On 29/03/13 12:22, Alan McKay wrote:
> Hi folks,
>
> First of all let me say an enormous THANK YOU for shorewall in
> general!  It is so easy to write powerful firewall configurations with
> this tool!
>
> Well, it was until I wanted to fiddle with QoS ... now it is not so
> easy unfortunately :-(
>
> I just got VOIP at home a few weeks ago and my connection was
> deplorable, which forced me to turn on QoS on my Ubuntu 12.10
> firewall.    That solved my VOIP issue but it clobbered my smoking
> fast HTTP speeds, and I just can't figure out why.   I'm finding the
> tc files in shorewall not as easy to understand as the other stuff.  I
> think I've got it right from an example I found online and don't think
> it should be throttling me, but it is.
>
> Does someone have a working example they can share?
>
> Or alternately, I have been reading about this method of traffic
> shaping where you mark packets using iptables as they come in, and
> then you write your QoS rules to simply use the marks to shape.
>
> http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
>
> That looks like a good alternative for me because some of the other
> QoS stuff I've read makes me believe that I might be able to just
> write my own QoS script and tell shorewall to use my script instead of
> the tc files per se.
>
> But I'm not sure how to tell shorewall to mark packets like that as
> they come in.
>
> thanks,
> -Alan
>
Hi, unfortunately part of that is a result of the fact that tc is not the
easiest thing to understand. If you are struggling to work it out in
shorewall, I recommend not trying to figure it out using tc directly;
shorewall is a *lot* easier than tc.  Which part are you finding most
difficult?  Once you have set up your interface definition in tcdevices
and your classes in tcclasses, the tcrules file is set up in much the
same way as regular rules. For VOIP you are probably going to need to
use a rule with the sip helper, as ports vary.

You can set up shorewall to use marks too, though I find using the
CLASSIFY target (requires kernel support) even easier. To use marks, just
set up the device in tcdevices without the classify option, then in the
tcclasses file specify a mark for each class.  In tcrules just put the
mark value in the first column of each rule.

By way of an example for the article you linked to: I've not done it
exactly the same way, for instance I use an IFB to shape the downlink
instead; this way it doesn't interfere with LAN traffic and leaves you
free to set separate rules for that if you wish.  I also make use of
ipp2p support for the p2p shaping in this example, which requires the
xtables-addons package to be installed.

tcdevices
1  ppp0  -  550kbit   -  -
2  ifb0  -  3600kbit  -  ppp0

tcclasses
1  10   76kbit    76kbit    0  -
1  20   170kbit   170kbit   1  tcp-ack
1  30   106kbit   106kbit   4  -
1  40   84kbit    84kbit    4  default
1  50   76kbit    76kbit    4  -
1  666  38kbit    38kbit    7  -

2  10   720kbit   720kbit   0  -
2  30   1008kbit  2880kbit  4  -
2  40   792kbit   2880kbit  4  default
2  50   720kbit   3420kbit  4  -
2  666  360kbit   3600kbit  7  -

tcrules
#If using shorewall 4.5.14 or later you can do the rules like this
30  -  -  tcp  80   =
30  -  -  tcp  443  =
10  -  -  tcp  22   =
10  -  -  udp  53   =
30  -  -  tcp  993  =
#Otherwise it will need 2 rules like this
30  -  -  tcp  -    80
30  -  -  tcp  80
30  -  -  tcp  -    443
30  -  -  tcp  443
10  -  -  tcp  -    22
10  -  -  tcp  22
10  -  -  tcp  -    53
10  -  -  tcp  53
30  -  -  tcp  -    993
30  -  -  tcp  993

For the p2p using ipp2p match you need a group of rules; the reason for
this is that p2p protocols are tricky to identify and thus not every
packet of a p2p session can be identified.
RESTORE   -  -  all        -  -  -  0
CONTINUE  -  -  all        -  -  -  !0
666       -  -  ipp2p:all
SAVE      -  -  all        -  -  -  !0

This is useful as an example for you also, as the same situation applies
to sip VOIP traffic, so to prioritise VOIP you could use something like
this:
RESTORE   -  -  all  -  -  -  0
CONTINUE  -  -  all  -  -  -  !0
10        -  -  all  -  -  -  -   -  -  sip
SAVE      -  -  all  -  -  -  !0

I wrote that up fairly quickly but it should give you some idea.
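As an added example that is not part of the original mail or of shorewall itself, the following Python script parses the tcdevices and tcclasses tables posted above (re-typed as constructed input) and checks the properties a throttling-but-not-sure-why setup most often violates: each device's class RATEs summing to its bandwidth, no CEIL above the device bandwidth, and exactly one default class per device. The column layout assumed is shorewall's documented tcdevices/tcclasses order; the function names and the check logic are mine.

```python
import re
# The two tables from the reply, re-typed here as constructed sample input.
TCDEVICES = """1  ppp0  -  550kbit   -  -
2  ifb0  -  3600kbit  -  ppp0"""
TCCLASSES = """1  10   76kbit    76kbit    0  -
1  20   170kbit   170kbit   1  tcp-ack
1  30   106kbit   106kbit   4  -
1  40   84kbit    84kbit    4  default
1  50   76kbit    76kbit    4  -
1  666  38kbit    38kbit    7  -
2  10   720kbit   720kbit   0  -
2  30   1008kbit  2880kbit  4  -
2  40   792kbit   2880kbit  4  default
2  50   720kbit   3420kbit  4  -
2  666  360kbit   3600kbit  7  -"""

def kbit(value):
    """Convert a shorewall bandwidth spec (kbit/mbit/kbps/mbps) to kbit."""
    num, unit = re.fullmatch(r"(\d+(?:\.\d+)?)(kbit|mbit|kbps|mbps)", value).groups()
    return float(num) * {"kbit": 1, "mbit": 1000, "kbps": 8, "mbps": 8000}[unit]

def rows(text):  # whitespace-split fields of each non-blank, non-comment line
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#"):
            yield f

def parse_devices(text):
    # tcdevices columns: NUMBER INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
    return {f[0]: {"iface": f[1], "out": kbit(f[3])} for f in rows(text)}

def parse_classes(text):
    # tcclasses columns: DEVICE MARK RATE CEIL PRIORITY OPTIONS
    classes = {}
    for f in rows(text):
        opts = f[5].split(",") if len(f) > 5 else []
        classes.setdefault(f[0], []).append(
            {"mark": f[1], "rate": kbit(f[2]), "ceil": kbit(f[3]), "default": "default" in opts})
    return classes

def check(devices, classes):
    """Return a list of problems; an empty list means the two tables are consistent."""
    problems = []
    for dev, d in devices.items():
        cls = classes.get(dev, [])
        total = sum(c["rate"] for c in cls)
        if total != d["out"]:  # guaranteed rates should use exactly the device bandwidth
            problems.append(f"{d['iface']}: RATEs sum to {total:g}kbit, device has {d['out']:g}kbit")
        problems += [f"{d['iface']} class {c['mark']}: CEIL {c['ceil']:g}kbit exceeds device bandwidth"
                     for c in cls if c["ceil"] > d["out"]]
        if sum(c["default"] for c in cls) != 1:  # unmatched traffic needs exactly one home
            problems.append(f"{d['iface']}: needs exactly one default class")
    return problems
```

Running `check(parse_devices(TCDEVICES), parse_classes(TCCLASSES))` on the posted tables returns an empty list; both ppp0 (550kbit) and ifb0 (3600kbit) have their RATEs summing exactly to the device bandwidth.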


Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users