Hi all, I wonder why I can shape all TCP traffic from a particular host, but not from a particular TCP or UDP port. Let's see:

I got the following setup:
* switch trunked to fw
* vlans on fw/switch
* shorewall (new)bridge between some vlans
* internal shorewall traffic shaping

Supposing: vlan20 is the WAN interface, bridged with vlan30 (my DMZ). I want to shape outgoing traffic toward vlan20. My WAN bandwidth is symmetrical 50Mbits/s, so my tcdevices:

DEVICE   IN        OUT
vlan20   49mbits   49mbits

I define two tcclasses:

DEVICE   MARK   RATE      CEIL      PRIO   FLAGS
vlan20   1      10kbits   40kbits   1      tcp-ack, tos-minimize-delay
vlan20   2      1mbit     2mbits    2
vlan20   3      full/2    full      3      default

What works in tcrules:

MARK   SRC           DEST        PROTO   PORT
1:12   0.0.0.0/0     0.0.0.0/0   tcp     -      :-) => all my tcp traffic is limited to 2mbits
1:12   $DMZ_server   0.0.0.0/0   tcp     -      :-) => all my tcp traffic from my DMZ server is limited to 2mbits

What does not work in tcrules:

1:12   0.0.0.0/0     0.0.0.0/0   tcp     www    :-( => DOES NOT WORK
1:12   $DMZ_server   0.0.0.0/0   tcp     www    :-( => DOES NOT WORK

Why does it not work as soon as I specify a port (or a group of ports), either TCP or UDP?

More info:
* All possible netfilter kernel modules are available from kernel 2.6.18
* In shorewall.conf:
  TC_ENABLED=Internal
  TC_EXPERT=No
  CLEAR_TC=Yes
  MARK_IN_FORWARD_CHAIN=No
  BRIDGING=No (NewBridge !!!)

Any idea? Kernel systune? Newbridge problem? Forward vs prerouting marking?

Thanks a lot

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
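An added example, not part of the post above and not Shorewall's own code: a small Python checker that reads the three tables quoted in the post (tcdevices, tcclasses, tcrules), resolves RATE/CEIL expressions such as `full/2` against the device bandwidth, and reports the consistency checks a practitioner usually runs before suspecting the kernel or the bridge: RATE not above CEIL, CEIL and the sum of committed RATEs not above the device OUT bandwidth, every tcrules MARK a plain number that matches a tcclasses MARK, and a PORT only on a protocol that carries ports. The column layout follows the post; the check rules, the accepted rate spellings, the treatment of `$DMZ_server` as an opaque token and the recognised `:P`/`:F` mark suffixes are this example's own assumptions, not a description of Shorewall's parser.

```python
import re

# kbit/s multiplier per unit prefix ('10kbits', '1mbit', '49mbits' spellings)
UNIT_KBIT = {"k": 1, "m": 1000, "g": 1_000_000}


def parse_rate(expr, full_kbit):
    """Convert a RATE/CEIL expression to kbit/s; 'full' is the device bandwidth."""
    expr = expr.lower()
    if expr == "full":
        return float(full_kbit)
    m = re.fullmatch(r"full/(\d+)", expr)
    if m:
        return full_kbit / int(m.group(1))
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg])bits?", expr)
    if not m:
        raise ValueError(f"unrecognised rate expression: {expr!r}")
    return float(m.group(1)) * UNIT_KBIT[m.group(2)]


def _rows(table):
    """Split a whitespace-separated table into column lists, skipping blanks and comments."""
    return [l.split() for l in table.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def _mark_value(text):
    """Parse a decimal/hex mark with an optional :P/:F suffix (assumed); None if not plain."""
    base, _, chain = text.partition(":")
    if chain not in ("", "P", "F"):
        return None
    if re.fullmatch(r"0x[0-9a-fA-F]+", base):
        return int(base, 16)
    if re.fullmatch(r"\d+", base):
        return int(base, 10)
    return None


def resolve_classes(tcdevices, tcclasses):
    """Return one dict per tcclasses row with RATE/CEIL resolved to kbit/s."""
    devices = {r[0]: (parse_rate(r[1], 0), parse_rate(r[2], 0)) for r in _rows(tcdevices)}
    classes = []
    for dev, mark, rate, ceil, prio, *_ in _rows(tcclasses):
        if dev not in devices:
            raise ValueError(f"tcclasses device {dev} is not listed in tcdevices")
        full_out = devices[dev][1]  # shaping is applied to egress, so OUT is 'full'
        classes.append({
            "device": dev, "mark": _mark_value(mark), "prio": int(prio),
            "rate_kbit": parse_rate(rate, full_out),
            "ceil_kbit": parse_rate(ceil, full_out),
            "device_out_kbit": full_out,
        })
    return classes


def check_config(tcdevices, tcclasses, tcrules):
    """Run the consistency checks; an empty list means everything passed."""
    findings = []
    classes = resolve_classes(tcdevices, tcclasses)
    committed = {}
    for c in classes:
        tag = f"tcclasses {c['device']} mark {c['mark']}"
        if c["rate_kbit"] > c["ceil_kbit"]:
            findings.append(f"{tag}: RATE exceeds CEIL")
        if c["ceil_kbit"] > c["device_out_kbit"]:
            findings.append(f"{tag}: CEIL exceeds the device OUT bandwidth")
        committed[c["device"]] = committed.get(c["device"], 0.0) + c["rate_kbit"]
    for dev, total in committed.items():
        out = next(c["device_out_kbit"] for c in classes if c["device"] == dev)
        if total > out:
            findings.append(f"tcclasses {dev}: committed RATEs ({total:.0f} kbit) exceed OUT ({out:.0f} kbit)")
    known_marks = {c["mark"] for c in classes}
    for row in _rows(tcrules):
        mark, src, dst, proto = row[:4]
        port = row[4] if len(row) > 4 else "-"
        rule = " ".join(row[:5])
        value = _mark_value(mark)
        if value is None:
            findings.append(f"tcrules [{rule}]: MARK {mark!r} is not a plain decimal/hex mark")
        elif value not in known_marks:
            findings.append(f"tcrules [{rule}]: MARK {mark} matches no tcclasses MARK")
        if port != "-" and proto.lower() not in ("tcp", "udp", "6", "17"):
            findings.append(f"tcrules [{rule}]: PORT {port} given but PROTO {proto} has no ports")
    return findings


# Constructed input: the tables from the post, plus one extra tcrules row with a plain mark.
TCDEVICES = "vlan20 49mbits 49mbits\n"
TCCLASSES = """\
vlan20 1 10kbits 40kbits 1 tcp-ack,tos-minimize-delay
vlan20 2 1mbit 2mbits 2
vlan20 3 full/2 full 3 default
"""
TCRULES = """\
1:12 0.0.0.0/0 0.0.0.0/0 tcp -
1:12 $DMZ_server 0.0.0.0/0 tcp -
1:12 0.0.0.0/0 0.0.0.0/0 tcp www
1:12 $DMZ_server 0.0.0.0/0 tcp www
2 $DMZ_server 0.0.0.0/0 tcp www
"""
FINDINGS = check_config(TCDEVICES, TCCLASSES, TCRULES)

if __name__ == "__main__":
    for c in resolve_classes(TCDEVICES, TCCLASSES):
        print(f"mark {c['mark']}: rate {c['rate_kbit']:.0f} kbit, ceil {c['ceil_kbit']:.0f} kbit")
    print("\n".join(FINDINGS) or "no findings")
```

Run as a script it prints the resolved class rates (`full/2` on a 49mbits device is 24500 kbit) and then one line per finding. With the post's tables every bandwidth check passes, and the only findings are the four rules whose MARK column is `1:12` rather than a plain mark value, which under this example's assumed rule makes them candidates to look at first.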
