>> I've got packet shaping set up with a basic config and I'm wondering
>> if anyone has any recommendations for these settings.  The main thing
>> to be moving along priority 4 should be p2p.  Is this only shaping the
>> outbound traffic or is it doing ingress too?
>>
>> tcdevices:
>> eth0    1000kbps 100kbps
>>
>> tcclasses:
>> eth0    1       full*9/10       full    1
>> eth0    2       full*8/10       full*9/10       2
>> eth0    3       full*7/10       full*9/10       3
>> eth0    4       full*1/10       full*5/10       4       default
>
> Your guarantees add up to > full. So this config won't work well at all.
>
>>
>> tcdevices:
>> 1       0.0.0.0/0       0.0.0.0/0       udp     5060,5061
>> 1       0.0.0.0/0       0.0.0.0/0       tcp     22
>> 1       0.0.0.0/0       0.0.0.0/0       icmp    echo-request
>> 1       0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
>> 2       0.0.0.0/0       0.0.0.0/0       udp     53
>> 2       0.0.0.0/0       0.0.0.0/0       tcp     80,443
>> 3       0.0.0.0/0       0.0.0.0/0       tcp     873
>> 3       0.0.0.0/0       0.0.0.0/0       udp     873
>>
>
> It is not possible to look at a set of rules and tell if they are 'good'
> or not. That is because we don't know what kind of services you provide.
> If you are running servers (including SSHD), your rules are not good at
> all since they categorize traffic only by DEST PORT. Responses from
> servers need to be categorized by SOURCE PORT. Also, your UDP rule for
> port 873 is silly.

Thank you for your advice.  I'm running sshd and cupsd so I've
adjusted tcrules.  Should I also prioritize traffic with source port
5060,5061 for inbound calls?  I'm not sure how that works.  I now
have:

tcrules:
1       0.0.0.0/0       0.0.0.0/0       tcp     22,5060,5061
1       0.0.0.0/0       0.0.0.0/0       tcp     -       22
1       0.0.0.0/0       0.0.0.0/0       udp     5060,5061
1       0.0.0.0/0       0.0.0.0/0       icmp    echo-request,echo-reply
2       0.0.0.0/0       0.0.0.0/0       tcp     80,443
2       0.0.0.0/0       0.0.0.0/0       udp     53
2       0.0.0.0/0       0.0.0.0/0       tcp     -       631
3       0.0.0.0/0       0.0.0.0/0       tcp     873

tcclasses:
eth0    1       full*5/10       full    1
eth0    2       full*3/10       full    2
eth0    3       full*2/10       full    3
eth0    4       full*1/10       full    4       default

Why would I want to set CEIL to any less than full?

- Grant
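
Added example, not part of the original messages or of Shorewall itself: a small Python check for the point raised in the reply above, that the RATE guarantees of an interface's tcclasses entries must not add up to more than full. It is run over both tcclasses tables from this thread. The function names are hypothetical, and only `full`-based expressions are handled.

```python
import re
from collections import defaultdict
from fractions import Fraction

# tcclasses entries copied from the thread: the first posting and the revision.
FIRST = """\
eth0    1       full*9/10       full    1
eth0    2       full*8/10       full*9/10       2
eth0    3       full*7/10       full*9/10       3
eth0    4       full*1/10       full*5/10       4       default
"""
REVISED = """\
eth0    1       full*5/10       full    1
eth0    2       full*3/10       full    2
eth0    3       full*2/10       full    3
eth0    4       full*1/10       full    4       default
"""

def fraction_of_full(expr):
    """Turn 'full', 'full*N/M' or 'full/M' into a Fraction of the out-bandwidth."""
    m = re.fullmatch(r"full((?:[*/]\d+)*)", expr.strip())
    if not m:
        raise ValueError(f"only full-based expressions are handled here: {expr!r}")
    value = Fraction(1)
    for op, num in re.findall(r"([*/])(\d+)", m.group(1)):
        value = value * int(num) if op == "*" else value / int(num)
    return value

def check_tcclasses(text):
    """Return ({interface: summed RATE as a fraction of full}, [findings])."""
    totals, findings = defaultdict(Fraction), []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or incomplete entry
        iface, mark, rate, ceil = fields[:4]
        r, c = fraction_of_full(rate), fraction_of_full(ceil)
        totals[iface] += r
        if c < r:
            findings.append(f"{iface} mark {mark}: CEIL {ceil} is below RATE {rate}")
    for iface, total in totals.items():
        if total > 1:
            findings.append(f"{iface}: guaranteed RATEs sum to {total} of full")
    return dict(totals), findings

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("revised", REVISED)):
        print(name, *check_tcclasses(text))
```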

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users