongo :-)

> -Tom

Ok ;=)

now:

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1329  159K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1329  159K CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x4/0xff CLASSIFY set 1:14

I put in tcrules:
1 $FW 0.0.0.0/0 udp 4569 - - - - 16

On Thursday 25 January 2007 06:10, Noc Phibee wrote:
> Ok ;=)
>
> now:
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  1329  159K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           TOS match 0x10 udp dpt:4569 MARK set 0x1

good

> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  1329  159K CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1/0xff CLASSIFY set 1:11

and yes, packets get classified. This is how it should look.

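The check walked through in this thread (does a MARK rule in a tc* chain count packets, and does a CLASSIFY rule in tcpost then count them too?) can be scripted. The following is an added example, not part of the original thread and not Shorewall code; the function name, the verdict strings and the sample_* inputs are assumptions of this example, with the samples re-typed from the outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread): read `shorewall show mangle` output on
# stdin and print one verdict, followed by the tc* chains whose MARK rules hit.
#   no-mark-rules          no MARK rule in any tc* chain (tcrules not loaded)
#   not-marked             MARK rules exist, none has counted a packet
#   marked-not-classified  packets marked, but no CLASSIFY rule in tcpost hit
#   ok                     packets marked and classified into a tc class
tc_diagnose() {
    awk '
        /^Chain / { chain = $2; next }
        # Rule lines start with a packet counter such as 0, 1329 or 1922K;
        # the "pkts bytes target ..." header lines do not match.
        chain ~ /^tc(pre|for|out|post)$/ && $1 ~ /^[0-9]+[KMG]?$/ {
            hit = ($1 != "0")
            if ($3 == "MARK") {
                rules++
                if (hit) { marked++; if (!seen[chain]++) where = where " " chain }
            }
            if ($3 == "CLASSIFY" && chain == "tcpost" && hit) classified++
        }
        END {
            if (!rules)           print "no-mark-rules"
            else if (!marked)     print "not-marked"
            else if (!classified) print "marked-not-classified" where
            else                  print "ok" where
        }'
}

# Constructed samples: tc* chains re-typed from the outputs posted in the thread.

# After "stop and start", rule with SOURCE 0.0.0.0/0, MARK_IN_FORWARD_CHAIN=No.
sample_after_restart() { cat <<'EOF'
Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source      destination
Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0   0.0.0.0/0   MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0   0.0.0.0/0   MARK match 0x2/0xff CLASSIFY set 1:12
Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source      destination
    3   120 MARK       udp  --  *      *       0.0.0.0/0   0.0.0.0/0   TOS match 0x10 udp dpt:4569 MARK set 0x1
EOF
}

# Same rule with MARK_IN_FORWARD_CHAIN=Yes: the MARK rule moves to tcfor.
sample_mark_in_forward() { cat <<'EOF'
Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0   0.0.0.0/0   TOS match 0x10 udp dpt:4569 MARK set 0x1
Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0   0.0.0.0/0   MARK match 0x1/0xff CLASSIFY set 1:11
EOF
}

# With $FW in the SOURCE column: marking happens in tcout (OUTPUT chain).
sample_fw_rule() { cat <<'EOF'
Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source      destination
 1329  159K MARK       udp  --  *      *       0.0.0.0/0   0.0.0.0/0   TOS match 0x10 udp dpt:4569 MARK set 0x1
Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source      destination
 1329  159K CLASSIFY   all  --  *      eth0    0.0.0.0/0   0.0.0.0/0   MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0   0.0.0.0/0   MARK match 0x2/0xff CLASSIFY set 1:12
EOF
}

for s in sample_after_restart sample_mark_in_forward sample_fw_rule; do
    printf '%-24s %s\n' "$s" "$($s | tc_diagnose)"
done
```

On a live firewall the same function can be fed directly: `shorewall show mangle | tc_diagnose`.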