Shorewall users - Nov 2013 - Help with Shorewall Traffic Shaping

Hi,

i am using shorewall 4.5.21.3 on CentOS 6.4. i have a two interface
firewall, one wan and the another lan.

the firewall is doing masquerading for the lan, i am trying to setup some
QoS policies however finding it difficult to work.

Also i need some advise and better explanation, according to the LARTC docs
qos policies used be applied to the interface connection to the network,
(AKA LAN Interface?). i see that from the examples from shorewall man pages
that you use the WAN interface. which is better and why?

here is my current config, when specifying ports sport 80 or 443 traffic
not going to the specified class however removing the ports and just
specifying any traffic it works...i''ve also tried swaping about SPORT
and
DPORT..



WAN=eth1
LAN=eth0

/etc/shorewall/shorewall.conf

MARK_IN_FORWARD_CHAIN=yes

/etc/shorewall/tcdevices

###############################################################################
#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
#INTERFACE                                                      INTERFACES
eth0            7mbps           7mbps

/etc/shorewall/tcclasses

###############################################################################
#INTERFACE:CLASS        MARK    RATE:           CEIL    PRIORITY
 OPTIONS
#                               DMAX:UMAX
eth0                    2       120kbps         130kbps 1
eth0                    10      50kbps          55kbps  10
 default


/etc/shorewall/tcrules

##########################################################################################################################################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE  USER
 TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
#                                               PORT(S) PORT(S)
2       0.0.0.0/0       0.0.0.0/0       tcp     21
2       0.0.0.0/0       0.0.0.0/0       tcp     80,443



Shorewall 4.5.21.3 Traffic Control at localhost.localdomain - Sun Nov 10
09:35:39 SAST 2013

Chain PREROUTING (policy ACCEPT 7058 packets, 4799K bytes)
 pkts bytes target     prot opt in     out     source
destination
 7058 4799K tcpre      all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain INPUT (policy ACCEPT 992 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source
destination
  992  105K tcin       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain FORWARD (policy ACCEPT 6066 packets, 4694K bytes)
 pkts bytes target     prot opt in     out     source
destination
 6066 4694K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0           MARK and 0xffffff00
 6066 4694K tcfor      all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 415 packets, 114K bytes)
 pkts bytes target     prot opt in     out     source
destination
  415  114K tcout      all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 6481 packets, 4808K bytes)
 pkts bytes target     prot opt in     out     source
destination
 6481 4808K tcpost     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source
destination
   31  1496 MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:21 MARK set 0x2
 1663 99141 MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           multiport dports 80,443 MARK set 0x2

Chain tcin (1 references)
 pkts bytes target     prot opt in     out     source
destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source
destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source
destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source
destination

Device eth0:
qdisc htb 1: root refcnt 2 r2q 280 default 110 direct_packets_stat 0 ver
3.17
 Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 6844 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 2: parent 1:12 limit 127p quantum 1500b flows 127/1024 perturb
10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 3: parent 1:110 limit 127p quantum 1500b flows 127/1024 perturb
10sec
 Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 156423 bytes 2598 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

class htb 1:110 parent 1:1 leaf 3: prio 7 quantum 1500 rate 400000bit ceil
440000bit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead
0b level 0
 Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
 rate 430520bit 38pps backlog 0b 0p requeues 0
 lended: 3156 borrowed: 307 giants: 0
 tokens: 477500 ctokens: 434078

class htb 1:1 root rate 56000Kbit ceil 56000Kbit burst 1589b/8 mpu 0b
overhead 0b cburst 1589b/8 mpu 0b overhead 0b level 7
 Sent 4538948 bytes 3463 pkt (dropped 0, overlimits 0 requeues 0)
 rate 436024bit 38pps backlog 0b 0p requeues 0
 lended: 307 borrowed: 0 giants: 0
 tokens: 3406 ctokens: 3406

class htb 1:12 parent 1:1 leaf 2: prio 1 quantum 1500 rate 960000bit ceil
1040Kbit burst 1599b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b
level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 208328 ctokens: 192296


Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1
1 1 1 1
 Sent 12772642 bytes 159778 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0


------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Hi,

anyone that can maybe assist?

Thanks


On Sun, Nov 10, 2013 at 9:39 AM, JC Putter <jcputter@gmail.com> wrote:
> Hi,
>
> i am using shorewall 4.5.21.3 on CentOS 6.4. i have a two interface
> firewall, one wan and the another lan.
>
> the firewall is doing masquerading for the lan, i am trying to setup some
> QoS policies however finding it difficult to work.
>
> Also i need some advise and better explanation, according to the LARTC
> docs qos policies used be applied to the interface connection to the
> network, (AKA LAN Interface?). i see that from the examples from shorewall
> man pages that you use the WAN interface. which is better and why?
>
> here is my current config, when specifying ports sport 80 or 443 traffic
> not going to the specified class however removing the ports and just
> specifying any traffic it works...i''ve also tried swaping about
SPORT and
> DPORT..
>
>
>
> WAN=eth1
> LAN=eth0
>
> /etc/shorewall/shorewall.conf
>
> MARK_IN_FORWARD_CHAIN=yes
>
> /etc/shorewall/tcdevices
>
>
>
###############################################################################
> #NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
> #INTERFACE                                                      INTERFACES
> eth0            7mbps           7mbps
>
> /etc/shorewall/tcclasses
>
>
>
###############################################################################
> #INTERFACE:CLASS        MARK    RATE:           CEIL    PRIORITY
>  OPTIONS
> #                               DMAX:UMAX
> eth0                    2       120kbps         130kbps 1
> eth0                    10      50kbps          55kbps  10
>  default
>
>
> /etc/shorewall/tcrules
>
>
>
##########################################################################################################################################
> #ACTION SOURCE          DEST            PROTO   DEST    SOURCE  USER
>  TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
> #                                               PORT(S) PORT(S)
> 2       0.0.0.0/0       0.0.0.0/0       tcp     21
> 2       0.0.0.0/0       0.0.0.0/0       tcp     80,443
>
>
>
> Shorewall 4.5.21.3 Traffic Control at localhost.localdomain - Sun Nov 10
> 09:35:39 SAST 2013
>
> Chain PREROUTING (policy ACCEPT 7058 packets, 4799K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  7058 4799K tcpre      all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 992 packets, 105K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>   992  105K tcin       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 6066 packets, 4694K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  6066 4694K MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK and 0xffffff00
>  6066 4694K tcfor      all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 415 packets, 114K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>   415  114K tcout      all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 6481 packets, 4808K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  6481 4808K tcpost     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain tcfor (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>    31  1496 MARK       tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:21 MARK set 0x2
>  1663 99141 MARK       tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           multiport dports 80,443 MARK set 0x2
>
> Chain tcin (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain tcpost (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain tcpre (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Device eth0:
> qdisc htb 1: root refcnt 2 r2q 280 default 110 direct_packets_stat 0 ver
> 3.17
>  Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 6844 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 2: parent 1:12 limit 127p quantum 1500b flows 127/1024 perturb
> 10sec
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 3: parent 1:110 limit 127p quantum 1500b flows 127/1024 perturb
> 10sec
>  Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc ingress ffff: parent ffff:fff1 ----------------
>  Sent 156423 bytes 2598 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> class htb 1:110 parent 1:1 leaf 3: prio 7 quantum 1500 rate 400000bit ceil
> 440000bit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead
> 0b level 0
>  Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
>  rate 430520bit 38pps backlog 0b 0p requeues 0
>  lended: 3156 borrowed: 307 giants: 0
>  tokens: 477500 ctokens: 434078
>
> class htb 1:1 root rate 56000Kbit ceil 56000Kbit burst 1589b/8 mpu 0b
> overhead 0b cburst 1589b/8 mpu 0b overhead 0b level 7
>  Sent 4538948 bytes 3463 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 436024bit 38pps backlog 0b 0p requeues 0
>  lended: 307 borrowed: 0 giants: 0
>  tokens: 3406 ctokens: 3406
>
> class htb 1:12 parent 1:1 leaf 2: prio 1 quantum 1500 rate 960000bit ceil
> 1040Kbit burst 1599b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b
> level 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 208328 ctokens: 192296
>
>
> Device eth1:
> qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1
> 1 1 1 1
>  Sent 12772642 bytes 159778 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
>

------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/11/2013 4:57 AM, JC Putter wrote:
> Hi,
> 
> anyone that can maybe assist?
> 
> Thanks
> 
> 
> On Sun, Nov 10, 2013 at 9:39 AM, JC Putter <jcputter@gmail.com
> <mailto:jcputter@gmail.com>> wrote:
> 
>     Hi,
> 
>     i am using shorewall 4.5.21.3 on CentOS 6.4. i have a two interface
>     firewall, one wan and the another lan.
> 
>     the firewall is doing masquerading for the lan, i am trying to setup
>     some QoS policies however finding it difficult to work.
> 
>     Also i need some advise and better explanation, according to the
>     LARTC docs qos policies used be applied to the interface connection
>     to the network, (AKA LAN Interface?). i see that from the examples
>     from shorewall man pages that you use the WAN interface. which is
>     better and why?
Neither is ''better''. One is for shaping outgoing traffic (WAN
interface)
and one os for shaping incoming traffic (LAN interface).
> 
>     here is my current config, when specifying ports sport 80 or 443
>     traffic not going to the specified class however removing the ports
>     and just specifying any traffic it works...i''ve also tried
swaping
>     about SPORT and DPORT..
> 
>      
I refuse to look at the iptables output. The miserable gmail interface
tries to make an embedded link out of everything that looks like an IP
address, rendering the resulting text unreadable. If you wish to post
such output, please do so as an attachment; thanks.

But I do note a couple of things:

a) You are marking TCP packets with destination port 21. Those are
control connection packets destined for an FTP server in your local
network (remember that you are marking on the FORWARD chain so only
forwarded packets will be marked). I seriously doubt that is what you
want. I think you rather want ''ftp'' in the HELPER column.

b) Similarly you are marking TCP packets with destination port 80 and
443. Those would be directed at a web server in your local LEN, while I
suspect that you really want response packets destined for web clients
in the local LAN. So you want ''-'' in the DEST PORT(S) column
and 80,443
in the SOURCE PORT(S) column.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Tom,

Thank you for you reply. Please accept my apologies for the email format.

Here is my config now,  i have MARK_IN_FORWARD_CHAIN=No


LAN=eth0
WAN=eth2

so traffic now goes to the default class which is good however seems
like my marking isn''t working because as shown in tcrules,
i''ve mark
those packets but they dont end up in the respected class.

Thanks in advance


tcrules

http://pastebin.com/12Y9s8sJ

tcclasses

http://pastebin.com/8wvQWAYF

tcdevices

http://pastebin.com/ysnsJsdj


shorewall show tc

http://pastebin.com/tG01D76D

On Mon, Nov 11, 2013 at 6:11 PM, Tom Eastep <teastep@shorewall.net>
wrote:
> On 11/11/2013 4:57 AM, JC Putter wrote:
>> Hi,
>>
>> anyone that can maybe assist?
>>
>> Thanks
>>
>>
>> On Sun, Nov 10, 2013 at 9:39 AM, JC Putter <jcputter@gmail.com
>> <mailto:jcputter@gmail.com>> wrote:
>>
>>     Hi,
>>
>>     i am using shorewall 4.5.21.3 on CentOS 6.4. i have a two interface
>>     firewall, one wan and the another lan.
>>
>>     the firewall is doing masquerading for the lan, i am trying to
setup
>>     some QoS policies however finding it difficult to work.
>>
>>     Also i need some advise and better explanation, according to the
>>     LARTC docs qos policies used be applied to the interface connection
>>     to the network, (AKA LAN Interface?). i see that from the examples
>>     from shorewall man pages that you use the WAN interface. which is
>>     better and why?
>
> Neither is ''better''. One is for shaping outgoing traffic
(WAN interface)
> and one os for shaping incoming traffic (LAN interface).
>>
>>     here is my current config, when specifying ports sport 80 or 443
>>     traffic not going to the specified class however removing the ports
>>     and just specifying any traffic it works...i''ve also tried
swaping
>>     about SPORT and DPORT..
>>
>>
>
> I refuse to look at the iptables output. The miserable gmail interface
> tries to make an embedded link out of everything that looks like an IP
> address, rendering the resulting text unreadable. If you wish to post
> such output, please do so as an attachment; thanks.
>
> But I do note a couple of things:
>
> a) You are marking TCP packets with destination port 21. Those are
> control connection packets destined for an FTP server in your local
> network (remember that you are marking on the FORWARD chain so only
> forwarded packets will be marked). I seriously doubt that is what you
> want. I think you rather want ''ftp'' in the HELPER column.
>
> b) Similarly you are marking TCP packets with destination port 80 and
> 443. Those would be directed at a web server in your local LEN, while I
> suspect that you really want response packets destined for web clients
> in the local LAN. So you want ''-'' in the DEST PORT(S)
column and 80,443
> in the SOURCE PORT(S) column.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models.
Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and
register
>
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/12/2013 7:47 AM, JC Putter wrote:
> Tom,
> 
> Thank you for you reply. Please accept my apologies for the email format.
> 
> Here is my config now,  i have MARK_IN_FORWARD_CHAIN=No
> 
> 
> LAN=eth0
> WAN=eth2
> 
> so traffic now goes to the default class which is good however seems
> like my marking isn''t working because as shown in tcrules,
i''ve mark
> those packets but they dont end up in the respected class.
> 
> Thanks in advance
Do you have CLEAR_IN_FORWARD_CHAIN=Yes? If so, your marks are getting
cleared now that you have set MARK_IN_FORWARD_CHAIN=No.

If that isn''t the problem, please forward the output of
''shorewall dump''
collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

attached the shorewall dump.

MARK_IN_FORWARD_CHAIN=No

many thanks


On Tue, Nov 12, 2013 at 6:07 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 11/12/2013 7:47 AM, JC Putter wrote:
> > Tom,
> >
> > Thank you for you reply. Please accept my apologies for the email
format.
> >
> > Here is my config now,  i have MARK_IN_FORWARD_CHAIN=No
> >
> >
> > LAN=eth0
> > WAN=eth2
> >
> > so traffic now goes to the default class which is good however seems
> > like my marking isn''t working because as shown in tcrules,
i''ve mark
> > those packets but they dont end up in the respected class.
> >
> > Thanks in advance
>
> Do you have CLEAR_IN_FORWARD_CHAIN=Yes? If so, your marks are getting
> cleared now that you have set MARK_IN_FORWARD_CHAIN=No.
>
> If that isn''t the problem, please forward the output of
''shorewall dump''
> collected as described at http://www.shorewall.net/support.htm#Guidelines.
>
> Thanks,
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models.
> Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and
> register
>
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>


------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/12/2013 8:24 AM, JC Putter wrote:
> attached the shorewall dump.
> 
> MARK_IN_FORWARD_CHAIN=No
> 
As I explained in the last email, it is *never* going to work with
MARK_IN_FORWARD_CHAIN=No and FORWARD_CLEAR_MARK=Yes. You must change the
setting of one or the other or you must do your marking in the FORWARD
or POSTROUTING chains using a :F or :P suffix.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Tom,

Thank you very much! got it working, after re-reading shorewall.conf man

FORWARD_CLEAR_MARK was not set (which if i understand the man
correctly it defaults to YES?) after changing it to No, it seems to
work now!


On Tue, Nov 12, 2013 at 7:10 PM, Tom Eastep <teastep@shorewall.net>
wrote:
> On 11/12/2013 8:24 AM, JC Putter wrote:
>> attached the shorewall dump.
>>
>> MARK_IN_FORWARD_CHAIN=No
>>
>
> As I explained in the last email, it is *never* going to work with
> MARK_IN_FORWARD_CHAIN=No and FORWARD_CLEAR_MARK=Yes. You must change the
> setting of one or the other or you must do your marking in the FORWARD
> or POSTROUTING chains using a :F or :P suffix.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models.
Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and
register
>
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Tom or anyone

Last question.

i have a tcrule to limit ftp as well now and i am using the ftp helper
however i am not seeing any hits on the rule.

any ideas why? 80 and 443 work 100% now..

see attached

On Tue, Nov 12, 2013 at 7:58 PM, JC Putter <jcputter@gmail.com>
wrote:
> Tom,
>
> Thank you very much! got it working, after re-reading shorewall.conf man
>
> FORWARD_CLEAR_MARK was not set (which if i understand the man
> correctly it defaults to YES?) after changing it to No, it seems to
> work now!
>
>
> On Tue, Nov 12, 2013 at 7:10 PM, Tom Eastep <teastep@shorewall.net>
wrote:
>> On 11/12/2013 8:24 AM, JC Putter wrote:
>>> attached the shorewall dump.
>>>
>>> MARK_IN_FORWARD_CHAIN=No
>>>
>>
>> As I explained in the last email, it is *never* going to work with
>> MARK_IN_FORWARD_CHAIN=No and FORWARD_CLEAR_MARK=Yes. You must change
the
>> setting of one or the other or you must do your marking in the FORWARD
>> or POSTROUTING chains using a :F or :P suffix.
>>
>> -Tom
>> --
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>>
------------------------------------------------------------------------------
>> November Webinars for C, C++, Fortran Developers
>> Accelerate application performance with scalable programming models.
Explore
>> techniques for threading, error checking, porting, and tuning. Get the
most
>> from the latest Intel processors and coprocessors. See abstracts and
register
>>
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

thanks answered my on question by just using the ftp helper no src or
dst port. now ftp traffic gets marked.



On Wed, Nov 13, 2013 at 1:19 AM, JC Putter <jcputter@gmail.com>
wrote:
> Tom or anyone
>
> Last question.
>
> i have a tcrule to limit ftp as well now and i am using the ftp helper
> however i am not seeing any hits on the rule.
>
> any ideas why? 80 and 443 work 100% now..
>
> see attached
>
> On Tue, Nov 12, 2013 at 7:58 PM, JC Putter <jcputter@gmail.com>
wrote:
>> Tom,
>>
>> Thank you very much! got it working, after re-reading shorewall.conf
man
>>
>> FORWARD_CLEAR_MARK was not set (which if i understand the man
>> correctly it defaults to YES?) after changing it to No, it seems to
>> work now!
>>
>>
>> On Tue, Nov 12, 2013 at 7:10 PM, Tom Eastep
<teastep@shorewall.net> wrote:
>>> On 11/12/2013 8:24 AM, JC Putter wrote:
>>>> attached the shorewall dump.
>>>>
>>>> MARK_IN_FORWARD_CHAIN=No
>>>>
>>>
>>> As I explained in the last email, it is *never* going to work with
>>> MARK_IN_FORWARD_CHAIN=No and FORWARD_CLEAR_MARK=Yes. You must
change the
>>> setting of one or the other or you must do your marking in the
FORWARD
>>> or POSTROUTING chains using a :F or :P suffix.
>>>
>>> -Tom
>>> --
>>> Tom Eastep        \ When I die, I want to go like my Grandfather
who
>>> Shoreline,         \ died peacefully in his sleep. Not screaming
like
>>> Washington, USA     \ all of the passengers in his car
>>> http://shorewall.net
\________________________________________________
>>>
>>>
>>>
------------------------------------------------------------------------------
>>> November Webinars for C, C++, Fortran Developers
>>> Accelerate application performance with scalable programming
models. Explore
>>> techniques for threading, error checking, porting, and tuning. Get
the most
>>> from the latest Intel processors and coprocessors. See abstracts
and register
>>>
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> Shorewall-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk