Cristian Mammoli
2007-Nov-05 13:38 UTC
Shorewall 3.2.9 (Etch) 2 providers and traffic shaping
Hello everyone, I'm running shorewall 3.2.9 on our company firewall with 2 providers. They are not balanced: smrt2 is a business DSL line with 8 static IP addresses and is mostly used for our SMTP/web server in the DMZ; fweb1 is a fast DSL line with an RFC1918 dynamic IP address and is used for outbound traffic from the workstations.

I'm trying to set up a very basic traffic shaping solution: I enabled HIGH_ROUTE_MARKS in shorewall.conf and assigned 256 and 512 to the providers.

This is my tcclasses:

#INTERFACE  MARK  RATE         CEIL         PRIORITY  OPTIONS
ethsm2      10    45*full/100  full         1         ack,tos-minimize-delay
ethsm2      20    30*full/100  90*full/100  2         default
ethsm2      30    25*full/100  75*full/100  3
ethfw1      10    45*full/100  full         1         ack,tos-minimize-delay
ethfw1      20    30*full/100  90*full/100  2         default
ethfw1      30    25*full/100  75*full/100  3

and this is tcrules:

#MARK  SOURCE           DEST       PROTO  PORT(S)         CLIENT  USER  TEST
#ROUTING SECTION
#FASTWEB
512    0.0.0.0/0        !$RFC1918                                       #DEFAULT
#TELECOM
256    192.168.6.0/24   !$RFC1918                                       #SYSTEMUP
256    0.0.0.0/0        !$RFC1918  tcp    1723                          #OUTBOUND PPTP VPN
256    0.0.0.0/0        !$RFC1918  47                                   #
256    192.168.1.202    !$RFC1918  tcp    -               5500          #OUTBOUND VNC LISTENER
256    192.168.108.199  !$RFC1918  tcp    25,53                         #OUTBOUND SMTP,DNS MAILSERVER
256    192.168.108.199  !$RFC1918  udp    53                            #DNS
#SHAPING SECTION
#HIGH PRIO
10:F   0.0.0.0/0        0.0.0.0/0  icmp                                 #ICMP
10:F   0.0.0.0/0        0.0.0.0/0  tcp    22,53,888,1723                #VPN PPTP,SSH,DNS
10:F   0.0.0.0/0        0.0.0.0/0  tcp    -               22,53,888,1723  #
10:F   0.0.0.0/0        0.0.0.0/0  47
10:F   0.0.0.0/0        0.0.0.0/0  udp    53,1194                       #OPENVPN,DNS
10:F   0.0.0.0/0        0.0.0.0/0  udp    -               53,1194       #
#LOW PRIO
30:F   0.0.0.0/0        0.0.0.0/0  tcp    25,4662                       #SMTP,EMULE
30:F   0.0.0.0/0        0.0.0.0/0  tcp    -               25,4662       #
30:F   0.0.0.0/0        0.0.0.0/0  udp    4672                          #
30:F   0.0.0.0/0        0.0.0.0/0  udp    -               4672          #
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I use

MARK_IN_FORWARD_CHAIN=No
RFC1918=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12

With this configuration traffic shaping works fine but ALL the traffic goes out through provider 512, as if the following rules were not evaluated; if I comment out the first line, traffic from 192.168.108.199 (dmz) always goes out through the right interface, but all the traffic not specified in tcrules gets balanced between the two connections.

Config files are attached for easier reading (I changed the public IP addresses).

Thanks in advance
Cristian

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
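An added example, not from the thread or from Shorewall itself: it walks the ROUTING section of Cristian's tcrules over a few constructed packets and splits the resulting fwmark into the HIGH_ROUTE_MARKS provider byte and the low-byte tc class. It assumes plain iptables MARK semantics (every matching entry overwrites the mark, so the last match wins) and that provider marks occupy fwmark & 0xFF00 when HIGH_ROUTE_MARKS=Yes; the packet tuples and the 203.0.113.x / 198.51.100.x destinations are constructed.

```python
import ipaddress

# RFC1918 as set in the poster's shorewall.conf
RFC1918 = [ipaddress.ip_network(n) for n in
           ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# ROUTING section of the poster's tcrules: MARK SOURCE DEST PROTO PORT(S) CLIENT
ROUTING_RULES = [
    (512, "0.0.0.0/0",       "!$RFC1918", "-",   "-",     "-"),     # FASTWEB default
    (256, "192.168.6.0/24",  "!$RFC1918", "-",   "-",     "-"),     # TELECOM
    (256, "0.0.0.0/0",       "!$RFC1918", "tcp", "1723",  "-"),     # outbound PPTP
    (256, "0.0.0.0/0",       "!$RFC1918", "47",  "-",     "-"),     # GRE
    (256, "192.168.1.202",   "!$RFC1918", "tcp", "-",     "5500"),  # VNC listener
    (256, "192.168.108.199", "!$RFC1918", "tcp", "25,53", "-"),     # mail server
    (256, "192.168.108.199", "!$RFC1918", "udp", "53",    "-"),
]

def addr_matches(spec, addr):
    """SOURCE/DEST column: '-' or 0.0.0.0/0 is any; '!$RFC1918' negates; else host/CIDR."""
    if spec in ("-", "0.0.0.0/0"):
        return True
    ip = ipaddress.ip_address(addr)
    if spec == "!$RFC1918":
        return not any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(spec, strict=False)

def proto_matches(spec, proto):
    """PROTO column: '-' is any; otherwise a protocol name or number."""
    return spec == "-" or PROTO_NUMBERS.get(spec) == proto or (spec.isdigit() and int(spec) == proto)

def port_matches(spec, port):
    """PORT(S)/CLIENT column: '-' is any; otherwise a comma-separated list."""
    return spec == "-" or str(port) in spec.split(",")

def final_mark(packet, rules=ROUTING_RULES):
    """Assumption: MARK --set-mark does not end the chain, so every matching entry
    overwrites the mark; the 512 catch-all is overridden by later 256 entries."""
    mark = 0
    for m, src, dst, proto, dport, sport in rules:
        if (addr_matches(src, packet["src"]) and addr_matches(dst, packet["dst"])
                and proto_matches(proto, packet["proto"])
                and port_matches(dport, packet.get("dport"))
                and port_matches(sport, packet.get("sport"))):
            mark = m
    return mark

def split_mark(mark):
    """HIGH_ROUTE_MARKS=Yes: the provider mark is fwmark & 0xFF00 (a multiple of 256),
    leaving fwmark & 0xFF free for the tcclasses marks 10/20/30."""
    return mark & 0xFF00, mark & 0xFF
```

A mark of 0 means no ROUTING entry matched (for example LAN-to-DMZ traffic, whose destination is RFC1918), so the packet falls through to the default routing table.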
Cristian Mammoli
2007-Nov-05 14:37 UTC
Re: Shorewall 3.2.9 (Etch) 2 providers and traffic shaping
I completely removed tcclasses and tcdevices and commented out traffic shaping in tcrules. I get exactly the same behaviour: the first rule catches all the traffic; if I set HIGH_ROUTE_MARKS=no and use mark numbers <256 in the providers file, everything works as expected. :/

Cristian
Tom Eastep
2007-Nov-05 14:54 UTC
Re: Shorewall 3.2.9 (Etch) 2 providers and traffic shaping
Cristian Mammoli wrote:

> I removed completely tcclasses and tcdevices and commented out traffic
> shaping in tcrules. I get exactly the same behaviour: first rule catches
> all the traffic; if I set HIGH_ROUTE_MARKS=no and use mark numbers <256
> in the providers file everything works as expected.

Please forward the output of "shorewall dump" (as a compressed attachment). Capture the dump with the configuration that fails.

Thanks,
-Tom

--
Tom Eastep         \ Nothing is foolproof to a sufficiently talented fool
Shoreline,          \ http://shorewall.net
Washington USA       \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 05 Nov 2007 06:54:22 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> Please forward the output of "shorewall dump" (as a compressed
> attachment).
> Capture the dump with the configuration that fails.

Here they come

Cristian
Tom Eastep
2007-Nov-05 18:42 UTC
Re: Shorewall 3.2.9 (Etch) 2 providers and traffic shaping
Cristian wrote:

> On Mon, 05 Nov 2007 06:54:22 -0800, Tom Eastep <teastep@shorewall.net>
> wrote:
>
>> Please forward the output of "shorewall dump" (as a compressed
>> attachment).
>> Capture the dump with the configuration that fails.
>
> Here they come

The broken.txt file doesn't have the default 512 tcrule!

Again -- Please collect the dump with the configuration that doesn't work. According to your post:

    ...if I comment out the first line, traffic from 192.168.108.199 (dmz) goes always out through the right interface, but all the traffic not specified in tcrules gets balanced between the two connections.

That is exactly what that configuration should do and that's what you sent me (the first line is commented out).

-Tom
Tom Eastep
2007-Nov-05 18:59 UTC
Re: Shorewall 3.2.9 (Etch) 2 providers and traffic shaping
Tom Eastep wrote:

> Cristian wrote:
>
>> On Mon, 05 Nov 2007 06:54:22 -0800, Tom Eastep <teastep@shorewall.net>
>> wrote:
>>
>>> Please forward the output of "shorewall dump" (as a compressed
>>> attachment).
>>> Capture the dump with the configuration that fails.
>>
>> Here they come
>
> The broken.txt file doesn't have the default 512 tcrule!

Please disregard -- I should have looked at your tcrules file again before I looked at the dump. I had mis-remembered what the rule looked like.

Sorry for the noise.

-Tom
Tom Eastep
2007-Nov-06 15:33 UTC
Re: Shorewall 3.2.9 (Etch) 2 providers and traffic shaping
Cristian wrote:

> On Mon, 05 Nov 2007 06:54:22 -0800, Tom Eastep <teastep@shorewall.net>
> wrote:
>
>> Please forward the output of "shorewall dump" (as a compressed
>> attachment).
>> Capture the dump with the configuration that fails.
>
> Here they come

The only difference that I see in the two is that, because you haven't applied the patch which corrects a problem with HIGH_ROUTE_MARKS=No (see http://www.shorewall.net/shorewall_index.htm#Notice), your working configuration is operating as if you had set TC_EXPERT=Yes. So, grasping at straws, you might set TC_EXPERT=Yes in the non-working configuration and see if that makes any difference.

Jerry: Do you see anything in Cristian's dumps?

I also suggest that you upgrade Shorewall -- under 3.2, Shorewall does not reverse the effect of routing changes during 'shorewall restart' and 'shorewall stop'. As a consequence, the routing rules for both the working and non-working configuration are present in both configurations! Shorewall 3.4 and 4.0 do a much better job in that regard.

-Tom