Tristan DEFERT wrote:
> Hi all,
>
> I wonder why I can shape all tcp traffic from a particular host, but not
> from a particular tcp or udp port. Let's see:
>
> I got the following setup:
>
> * switch trunked to fw
> * vlans on fw/switch
> * shorewall (new)bridge between some vlans
> * internal shorewall traffic shaping
>
> Supposing:
>
> vlan20 is the WAN interface, bridged with vlan30 (my DMZ)
>
> I want to shape outgoing traffic toward vlan20
> My WAN bandwidth is symmetrical 50Mbits/s
>
> so my tcdevices:
> DEVICE    IN         OUT
> vlan20    49mbits    49mbits
>
> I define two tcclasses:
> DEVICE    MARK    RATE       CEIL       PRIO    FLAGS
> vlan20    1       10kbits    40kbits    1       tcp-ack, tos-minimize-delay
> vlan20    2       1mbit      2mbits     2
> vlan20    3       full/2     full       3       default
>
>
> What works in tcrules:
> MARK    SRC            DEST         PROTO    PORT
> 1:12    0.0.0.0/0      0.0.0.0/0    tcp      -
> :-) => all my tcp traffic is limited to 2mbits
> 1:12    $DMZ_server    0.0.0.0/0    tcp      -
> :-) => all my tcp traffic from my DMZ server is limited to 2mbits
>
> What does not work in tcrules:
> 1:12    0.0.0.0/0      0.0.0.0/0    tcp      www
> :-( => DOES NOT WORK
> 1:12    $DMZ_server    0.0.0.0/0    tcp      www
> :-( => DOES NOT WORK
>
> Why does it not work as soon as I specify a port (or a group of ports),
> either tcp or udp?
>
I assume that you have an HTTP server in your DMZ? If so, then on outgoing
traffic the SOURCE PORT is 80 (www), not the DEST PORT.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
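The point of the reply above, as an added example that is not part of the original thread and is not Shorewall code: a simplified Python matcher for the port columns of a tcrules-style line, run against the two directions of one HTTP exchange. The addresses, the client port, the `SERVICES` table and the function names are constructed for illustration; the sixth column is treated as the source port, as in the SOURCE PORT(S) column of tcrules.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")
SERVICES = {"www": 80}  # constructed stand-in for /etc/services


def _port_ok(column, port):
    """'-' matches any port; otherwise compare a service name or number."""
    if column == "-":
        return True
    wanted = SERVICES[column] if column in SERVICES else int(column)
    return wanted == port


def _addr_ok(column, addr):
    """Match a host or CIDR column against a packet address."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(column)


def classify(rule, pkt):
    """Return the rule's MARK if pkt matches, else None.

    Columns modelled: MARK SRC DEST PROTO DEST-PORT [SOURCE-PORT].
    """
    cols = rule.split()
    mark, src, dst, proto, dport = cols[:5]
    sport = cols[5] if len(cols) > 5 else "-"
    if (proto == pkt.proto
            and _addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst)
            and _port_ok(dport, pkt.dport) and _port_ok(sport, pkt.sport)):
        return mark
    return None


SERVER, CLIENT = "192.0.2.10", "198.51.100.7"        # constructed addresses
request = Packet(CLIENT, SERVER, "tcp", 51514, 80)   # inbound to the DMZ server
response = Packet(SERVER, CLIENT, "tcp", 80, 51514)  # outbound toward the WAN

BY_DEST_PORT = f"1:12 {SERVER} 0.0.0.0/0 tcp www"      # port in DEST PORT, as posted
BY_SOURCE_PORT = f"1:12 {SERVER} 0.0.0.0/0 tcp - www"  # port moved to SOURCE PORT

if __name__ == "__main__":
    for name, rule in (("dest port", BY_DEST_PORT), ("source port", BY_SOURCE_PORT)):
        print(f"{name:12} rule on server response -> {classify(rule, response)}")
```

Only the response leaves through the shaped WAN interface, and its destination port is the client's ephemeral port, so the rule keyed on destination port www never classifies it.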
