Hello!

> László Balogh wrote:
>> Hi!
>>
>> I am quite new to shorewall - worked a lot with isa 2004 -,
>> but while I found it easy to config, still I have a question:
>>
>> My FW config is following:
>>
>> eth0 fix ip 40/40mbs Internet
>> eth1 fix ip 100Mbps DMZ (192.168.100.0/24) (we host websites)
>> eth2 fix ip 100Mbps Local net with dhcp (192.168.101.0/24)
>> eth3 fix ip 100Mbps sales net with dhcp (lot less allowed than local
>> net) (192.168.102.0/24)
>>
>> I got this config to work already.
>>
>> My question begins here:
>>
>> I was asked to limit the bandwidth that the users on Local and Sales
>> have towards and from the Internet to 1mbps/1mbps each. (So that
>> users don't eat the bandwidth)
>
> HTB (the queuing discipline used by Shorewall) is ill-suited for
> implementing this Draconian policy. It is rather intended to allocate
> bandwidth by type of traffic rather than by individual host. SFQ is then
> used within each HTB class to ensure fairness.
>
> Limiting each user to 1mbps:
>
> a) Makes all users suffer for the sins of a few
> b) Ensures that the internet link will be under-utilized much of the time.
> c) Does nothing to help when the system is really busy (more than 40
> users downloading large files simultaneously).

Well, I forgot to mention some background information about the company.
We host websites that are used for webmail and client access,
and having enough bandwidth for those is the primary thing.
Most of the users don't have anything to do on the internet.
Even if the users go on the net, they shouldn't be able to eat
bandwidth.

Secondly, I have to deal with privately used laptops,
and there have been cases of infected hardware eating all the
bandwidth (botnet client), that is why I have to limit each user to a maximum
amount of bandwidth. (closing all unnecessary ports is not an option, regretfully)

>> Browsing the website i found the following solution:
>> make classes for each ip and make rules for them
>>
>> (I did the tables with TABs, but I couldn't get it to work with my webmail)
>>
> And I've deleted them in my response since my mailer made them totally
> unreadable.

I will try to paste them again with one space between each word.

tcdevices
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps

tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 full full 1 default
eth2 1 full full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2

tcrules
#MARK SOURCE DESTINATION PROTOCOL PORT(s)
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
...


>>
>> Is This configuration correct?
>
> No. The sum of the RATE column for each interface exceeds the
> OUT-BANDWIDTH for the interface. The RATE column specifies what you
> GUARANTEE each class, no matter how congested the link is, so the sum of
> the numbers in that column cannot exceed the OUT-BANDWIDTH.

Do you mean that this works, but if more than 40 users use the 1 mbit, then
traffic shaping becomes useless, or do you mean that shorewall won't
even accept it?
We currently have about 20 workers, so I thought I'll adjust the numbers later.

>> Because this means I have to create shedloads of classes!
>> I can have around 500 Clients in the DHCP ranges,
>> but in the description of the website, it is mentioned that
>> 256 classes is the max.....
>
> Again, HTB in general (and Shorewall's use of it in particular) is
> ill-suited for implementing your policy. But then, your policy is a poor
> one IMO.

Well, it is my first go at it, I didn't expect to master it in one night.
The problem is that shorewall is already implemented. I have to
add this to it as an extra.

If you know any other software that works alongside shorewall and is better suited,
please write a URL.

> One additional note about Shorewall traffic shaping. SFQ, by default,
> assures fairness within *flows* which correspond closely to TCP
> connections. So it is possible for a single user to dominate a
> particular class by having many flows. You can use CONNLIMIT in your
> policy and rules file to limit the number of outgoing connections that
> each local station can have but a better solution would be for Shorewall
> to use the *flow* classifier to cause SFQ to ensure fairness between
> local systems rather than connections. Unfortunately, we have been
> unable to make that classifier work correctly, but hopefully we will
> have that feature available soon.

(TT_TT) My boss wouldn't be able to digest that he can only have x
net connections, plus we have software that opens a lot of
connections to the net (while not eating much bandwidth).


> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>

Thanks for your answer

Laszlo Balogh
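The objection Tom raises above (the guaranteed RATE values per interface must not add up to more than the device's OUT-BANDWIDTH) can be checked mechanically before reloading Shorewall. The following is an added example, not Shorewall's own code; the two tables are constructed copies of the ones posted in this thread, and the unit handling follows the tc convention that Shorewall inherits (kbit/mbit are bits per second, kbps/mbps are bytes per second).

```python
"""Check Shorewall tcclasses RATE guarantees against tcdevices OUT-BANDWIDTH."""
import re

# Constructed copies of the tables posted in the thread (not Shorewall's files).
TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth0 40mbps 40mbps
eth2 100mbps 100mbps
"""
TCCLASSES = """\
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 full full 1 default
eth2 1 full full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
"""

# tc units (used by Shorewall): kbit/mbit are bits per second, while
# kbps/mbps are *bytes* per second. Everything is normalised to bit/s.
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8_000, "mbps": 8_000_000}

def to_bps(value, full=None):
    """Convert a Shorewall bandwidth string to bits per second.
    'full' stands for the interface's OUT-BANDWIDTH, passed in as `full`."""
    if value == "full":
        return full
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit|kbps|mbps|bps|bit)", value)
    if not m:
        raise ValueError(f"unrecognised bandwidth: {value}")
    return int(float(m.group(1)) * UNITS[m.group(2)])

def rows(table):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check_rates(tcdevices, tcclasses):
    """Return {iface: (sum_of_rates, out_bandwidth)} in bit/s for every
    interface whose guaranteed RATEs add up to more than its OUT-BANDWIDTH."""
    out_bw = {r[0]: to_bps(r[2]) for r in rows(tcdevices)}
    totals = {}
    for iface, _mark, rate, *_rest in rows(tcclasses):
        totals[iface] = totals.get(iface, 0) + to_bps(rate, full=out_bw[iface])
    return {i: (t, out_bw[i]) for i, t in totals.items() if t > out_bw[i]}

if __name__ == "__main__":
    for iface, (total, bw) in check_rates(TCDEVICES, TCCLASSES).items():
        print(f"{iface}: guaranteed {total} bit/s exceeds OUT-BANDWIDTH {bw} bit/s")
```

With the posted tables both interfaces are flagged, because the default class already claims "full" and every per-host class adds a further 100kbps guarantee on top of it.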

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
