Prasanna,

Thanks for the reply. :)

I would upgrade to Shorewall 3.2.x but, for some reason, there is no Debian package newer than 3.0.7 (even in unstable). I wouldn't know how to create a package for myself and I don't think the Shorewall source comes Debian-package-ready... and I'd like to keep to the package system if possible because it makes accounting for those programs which are installed much easier.
However, I did try your first two suggestions. Unfortunately, I had no luck with them. For (a), I reversed the order of "default" and "tos-maximize-throughput" to no avail. For (b), I moved "tos-maximize-throughput" to tcclass 4 in my tcclasses file (as previously shown) and it had no effect. When I performed the SCP transfer, nothing showed up under tcclass 4.

My tcrules file is as follows:

# ************ Maximize priority of VoIP traffic *******************************************
1       192.168.0.248

# ************ Prioritize pings with low payload *******************************************
2       0.0.0.0/0       0.0.0.0/0       icmp    echo-request
2       0.0.0.0/0       0.0.0.0/0       icmp    echo-reply

# ************ Prioritize services *********************************************************
# DNS
3       0.0.0.0/0       0.0.0.0/0       tcp     53
3       0.0.0.0/0       0.0.0.0/0       tcp     -       53
3       0.0.0.0/0       0.0.0.0/0       udp     53
3       0.0.0.0/0       0.0.0.0/0       udp     -       53
# HTTP
3       0.0.0.0/0       0.0.0.0/0       tcp     80
3       0.0.0.0/0       0.0.0.0/0       tcp     -       80
# SMTP/POP3
3       0.0.0.0/0       0.0.0.0/0       tcp     25
3       0.0.0.0/0       0.0.0.0/0       tcp     -       25
3       0.0.0.0/0       0.0.0.0/0       tcp     110
3       0.0.0.0/0       0.0.0.0/0       tcp     -       110
# SSH
3       0.0.0.0/0       0.0.0.0/0       tcp     22
3       0.0.0.0/0       0.0.0.0/0       tcp     -       22
# VNC
3       0.0.0.0/0       0.0.0.0/0       tcp     5500
3       0.0.0.0/0       0.0.0.0/0       tcp     -       5500
3       0.0.0.0/0       0.0.0.0/0       tcp     5900
3       0.0.0.0/0       0.0.0.0/0       tcp     -       5900

# ************ Prioritize various applications which require interactivity *****************
# AIM
3       0.0.0.0/0       0.0.0.0/0       tcp     5190
# Battle for Wesnoth
3       0.0.0.0/0       0.0.0.0/0       tcp     14998:15000
3       0.0.0.0/0       0.0.0.0/0       tcp     -       14998:15000
# CounterStrike
3       0.0.0.0/0       0.0.0.0/0       udp     1200
3       0.0.0.0/0       0.0.0.0/0       udp     -       1200
3       0.0.0.0/0       0.0.0.0/0       udp     27000:27015
3       0.0.0.0/0       0.0.0.0/0       udp     -       27000:27015
3       0.0.0.0/0       0.0.0.0/0       tcp     27030:27039
3       0.0.0.0/0       0.0.0.0/0       tcp     -       27030:27039
# Diablo II
3       0.0.0.0/0       0.0.0.0/0       tcp     4000
3       0.0.0.0/0       0.0.0.0/0       tcp     -       4000
3       0.0.0.0/0       0.0.0.0/0       tcp     6112
3       0.0.0.0/0       0.0.0.0/0       tcp     -       6112
3       0.0.0.0/0       0.0.0.0/0       udp     6112
3       0.0.0.0/0       0.0.0.0/0       udp     -       6112
# Diablo II - ChaosEmpire
3       0.0.0.0/0       0.0.0.0/0       tcp     4001
3       0.0.0.0/0       0.0.0.0/0       tcp     -       4001
# Scorched3D
3       0.0.0.0/0       0.0.0.0/0       tcp     27270
3       0.0.0.0/0       0.0.0.0/0       tcp     -       27270
# Sea3D
3       0.0.0.0/0       0.0.0.0/0       tcp     7176
3       0.0.0.0/0       0.0.0.0/0       tcp     -       7176
# World of Warcraft
3       0.0.0.0/0       0.0.0.0/0       tcp     3724
3       0.0.0.0/0       0.0.0.0/0       tcp     -       3724
3       0.0.0.0/0       0.0.0.0/0       tcp     6112
3       0.0.0.0/0       0.0.0.0/0       tcp     -       6112
# Yahoo! Games
3       0.0.0.0/0       0.0.0.0/0       tcp     11999
3       0.0.0.0/0       0.0.0.0/0       tcp     -       11999

Thanks for your help and your time. :)

Cheers,
Zach

Prasanna Krishnamoorthy wrote:
> Couple of suggestions,
>
> a) Can you change the order of default and tos-maximize-throughput?
> b) If that doesn't work, separate classes for default and
> tos-maximize-throughput?
> c) Can you try with a tcrule for this? Using the TOS field. This
> requires an upgrade to 3.2.0 though.
>
> If none of these work, post a copy of your tcrules here.
>
> Prasanna.
>
> On 10/11/06, Zachary Palmer <[EMAIL PROTECTED]> wrote:
>
>> Hello, all. I am led to understand that I might be able to post a dump
>> of my Shorewall configuration and ask for some assistance regarding a
>> QoS problem I've been having. I do hope I'm posting in the right place
>> and not violating any rules of etiquette; if I am, please let me know. :)
>>
>> The task at hand: differentiate between SSH packets and SCP packets
>> using Shorewall 3.0.7. I'm aware that both use the same protocol and
>> port and this is where the difficulty comes in. All of my other QoS
>> info is being handled by prioritizing certain ports on certain
>> machines. Those things which are deemed important (HTTP, SMTP, DNS,
>> etc.) should be passed to tcclass 3; everything else should go to
>> tcclass 5. Excepting my special rules for my VoIP phone (tcclass 1) and
>> ACK packets (tcclass 2), this is an accurate representation of how
>> things are working right now.
>>
>> My tcclasses file, for reference:
>>
>> eth0    1    100kbit    200kbit      1
>> eth0    2    full/4     full         2    tcp-ack
>> eth0    3    full/2     full         3
>> eth0    4    50kbit     100kbit      4
>> eth0    5    full/10    full*8/10    5    default,tos-maximize-throughput
>>
>> It all works great except for the "tos-maximize-throughput" option. I
>> want packets with the Maximize Throughput TOS bit set to be routed to
>> tcclass 5 regardless of all other rules. That way, SCP (which has
>> Maximize Throughput set) will be lumped in with low priority batch
>> transfers while SSH (which does not) will be treated with dignity and
>> respect. I eventually hope to pass SCP to tcclass 4 so that it is
>> treated as slightly more important than things like FTP downloads but
>> still doesn't interfere with interactive connections.
>>
>> I've used wireshark to examine the incoming packets. SCP packets are
>> definitely TOS-flagged properly, as are the SSH packets. However, when
>> I use "watch tc -s qdisc" and perform an SCP transfer, it is very
>> apparent that the SCP packets have been sent to tcclass 3. The only
>> reason I can imagine this is happening is the set of rules I'm using to
>> prioritize SSH:
>>
>> 3       0.0.0.0/0       0.0.0.0/0       tcp     22
>> 3       0.0.0.0/0       0.0.0.0/0       tcp     -       22
>>
>> However, the tcclasses documentation specifically says that packets
>> which match the TOS options on a tcclass are sent to that class
>> regardless of the mark on the packet. So I'm proceeding with the
>> assumption that that isn't what's happening.
>>
>> Looking at the end of my Shorewall dump, I see this:
>>
>> Traffic Filters
>>
>> Device eth0:
>> filter parent 1: protocol ip pref 10 u32
>> filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
>> filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12
>>   match 00060000/00ff0000 at 8
>>   match 05000000/0f00ffc0 at 0
>>   match 00100000/00ff0000 at 32
>> filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:15
>>   match 00080000/00080000 at 0
>>
>> I'm not exactly a tc expert but that looks to me like that's the part of
>> the configuration which will distinguish between Maximize Throughput and
>> otherwise for me. However, I'm quite sure that it's not working right;
>> a friend of mine fetched a CD image from my machine using SCP earlier
>> and it purely crippled my connection. I've been hammering away at this
>> since with no success at all.
>>
>> Attached, you'll find my gzipped Shorewall dump (with the established
>> connections section snipped out for brevity). The firewall is a Debian
>> Etch machine (i686) running the stock Debian 2.6.17 kernel. I am
>> prepared to compile a custom kernel if necessary, but I didn't see
>> anything under the stock kernel config's netfilter section that wasn't
>> at least compiled as a module. I will, of course, provide any other
>> information which might illuminate the issue here.
>>
>> Thanks for reading! Any advice or suggestions are greatly appreciated.
>> Shorewall has thus far done a fantastic job of replacing my old custom
>> firewall script; this is pretty much the last hurdle I have to jump.
>>
>> Thanks again,
>>
>> Zachary Palmer

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
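To make the quoted tc output concrete, here is an added example (not from the thread and not Shorewall's code) that parses those two u32 filter lines and applies them, with the kernel's first-match semantics, to constructed IPv4/TCP packets; the SSH TOS value (0x10, lowdelay), the addresses and the packet sizes are assumptions.

```python
import re
import struct
# Constructed input: the two u32 filters quoted from the dump (1:12 = tcclass 2 "tcp-ack", 1:15 = tcclass 5).
DUMP = """\
filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12
  match 00060000/00ff0000 at 8
  match 05000000/0f00ffc0 at 0
  match 00100000/00ff0000 at 32
filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:15
  match 00080000/00080000 at 0
"""
FILTER_RE = re.compile(r"fh (\S+) .*flowid (\S+)")
MATCH_RE = re.compile(r"match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")

def parse_filters(dump):
    """Return [(handle, flowid, [(value, mask, offset), ...]), ...] in dump order."""
    filters = []
    for line in dump.splitlines():
        if m := FILTER_RE.search(line):
            filters.append((m.group(1), m.group(2), []))
        elif (m := MATCH_RE.search(line)) and filters:
            value, mask, off = m.groups()
            filters[-1][2].append((int(value, 16), int(mask, 16), int(off)))
    return filters

def u32_matches(packet, matches):
    """Every match must hold: big-endian u32 at OFFSET (from the IP header) & MASK == VALUE."""
    return all(off + 4 <= len(packet)
               and struct.unpack_from("!I", packet, off)[0] & mask == value
               for value, mask, off in matches)

def classify(packet, filters):
    """First filter whose matches all hold wins; None means no u32 filter fired."""
    return next((fid for _h, fid, matches in filters if u32_matches(packet, matches)), None)

def build_packet(tos, tcp_flags, payload_len):
    """Constructed IPv4/TCP packet: 20-byte IP header (IHL=5) + 20-byte TCP header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 22, 40000, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip + tcp + bytes(payload_len)

def demo():
    """Classify four constructed packets (SSH's lowdelay TOS 0x10 is an assumption)."""
    filters = parse_filters(DUMP)
    samples = {"ssh segment": build_packet(0x10, 0x18, 100),
               "ssh pure ack": build_packet(0x10, 0x10, 0),
               "scp bulk segment": build_packet(0x08, 0x18, 1400),
               "scp pure ack": build_packet(0x08, 0x10, 0)}
    return {name: classify(pkt, filters) for name, pkt in samples.items()}
```

This models only the two u32 filters shown, not the fwmark classification the tcrules produce, so it tells you which class a packet reaches from these filters alone: the first filter is "TCP, IP length below 64, flags exactly ACK" (pure ACKs of either flow land in 1:12), the second is "TOS bit 0x08 set" (a full-size SCP segment lands in 1:15), and an SSH data segment falls through to whatever the marks decide.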
