Re: [Shorewall-users] TC - not marking correctly

Tue, 02 Jan 2007 07:28:29 -0800 

Ismael Milach da Silveira wrote:
> Ok, thanks again, I used delay_pools on some clients and it worked, but
> the problem is, I still can't do traffic shaping with shorewall using
> other ports either.
> 
> tcclasses
> #####################################
> eth0            1      128kbps  256kbps 2
> eth0            2      full full        1 default
> 
> eth1            3      128kbps  256kbps 2
> eth1            4      full full        1 default
> #######################################
> 
> tcrules
> ###############################
> 1       0.0.0.0/0     192.168.200.1     all
> 1       192.168.200.1   0.0.0.0/0       all
> 
> 3       0.0.0.0/0     192.168.200.1     all
> 3       192.168.200.1   0.0.0.0/0       all

Remember that rules in the 'tcrules' file are non-terminating so after a packet
is applied to one rule, it goes on to the next one; so with your rules,
*forwarded* traffic to and from 192.168.200.1 will always have mark 3 and will
never have mark 1. Traffic between 192.168.200.1 and the firewall will never be
marked.

192.168.200.1 connects through eth1. That being the case, any traffic FROM
192.168.200.1 will be coming FROM eth1 and going TO eth0.

So you want:

1          192.168.200.1    0.0.0.0/0      all

Similarly, traffic forwarded TO 192.168.200.1 will be coming FROM eth0 and going
TO eth1. So you want:

3          0.0.0.0/0        192.168.200.1  all

Those are the only two rules you need for forwarded traffic.

If you also want to shape traffic from the firewall to 192.168.200.1, add ONE
additional rule:

3          $FW              192.168.200.1  all

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Attachment: signature.asc
Description: OpenPGP digital signature

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to