Need to do a better job of controlling incoming traffic for voip and ifb looks like what I need.

Currently have Shorewall-perl 4.0.5. Will my current configs continue to work?
Particularly paranoid when upgrading a running firewall :-)

Running ipsec. Will the ifb device packets still be ipsec?
Using native 2.6 kernel ipsec if it matters.

Any problems I need to look out for?

Thanks

John
--
John McMonagle
IT Manager
Advocap Inc.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
You should better try with a test environment before going in production, and this with any major software update. This is my suggestion.

"John McMonagle" <johnm@advocap.org> wrote:
> Need to do a better job of controlling incoming traffic for voip and ifb
> looks like what I need.
>
> Currently have Shorewall-perl 4.0.5 will my current configs continue to
> work?
> Particularly paranoid when upgrading a running firewall :-)
>
> Running ipsec. will the ifb device packets still be ipsec?
> Using native 2.6 kernel ipsec if it matters.
>
> Any problems I need to look out for?
>
> Thanks
>
> John
> --
> John McMonagle
> IT Manager
> Advocap Inc.

----------------------------------------------------------------
Confidentiality Notice
This communication (including any files transmitted with it) is intended solely for the person or entity to whom it is addressed, and may contain confidential or privileged information. The disclosure, distribution or copying of this message is strictly forbidden. Should you have received this communication in error, kindly contact the sender promptly, destroy any copies and delete this message from your computer system. Thank you.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Pascal Poudrier wrote:
> You should better try with a test environment before going in
> production, and this with any major software update.

Especially when upgrading to pre-release software.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Was just looking through the documentation and didn't notice that it is the development version :-(

Suppose I should look at the old method. There are a few things that do not make sense to me in the example at:
http://www.shorewall.net/traffic_shaping.htm#Downloads

Why is there a download limit for ppp in tcdevices?
I would think you would want the outgoing rules on eth0 to do the delays and dropping?

In tcclasses have

eth0 1 100kbit 500kbit 1 tcp-ack
eth0 2 3mbit 6mbit 2
eth0 3 3mbit 6mbit 3
eth0 4 94mbit full default #for local traffic

I see no rule that would put in a mark of 4?

Assuming the incoming limit is 6mb:
Sum of Rate of mark 1, 2 and 3 is slightly over 6mb.
Sum of ceiling of mark 1, 2 and 3 is way over 6mb.

I assume the traffic shaping logic is going to assume 100mb is available so it will borrow from the rule with mark 4 as needed.
So it could try to allow up to 12.5mb in from a 6mb connection.
Or is there something that is keeping the total of the mark 1, 2 and 3 rules from exceeding 6mb?

Thanks

John

Tom Eastep wrote:
> Pascal Poudrier wrote:
>> You should better try with a test environment before going in
>> production, and this with any major software update.
>
> Especially when upgrading to pre-release software.
>
> -Tom
--
John McMonagle
IT Manager
Advocap Inc.
John McMonagle wrote:
> Was just looking through the documentation and didn't notice that it is
> the development version :-(
>
> Suppose I should look at the old method. There are a few things that
> do not make sense to me in the example at:
> http://www.shorewall.net/traffic_shaping.htm#Downloads
>
> Why is there a download limit for ppp in tcdevices?
> I would think you would want the outgoing rules on eth0 to do the delays
> and dropping?

As clearly stated at the outset, this example extends the earlier example. The ppp0 stuff is simply copied from that earlier example.

> In tcclasses have
>
> eth0 1 100kbit 500kbit 1 tcp-ack
> eth0 2 3mbit 6mbit 2
> eth0 3 3mbit 6mbit 3
> eth0 4 94mbit full default #for local traffic
>
> I seen no rule would put in a mark of 4?

It's the default -- it doesn't need a mark.

> Assuming the incoming limit is 6mb
> Sum of Rate of mark 1,2 and 3 if slightly over 6mb.

The point of this example is to try to guarantee each of classes 2 and 3 at least half of the available bandwidth AND THAT'S ALL. If you want to do something different from that, then you will clearly need different class definitions.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> John McMonagle wrote:
>> In tcclasses have
>>
>> eth0 1 100kbit 500kbit 1 tcp-ack
>> eth0 2 3mbit 6mbit 2
>> eth0 3 3mbit 6mbit 3
>> eth0 4 94mbit full default #for local traffic
>>
>> I seen no rule would put in a mark of 4?
>
> It's the default -- it doesn't need a mark.
>
>> Assuming the incoming limit is 6mb
>> Sum of Rate of mark 1,2 and 3 if slightly over 6mb.
>
> The point of this example is to try to guarantee each of classes 2 and 3
> at least half of the available bandwidth AND THAT'S ALL. If you want to
> do something different from that, then you will clearly need different
> class definitions.
>
> -Tom

Tom

Thanks for the quick reply.

Is it possible to do the class definitions to keep the total inbound rate under a limit without setting the outbound rate of eth0 to the inbound rate of ppp0 and still allow borrowing between queues?

If ifb is a better solution, is 4.2.0-RC1 in pretty good state?
It would take more work but if it's a better solution I'd rather do that.

John
John McMonagle wrote:
> Thanks for the quick reply.
>
> Is it possible to do the class definitions to keep the total inbound
> rate under a limit without setting the outbound rate of eth0 to the
> inbound rate of ppp0 and still allow borrowing between queues.

Not really -- Shorewall doesn't support definition of nested classes, which is what is required to do that.

> If ifb is a better solution is 4.2.0-RC1 in pretty good state?

I think so -- I've had *no* problem reports (other than manpage issues) against either Beta3 or RC1.

> It would take more work but if it's a better solution I'd rather do that.

If it wouldn't have been a better solution, I wouldn't have expended the effort to implement it.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Have Shorewall 4.2 rc3 running with ifb and looks good so far.

voip is running much better.

Want to make sure I really have it right so have a few questions.

Running ipsec. Will the ifb device packets still be ipsec?
Using native 2.6 kernel ipsec if it matters.
I suspect they will be in ipsec so I'll have to set tos.

In http://www.shorewall.net/traffic_shaping.htm#IFB

/etc/shorewall/init:

qt modprobe ifb numifbs=1
qt ip link set dev ifb0 up

What is qt?

In /etc/shorewall/tcclasses:

#INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
1:110      -    5*full/10 full      1        tcp-ack,tos-minimize-delay
1:120      -    2*full/10 6*full/10 2        default
1:130      -    2*full/10 6*full/10 3
2:110      -    5*full/10 full      1        tcp-ack,tos-minimize-delay
2:120      -    2*full/10 6*full/10 2        default
2:130      -    2*full/10 6*full/10 3

Do the class numbers such as 110 have any particular significance? Any documentation for this?

Is there any way to tell what queue or class a particular packet is being put in?

Thanks

John
John McMonagle wrote:
> Have Shorewall 4.2 rc3 running with ifb and looks good so far.
>
> voip is running much better.
>
> Want to make sure I really have it right so have a few questions.
>
> Running ipsec. Will the ifb device packets still be ipsec?
> Using native 2.6 kernel ipsec if it matters.
> I suspect they will be in ipsec so I'll have to set tos.

Yes -- packets will still be encapsulated.

> in http://www.shorewall.net/traffic_shaping.htm#IFB
>
> /etc/shorewall/init:
>
> qt modprobe ifb numifbs=1
> qt ip link set dev ifb0 up
>
> What is qt?

qt is a function in the Shorewall base library (/usr/share/shorewall/lib.base). 'qt' stands for 'quite' which means that the function runs a program and sends all output (STDOUT & STDERR) to /dev/null.

> in /etc/shorewall/tcclasses:
>
> #INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
> 1:110      -    5*full/10 full      1        tcp-ack,tos-minimize-delay
> 1:120      -    2*full/10 6*full/10 2        default
> 1:130      -    2*full/10 6*full/10 3
> 2:110      -    5*full/10 full      1        tcp-ack,tos-minimize-delay
> 2:120      -    2*full/10 6*full/10 2        default
> 2:130      -    2*full/10 6*full/10 3
>
> Do the class numbers such as 110 have any particular significance?
> Any documentation for this?

They have no significance.

> Is there any way to tell what queue or class a particular packet is
> being put in?

No. The output of "shorewall show tc" will show packet (and byte) counts only.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
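A sanity check for the two concerns raised in this thread (the eth0 example whose RATE and CEIL values add up to more than the link, and the ifb example written with `N*full/10` expressions): an added Python checker, not code from Shorewall or from anyone on the list. It assumes RATE and CEIL are `full`, `N*full/M` or a number with a bit/kbit/mbit suffix, and that the caller supplies each device's bandwidth in kbit/s (the value that `full` expands to).

```python
import re

# Constructed inputs: the two tcclasses fragments quoted in the thread.
# Old-style (4.0) example on eth0; the device is assumed to be 100mbit.
TCCLASSES_ETH0 = """\
eth0 1 100kbit 500kbit 1 tcp-ack
eth0 2 3mbit 6mbit 2
eth0 3 3mbit 6mbit 3
eth0 4 94mbit full default #for local traffic
"""
# 4.2 IFB-style example: INTERFACE is <device number>:<class number>.
TCCLASSES_IFB = """\
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
1:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
1:120 - 2*full/10 6*full/10 2 default
1:130 - 2*full/10 6*full/10 3
2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
2:120 - 2*full/10 6*full/10 2 default
2:130 - 2*full/10 6*full/10 3
"""

UNITS = {"bit": 0.001, "kbit": 1, "mbit": 1000}   # factor to kbit/s
FULL_RE = re.compile(r"^(?:(\d+)\*)?full(?:/(\d+))?$")
ABS_RE = re.compile(r"^(\d+)(bit|kbit|mbit)$")

def parse_rate(expr, full_kbit):
    """Turn a RATE/CEIL expression into kbit/s, given the device's 'full'."""
    m = FULL_RE.match(expr)
    if m:
        return full_kbit * int(m.group(1) or 1) / int(m.group(2) or 1)
    m = ABS_RE.match(expr)
    if not m:
        raise ValueError("unsupported rate expression: " + expr)
    return int(m.group(1)) * UNITS[m.group(2)]

def check_tcclasses(text, bandwidth):
    """bandwidth maps the device part of INTERFACE ('eth0' or '1') to its
    bandwidth in kbit/s (assumed: the OUT-BANDWIDTH from tcdevices).
    Returns, per device, the sum of guaranteed RATEs, the sum of CEILs
    and whether the guarantees alone already exceed the device."""
    rates, ceils = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and headers
        if not line:
            continue
        iface, _mark, rate, ceil = line.split()[:4]
        dev = iface.split(":", 1)[0]
        full = bandwidth[dev]
        r, c = parse_rate(rate, full), parse_rate(ceil, full)
        if c < r:
            raise ValueError(f"{iface}: CEIL {ceil} is below RATE {rate}")
        rates[dev] = rates.get(dev, 0) + r
        ceils[dev] = ceils.get(dev, 0) + c
    return {dev: {"rate_sum": rates[dev], "ceil_sum": ceils[dev],
                  "bandwidth": bandwidth[dev],
                  "overcommitted": rates[dev] > bandwidth[dev]}
            for dev in rates}
```

With the eth0 fragment and a 100mbit device the guaranteed rates sum to 100100 kbit/s, slightly more than the link, while the ifb fragment leaves 10% of each device unguaranteed for borrowing.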
Tom Eastep wrote:
> John McMonagle wrote:
>> Have Shorewall 4.2 rc3 running with ifb and looks good so far.
>>
>> voip is running much better.
>>
>> Want to make sure I really have it right so have a few questions.
>>
>> Running ipsec. Will the ifb device packets still be ipsec?
>> Using native 2.6 kernel ipsec if it matters.
>> I suspect they will be in ipsec so I'll have to set tos.
>
> Yes -- packets will still be encapsulated.
>
>> in http://www.shorewall.net/traffic_shaping.htm#IFB
>>
>> /etc/shorewall/init:
>>
>> qt modprobe ifb numifbs=1
>> qt ip link set dev ifb0 up
>>
>> What is qt?
>
> qt is a function in the Shorewall base library
> (/usr/share/shorewall/lib.base). 'qt' stands for 'quite' which means

s/quite/quiet/

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
Tom Eastep wrote:
> John McMonagle wrote:
>
>> Have Shorewall 4.2 rc3 running with ifb and looks good so far.
>>
>> voip is running much better.
>>
>> Want to make sure I really have it right so have a few questions.
>>
>> Running ipsec. Will the ifb device packets still be ipsec?
>> Using native 2.6 kernel ipsec if it matters.
>> I suspect they will be in ipsec so I'll have to set tos.
>
> Yes -- packets will still be encapsulated.

Did a couple of tests. Looks like both the ipsec and the decoded packets are on the ifb device.

tcpdump -i ifb0 -n -v

10:08:44.540738 IP (tos 0x0, ttl 50, id 61685, offset 0, flags [none], proto ESP (50), length 120) 24.166.158.227 > 69.128.2.138: ESP(spi=0x4add7161,seq=0x7f7), length 100
10:08:44.540940 IP (tos 0x10, ttl 63, id 52086, offset 0, flags [DF], proto TCP (6), length 52) 192.168.101.5.55983 > 192.168.1.254.22: ., cksum 0xd61e (correct), ack 15393 win 501 <nop,nop,timestamp 2957075 132418302>

The traffic from 192.168.101.5 is coming in via ipsec.

Further, with traffic shaping enabled, speed via ipsec is about half the speed as direct.
With traffic shaping off, speeds are about the same.
Rather nasty as most traffic goes through ipsec.

Any ideas?
The only thing I can think of is to switch to klips.

Probably time to inquire on lartc.

John
--
John McMonagle
IT Manager
Advocap Inc.
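To put numbers on what the capture above shows, here is an added Python script (not from the thread or from Shorewall) that parses `tcpdump -i ifb0 -n -v` lines and totals the bytes the ifb shaper sees against the bytes that actually arrived on the wire. It assumes the tunnelled subnet is 192.168.101.0/24 (taken from the capture) and uses a constructed two-line sample modelled on the output above; it also records the ToS values per category, since the outer ESP header carries its own ToS (0x0 here) rather than the inner packet's 0x10.

```python
import re
import ipaddress

# Constructed sample in the shape of "tcpdump -i ifb0 -n -v": the ESP
# packet on the outside of the tunnel, then the decapsulated TCP segment
# it carried, both seen on the same ifb device.
SAMPLE = """\
10:08:44.540738 IP (tos 0x0, ttl 50, id 61685, offset 0, flags [none], proto ESP (50), length 120) 24.166.158.227 > 69.128.2.138: ESP(spi=0x4add7161,seq=0x7f7), length 100
10:08:44.540940 IP (tos 0x10, ttl 63, id 52086, offset 0, flags [DF], proto TCP (6), length 52) 192.168.101.5.55983 > 192.168.1.254.22: ., cksum 0xd61e (correct), ack 15393 win 501 <nop,nop,timestamp 2957075 132418302>
"""

# Assumed: remote subnets that only ever reach this host inside IPsec.
TUNNELLED = [ipaddress.ip_network("192.168.101.0/24")]

HDR_RE = re.compile(
    r"^\S+ IP \(tos (0x[0-9a-f]+), .*?proto (\w+) \(\d+\), length (\d+)\) "
    r"(\S+) > (\S+):")

def host(addr):
    """Strip the trailing .port that tcpdump appends to TCP/UDP addresses."""
    return ".".join(addr.split(".")[:4])

def ifb_byte_report(dump):
    """Classify each packet as esp (tunnel outside), inner (plaintext that
    arrived inside a tunnel) or clear, summing IP lengths and ToS values.
    A flow that appears as both esp and inner passes through the ifb
    shaper twice, so 'shaped_bytes' overstates 'wire_bytes'."""
    out = {k: {"bytes": 0, "tos": set()} for k in ("esp", "inner", "clear")}
    for line in dump.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue            # ignore continuation or unparsable lines
        tos, proto, length, src = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "ESP":
            kind = "esp"
        elif any(ipaddress.ip_address(host(src)) in n for n in TUNNELLED):
            kind = "inner"
        else:
            kind = "clear"
        out[kind]["bytes"] += length
        out[kind]["tos"].add(tos)
    wire = out["esp"]["bytes"] + out["clear"]["bytes"]
    shaped = wire + out["inner"]["bytes"]
    return {"classes": out, "wire_bytes": wire, "shaped_bytes": shaped}
```

On the sample the shaper accounts 172 bytes for 120 bytes of actual ingress, which is the double pass that makes throughput through the tunnel drop once shaping is enabled.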