Shorewall users - Mar 2014 - Internal traffic shapping...

Hi,

I am trying to switch on internal traffic shaping and I am wondering 
if I set it up correctly...  I have clients behind a firewall connected 
to 3 providers.

I have 1 SDSL and 2 ADSL:

  tcdevices:
    eth1  4mbit  4mbit
    eth2  6mbit  796kbit
    eth3  6mbit  796kbit

I setup 4 classes for eth1, 3 for eth2 and 3 for eth3:

  tcclasses:
    eth1  1   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth1  2   full*60/100   full*95/100   2            # web
    eth1  3   full*10/100   full*95/100   3            # email
    eth1  4   full*10/100   full*95/100   3  default
    eth2  5   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth2  6   full*60/100   full*95/100   2            # web/email
    eth2  7   full*20/100   full*95/100   3  default
    eth3  8   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth3  9   full*60/100   full*95/100   2            # web/email
    eth3  10  full*20/100   full*95/100   3  default

For the rules:
1. ping, ssh and dns from the firewall are priority 1
2. forwarded clients traffic (192.168.16.0/20) is split as:
   ssh, web [, email for eth1], default

  tcrules:

    # --- eth1 ---
    1    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    1    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    1    0.0.0.0/0           0.0.0.0/0           tcp     22
    1    0.0.0.0/0           0.0.0.0/0           tcp     53
    1    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth1 FORWARD ---
    1:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    1:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    1:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    2:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    3:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993
    # --- eth2 ---
    5    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    5    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    5    0.0.0.0/0           0.0.0.0/0           tcp     22
    5    0.0.0.0/0           0.0.0.0/0           tcp     53
    5    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth2 FORWARD ---
    5:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    5:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    5:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    6:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    6:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993
    # --- eth3 ---
    8    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    8    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    8    0.0.0.0/0           0.0.0.0/0           tcp     22
    8    0.0.0.0/0           0.0.0.0/0           tcp     53
    8    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth3 FORWARD ---
    8:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    8:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    8:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    9:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    9:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993

Does everything look ok?
Do I need to put "reverse rules" for the traffic coming back?
By example, if I have:
  1:F  192.168.16.0/20     123.123.123.0/23    tcp     22
Do I need the following?
  1:F  123.123.123.0/23    192.168.16.0/20     tcp     -     22

Thx,
JD

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech