Hi,

I am using shorewall 4.5.21.3 on CentOS 6.4. I have a two-interface firewall, one WAN and the other LAN.

The firewall is doing masquerading for the LAN. I am trying to set up some QoS policies, however I am finding it difficult to get them to work.

Also I need some advice and a better explanation: according to the LARTC docs, QoS policies should be applied to the interface connecting to the network (AKA the LAN interface?). I see from the examples in the shorewall man pages that you use the WAN interface. Which is better and why?

Here is my current config. When specifying ports (sport 80 or 443) traffic is not going to the specified class; however, removing the ports and just specifying any traffic, it works... I've also tried swapping SPORT and DPORT.

WAN=eth1
LAN=eth0

/etc/shorewall/shorewall.conf

MARK_IN_FORWARD_CHAIN=yes

/etc/shorewall/tcdevices

###############################################################################
#NUMBER:    IN-BANDWITH    OUT-BANDWIDTH    OPTIONS    REDIRECTED
#INTERFACE                                             INTERFACES
eth0        7mbps          7mbps

/etc/shorewall/tcclasses

###############################################################################
#INTERFACE:CLASS    MARK    RATE:       CEIL       PRIORITY    OPTIONS
#                           DMAX:UMAX
eth0                2       120kbps     130kbps    1
eth0                10      50kbps      55kbps     10          default

/etc/shorewall/tcrules

##########################################################################################################################################
#ACTION    SOURCE       DEST         PROTO    DEST       SOURCE     USER    TEST    LENGTH    TOS    CONNBYTES    HELPER    PROBABILITY    DSCP
#                                             PORT(S)    PORT(S)
2          0.0.0.0/0    0.0.0.0/0    tcp      21
2          0.0.0.0/0    0.0.0.0/0    tcp      80,443

Shorewall 4.5.21.3 Traffic Control at localhost.localdomain - Sun Nov 10 09:35:39 SAST 2013

Chain PREROUTING (policy ACCEPT 7058 packets, 4799K bytes)
 pkts bytes target     prot opt in     out     source               destination
 7058 4799K tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 992 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source               destination
  992  105K tcin       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 6066 packets, 4694K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6066 4694K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xffffff00
 6066 4694K tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 415 packets, 114K bytes)
 pkts bytes target     prot opt in     out     source               destination
  415  114K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 6481 packets, 4808K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6481 4808K tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination
   31  1496 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 MARK set 0x2
 1663 99141 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 MARK set 0x2

Chain tcin (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

Device eth0:
qdisc htb 1: root refcnt 2 r2q 280 default 110 direct_packets_stat 0 ver 3.17
 Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 6844 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 2: parent 1:12 limit 127p quantum 1500b flows 127/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 3: parent 1:110 limit 127p quantum 1500b flows 127/1024 perturb 10sec
 Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 156423 bytes 2598 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

class htb 1:110 parent 1:1 leaf 3: prio 7 quantum 1500 rate 400000bit ceil 440000bit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
 Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
 rate 430520bit 38pps backlog 0b 0p requeues 0
 lended: 3156 borrowed: 307 giants: 0
 tokens: 477500 ctokens: 434078

class htb 1:1 root rate 56000Kbit ceil 56000Kbit burst 1589b/8 mpu 0b overhead 0b cburst 1589b/8 mpu 0b overhead 0b level 7
 Sent 4538948 bytes 3463 pkt (dropped 0, overlimits 0 requeues 0)
 rate 436024bit 38pps backlog 0b 0p requeues 0
 lended: 307 borrowed: 0 giants: 0
 tokens: 3406 ctokens: 3406

class htb 1:12 parent 1:1 leaf 2: prio 1 quantum 1500 rate 960000bit ceil 1040Kbit burst 1599b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 208328 ctokens: 192296

Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 12772642 bytes 159778 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
Hi,

Anyone that can maybe assist?

Thanks

On Sun, Nov 10, 2013 at 9:39 AM, JC Putter <jcputter@gmail.com> wrote:
On 11/11/2013 4:57 AM, JC Putter wrote:
> On Sun, Nov 10, 2013 at 9:39 AM, JC Putter <jcputter@gmail.com> wrote:
>
>     Also I need some advice and a better explanation: according to the
>     LARTC docs, QoS policies should be applied to the interface connecting
>     to the network (AKA the LAN interface?). I see from the examples in
>     the shorewall man pages that you use the WAN interface. Which is
>     better and why?

Neither is 'better'. One is for shaping outgoing traffic (WAN interface) and one is for shaping incoming traffic (LAN interface).

>     Here is my current config. When specifying ports (sport 80 or 443)
>     traffic is not going to the specified class; however, removing the
>     ports and just specifying any traffic, it works... I've also tried
>     swapping SPORT and DPORT.

I refuse to look at the iptables output. The miserable gmail interface tries to make an embedded link out of everything that looks like an IP address, rendering the resulting text unreadable. If you wish to post such output, please do so as an attachment; thanks.

But I do note a couple of things:

a) You are marking TCP packets with destination port 21. Those are control connection packets destined for an FTP server in your local network (remember that you are marking on the FORWARD chain so only forwarded packets will be marked). I seriously doubt that is what you want. I think you rather want 'ftp' in the HELPER column.

b) Similarly you are marking TCP packets with destination port 80 and 443. Those would be directed at a web server in your local LAN, while I suspect that you really want response packets destined for web clients in the local LAN. So you want '-' in the DEST PORT(S) column and 80,443 in the SOURCE PORT(S) column.

-Tom
--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
Tom,

Thank you for your reply. Please accept my apologies for the email format.

Here is my config now, I have MARK_IN_FORWARD_CHAIN=No

LAN=eth0
WAN=eth2

so traffic now goes to the default class, which is good; however it seems like my marking isn't working because, as shown in tcrules, I've marked those packets but they don't end up in the respective class.

Thanks in advance

tcrules            http://pastebin.com/12Y9s8sJ
tcclasses          http://pastebin.com/8wvQWAYF
tcdevices          http://pastebin.com/ysnsJsdj
shorewall show tc  http://pastebin.com/tG01D76D

On Mon, Nov 11, 2013 at 6:11 PM, Tom Eastep <teastep@shorewall.net> wrote:
On 11/12/2013 7:47 AM, JC Putter wrote:
> Here is my config now, I have MARK_IN_FORWARD_CHAIN=No
>
> LAN=eth0
> WAN=eth2
>
> so traffic now goes to the default class, which is good; however it seems
> like my marking isn't working because, as shown in tcrules, I've marked
> those packets but they don't end up in the respective class.

Do you have CLEAR_IN_FORWARD_CHAIN=Yes? If so, your marks are getting cleared now that you have set MARK_IN_FORWARD_CHAIN=No.

If that isn't the problem, please forward the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
Attached the shorewall dump.

MARK_IN_FORWARD_CHAIN=No

Many thanks

On Tue, Nov 12, 2013 at 6:07 PM, Tom Eastep <teastep@shorewall.net> wrote:
On 11/12/2013 8:24 AM, JC Putter wrote:
> Attached the shorewall dump.
>
> MARK_IN_FORWARD_CHAIN=No
>

As I explained in the last email, it is *never* going to work with MARK_IN_FORWARD_CHAIN=No and FORWARD_CLEAR_MARK=Yes. You must change the setting of one or the other or you must do your marking in the FORWARD or POSTROUTING chains using a :F or :P suffix.

-Tom
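As an added check, not Shorewall's own code nor anything posted by the people in this thread, here is a small Python linter that reads a shorewall.conf and tcrules pair and flags the two pitfalls discussed above: marks set with MARK_IN_FORWARD_CHAIN=No while FORWARD_CLEAR_MARK is Yes or unset (treated as Yes, the default JC ran into), and tcp rules that put 21 or 80,443 in DEST PORT(S) when the classes sit on the LAN interface. The column layout, the constructed sample files, and the handling of any ":X" suffix on the mark as an explicit chain designator (the thread names :F and :P) are assumptions.

```python
import re

# Column order of /etc/shorewall/tcrules, as in the header line quoted in this thread.
TCRULES_COLS = ("ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "USER",
                "TEST", "LENGTH", "TOS", "CONNBYTES", "HELPER", "PROBABILITY", "DSCP")

# A mark value, optionally followed by a chain designator such as :F or :P (assumed syntax).
MARK_RE = re.compile(r"^(\d+)(?::([A-Z]))?$")


def parse_conf(text):
    """Read KEY=value lines from shorewall.conf-style text; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip().strip("\"'")
    return conf


def parse_tcrules(text):
    """Split each tcrules row into a column dict; missing trailing columns read as '-'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        rules.append({col: (fields[i] if i < len(fields) else "-")
                      for i, col in enumerate(TCRULES_COLS)})
    return rules


def lint(conf, rules, classes_on_lan_iface=True):
    """Return a list of findings for the mark-clearing and port-direction pitfalls."""
    findings = []
    mark_in_forward = conf.get("MARK_IN_FORWARD_CHAIN", "No").lower() == "yes"
    # FORWARD_CLEAR_MARK counts as Yes when it is not set at all.
    clear_in_forward = conf.get("FORWARD_CLEAR_MARK", "Yes").lower() != "no"
    for r in rules:
        m = MARK_RE.match(r["ACTION"])
        if not m:
            continue  # only plain mark rules are checked
        action, chain = r["ACTION"], m.group(2)
        if not mark_in_forward and clear_in_forward and chain is None:
            findings.append(
                f"{action}: mark is set in PREROUTING and cleared again in FORWARD "
                "(MARK_IN_FORWARD_CHAIN=No with FORWARD_CLEAR_MARK=Yes or unset); set "
                "FORWARD_CLEAR_MARK=No, MARK_IN_FORWARD_CHAIN=Yes, or add a chain suffix")
        if (classes_on_lan_iface and r["PROTO"].lower() == "tcp"
                and r["DPORT"] != "-" and r["SPORT"] == "-"):
            if r["DPORT"] == "21" and r["HELPER"] == "-":
                findings.append(
                    f"{action}: dport 21 only matches the control connection toward an "
                    "FTP server on the LAN; use 'ftp' in HELPER to catch the whole session")
            else:
                findings.append(
                    f"{action}: dport {r['DPORT']} matches requests to a server on the LAN; "
                    "to shape replies to LAN clients put the ports in SOURCE PORT(S)")
    return findings


def run(conf_text, tcrules_text):
    """Convenience wrapper: parse both texts and lint them."""
    return lint(parse_conf(conf_text), parse_tcrules(tcrules_text))


# Constructed sample mirroring the thread's second attempt: MARK_IN_FORWARD_CHAIN=No,
# FORWARD_CLEAR_MARK left unset, and the original dport-based rules.
SAMPLE_CONF = "MARK_IN_FORWARD_CHAIN=No\n"
SAMPLE_TCRULES = """
#ACTION  SOURCE     DEST       PROTO  DPORT   SPORT  USER  TEST  LENGTH  TOS  CONNBYTES  HELPER
2        0.0.0.0/0  0.0.0.0/0  tcp    21
2        0.0.0.0/0  0.0.0.0/0  tcp    80,443
"""
# Corrected version: clearing disabled, replies matched by source port, FTP via its helper.
FIXED_CONF = "MARK_IN_FORWARD_CHAIN=No\nFORWARD_CLEAR_MARK=No\n"
FIXED_TCRULES = """
2  0.0.0.0/0  0.0.0.0/0  tcp  -  80,443
2  0.0.0.0/0  0.0.0.0/0  tcp  -  -       -  -  -  -  -  ftp
"""

if __name__ == "__main__":
    for name, conf, rules in (("original", SAMPLE_CONF, SAMPLE_TCRULES),
                              ("fixed", FIXED_CONF, FIXED_TCRULES)):
        print(name + ":", *(run(conf, rules) or ["no findings"]), sep="\n  ")
```

Run it against your own /etc/shorewall files by reading them into `run()`; the original sample yields four findings and the corrected one none.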
Tom,

Thank you very much! Got it working. After re-reading the shorewall.conf man page: FORWARD_CLEAR_MARK was not set (which, if I understand the man page correctly, defaults to YES?). After changing it to No, it seems to work now!

On Tue, Nov 12, 2013 at 7:10 PM, Tom Eastep <teastep@shorewall.net> wrote:
Tom or anyone,

Last question.

I have a tcrule to limit FTP as well now and I am using the ftp helper; however I am not seeing any hits on the rule.

Any ideas why? 80 and 443 work 100% now.

See attached

On Tue, Nov 12, 2013 at 7:58 PM, JC Putter <jcputter@gmail.com> wrote:
Thanks, answered my own question by just using the ftp helper with no src or dst port. Now FTP traffic gets marked.

On Wed, Nov 13, 2013 at 1:19 AM, JC Putter <jcputter@gmail.com> wrote: