Hi,

I've been using shorewall for quite some time for simple firewalling in a host with one interface to the internet and 3 to different internal networks.

The internet port is connected to my provider switch and I get symmetrical 2mbps service from them. I have installed an asterisk box /beside/ the firewall, that is, connected to the same switch as the external interface of my firewall (with a different IP address, obviously).

I'd like to prevent our internal hosts from hogging the internet link and warrant about 250kbps to the asterisk host (give or take a few kbps). I don't think I can take much of shorewall's traffic shaping since the asterisk host is outside the reach of the firewall. However, I don't mind underusing the link a bit.

So my plain need would be to limit all traffic coming in from or going out to eth0 (the internet leg of the firewall) to 1.75mbps.

If I understand some of what is in http://www.shorewall.net/simple_traffic_shaping.html and http://www.shorewall.net/manpages/shorewall-tcinterfaces.html it is easy to somehow limit INCOMING traffic (simply enabling "TC_ENABLED=Simple" in shorewall.conf and using a line like "eth0 external 1750kbit" in tcinterfaces). That would solve 75% of my requirement (since I usually, but not always, have more incoming than outgoing traffic). I just upgraded from 4.2.2 to 4.4.11.1 in order to be able to use simple traffic shaping.

Anyway, I'd like to know if what I did is somehow reasonable and if there's also a way to limit outgoing bandwidth.

I have a kind of plan b but I don't like it very much. Chances are that high outgoing traffic originates in either eth3 or, less likely, eth1. I might do the same trick on eth3, but that would also limit internal eth3/eth2 traffic from 100mbps to 1.7mbps...

Any help would be appreciated.
--
Mariano Absatz - El Baby
www.clueless.com.ar

------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
On 8/7/10 6:42 AM, Mariano Absatz wrote:
> Anyway, I'd like to know if what I did is somehow reasonable and if
> there's also a way to limit outgoing bandwidth.

Not with simple traffic shaping. Here's the problem.

Simple traffic shaping breaks the traffic into three priority classes and then uses 3 SFQ qdiscs to ensure fairness within each class. When there is outbound congestion, the high priority class gets priority over the second highest and so on.

The way that Linux traffic shaping works, we would have to limit the overall traffic bandwidth *before* breaking it into classes. While that would work as far as bandwidth-limiting goes, it would break the prioritization since the three priority classes would never see any congestion (the limiting would ensure that). If we were to limit *after* breaking the traffic into classes, we would need three separate limits -- one for each class.

But using complex traffic shaping, it is easy to do what you want.

a) Specify the limit you want in the OUT-BANDWIDTH column for your outgoing interface.

b) Define a single default class that can use all of that limit.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Sat, Aug 7, 2010 at 11:39, Tom Eastep <teastep@shorewall.net> wrote:
> But using complex traffic shaping, it is easy to do what you want.
>
> a) Specify the limit you want in the OUT-BANDWIDTH column for your
> outgoing interface.
>
> b) Define a single default class that can use all of that limit.
>

So... if I put back in shorewall.conf the:

    TC_ENABLED=Internal

line and put into tcdevices:

    1:eth0 1750kbit 1750kbit

and into tcclasses:

    eth0 - FULL FULL 3 default

that would be enough?

--
Mariano Absatz - El Baby
www.clueless.com.ar
On 8/8/10 6:23 AM, Mariano Absatz wrote:
> On Sat, Aug 7, 2010 at 11:39, Tom Eastep <teastep@shorewall.net
> <mailto:teastep@shorewall.net>> wrote:
>> But using complex traffic shaping, it is easy to do what you want.
>>
>> a) Specify the limit you want in the OUT-BANDWIDTH column for your
>> outgoing interface.
>>
>> b) Define a single default class that can use all of that limit.
>>
> So... if I put back in shorewall.conf the:
>
>     TC_ENABLED=Internal
>
> line and put into tcdevices:
>
>     1:eth0 1750kbit 1750kbit
>
> and into tcclasses:
>
>     eth0 - FULL FULL 3 default
>
> that would be enough?

a) Don't capitalize 'full'. This is Unix -- everything is case-sensitive.

b) I would put full/2 in the RATE column, just to be safe. Since there is only one class, there is no need to guarantee any more.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Sun, Aug 8, 2010 at 11:29, Tom Eastep <teastep@shorewall.net> wrote:
> On 8/8/10 6:23 AM, Mariano Absatz wrote:
> > On Sat, Aug 7, 2010 at 11:39, Tom Eastep <teastep@shorewall.net
> > <mailto:teastep@shorewall.net>> wrote:
> >> But using complex traffic shaping, it is easy to do what you want.
> >>
> >> a) Specify the limit you want in the OUT-BANDWIDTH column for your
> >> outgoing interface.
> >>
> >> b) Define a single default class that can use all of that limit.
> >>
> > So... if I put back in shorewall.conf the:
> >
> >     TC_ENABLED=Internal
> >
> > line and put into tcdevices:
> >
> >     1:eth0 1750kbit 1750kbit
> >
> > and into tcclasses:
> >
> >     eth0 - FULL FULL 3 default
> >
> > that would be enough?
>
> a) Don't capitalize 'full'. This is Unix -- everything is
> case-sensitive.
> b) I would put full/2 in the RATE column, just to be safe. Since there
> is only one class, there is no need to guarantee any more.
>

Excellent... I don't know where I got the upper-case 'FULL' from.

Thanks a lot for your help, Tom.

--
Mariano Absatz - El Baby
www.clueless.com.ar
On Sun, Aug 8, 2010 at 11:29, Tom Eastep <teastep@shorewall.net> wrote:
> On 8/8/10 6:23 AM, Mariano Absatz wrote:
>> On Sat, Aug 7, 2010 at 11:39, Tom Eastep <teastep@shorewall.net
>> <mailto:teastep@shorewall.net>> wrote:
>>> But using complex traffic shaping, it is easy to do what you want.
>>>
>>> a) Specify the limit you want in the OUT-BANDWIDTH column for your
>>> outgoing interface.
>>>
>>> b) Define a single default class that can use all of that limit.
>>>
>> So... if I put back in shorewall.conf the:
>>
>>     TC_ENABLED=Internal
>>
>> line and put into tcdevices:
>>
>>     1:eth0 1750kbit 1750kbit
>>
>> and into tcclasses:
>>
>>     eth0 - FULL FULL 3 default
>>
>> that would be enough?
>
> a) Don't capitalize 'full'. This is Unix -- everything is
> case-sensitive.
> b) I would put full/2 in the RATE column, just to be safe. Since there
> is only one class, there is no need to guarantee any more.

Well, apparently using "-" for the MARK field in tcclasses is an error in this context:

    ERROR: Missing MARK : /etc/shorewall/tcclasses (line 11)

I changed that field to a "1".

Do I have to add the tcrules file? I wrote one like this:

    1 0.0.0.0/0 0.0.0.0/0 all

but shorewall compiles everything with it and without it also.

--
Mariano Absatz - El Baby
www.clueless.com.ar
On 8/9/10 5:17 AM, Mariano Absatz wrote:
> On Sun, Aug 8, 2010 at 11:29, Tom Eastep <teastep@shorewall.net> wrote:
>> On 8/8/10 6:23 AM, Mariano Absatz wrote:
>>> On Sat, Aug 7, 2010 at 11:39, Tom Eastep <teastep@shorewall.net
>>> <mailto:teastep@shorewall.net>> wrote:
>>>> But using complex traffic shaping, it is easy to do what you want.
>>>>
>>>> a) Specify the limit you want in the OUT-BANDWIDTH column for your
>>>> outgoing interface.
>>>>
>>>> b) Define a single default class that can use all of that limit.
>>>>
>>> So... if I put back in shorewall.conf the:
>>>
>>>     TC_ENABLED=Internal
>>>
>>> line and put into tcdevices:
>>>
>>>     1:eth0 1750kbit 1750kbit
>>>
>>> and into tcclasses:
>>>
>>>     eth0 - FULL FULL 3 default
>>>
>>> that would be enough?
>>
>> a) Don't capitalize 'full'. This is Unix -- everything is
>> case-sensitive.
>> b) I would put full/2 in the RATE column, just to be safe. Since there
>> is only one class, there is no need to guarantee any more.
>
> Well, apparently using "-" for the MARK field in tcclasses is an error
> in this context:
>     ERROR: Missing MARK : /etc/shorewall/tcclasses (line 11)
> I changed that field to a "1".

You could have also specified the 'classify' option for the interface.

>
> Do I have to add the tcrules file? I wrote one like this:
>     1 0.0.0.0/0 0.0.0.0/0 all

There is no need to mark any packets if you have specified 'default' for the class.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
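The configuration this thread converges on (Tom's two-step recipe for complex shaping, the lowercase 'full' and full/2 RATE advice, and the MARK-versus-'classify' exchange in the last two messages) is short enough to write down and sanity-check before running it. The POSIX shell script below is an added example, not code from the thread or from the Shorewall project: it writes the three files into a scratch directory, rejects the two mistakes that came up on the list (an upper-case FULL rate, and a '-' MARK on an interface whose tcdevices entry lacks 'classify'), and resolves 'full/2' against the 1750kbit OUT-BANDWIDTH so the guaranteed rate is visible. The column layouts, the accepted unit suffixes and the "1 mbit = 1000 kbit" arithmetic are assumptions taken from the thread and from tc's decimal units; the real files live in /etc/shorewall and 'shorewall check' remains the authoritative validator.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# Writes the complex-shaping files the thread ends up with into a scratch
# directory and checks tcclasses for the two mistakes that came up on the list:
# an upper-case FULL rate and a '-' MARK on an interface without 'classify'.
# Assumed column layouts (from the thread):
#   tcdevices: INTERFACE IN-BANDWIDTH OUT-BANDWIDTH [OPTIONS]
#   tcclasses: INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]
# Real files live in /etc/shorewall; 'shorewall check' remains the authority.

SCRATCH="${SCRATCH:-$(mktemp -d)}"   # constructed location for the demo

# The three files as Tom and Mariano settled on them: lowercase 'full',
# full/2 as the guaranteed RATE, and a numeric MARK.
write_configs() {
    printf 'TC_ENABLED=Internal\n' > "$SCRATCH/shorewall.conf"
    printf '1:eth0 1750kbit 1750kbit\n' > "$SCRATCH/tcdevices"
    printf 'eth0 1 full/2 full 3 default\n' > "$SCRATCH/tcclasses"
}

# 0 if a RATE/CEIL token is one of the forms assumed valid here: lowercase
# 'full', 'full/N' (N >= 1), or digits followed by kbit/kbps/mbit/mbps.
# 'FULL' is rejected, as Tom pointed out: everything is case-sensitive.
rate_ok() {
    case "$1" in
        full) return 0 ;;
        full/*) n=${1#full/} ;;
        *kbit|*kbps|*mbit|*mbps) n=${1%????} ;;
        *) return 1 ;;
    esac
    case "$n" in ''|0|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# 0 if tcdevices ($2) gives the 'classify' option for interface $1; then a
# '-' MARK is acceptable, which is the alternative Tom mentioned.
has_classify() {
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        { iface = $1; sub(/^[0-9]+:/, "", iface)
          if (iface == want && $4 ~ /(^|,)classify(,|$)/) found = 1 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# Validate tcclasses ($1) against tcdevices ($2). Returns 0 when clean,
# 1 after printing one ERROR line per problem, in the spirit of the
# "ERROR: Missing MARK" that the compiler printed for Mariano.
check_tcclasses() {
    status=0
    while read -r iface mark rate ceil prio opts; do
        case "$iface" in ''|\#*) continue ;; esac
        if [ "$mark" = "-" ] && ! has_classify "$iface" "$2"; then
            echo "ERROR: Missing MARK for $iface (set a mark or add 'classify' in tcdevices)" >&2
            status=1
        fi
        for tok in "$rate" "$ceil"; do
            rate_ok "$tok" || {
                echo "ERROR: bad rate '$tok' for $iface (use lowercase full, full/N or e.g. 875kbit)" >&2
                status=1
            }
        done
        case "$prio" in
            ''|*[!0-9]*) echo "ERROR: bad PRIORITY '$prio' for $iface" >&2; status=1 ;;
        esac
    done < "$1"
    return $status
}

# Resolve a RATE/CEIL token ($2) against OUT-BANDWIDTH ($1), in kbit/s, so
# you can see what full/2 actually guarantees. Assumes 1 mbit = 1000 kbit.
resolve_kbit() {
    case "$1" in
        *mbit|*mbps) out_k=$(( ${1%????} * 1000 )) ;;
        *kbit|*kbps) out_k=${1%????} ;;
        *) return 1 ;;
    esac
    case "$2" in
        full) echo "$out_k" ;;
        full/*) echo $(( out_k / ${2#full/} )) ;;
        *mbit|*mbps) echo $(( ${2%????} * 1000 )) ;;
        *kbit|*kbps) echo "${2%????}" ;;
        *) return 1 ;;
    esac
}

write_configs
if check_tcclasses "$SCRATCH/tcclasses" "$SCRATCH/tcdevices"; then
    echo "tcclasses OK: default class gets $(resolve_kbit 1750kbit full/2) kbit/s guaranteed," \
         "ceiling $(resolve_kbit 1750kbit full) kbit/s, on eth0"
fi
```

Run it as-is to see the clean result; feed it the line Mariano first posted ('eth0 - FULL FULL 3 default') together with the tcdevices line without 'classify' and it reports both the missing MARK and the rejected FULL, which is exactly what the two replies above corrected.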