Shorewall users - Jan 2012 - shorewall 4.4.27-1.el5 on 2.6.18-238.19.1.el5

Hi, first of all thanks for excelent shorewall sw, which makes my job a little
bit easier. I have a problem with traffic shaping. I would like to shape http
traffic and I''m testing the shaping from local host 192.168.1.10 by
this command "wget
http://ftp.cvut.cz/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-bin-DVD1.iso",
but unfortunately I''m on the full speed of 10/10mbit link. Can you
please have a look to my status.txt where should be a problem. Thank you!

Kind Regards,
Pavel Hladik



------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox

On Fri, 2012-01-06 at 15:18 +0100, Pavel Hladík wrote:
> Hi, first of all thanks for excelent shorewall sw, which makes my job a
little bit easier. I have a problem with traffic shaping. I would like to shape
http traffic and I''m testing the shaping from local host 192.168.1.10
by this command "wget
http://ftp.cvut.cz/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-bin-DVD1.iso",
but unfortunately I''m on the full speed of 10/10mbit link. Can you
please have a look to my status.txt where should be a problem. Thank you!
The wget command is used to *download* from a web site. Download traffic
cannot be shaped unless you use an IFB. All you can do is ingress
policing by using the IN-BANDWIDTH column of tcdevices.

Also, you have the following mark rules:

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 MARK       80   --  *      *       0.0.0.0/0
0.0.0.0/0           MARK set 0x1 
79910   67M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0           MARK set 0x2 

Download traffic has PROTO 6 (TCP) and SOURCE PORT 80; you have PROTO
80.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox

Thanks for quick response.

I already corrected the tcrules file, but it doesn''t work as well. Wget
command, at my example, connect exactly port 80 on TCP protocol. Why I cannot
shape incoming (downloading) HTTP traffic by HTB from remote server? I was doing
this shaping years ago directly by tc tool, but shorewall is more
"comfy". Shaping HTTP traffic is main purpose why most people want to
shape, FTP is next adept. :)

Is any chance to shape traffic with shorewall like downloading file from web
server for 10sec with full speed of link and than apply shaping rules? It is
very useful.

Pavel

On Jan 6, 2012, at 4:18 PM, Tom Eastep wrote:
> On Fri, 2012-01-06 at 15:18 +0100, Pavel Hladík wrote:
>> Hi, first of all thanks for excelent shorewall sw, which makes my job a
little bit easier. I have a problem with traffic shaping. I would like to shape
http traffic and I''m testing the shaping from local host 192.168.1.10
by this command "wget
http://ftp.cvut.cz/centos/6.2/isos/x86_64/CentOS-6.2-x86_64-bin-DVD1.iso",
but unfortunately I''m on the full speed of 10/10mbit link. Can you
please have a look to my status.txt where should be a problem. Thank you!
> 
> The wget command is used to *download* from a web site. Download traffic
> cannot be shaped unless you use an IFB. All you can do is ingress
> policing by using the IN-BANDWIDTH column of tcdevices.
> 
> Also, you have the following mark rules:
> 
> Chain tcfor (1 references)
> pkts bytes target     prot opt in     out     source
> destination         
>    0     0 MARK       80   --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK set 0x1 
> 79910   67M MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK set 0x2 
> 
> Download traffic has PROTO 6 (TCP) and SOURCE PORT 80; you have PROTO
> 80.
> 
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
> 
>
------------------------------------------------------------------------------
> Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
> infrastructure or vast IT resources to deliver seamless, secure access to
> virtual desktops. With this all-in-one solution, easily deploy virtual 
> desktops for less than the cost of PCs and save 60% on VDI infrastructure 
> costs. Try it free!
http://p.sf.net/sfu/Citrix-VDIinabox_______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don''t need a
complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox