László Balogh wrote:

> Well, I forgot to mention background information about the company.
> We host websites that are used for webmail and client access
> and having enough bandwidth for those is the primary thing.
> Most of the users don't have anything to do on the internet.
> Even if the users go on the net, they shouldn't be able to eat
> bandwidth.
> 
> Secondly, I have to deal with privately used laptops,
> and there have been cases of infected hardware eating all the
> bandwidth (botnet client), that is why I have to limit each user to a maximum
> of bandwidth. (closing all unnecessary ports is not an option, regretfully)

Then Shorewall's traffic shaping does not offer you a workable solution.

> 
>>> Browsing the website I found the following solution:
>>> make classes for each IP and make rules for them
>>>
>>> (I did the tables with TABs, I just couldn't get it to work with my 
>>> webmail)
>>>
>> And I've deleted them in my response since my mailer made them totally
>> unreadable.
> 
> I will try to paste them again with one space between each word.
> 
> tcdevices
> #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
> eth0 40mbps 40mbps
> eth2 100mbps 100mbps
> 
> tcclasses
> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> eth0 1 full full 1 default
> eth2 1 full full 1 default
> eth0 2 100kbps 1mbps 2
> eth2 2 100kbps 1mbps 2
> eth0 3 100kbps 1mbps 2
> eth2 3 100kbps 1mbps 2
> eth0 4 100kbps 1mbps 2
> eth2 4 100kbps 1mbps 2
> 
> tcrules
> #MARK SOURCE DESTINATION PROTOCOL PORT(s)
> 2:F 192.168.101.11 eth0 all
> 2:F eth0 192.168.101.11 all
> 3:F 192.168.101.12 eth0 all
> 3:F eth0 192.168.101.12 all
> 4:F 192.168.101.13 eth0 all
> 4:F eth0 192.168.101.13 all
> ...
> 
> 
>>> Is This configuration correct?
>> No. The sum of the RATE column for each interface exceeds the
>> OUT-BANDWIDTH for the interface. The RATE column specifies what you
>> GUARANTEE each class, no matter how congested the link is, so the sum of
>> the numbers in that column cannot exceed the OUT-BANDWIDTH.
> 
> Do you mean that this works, but if more than 40 users use the 1 mbit, then
> traffic shaping becomes useless, or do you mean that shorewall won't
> even accept it?

No -- I mean this won't work at all. You are guaranteeing ALL OF THE
BANDWIDTH to the default class ('full' in the RATE column). So there is
none left over for the other classes. When HTB is configured like this,
it just plain doesn't work.

> 
> If you know any other software that works besides Shorewall and is better suited,
> please write a URL.

I know of no good solution on Linux that scales to 100s of internal systems.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
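
The rule stated in the reply above (the sum of the RATE column per interface must not exceed that interface's OUT-BANDWIDTH) can be checked before a configuration is loaded. This is an added example, not part of the original thread and not Shorewall's own code; the function names are hypothetical, the unit table is an assumption, and only `full` and plain numeric rates are handled (no expressions such as `full/3`).

```python
import re
from collections import defaultdict

# Bits per second per unit. Assumption: tc-style suffixes (*bps = bytes/s,
# *bit = bits/s) with decimal multipliers.
UNITS = {"bps": 8, "kbps": 8_000, "mbps": 8_000_000, "kbit": 1_000, "mbit": 1_000_000}

# Files as posted in the thread (the "..." continuation is left out).
THREAD_TCDEVICES = "eth0 40mbps 40mbps\neth2 100mbps 100mbps\n"
THREAD_TCCLASSES = """\
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth0 1 full full 1 default
eth2 1 full full 1 default
eth0 2 100kbps 1mbps 2
eth2 2 100kbps 1mbps 2
eth0 3 100kbps 1mbps 2
eth2 3 100kbps 1mbps 2
eth0 4 100kbps 1mbps 2
eth2 4 100kbps 1mbps 2
"""
# Constructed variant: the default class guarantees 10mbps instead of 'full'.
CONSTRUCTED_TCCLASSES = THREAD_TCCLASSES.replace(" full full ", " 10mbps full ")

def to_bits(value, full=None):
    """Convert a rate such as '100kbps' or 'full' to bits per second."""
    if value == "full":
        return full
    m = re.fullmatch(r"(\d+)(kbit|mbit|kbps|mbps|bps)?", value)
    if not m:
        raise ValueError(f"unsupported rate: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "bps"]

def rows(text):
    """Yield whitespace-split columns, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def oversubscribed(tcdevices, tcclasses):
    """Return {interface: (sum of RATE, OUT-BANDWIDTH)} where the sum is larger."""
    out_bw = {r[0]: to_bits(r[2]) for r in rows(tcdevices)}
    total = defaultdict(int)
    for iface, _mark, rate, *_ in rows(tcclasses):
        total[iface] += to_bits(rate, full=out_bw[iface])
    return {i: (total[i], bw) for i, bw in out_bw.items() if total[i] > bw}

if __name__ == "__main__":
    for i, (s, bw) in oversubscribed(THREAD_TCDEVICES, THREAD_TCCLASSES).items():
        print(f"{i}: RATE sum {s} bit/s exceeds OUT-BANDWIDTH {bw} bit/s")
```

The constructed variant passes only this arithmetic check; it says nothing about whether per-IP classes scale to the number of hosts discussed in the thread.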
