Shorewall users - Mar 2009 - Is this TC configuration correct

Hi!

I am quite new to shorewall - worked a lot with isa 2004 -,

but while I found it easy to config, still i have a question:



My FW config is following:

eth0 fix ip 40/40mbs Internet

eth1 fix ip 100Mbps DMZ (192.168.100.0/24) (we host websites)

eth2 fix ip 100Mbps Local net with dhcp (192.168.101.0/24)

eth3 fix ip 100Mbps sales net with dhcp (lot less allowed than local
net) (192.168.102.0/24)

I got this config to work already.



My question begins here:

I was asked to limit the bandwidth of the users on Local and Sales
have towards and from

the Internet to 1mbps/1mbps each. (So that users dont eat the bandwidth)





Browsing the website i found the following solution:

make classes for each ip and make rules for them




(i did the tables with TAB-s, just i couldn't get it to work with my
webmail)



1. Set TC_ENABLED to Internal in shorewall.conf

2. make a tcdevices file looking like this:

#INTERFACE       IN-BANDWITH            OUT-BANDWIDTH
eth0                     40mbps                     40mbps
eth2                     100mbps                   100mbps

3. make a tcclasses file looking like this

#INTERFACE         MARK           RATE             CEIL
PRIORITY           OPTIONS
eth0                      1                   full
full             1                        default
eth2                      1                   full
full             1                        default
eth0                      2                   100kbps          1mbps       2
eth2                      2                   100kbps          1mbps       2
eth0                      3                   100kbps          1mbps       2
eth2                      3                   100kbps          1mbps       2
eth0                      4                   100kbps          1mbps       2
eth2                      4                   100kbps          1mbps       2
...

4. make a tcrules file looking like this

#MARK                SOURCE                     DESTINATION
PROTIOCOL           PORT(s)

2:F                       192.168.101.11            eth0
          all
2:F                       eth0
192.168.101.11         all
3:F                       192.168.101.12            eth0
          all
3:F                       eth0
192.168.101.12         all
4:F                       192.168.101.13            eth0
          all
4:F                       eth0
192.168.101.13         all
...



Is This configuration correct?

Becouse this means i have to create shedloads of classes!
I can have around 500 Clients in the DHCP ranges,
but in the description of the website, it is mentioned that
256 classes is the max.....


Is there any other way to do this?

thx 4 the help (in advance 8)) )

Laszlo Balogh
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

László Balogh wrote:
> Hi!
> 
> I am quite new to shorewall - worked a lot with isa 2004 -,
> but while I found it easy to config, still i have a question:
> 
> My FW config is following:
> 
> eth0 fix ip 40/40mbs Internet
> eth1 fix ip 100Mbps DMZ (192.168.100.0/24) (we host websites)
> eth2 fix ip 100Mbps Local net with dhcp (192.168.101.0/24
> eth3 fix ip 100Mbps sales net with dhcp (lot less allowed than local
> net) (192.168.102.0/24)
> 
> I got this config to work already.
> 
> My question begins here:
> 
> I was asked to limit the bandwidth of the users on Local and Sales
> have towards and from the Internet to 1mbps/1mbps each. (So that
> users dont eat the bandwidth)
HTB (the queuing discipline used by Shorewall) is ill-suited for
implementing this Draconian policy. It is rather intended to allocate
bandwidth by type of traffic rather than by individual host. SFQ is then
used within each HTB class to ensure fairness.

Limiting each user to 1mbps:

a) Makes all users suffer for the sins of a few
b) Ensures that the internet link will be under-utilized much of the time.
c) Does nothing to help when the system is really busy (more than 40
users downloading large files simultaneously).
> Browsing the website i found the following solution:
> make classes for each ip and make rules for them
>
> (i did the tables with TAB-s, just i couldn''t get it to work with
my webmail)
> 
And I''ve deleted them in my response since my mailer made them totally
unreadable.
> 
> Is This configuration correct?
No. The sum of the RATE column for each interface exceeds the
OUT-BANDWIDTH for the interface. The RATE column specifies what you
GUARANTEE each class, no matter how congested the link is, so the sum of
the numbers in that column cannot exceed the
OUT-BANDWIDTH.
> 
> Becouse this means i have to create shedloads of classes!
> I can have around 500 Clients in the DHCP ranges,
> but in the description of the website, it is mentioned that
> 256 classes is the max.....
Again, HTB in general (and Shorewall''s use of it in particular) is
ill-suited for implementing your policy. But then, your policy is a poor
one IMO.

One additional note about Shorewall traffic shaping. SFQ, by default,
assures fairness within *flows* which correspond closely to TCP
connections. So it is possible for a single user to dominate a
particular class by having many flows. You can use CONNLIMIT in your
policy and rules file to limit the number of outgoing connections that
each local station can have but a better solution would be for Shorewall
to use the *flow* classifier to cause SFQ to ensure fairness between
local systems rather than connections. Unfortunately, we have been
unable to make that classifier work correctly, but hopefully we will
have that feature available soon.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------

Hello!

> László Balogh wrote:
>> Hi!
>>
>> I am quite new to shorewall - worked a lot with isa 2004 -,
>> but while I found it easy to config, still i have a question:
>>
>> My FW config is following:
>>
>> eth0 fix ip 40/40mbs Internet
>> eth1 fix ip 100Mbps DMZ (192.168.100.0/24) (we host websites)
>> eth2 fix ip 100Mbps Local net with dhcp (192.168.101.0/24
>> eth3 fix ip 100Mbps sales net with dhcp (lot less allowed than local
>> net) (192.168.102.0/24)
>>
>> I got this config to work already.
>>
>> My question begins here:
>>
>> I was asked to limit the bandwidth of the users on Local and Sales
>> have towards and from the Internet to 1mbps/1mbps each. (So that
>> users dont eat the bandwidth)
>
> HTB (the queuing discipline used by Shorewall) is ill-suited for
> implementing this Draconian policy. It is rather intended to allocate
> bandwidth by type of traffic rather than by individual host. SFQ is then
> used within each HTB class to ensure fairness.
>
> Limiting each user to 1mbps:
>
> a) Makes all users suffer for the sins of a few
> b) Ensures that the internet link will be under-utilized much of the time.
> c) Does nothing to help when the system is really busy (more than 40
> users downloading large files simultaneously).
Well, I forgot to mention background information about the company.
We host websites that are used for webmail and client access
and having enough bandwidth for those is the primary thing.
Most of the users don't have anything to do on the internet.
Even if the users go on the net, they shouldn't be able to eat
bandwidth.

Secondary, i have to deal with private used laptops,
and there have been cases on infected hardware eating all the
bandwidth (botnet client), that is why i have to limit each user to a maximum
of bandwidth. (closing all unnecessary ports is not an option, regretfully)
>> Browsing the website i found the following solution:
>> make classes for each ip and make rules for them
>>
>> (i did the tables with TAB-s, just i couldn't get it to work with
my webmail)
>>
> And I've deleted them in my response since my mailer made them totally
> unreadable.
I will ll try to paste them again with one space between each word.

tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps

tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 full full 1 default
eth2 1 full full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2

tcrules
#MARK SOURCE DESTINATION PROTIOCOL PORT(s)
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
...

>>
>> Is This configuration correct?
>
> No. The sum of the RATE column for each interface exceeds the
> OUT-BANDWIDTH for the interface. The RATE column specifies what you
> GUARANTEE each class, no matter how congested the link is, so the sum of
> the numbers in that column cannot exceed the OUT-BANDWIDTH.
Do you mean that this works, but if more than 40 users use the 1 mbit, then
traffic shaping becomes useless, or do you mean that shorewall won't
even accept it?
We currently have about 20 workers, so i thought later i 'll adjust the
numbers.
>> Becouse this means i have to create shedloads of classes!
>> I can have around 500 Clients in the DHCP ranges,
>> but in the description of the website, it is mentioned that
>> 256 classes is the max.....
>
> Again, HTB in general (and Shorewall's use of it in particular) is
> ill-suited for implementing your policy. But then, your policy is a poor
> one IMO.
Well, it is my first go at it, i didn't expect to master it in one night.
The problem is that shorewall is already implemented. I have to
add this to it as an extra.

If u know any other sw that works beside shorewall and is better suited,
please write and url.
> One additional note about Shorewall traffic shaping. SFQ, by default,
> assures fairness within *flows* which correspond closely to TCP
> connections. So it is possible for a single user to dominate a
> particular class by having many flows. You can use CONNLIMIT in your
> policy and rules file to limit the number of outgoing connections that
> each local station can have but a better solution would be for Shorewall
> to use the *flow* classifier to cause SFQ to ensure fairness between
> local systems rather than connections. Unfortunately, we have been
> unable to make that classifier work correctly, but hopefully we will
> have that feature available soon.
(TT_TT) My boss wouldn't be able to digest that he can only have x
pieces of net connections, plus we have software that opens a lot of
connections to the net (while not eating much bandwidth.).

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
Thx 4 your answer

Laszlo Balogh

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

László Balogh wrote:
> Well, I forgot to mention background information about the company.
> We host websites that are used for webmail and client access
> and having enough bandwidth for those is the primary thing.
> Most of the users don''t have anything to do on the internet.
> Even if the users go on the net, they shouldn''t be able to eat
> bandwidth.
> 
> Secondary, i have to deal with private used laptops,
> and there have been cases on infected hardware eating all the
> bandwidth (botnet client), that is why i have to limit each user to a
maximum
> of bandwidth. (closing all unnecessary ports is not an option, regretfully)
Then Shorewall''s traffic shaping does not offer you a workable
solution.
> 
>>> Browsing the website i found the following solution:
>>> make classes for each ip and make rules for them
>>>
>>> (i did the tables with TAB-s, just i couldn''t get it to
work with my webmail)
>>>
>> And I''ve deleted them in my response since my mailer made them
totally
>> unreadable.
> 
> I will ll try to paste them again with one space between each word.
> 
> tcdevices
> #INTERFACE IN-BANDWITH OUT-BANDWIDTH
> eth0 40mbps 40mbps
> eth2 100mbps 100mbps
> 
> tcclasses
> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> eth0 1 full full 1 default
> eth2 1 full full 1 default
> eth0 2 100kbps 1mbps 2
> eth2 2 100kbps 1mbps 2
> eth0 3 100kbps 1mbps 2
> eth2 3 100kbps 1mbps 2
> eth0 4 100kbps 1mbps 2
> eth2 4 100kbps 1mbps 2
> 
> tcrules
> #MARK SOURCE DESTINATION PROTIOCOL PORT(s)
> 2:F 192.168.101.11 eth0 all
> 2:F eth0 192.168.101.11 all
> 3:F 192.168.101.12 eth0 all
> 3:F eth0 192.168.101.12 all
> 4:F 192.168.101.13 eth0 all
> 4:F eth0 192.168.101.13 all
> ...
> 
> 
>>> Is This configuration correct?
>> No. The sum of the RATE column for each interface exceeds the
>> OUT-BANDWIDTH for the interface. The RATE column specifies what you
>> GUARANTEE each class, no matter how congested the link is, so the sum
of
>> the numbers in that column cannot exceed the OUT-BANDWIDTH.
> 
> Do you mean that this works, but if more than 40 users use the 1 mbit, then
> traffic shaping becomes useless, or do you mean that shorewall
won''t
> even accept it?
No -- I mean this won''t work at all. You are guaranteeing ALL OF THE
BANDWIDTH to the default class (''full'' in the RATE column). So
there is
none left over for the other classes. When HTB is configured like this,
it just plain doesn''t work.
> 
> If u know any other sw that works beside shorewall and is better suited,
> please write and url.
I know of no good solution on Linux that scales to 100s of internal systems.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------

Hello again!

Well, I forgot to mention background information about the company.
We host websites that are used for webmail and client access
and having enough bandwidth for those is the primary thing.
Most of the users don''t have anything to do on the internet.
Even if the users go on the net, they shouldn''t be able to eat
bandwidth.

Secondary, i have to deal with private used laptops,
and there have been cases on infected hardware eating all the
bandwidth (botnet client), that is why i have to limit each user to a maximum
of bandwidth. (closing all unnecessary ports is not an option, regretfully)

Then Shorewall''s traffic shaping does not offer you a workable
solution.

Ok, I think I get what you are suggesting.  But if  I make  one class
per subnet (for eaxmple sales),

then it would work, not? (Saying I don''t care about how the bandwidth
gets divided in a subnet)

Browsing the website i found the following solution:
make classes for each ip and make rules for them

(i did the tables with TAB-s, just i couldn''t get it to work with my
webmail)

And I''ve deleted them in my response since my mailer made them totally
unreadable.

I will ll try to paste them again with one space between each word.

tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps

Ok, I updated the tcclasses table

tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 10mbps full 1 default
eth2 1 10mbps full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2

tcrules
#MARK SOURCE DESTINATION PROTIOCOL PORT(s)
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
...

Is This configuration correct?

No. The sum of the RATE column for each interface exceeds the
OUT-BANDWIDTH for the interface. The RATE column specifies what you
GUARANTEE each class, no matter how congested the link is, so the sum of
the numbers in that column cannot exceed the OUT-BANDWIDTH.

Do you mean that this works, but if more than 40 users use the 1 mbit, then
traffic shaping becomes useless, or do you mean that shorewall won''t
even accept it?

No -- I mean this won''t work at all. You are guaranteeing ALL OF THE
BANDWIDTH to the default class (''full'' in the RATE column). So
there is
none left over for the other classes. When HTB is configured like this,
it just plain doesn''t work.

So if I keep the bandwidth of all the classes under 40Mbps(in my case)

then it would work. 

If u know any other sw that works beside shorewall and is better suited,
please write and url.

I know of no good solution on Linux that scales to 100s of internal systems.

-Tom

I am thinking about keeping about 30 classes for tha local net, 

(dhcp is configured to serve these adresses first and we have

like 15-20 many clients today)

and one class for the sales net.

The rates would be:

30*100kbps=~ 3mbps for local net

10mbps for deafult

1mbps for sales

and i am still under 40mbps.

rule 1 for default

rule 2-31 for local

rule 32 for sales net

tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps

tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 10mbps full 1 default
eth2 1 10mbps full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2
...
eth0 31 100kbps 1mbps 2
eth2 31 100kbps 1mbps 2
eth0 32 1mbps 5mbps 3
eth0 32 1mbps 5mbps 3

tcrules
#MARK SOURCE DESTINATION PROTIOCOL PORT(s)
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
... 
31:F 192.168.101.40 eth0 all
31:F eth0 192.168.101.40 all
32:F 192.168.102.0/24 eth0 all
32:F eth0 192.168.102.0/24 all

So do I get it right this time?

Laszlo Balogh

P.S.: sorry for my thickheadedness, 
and thank you for your patience

--===============7960839951841045184=Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

------------------------------------------------------------------------------

--===============7960839951841045184=Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Balogh László wrote:
> Ok, I think I get what you are suggesting.  But if  I make  one class
> per subnet (for eaxmple sales),
> then it would work, not? (Saying I don''t care about how the
bandwidth
> gets divided in a subnet)
> 
That will work.
> So if I keep the bandwidth of all the classes under 40Mbps(in my case)
> then it would work.
The sum of the RATEs for eth0 must be less than or equal to 40Mpbs.
> I am thinking about keeping about 30 classes for tha local net,
> (dhcp is configured to serve these adresses first and we have
> like 15-20 many clients today)
> and one class for the sales net.
> 
> The rates would be:
> 30*100kbps=~ 3mbps for local net
> 10mbps for deafult
> 1mbps for sales
> 
> and i am still under 40mbps.
>
> rule 1 for default
> rule 2-31 for local
> rule 32 for sales net
rule 1 - RESTORE connection mark
rule 2 - CONTINUE if mark is non-zero
rule 3 - for default
rule 4-33 - for local
rule 34 for sales net
rule 35 SAVE
> 
> tcdevices
> #INTERFACE IN-BANDWITH OUT-BANDWIDTH
> eth0 40mbps 40mbps
> eth2 100mbps 100mbps
> 
> tcclasses
> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> eth0 1 10mbps full 1 default
> eth2 1 10mbps full 1 default
> eth0 2 100kbps 1mbps 2
> eth2 2 100kbps 1mbps 2
> eth0 3 100kbps 1mbps 2
> eth2 3 100kbps 1mbps 2
> eth0 4 100kbps 1mbps 2
> eth2 4 100kbps 1mbps 2
> ...
> eth0 31 100kbps 1mbps 2
> eth2 31 100kbps 1mbps 2
> eth0 32 1mbps 5mbps 3
> eth0 32 1mbps 5mbps 3
> 
> tcrules
> #MARK SOURCE DESTINATION PROTIOCOL PORT(s)
> 2:F 192.168.101.11 eth0 all
> 2:F eth0 192.168.101.11 all
> 3:F 192.168.101.12 eth0 all
> 3:F eth0 192.168.101.12 all
> 4:F 192.168.101.13 eth0 all
> 4:F eth0 192.168.101.13 all
> ... 
> 31:F 192.168.101.40 eth0 all
> 31:F eth0 192.168.101.40 all
> 32:F 192.168.102.0/24 eth0 all
> 32:F eth0 192.168.102.0/24 all
> 
See my suggestion above.
>  
> So do I get it right this time?
> 
Getting close.

-Tom
-- 
Tom Eastep    \ The ultimate result of shielding men from the effects of
Shoreline,     \ folly is to fill the world with fools.
Washington, USA \                                     -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net



------------------------------------------------------------------------------

Hello again!

I looked up the

Packet Marking using /etc/shorewall/tcrules

section on the website, to understand the

RESTORE CONTINUE SAVE part that you
mentioned , so i try to correct my tcrules config.
> rule 1 - RESTORE connection mark
> rule 2 - CONTINUE if mark is non-zero
> rule 3 - for default
> rule 4-33 - for local
> rule 34 for sales net
> rule 35 SAVE
>
> >
> > tcdevices
> > #INTERFACE IN-BANDWITH OUT-BANDWIDTH
> > eth0 40mbps 40mbps
> > eth2 100mbps 100mbps
> >
> > tcclasses
> > #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> > eth0 1 10mbps full 1 default
> > eth2 1 10mbps full 1 default
> > eth0 2 100kbps 1mbps 2
> > eth2 2 100kbps 1mbps 2
> > eth0 3 100kbps 1mbps 2
> > eth2 3 100kbps 1mbps 2
> > eth0 4 100kbps 1mbps 2
> > eth2 4 100kbps 1mbps 2
> > ...
> > eth0 31 100kbps 1mbps 2
> > eth2 31 100kbps 1mbps 2
> > eth0 32 1mbps 5mbps 3
> > eth0 32 1mbps 5mbps 3
> >
> > tcrules
> > #MARK SOURCE DESTINATION PROTIOCOL PORT(s)
> > 2:F 192.168.101.11 eth0 all
> > 2:F eth0 192.168.101.11 all
> > 3:F 192.168.101.12 eth0 all
> > 3:F eth0 192.168.101.12 all
> > 4:F 192.168.101.13 eth0 all
> > 4:F eth0 192.168.101.13 all
> > ...
> > 31:F 192.168.101.40 eth0 all
> > 31:F eth0 192.168.101.40 all
> > 32:F 192.168.102.0/24 eth0 all
> > 32:F eth0 192.168.102.0/24 all
> >

So I corrected it to the following:

#MARK    SOURCE          DEST            PROTO   PORT(S) CLIENT  USER
  TEST    LENGTH  TOS
#
RESTORE 0.0.0.0/0 0.0.0.0/0 all
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
...
31:F 192.168.101.40 eth0 all
31:F eth0 192.168.101.40 all
32:F 192.168.102.0/24 eth0 all
32:F eth0 192.168.102.0/24 all
SAVE 0.0.0.0/0 0.0.0.0/0 all

Although... I don''t know if I surely understand what I have done
here....
Does it mean that the first rule (restore)resets the mark to zero so that the
bandwidth management rules can process it, and the last rule (SAVE) hardwires
this mark into the remaining packets of the connection, so that those packets
don''t get processed by the by the bandwidth control rules anymore,
couse of the second (continue) rule?

Or is it that the rest of the packets get their mark reseted to zero every time
they arrive on the $FW? Why use Save then?

I hope I am getting closer.

Laszlo Balogh

------------------------------------------------------------------------------

László Balogh wrote:
> 
> So I corrected it to the following:
> 
> #MARK    SOURCE          DEST            PROTO   PORT(S) CLIENT  USER
>   TEST    LENGTH  TOS
> #
> RESTORE 0.0.0.0/0 0.0.0.0/0 all
RESTORE:F 0.0.0.0/0 0.0.0.0/0 # RESTORE ANY MARK PREVIOUSLY SAVED BELOW
                              # IF THERE WAS SUCH A MARK, IT IS NOW
                              # THE PACKET''S MARK
> CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 # IF THE PACKET IS NOW MARKED,

                                          # DON''T RUN THE CHAIN OF
                                          # RULES AGAIN
> 2:F 192.168.101.11 eth0 all
> 2:F eth0 192.168.101.11 all
> 3:F 192.168.101.12 eth0 all
> 3:F eth0 192.168.101.12 all
> 4:F 192.168.101.13 eth0 all
> 4:F eth0 192.168.101.13 all
> ...
> 31:F 192.168.101.40 eth0 all
> 31:F eth0 192.168.101.40 all
> 32:F 192.168.102.0/24 eth0 all
> 32:F eth0 192.168.102.0/24 all
> SAVE 0.0.0.0/0 0.0.0.0/0 all
SAVE:F 0.0.0.0/0 0.0.0.0/0     # SAVE THE MARK WE MADE ON THIS PACKET IN

                               # IN THE CONNECTION SO THAT WE DON''T
HAVE
                               # TO PASS *EVERY PACKET IN THE
                               # CONNECTION* THROUGH THE SAME SET OF 64
                               # RULES!!!

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------

Tom Eastep wrote:
> 
> CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 # IF THE PACKET IS NOW MARKED,
>                                           # DON''T RUN THE CHAIN OF
>                                           # RULES AGAIN
CONTINUE s/b CONTINUE:F

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------

Hello!

About the TC configuration.

I had some debugging to do,
the tc files didn''t accept mbps and kbps
bandwidths. kbit works.

I run it on ubuntu 8.04, and my version
number is:
4.0.12


Laszlo Balogh

Tom Eastep írta:
> Tom Eastep wrote:
>   
>> CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 # IF THE PACKET IS NOW
MARKED,
>>                                           # DON''T RUN THE
CHAIN OF
>>                                           # RULES AGAIN
>>     
>
> CONTINUE s/b CONTINUE:F
>
> -Tom
>   
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>   

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com

Balogh László wrote:
> Hello!
> 
> About the TC configuration.
> 
> I had some debugging to do,
> the tc files didn''t accept mbps and kbps
> bandwidths. kbit works.
> 
> I run it on ubuntu 8.04, and my version
> number is:
> 4.0.12
Shorewall-shell or Shorewall-perl?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com

Shorewall-shell 4.0.12

The debian package

Laszlo Balogh

Tom Eastep írta:

Balogh László wrote:

Hello!

About the TC configuration.

I had some debugging to do,
the tc files didn''t accept mbps and kbps
bandwidths. kbit works.

I run it on ubuntu 8.04, and my version
number is:
4.0.12

Shorewall-shell or Shorewall-perl?

-Tom

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p