Hi,
i am using shorewall 4.5.21.3 on CentOS 6.4. i have a two interface
firewall, one wan and the another lan.
the firewall is doing masquerading for the lan, i am trying to setup some
QoS policies however finding it difficult to work.
Also i need some advise and better explanation, according to the LARTC docs
qos policies used be applied to the interface connection to the network,
(AKA LAN Interface?). i see that from the examples from shorewall man pages
that you use the WAN interface. which is better and why?
here is my current config, when specifying ports sport 80 or 443 traffic
not going to the specified class however removing the ports and just
specifying any traffic it works...i've also tried swaping about SPORT and
DPORT..
WAN=eth1
LAN=eth0
/etc/shorewall/shorewall.conf
MARK_IN_FORWARD_CHAIN=yes
/etc/shorewall/tcdevices
###############################################################################
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
#INTERFACE INTERFACES
eth0 7mbps 7mbps
/etc/shorewall/tcclasses
###############################################################################
#INTERFACE:CLASS MARK RATE: CEIL PRIORITY
OPTIONS
# DMAX:UMAX
eth0 2 120kbps 130kbps 1
eth0 10 50kbps 55kbps 10
default
/etc/shorewall/tcrules
##########################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE USER
TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# PORT(S) PORT(S)
2 0.0.0.0/0 0.0.0.0/0 tcp 21
2 0.0.0.0/0 0.0.0.0/0 tcp 80,443
Shorewall 4.5.21.3 Traffic Control at localhost.localdomain - Sun Nov 10
09:35:39 SAST 2013
Chain PREROUTING (policy ACCEPT 7058 packets, 4799K bytes)
pkts bytes target prot opt in out source
destination
7058 4799K tcpre all -- * * 0.0.0.0/0
0.0.0.0/0
Chain INPUT (policy ACCEPT 992 packets, 105K bytes)
pkts bytes target prot opt in out source
destination
992 105K tcin all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy ACCEPT 6066 packets, 4694K bytes)
pkts bytes target prot opt in out source
destination
6066 4694K MARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK and 0xffffff00
6066 4694K tcfor all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 415 packets, 114K bytes)
pkts bytes target prot opt in out source
destination
415 114K tcout all -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 6481 packets, 4808K bytes)
pkts bytes target prot opt in out source
destination
6481 4808K tcpost all -- * * 0.0.0.0/0
0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source
destination
31 1496 MARK tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 MARK set 0x2
1663 99141 MARK tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 80,443 MARK set 0x2
Chain tcin (1 references)
pkts bytes target prot opt in out source
destination
Chain tcout (1 references)
pkts bytes target prot opt in out source
destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source
destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source
destination
Device eth0:
qdisc htb 1: root refcnt 2 r2q 280 default 110 direct_packets_stat 0 ver
3.17
Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 6844 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 2: parent 1:12 limit 127p quantum 1500b flows 127/1024 perturb
10sec
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 3: parent 1:110 limit 127p quantum 1500b flows 127/1024 perturb
10sec
Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: parent ffff:fff1 ----------------
Sent 156423 bytes 2598 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:110 parent 1:1 leaf 3: prio 7 quantum 1500 rate 400000bit ceil
440000bit burst 1600b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead
0b level 0
Sent 4538948 bytes 3463 pkt (dropped 41, overlimits 0 requeues 0)
rate 430520bit 38pps backlog 0b 0p requeues 0
lended: 3156 borrowed: 307 giants: 0
tokens: 477500 ctokens: 434078
class htb 1:1 root rate 56000Kbit ceil 56000Kbit burst 1589b/8 mpu 0b
overhead 0b cburst 1589b/8 mpu 0b overhead 0b level 7
Sent 4538948 bytes 3463 pkt (dropped 0, overlimits 0 requeues 0)
rate 436024bit 38pps backlog 0b 0p requeues 0
lended: 307 borrowed: 0 giants: 0
tokens: 3406 ctokens: 3406
class htb 1:12 parent 1:1 leaf 2: prio 1 quantum 1500 rate 960000bit ceil
1040Kbit burst 1599b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b
level 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 0 borrowed: 0 giants: 0
tokens: 208328 ctokens: 192296
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1
1 1 1 1
Sent 12772642 bytes 159778 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
