hi list, I'm planning to configure our firewall with traffic shaping. I'm using SuSEFirewall2. I'm looking for a way to divide my bandwidth between two nets. the intranet should only get a small part of the total bandwidth, so the rest will be used by our extranet. So if anyone understands what I mean.... ;o ) : Is there a tool for traffic shaping ? I've heard of a package that comes with SuSE, which does traffic shaping, but I can't remember its name. Please note, that I don't wanna use squid for traffic shaping but the firewall. thanks for your help maX Bauer
hi list, I'm planning to configure our firewall with traffic shaping. I'm using SuSEFirewall2. I'm looking for a way to divide my bandwidth between two nets. the intranet should only get a small part of the total bandwidth, so the rest will be used by our extranet. So if anyone understands what I mean.... ;o ) : Is there a tool for traffic shaping ? I've heard of a package that comes with SuSE, which does traffic shaping, but I can't remember its name.
Use QoS features of netfilter, e.g. with
<snip>
ipmenu also allows CBQ (class based queueing) to be configured, to divide a link into "chunks" or "classes" of a given bandwidth.
<snap>
http://users.pandora.be/stes/ipmenu.html
Yours
Michael Appeldorn
Linuxdom@in-sight.de wrote:
hi list, I'm planning to configure our firewall with traffic shaping. I'm using SuSEFirewall2. I'm looking for a way to divide my bandwidth between two
Read the list archives. Try google. If you use debian, 'apt-get install shaperd' might help. GTi
Hi all! On Tue, 16 Apr 2002, Martin Peikert wrote:
Linuxdom@in-sight.de wrote:
hi list, I'm planning to configure our firewall with traffic shaping. I'm using SuSEFirewall2. I'm looking for a way to divide my bandwidth between two
Read the list archives. Try google. If you use debian, 'apt-get install shaperd' might help.
Actually, *all* of this is *not* very helpful. I had a very hard time myself (as a self-taught Linux user) to find decent documentation about traffic shaping. Of course, you quickly come across the

->Linux Advanced Routing & Traffic Control HOWTO
http://mirrors.kernel.org/LDP/HOWTO/Adv-Routing-HOWTO.html

But then it helps you only to understand it, not to set t/s up. You might think it does, but no, you will stumble over the complicated configuration of cbq discs. In the end you hate cbq discs and are frustrated. Especially when you learn that htb discs are much easier to use, but have to be built into your kernel.

*Much more* helpful is cbq.init, a script you get from

->http://sourceforge.net/projects/cbqinit

It allows you to set up a nice configuration file for everything you would like to shape. Below I added two examples of these files, that can be used to shape/prioritize telnet and ssh traffic. This gives you a responsive & interactive telnet, even when you are uploading at full DSL speed.

For completeness and your reference, there are more interesting pages I came across:

->http://online.securityfocus.com/infocus/1285
Mentioned in a previous posting in this group. From that I learned that marking ip-packets can be used for easy access to t/s. In the examples, however, they use ipchains (not a problem really).

->http://users.pandora.be/stes/ipmenu.html
Also mentioned in a previous posting in this group. Nice tool, but I prefer easy-to-handle configuration files.

->http://www.docum.org/
About Quality-of-Service and Linux. Nicely done, but it blanks out on "Shaping Masqueraded Traffic" (a pity). Nevertheless, this page links to cbq.init, which got me t/s working.

->http://freshmeat.net/projects/htb.init/
->http://luxik.cdi.cz/~devik/qos/htb/
Two interesting links about htb. Htb is the "more understandable and intuitive replacement for the CBQ qdisc". And this is really needed! Unfortunately, it is not part of the SuSE kernel. It shouldn't be a problem to put it in, but I didn't go into that, esp. after succeeding with cbq.init.

Ok, now you have my links on that topic (and the results of two days google searching). If you have better ones, please let me know. Do the same, if you find mistakes in the examples below.

And no, this is not OT because
1) SuSE doesn't provide you with cbq.init, and you can nicely integrate it into your SuSE distribution
2) it is security-related. You can block syn-flooding with t/s and/or limit other malicious traffic

Best regards & happy hacking,
Michael

Here are the examples for cbq.init, that I promised:

My configuration:
eth0: Local Ethernet (NAT'ed)
eth1: Ethernet with DSL-Modem connected
ppp0: Outbound interface
SuSEfirewall2 is up and running.

---(setmarks.sh - can be started from ip-up.local)---
#!/bin/bash
iptables=/usr/sbin/iptables
# TELNET/SSH traffic
$iptables -A PREROUTING -i eth1 -t mangle -p tcp --sport telnet -j MARK --set-mark 3
$iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport telnet -j MARK --set-mark 13
$iptables -A PREROUTING -i eth1 -t mangle -p tcp --sport ssh -j MARK --set-mark 3
$iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport ssh -j MARK --set-mark 13

---(cbq-03.INBOUND-telnet)---
DEVICE=eth0,100Mbit,10Mbit
RATE=28Kbit
WEIGHT=2.8Kbit
PRIO=1
BOUNDED=no
LEAF=sfq
MARK=03

---(cbq-13.OUTBOUND-telnet)---
DEVICE=ppp0,256Kbit,25.6Kbit
RATE=28Kbit
WEIGHT=2.8Kbit
PRIO=1
BOUNDED=no
LEAF=sfq
MARK=13
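A consistency check for a cbq.init setup of the kind shown in the post, added here as an example (it is neither cbq.init's own code nor from the post): it parses class files in cbq.init's KEY=VALUE format and cross-checks their MARK values against the --set-mark rules of the iptables script, so a class that no rule ever feeds, or a mark that no class catches, is reported instead of silently leaving traffic unshaped. The WEIGHT ~ RATE/10 ratio checked below is the one both of the post's files use; the sample inputs are constructed to mirror those files.

```python
import re

UNIT = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000}

def to_bits(s):
    """Convert a cbq.init bandwidth literal ('28Kbit', '2.8Kbit') to bit/s."""
    m = re.fullmatch(r"([\d.]+)([KkMm]?bit)", s.strip())
    if not m:
        raise ValueError("bad bandwidth literal: %r" % s)
    return int(float(m.group(1)) * UNIT[m.group(2).lower()])

def parse_class(text):
    """Parse one cbq-NN.name file (KEY=VALUE lines) into numbers we can check."""
    kv = dict(line.split("=", 1) for line in text.splitlines()
              if "=" in line and not line.startswith("#"))
    dev, link, _weight = kv["DEVICE"].split(",")
    # MARK is the fwmark set by iptables; both sides use plain decimal here.
    return {"dev": dev, "link": to_bits(link), "rate": to_bits(kv["RATE"]),
            "weight": to_bits(kv["WEIGHT"]), "mark": int(kv["MARK"], 10)}

def check(class_files, mark_script):
    """Return findings (empty list = consistent) for class files plus the iptables script that marks for them."""
    findings = []
    script_marks = {int(m) for m in re.findall(r"--set-mark\s+(\d+)", mark_script)}
    class_marks = set()
    for name, text in class_files.items():
        c = parse_class(text)
        class_marks.add(c["mark"])
        if c["rate"] > c["link"]:
            findings.append("%s: RATE exceeds %s link bandwidth" % (name, c["dev"]))
        if abs(c["weight"] - c["rate"] / 10) > c["rate"] * 0.02:
            findings.append("%s: WEIGHT should be about RATE/10" % name)
        if c["mark"] not in script_marks:
            findings.append("%s: MARK %d is never set by iptables" % (name, c["mark"]))
    for m in sorted(script_marks - class_marks):
        findings.append("mark %d is set by iptables but no class uses it" % m)
    return findings

# Constructed sample input, copied in shape from the post's two files.
SETMARKS = """
$iptables -A PREROUTING -i eth1 -t mangle -p tcp --sport telnet -j MARK --set-mark 3
$iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport telnet -j MARK --set-mark 13
"""
CLASSES = {
    "cbq-03.INBOUND-telnet": "DEVICE=eth0,100Mbit,10Mbit\nRATE=28Kbit\nWEIGHT=2.8Kbit\n"
                             "PRIO=1\nBOUNDED=no\nLEAF=sfq\nMARK=03\n",
    "cbq-13.OUTBOUND-telnet": "DEVICE=ppp0,256Kbit,25.6Kbit\nRATE=28Kbit\nWEIGHT=2.8Kbit\n"
                              "PRIO=1\nBOUNDED=no\nLEAF=sfq\nMARK=13\n",
}
```

Running `check(CLASSES, SETMARKS)` on the post's files returns an empty list; change one MARK or RATE and the mismatch is named.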
Michael Seewald wrote:
Hi all!
On Tue, 16 Apr 2002, Martin Peikert wrote:
Linuxdom@in-sight.de wrote:
hi list, I'm planning to configure our firewall with traffic shaping. I'm using SuSEFirewall2. I'm looking for a way to divide my bandwidth between two
Read the list archives. Try google. If you use debian, 'apt-get install shaperd' might help.
Actually, *all* of this is *not* very helpful. I had a very hard time myself (as a self-taught Linux user) to find decent documentation about traffic shaping.
---8<---
->http://online.securityfocus.com/infocus/1285 Mentioned in a previous posting in this group.
Right. That was me. And did you take a look at the program called shaperd I mentioned? See http://freshmeat.net/projects/shaperd/ - Shaperd is a user-mode program that can shape traffic passing through a Linux box. So don't tell me that "*all* of this is *not* very helpful". Anyway, you did a good job with your examples. GTi
On Thu, 18 Apr 2002, Martin Peikert wrote:
And did you take a look at the program called shaperd I mentioned? See
Hmm. First lines of the README:
Advice
======
Try CBQ first, http://ds9a.nl/lartc (no kidding).
The author (Leandro Santi) states that he started the project when there were no docs about cbq discs. Now, there are some and he suggests cbq for t/s. Besides, this project didn't leave alpha stage so far! Michael
Michael Seewald wrote:
The author (Leandro Santi) states that he started the project when there were no docs about cbq discs. Now, there are some and he suggests cbq for t/s.
Right, in the meantime there is some documentation. You gave us some, too. As I said before: You did a good job with your examples.
Besides, this project didn't leave alpha stage so far!
Before I decide to run some software in a production environment that I haven't tested and configured before, I run it in a test environment. I do _not_ care about alpha or beta - if it runs stable, it's okay for me. It has to fulfill my requirements and needs. Nothing else. GTi P.S.: Isn't there a lot of alpha software in the SuSE distribution?
participants (4): Linuxdom@in-sight.de, Martin Peikert, Michael Appeldorn, Michael Seewald