John Doe <[email protected]> wrote:
> Do I need to put "reverse rules" for the traffic coming back?
> For example, if I have:
> 1:F 192.168.16.0/20 123.123.123.0/23 tcp 22
> Do I need the following?
> 1:F 123.123.123.0/23 192.168.16.0/20 tcp - 22
You can only traffic shape egress traffic. This isn't too hard to do on the internal interface, where inbound traffic (to your site) is egress traffic relative to the firewall - with the limitation that inbound traffic to the firewall itself won't be included.

The complication in your case is that you have multiple external interfaces, and thus your rules are more complicated. I had a thread where some aspects related to this were discussed - you should find it in the archives from 29th Oct 2012 with the subject "Clarification on traffic control".

In theory you can do inbound traffic shaping by using an IFB (or for you, an IFB per external interface) - but then you can't use tcrules (you need to use the less efficient tcfilters).

What I'd probably look at doing is something like: use tcrules to classify traffic by external interface, then use the class as a qualifier in following tcrules. E.g., suppose you used classes 10, 20, and 30 - you'd need tcrules to put traffic from ISP 1 into class 10, traffic from ISP 2 into class 20, etc. Then write the rules in terms of:

<new> <source> <dest> <proto> <port> -- 10

to put traffic from ISP 1 into class <new> that matches the qualifiers you've specified.

You'll need to read the docs to see if you can do this based either on the ingress port, and how that's done. I very vaguely recall it being possible to mark a packet during ingress and keep that mark with the packet through the network chain.

You also need to have rules to allow traffic from the firewall itself to be unrestricted to the internal network.
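One way the approach above could be laid out in a Shorewall tcrules file, added here as an illustration rather than anything posted in the thread: a PREROUTING mark per external interface, then CLASSIFY rules that use that mark in the TEST column. The interface names eth1/eth2, the classes 1:11 and 1:21 (device 1 being the internal interface in tcdevices) and the use of the TEST column for the "10" qualifier are my assumptions, as is that marks 10 and 20 do not collide with any provider marks in a multi-ISP providers setup.

```conf
#MARK/CLASSIFY  SOURCE            DEST              PROTO  DPORT  SPORT  USER  TEST
# Step 1: mark each packet with the external interface it arrived on.
# eth1/eth2 are constructed placeholders for the two ISP interfaces.
10:P            eth1              -                 -      -      -      -     -
20:P            eth2              -                 -      -      -      -     -
# Step 2: use that mark as the qualifier (TEST column) when classifying, so
# inbound ssh that entered via ISP 1 lands in class 1:11 and via ISP 2 in 1:21
# on the internal interface, where it is egress traffic and can be shaped.
1:11            123.123.123.0/23  192.168.16.0/20   tcp    22     -      -     10
1:21            123.123.123.0/23  192.168.16.0/20   tcp    22     -      -     20
```

Traffic originating on the firewall itself never carries the ingress mark, so it is left for a separate rule (or the default class) as the reply notes.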
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
