>> >> According to this advice from 'traffic_shaping.htm':
>> >>
>> >> Normally, packet marking occurs in the PREROUTING chain before any
>> >> address rewriting takes place. This makes it impossible to mark inbound
>> >> packets based on their destination address when SNAT or Masquerading are
>> >> being used. You can cause packet marking to occur in the FORWARD chain by
>> >> using the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
>> >>
>> >> I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of
>> >> rules in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and
>> >> want to use internal (private) IP addresses (or networks) in 'tcrules'.
>> >> Do I understand correctly?
>> >
>> > The only time where the above applies is if you want to mark incoming
>> > traffic by its destination IP and you are SNAT/Masquerading.
>>
>> Is the destination address a local (not external) IP?
>> And I would want this only for tc-rules for the external interface.
>> Am I right?
>
> If the destination address is LOCAL, then the traffic is going out of
> the LOCAL interface. So this would only apply if you are shaping the
> LOCAL interface.

Yes, and when I am shaping the LOCAL outgoing traffic I am shaping inbound
EXTERNAL traffic on the EXTERNAL interface (if I make the corresponding tc-rule):

    5 $EXT_IF $INT_IF:192.168.5.45 all

And one more question. If I use the following ONE tc-rule:

    1 0.0.0.0/0 0.0.0.0/0 icmp echo-request

would it be suitable for any interfaces in tc-classes (I want it so):

    $DMZ_IF 1 10kbit full 1 tcp-ack,tos-minimize-delay
    $EXT_IF 1 10kbit full 1 tcp-ack,tos-minimize-delay
    $INT_IF 1 10kbit full 1 tcp-ack,tos-minimize-delay

Alex