Laurent CARON wrote:
> Hi,
> 
> I'm fairly new to shorewall (I used to be a FIAIF user).
> 
> I'm basically trying to setup traffic shaping on my firewall/gateway.
> 
> I'd like to get highest prio for interactive traffic (SSH, but not SCP)
> I'd like guaranteed bandwidth for VoIP traffic
> I'd like guaranteed bandwidth for DNS traffic
> I'd like guaranteed bandwidth for WWW traffic
> I'd like best effort for the rest.
> 
> Here is how I did config shorewall:
> 
> /etc/shorewall/tcclasses:
> ppp0        1     20*full/100   40*full/100     1     tcp-ack,tos-minimize-delay

You are *guaranteeing* 20% of the bandwidth for this high-priority
traffic but are limiting it to 40% -- *why*?

> ppp0        2     20*full/100   30*full/100     2 
> tos=0x68/0xfc,tos=0xb8/0xfc

Same with VOIP -- why not let it use all of the bandwidth if there is no
lower-priority traffic.

> ppp0        3     20*full/100   25*full/100     3
> ppp0        4     40*full/100   85*full/100     4
> ppp0        5     5*full/100    40*full/100     4                  default
> 
> /etc/shorewall/tcdevices:
> ppp0         25000kbit          830kbit
> 
> /etc/shorewall/tcrules:
> 1:T             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
> 1:T             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
> 1:T             0.0.0.0/0       0.0.0.0/0       tcp     ssh
> 2:T             0.0.0.0/0       0.0.0.0/0       udp     sip,iax
> 2:T             0.0.0.0/0       0.0.0.0/0       tcp     sip,iax

SIP and IAX traffic that is also marked tos-minimize-delay will go in
this class rather than the first; is that what you want?

> 3:T             0.0.0.0/0       0.0.0.0/0       tcp     domain
> 3:T             0.0.0.0/0       0.0.0.0/0       udp     domain
> 4:T             0.0.0.0/0       0.0.0.0/0       tcp     www,https,smtp
> 5:T             0.0.0.0/0       0.0.0.0/0       tcp     4652
> 5:T             0.0.0.0/0       0.0.0.0/0       udp     4652
> SAVE:T          0.0.0.0/0       0.0.0.0/0       all     -             -       -       !0
> 

There is no point in saving the packet mark if you don't restore the
mark at the top of the rules and bail out if the connection was already
marked.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
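An added example, not from the thread or the Shorewall project: a small Python linter run over constructed copies of the three quoted files, flagging the issues Tom raises (a CEIL below the link rate, guaranteed RATEs that together exceed the OUT-BANDWIDTH, and SAVE without a RESTORE). It assumes the INTERFACE/IN-BANDWIDTH/OUT-BANDWIDTH and INTERFACE/MARK/RATE/CEIL column layouts shown in the quotes, and handles only kbit/mbit literals and the N*full/M rate syntax.

```python
import re

# Constructed sample input, laid out like the three Shorewall files quoted in the thread.
TCDEVICES = "ppp0   25000kbit   830kbit\n"
TCCLASSES = """ppp0  1  20*full/100  40*full/100  1  tcp-ack,tos-minimize-delay
ppp0  2  20*full/100  30*full/100  2  tos=0x68/0xfc,tos=0xb8/0xfc
ppp0  3  20*full/100  25*full/100  3
ppp0  4  40*full/100  85*full/100  4
ppp0  5  5*full/100   40*full/100  4  default
"""
TCRULES = """1:T     0.0.0.0/0  0.0.0.0/0  tcp  ssh
2:T     0.0.0.0/0  0.0.0.0/0  udp  sip,iax
SAVE:T  0.0.0.0/0  0.0.0.0/0  all  -  -  -  !0
"""

def parse_kbit(token):
    """Convert a bandwidth literal such as '830kbit' or '2mbit' to kbit/s (only these two units are handled)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit)", token)
    if not m:
        raise ValueError(f"unsupported bandwidth literal: {token!r}")
    return float(m.group(1)) * (1000 if m.group(2) == "mbit" else 1)

def eval_rate(expr, full):
    """Evaluate a RATE/CEIL field: an 'N*full/M' expression (as used in the thread) or a plain literal."""
    m = re.fullmatch(r"(?:(\d+)\*)?full(?:/(\d+))?", expr)
    if m:
        return full * int(m.group(1) or 1) / int(m.group(2) or 1)
    return parse_kbit(expr)

def lint_shaping(tcdevices, tcclasses, tcrules):
    """Return warnings for: ceilings below the link rate, over-committed guarantees, SAVE without RESTORE."""
    fields = lambda text: [l.split() for l in text.splitlines() if l.split() and not l.startswith("#")]
    out_bw = {f[0]: parse_kbit(f[2]) for f in fields(tcdevices)}      # INTERFACE, IN-BW, OUT-BW columns
    committed, warnings = {}, []
    for iface, mark, rate, ceil, *_ in fields(tcclasses):
        full = out_bw[iface]
        r, c = eval_rate(rate, full), eval_rate(ceil, full)
        committed[iface] = committed.get(iface, 0) + r
        if c < full:   # Tom's first two comments: a capped CEIL stops the class borrowing idle bandwidth
            warnings.append(f"{iface} class {mark}: ceil is {c / full:.0%} of the link, idle bandwidth cannot be borrowed")
    for iface, total in committed.items():
        if total > out_bw[iface]:   # HTB cannot honour guarantees that add up to more than the link
            warnings.append(f"{iface}: guaranteed rates sum to {total / out_bw[iface]:.0%} of OUT-BANDWIDTH")
    marks = {f[0].split(":")[0] for f in fields(tcrules)}
    if "SAVE" in marks and "RESTORE" not in marks:   # Tom's last comment
        warnings.append("tcrules: SAVE without a RESTORE at the top of the file, the saved mark is never reused")
    return warnings
```

On the quoted classes it also reports that the RATE column alone adds up to 105% of the 830kbit uplink, which HTB cannot guarantee.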
