László Balogh wrote:
> Hi!
>
> I am quite new to shorewall - worked a lot with isa 2004 -,
> but while I found it easy to config, still I have a question:
>
> My FW config is following:
>
> eth0 fix ip 40/40mbs Internet
> eth1 fix ip 100Mbps DMZ (192.168.100.0/24) (we host websites)
> eth2 fix ip 100Mbps Local net with dhcp (192.168.101.0/24)
> eth3 fix ip 100Mbps sales net with dhcp (lot less allowed than local
> net) (192.168.102.0/24)
>
> I got this config to work already.
>
> My question begins here:
>
> I was asked to limit the bandwidth of the users on Local and Sales
> have towards and from the Internet to 1mbps/1mbps each. (So that
> users don't eat the bandwidth)
HTB (the queuing discipline used by Shorewall) is ill-suited for
implementing this Draconian policy. It is rather intended to allocate
bandwidth by type of traffic rather than by individual host. SFQ is then
used within each HTB class to ensure fairness. Limiting each user to
1mbps:

a) Makes all users suffer for the sins of a few
b) Ensures that the internet link will be under-utilized much of the time.
c) Does nothing to help when the system is really busy (more than 40
   users downloading large files simultaneously).

> Browsing the website I found the following solution:
> make classes for each ip and make rules for them
>
> (I did the tables with TAB-s, just I couldn't get it to work with my
> webmail)
>

And I've deleted them in my response since my mailer made them totally
unreadable.

>
> Is this configuration correct?

No. The sum of the RATE column for each interface exceeds the
OUT-BANDWIDTH for the interface. The RATE column specifies what you
GUARANTEE each class, no matter how congested the link is, so the sum of
the numbers in that column cannot exceed the OUT-BANDWIDTH.

>
> Because this means I have to create shedloads of classes!
> I can have around 500 Clients in the DHCP ranges,
> but in the description of the website, it is mentioned that
> 256 classes is the max.....

Again, HTB in general (and Shorewall's use of it in particular) is
ill-suited for implementing your policy. But then, your policy is a poor
one IMO.

One additional note about Shorewall traffic shaping. SFQ, by default,
assures fairness within *flows* which correspond closely to TCP
connections. So it is possible for a single user to dominate a
particular class by having many flows. You can use CONNLIMIT in your
policy and rules file to limit the number of outgoing connections that
each local station can have, but a better solution would be for
Shorewall to use the *flow* classifier to cause SFQ to ensure fairness
between local systems rather than connections.
Unfortunately, we have been unable to make that classifier work
correctly, but hopefully we will have that feature available soon.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
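The constraint Tom states above (the RATE column of tcclasses is a guarantee, so per interface its sum may not exceed the OUT-BANDWIDTH in tcdevices) is easy to violate when classes are generated per host, and the original tables were lost in the mail. The script below is an added example, not code from the thread or from Shorewall; it parses constructed tcdevices/tcclasses text and reports interfaces whose guaranteed rates overcommit the link. Assumptions: tcdevices rows are INTERFACE IN-BANDWIDTH OUT-BANDWIDTH and tcclasses rows are INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]; rate units follow tc (kbit/mbit are bits per second, kbps/mbps are bytes per second); a leading "N:" device number or trailing ":class" suffix on INTERFACE is ignored; the 256-class figure is the one quoted in the thread. The sample configs (a 40 Mbit/s eth0, a by-traffic-type layout, and the per-host layout the poster was attempting) are constructed for this example.

```python
"""Sanity-check Shorewall tcdevices/tcclasses for the RATE-sum rule.

Added example, not code from the original thread or from Shorewall.
Assumptions: tcdevices rows are INTERFACE IN-BANDWIDTH OUT-BANDWIDTH and
tcclasses rows are INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]; rate units
follow tc (kbit/mbit = bits per second, kbps/mbps = bytes per second);
an optional "N:" device number or ":class" suffix on INTERFACE is ignored.
"""
import re

_UNIT_BITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000,
              "bps": 8, "kbps": 8_000, "mbps": 8_000_000}

MAX_CLASSES = 256  # per-interface class limit as quoted in the thread (assumed)


def parse_rate(text):
    """Return a rate in bits per second; a unit suffix is mandatory."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(bit|kbit|mbit|bps|kbps|mbps)",
                     text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised rate {text!r}")
    return int(float(m.group(1)) * _UNIT_BITS[m.group(2)])


def _rows(text):
    """Yield whitespace-split columns of non-comment, non-blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _iface(col):
    """Normalise '1:eth0' (device number) and 'eth0:2' (class number) to 'eth0'."""
    parts = col.split(":")
    return parts[1] if parts[0].isdigit() and len(parts) > 1 else parts[0]


def out_bandwidth(tcdevices):
    """Map interface -> OUT-BANDWIDTH in bit/s."""
    return {_iface(cols[0]): parse_rate(cols[2]) for cols in _rows(tcdevices)}


def rate_sums(tcclasses):
    """Map interface -> (sum of the RATE column in bit/s, number of classes)."""
    sums = {}
    for cols in _rows(tcclasses):
        iface = _iface(cols[0])
        total, count = sums.get(iface, (0, 0))
        sums[iface] = (total + parse_rate(cols[2]), count + 1)
    return sums


def check(tcdevices, tcclasses):
    """Return {iface: [problem, ...]}; an empty list means the interface is fine."""
    bw = out_bandwidth(tcdevices)
    problems = {}
    for iface, (total, count) in rate_sums(tcclasses).items():
        issues = []
        if iface not in bw:
            issues.append("no tcdevices entry")
        elif total > bw[iface]:  # guarantees overcommit the link
            issues.append(f"RATE sum {total / 1e6:g} Mbit/s exceeds "
                          f"OUT-BANDWIDTH {bw[iface] / 1e6:g} Mbit/s")
        if count > MAX_CLASSES:
            issues.append(f"{count} classes exceeds {MAX_CLASSES}")
        problems[iface] = issues
    return problems


def per_host_classes(iface, hosts, rate="1mbit", ceil="1mbit", first_mark=10):
    """Generate the one-class-per-IP layout the poster was attempting (constructed)."""
    return "\n".join(f"{iface}\t{first_mark + i}\t{rate}\t{ceil}\t2"
                     for i in range(hosts))


# Constructed tcdevices: the poster's 40 Mbit/s symmetric Internet link on eth0.
TCDEVICES = """
#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
eth0        40mbit        40mbit
"""

# Constructed by-traffic-type layout: the RATE column sums to exactly 40mbit.
TCCLASSES_BY_TYPE = """
#INTERFACE  MARK  RATE    CEIL    PRIORITY
eth0        1     8mbit   40mbit  1   # interactive / DNS
eth0        2     20mbit  40mbit  2   # DMZ web traffic
eth0        3     12mbit  40mbit  3   # bulk from loc and sales
"""

if __name__ == "__main__":
    for name, classes in [("by traffic type", TCCLASSES_BY_TYPE),
                          ("500 hosts x 1mbit", per_host_classes("eth0", 500))]:
        print(name, check(TCDEVICES, classes))
```

Run as a script it prints no problems for the by-type layout and two for the per-host one: 500 guaranteed megabits on a 40 Mbit/s link, and 500 classes against the 256 figure. The check only tests the sum; it says nothing about whether each class's CEIL or the absent default class is sensible, which Shorewall itself validates at compile time.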
