Finale: Prasanna was kind enough to send me a Debian package for Shorewall 3.2.2 since there does not currently exist any official Debian Shorewall package beyond 3.0.7-1. I have uploaded the package to my webspace at http://bahj.com/flotsam/shorewall_3.2.2-1_all.deb in case anyone else needs a copy of it. Using 3.2, I was able to get the kind of behavior I wanted using these rules:
3 0.0.0.0/0 0.0.0.0/0 tcp 22
3 0.0.0.0/0 0.0.0.0/0 tcp - 22
4 0.0.0.0/0 0.0.0.0/0 tcp 22 - - - - 8
4 0.0.0.0/0 0.0.0.0/0 tcp - 22 - - - 8

Cheers!

Zach

> Prasanna,
>
> Thanks for the reply. :) I would upgrade to Shorewall 3.2.x but, for some reason, there is no Debian package newer than 3.0.7 (even in unstable). I wouldn't know how to create a package for myself and I don't think the Shorewall source comes Debian-package-ready... and I'd like to keep to the package system if possible because it makes accounting for those programs which are installed much easier.
>
> However, I did try your first two suggestions. Unfortunately, I had no luck with them. For (a), I reversed the order of "default" and "tos-maximize-throughput" to no avail. For (b), I moved "tos-maximize-throughput" to tcclass 4 in my tcclasses file (as previously shown) and it had no effect. When I performed the SCP transfer, nothing showed up under tcclass 4.
>
> My tcrules file is as follows:
>
> # ************ Maximize priority of VoIP traffic *******************************************
> 1 192.168.0.248
>
> # ************ Prioritize pings with low payload *******************************************
> 2 0.0.0.0/0 0.0.0.0/0 icmp echo-request
> 2 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
>
> # ************ Prioritize services *********************************************************
>
> # DNS
> 3 0.0.0.0/0 0.0.0.0/0 tcp 53
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 53
> 3 0.0.0.0/0 0.0.0.0/0 udp 53
> 3 0.0.0.0/0 0.0.0.0/0 udp - 53
>
> # HTTP
> 3 0.0.0.0/0 0.0.0.0/0 tcp 80
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 80
>
> # SMTP/POP3
> 3 0.0.0.0/0 0.0.0.0/0 tcp 25
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 25
> 3 0.0.0.0/0 0.0.0.0/0 tcp 110
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 110
>
> # SSH
> 3 0.0.0.0/0 0.0.0.0/0 tcp 22
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 22
>
> # VNC
> 3 0.0.0.0/0 0.0.0.0/0 tcp 5500
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 5500
> 3 0.0.0.0/0 0.0.0.0/0 tcp 5900
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 5900
>
> # ************ Prioritize various applications which require interactivity *****************
>
> # AIM
> 3 0.0.0.0/0 0.0.0.0/0 tcp 5190
>
> # Battle for Wesnoth
> 3 0.0.0.0/0 0.0.0.0/0 tcp 14998:15000
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 14998:15000
>
> # CounterStrike
> 3 0.0.0.0/0 0.0.0.0/0 udp 1200
> 3 0.0.0.0/0 0.0.0.0/0 udp - 1200
> 3 0.0.0.0/0 0.0.0.0/0 udp 27000:27015
> 3 0.0.0.0/0 0.0.0.0/0 udp - 27000:27015
> 3 0.0.0.0/0 0.0.0.0/0 tcp 27030:27039
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 27030:27039
>
> # Diablo II
> 3 0.0.0.0/0 0.0.0.0/0 tcp 4000
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 4000
> 3 0.0.0.0/0 0.0.0.0/0 tcp 6112
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 6112
> 3 0.0.0.0/0 0.0.0.0/0 udp 6112
> 3 0.0.0.0/0 0.0.0.0/0 udp - 6112
>
> # Diablo II - ChaosEmpire
> 3 0.0.0.0/0 0.0.0.0/0 tcp 4001
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 4001
>
> # Scorched3D
> 3 0.0.0.0/0 0.0.0.0/0 tcp 27270
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 27270
>
> # Sea3D
> 3 0.0.0.0/0 0.0.0.0/0 tcp 7176
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 7176
>
> # World of Warcraft
> 3 0.0.0.0/0 0.0.0.0/0 tcp 3724
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 3724
> 3 0.0.0.0/0 0.0.0.0/0 tcp 6112
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 6112
>
> # Yahoo! Games
> 3 0.0.0.0/0 0.0.0.0/0 tcp 11999
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 11999
>
> Thanks for your help and your time. :)
>
> Cheers,
>
> Zach
>
> Prasanna Krishnamoorthy wrote:
>
>> Couple of suggestions,
>>
>> a) Can you change the order of default and tos-maximize-throughput?
>> b) If that doesn't work, separate classes for default and tos-maximize-throughput?
>> c) Can you try with a tcrule for this? Using the TOS field. This requires an upgrade to 3.2.0 though.
>>
>> If none of these work, post a copy of your tcrules here.
>>
>> Prasanna.
>>
>> On 10/11/06, Zachary Palmer <[EMAIL PROTECTED]> wrote:
>>
>>> Hello, all. I am led to understand that I might be able to post a dump of my Shorewall configuration and ask for some assistance regarding a QoS problem I've been having.
>>> I do hope I'm posting in the right place and not violating any rules of etiquette; if I am, please let me know. :)
>>>
>>> The task at hand: differentiate between SSH packets and SCP packets using Shorewall 3.0.7. I'm aware that both use the same protocol and port and this is where the difficulty comes in. All of my other QoS info is being handled by prioritizing certain ports on certain machines. Those things which are deemed important (HTTP, SMTP, DNS, etc.) should be passed to tcclass 3; everything else should go to tcclass 5. Excepting my special rules for my VoIP phone (tcclass 1) and ACK packets (tcclass 2), this is an accurate representation of how things are working right now. My tcclasses file, for reference:
>>>
>>> eth0 1 100kbit 200kbit 1
>>> eth0 2 full/4 full 2 tcp-ack
>>> eth0 3 full/2 full 3
>>> eth0 4 50kbit 100kbit 4
>>> eth0 5 full/10 full*8/10 5 default,tos-maximize-throughput
>>>
>>> It all works great except for the "tos-maximize-throughput" option. I want packets with the Maximize Throughput TOS bit set to be routed to tcclass 5 regardless of all other rules. That way, SCP (which has Maximize Throughput set) will be lumped in with low priority batch transfers while SSH (which does not) will be treated with dignity and respect. I eventually hope to pass SCP to tcclass 4 so that it is treated as slightly more important than things like FTP downloads but still doesn't interfere with interactive connections.
>>>
>>> I've used Wireshark to examine the incoming packets. SCP packets are definitely TOS-flagged properly, as are the SSH packets. However, when I use "watch tc -s qdisc" and perform an SCP transfer, it is very apparent that the SCP packets have been sent to tcclass 3. The only reason I can imagine this is happening is the set of rules I'm using to prioritize SSH:
>>>
>>> 3 0.0.0.0/0 0.0.0.0/0 tcp 22
>>> 3 0.0.0.0/0 0.0.0.0/0 tcp - 22
>>>
>>> However, the tcclasses documentation specifically says that packets which match the TOS options on a tcclass are sent to that class regardless of the mark on the packet. So I'm proceeding with the assumption that that isn't what's happening.
>>>
>>> Looking at the end of my Shorewall dump, I see this:
>>>
>>> Traffic Filters
>>>
>>> Device eth0:
>>> filter parent 1: protocol ip pref 10 u32
>>> filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
>>> filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12
>>>   match 00060000/00ff0000 at 8
>>>   match 05000000/0f00ffc0 at 0
>>>   match 00100000/00ff0000 at 32
>>> filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:15
>>>   match 00080000/00080000 at 0
>>>
>>> I'm not exactly a tc expert but that looks to me like that's the part of the configuration which will distinguish between Maximize Throughput and otherwise for me. However, I'm quite sure that it's not working right; a friend of mine fetched a CD image from my machine using SCP earlier and it purely crippled my connection. I've been hammering away at this since with no success at all.
>>>
>>> Attached, you'll find my gzipped Shorewall dump (with the established connections section snipped out for brevity). The firewall is a Debian Etch machine (i686) running the stock Debian 2.6.17 kernel. I am prepared to compile a custom kernel if necessary, but I didn't see anything under the stock kernel config's netfilter section that wasn't at least compiled as a module. I will, of course, provide any other information which might illuminate the issue here.
>>>
>>> Thanks for reading! Any advice or suggestions are greatly appreciated.
>>> Shorewall has thus far done a fantastic job of replacing my old custom firewall script; this is pretty much the last hurdle I have to jump.
>>>
>>> Thanks again,
>>>
>>> Zachary Palmer

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
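The two u32 filters in the Shorewall dump quoted in this thread are 32-bit value/mask comparisons at byte offsets into the IP header (the filter is "protocol ip" on the root qdisc, so offsets are assumed relative to the IP header). The script below is an added example, not code from the thread or from Shorewall: it transcribes those filters and runs them over constructed IPv4/TCP segments (an SCP bulk segment with the maximize-throughput TOS bit, a pure ACK, and a one-byte interactive SSH segment) to show which flowid each would hit; the TOS values used for scp and ssh are the ones the thread reports, and the addresses and ports are made up.

```python
import struct

# The two u32 filters from the Shorewall dump quoted in this thread, transcribed
# as (flowid, [(value, mask, byte offset from the start of the IP header), ...]).
# A filter matches only when every (word & mask) == value comparison holds.
U32_FILTERS = [
    ("1:12", [(0x00060000, 0x00ff0000, 8),    # IP protocol byte == 6 (TCP)
              (0x05000000, 0x0f00ffc0, 0),    # IHL == 5 and total length < 64
              (0x00100000, 0x00ff0000, 32)]), # TCP flags byte (offset 33) == ACK only
    ("1:15", [(0x00080000, 0x00080000, 0)]),  # TOS byte has the 0x08 maximize-throughput bit
]

def u32_match(pkt, value, mask, offset):
    """One 'match value/mask at offset' line: compare a big-endian 32-bit word."""
    if offset + 4 > len(pkt):
        return False
    word = struct.unpack_from("!I", pkt, offset)[0]
    return (word & mask) == value

def classify(pkt):
    """Return the flowid of the first filter whose matches all hold, else None
    (None means the packet falls through to the fwmark-based classification)."""
    for flowid, matches in U32_FILTERS:
        if all(u32_match(pkt, v, m, o) for v, m, o in matches):
            return flowid
    return None

def build_packet(tos, tcp_flags, payload_len):
    """Constructed IPv4 + TCP segment for the demo: no IP options, no TCP
    options, zeroed checksums (u32 never looks at them). Addresses are made up."""
    total_len = 20 + 20 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0x4000, 64, 6, 0,
                         bytes([192, 168, 0, 1]), bytes([10, 0, 0, 1]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 22, 40000, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + bytes(payload_len)

TOS_MAXIMIZE_THROUGHPUT = 0x08   # what scp sets on bulk data
TOS_MINIMIZE_DELAY = 0x10        # what an interactive ssh session sets
ACK, PSH_ACK = 0x10, 0x18

def demo():
    """Classify three constructed segments; returns {name: flowid}."""
    return {
        "scp bulk data (TOS 0x08, 1400 bytes)": classify(build_packet(TOS_MAXIMIZE_THROUGHPUT, PSH_ACK, 1400)),
        "pure ACK (TOS 0x10, no payload)": classify(build_packet(TOS_MINIMIZE_DELAY, ACK, 0)),
        "ssh keystroke (TOS 0x10, 1 byte)": classify(build_packet(TOS_MINIMIZE_DELAY, PSH_ACK, 1)),
    }

if __name__ == "__main__":
    for name, flowid in demo().items():
        print(f"{name}: {flowid}")
```

Note that the filters are tried in dump order, so a short pure ACK that also carries TOS 0x08 lands in 1:12 (tcp-ack) before the 1:15 filter is consulted.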
