Hi all!

On Tue, 16 Apr 2002, Martin Peikert wrote:
> Linuxdom@in-sight.de wrote:
> > hi list, I'm planning to configure our firewall with traffic shaping. I'm using SuSEFirewall2. I'm looking for a way to divide my bandwidth between two
> Read the list archives. Try google. If you use debian, 'apt-get install shaperd' might help.
Actually, *all* of this is *not* very helpful. I had a very hard time myself (as a self-taught Linux user) to find decent documentation about traffic shaping. Of course, you quickly come across the

->Linux Advanced Routing & Traffic Control HOWTO
  http://mirrors.kernel.org/LDP/HOWTO/Adv-Routing-HOWTO.html

But then it helps you only to understand it, not to set t/s up. You might think it does, but no, you will stumble over the complicated configuration of cbq discs. In the end you hate cbq discs and are frustrated. Especially when you learn that htb discs are much easier to use, but have to be built into your kernel.

*Much more* helpful is cbq.init, a script you get from

->http://sourceforge.net/projects/cbqinit

It allows you to set up a nice configuration file for everything you would like to shape. Below I added two examples of these files that can be used to shape/prioritize telnet and ssh traffic. This gives you a responsive & interactive telnet, even when you are uploading at full DSL speed.

For completeness and your reference, there are more interesting pages I came across:

->http://online.securityfocus.com/infocus/1285
  Mentioned in a previous posting in this group. From that I learned that marking ip-packets can be used for easy access to t/s. In the examples, however, they use ipchains (not a problem really).

->http://users.pandora.be/stes/ipmenu.html
  Also mentioned in a previous posting in this group. Nice tool, but I prefer easy-to-handle configuration files.

->http://www.docum.org/
  About Quality-of-Service and Linux. Nicely done, but it blanks out on "Shaping Masqueraded Traffic" (a pity). Nevertheless, this page links to cbq.init, which got me t/s working.

->http://freshmeat.net/projects/htb.init/
->http://luxik.cdi.cz/~devik/qos/htb/
  Two interesting links about htb. Htb is the "more understandable and intuitive replacement for the CBQ qdisc". And this is really needed! Unfortunately, it is not part of the SuSE kernel. It shouldn't be a problem to put it in, but I didn't go into that, esp. after succeeding with cbq.init.

Ok, now you have my links on that topic (and the results of two days of google searching). If you have better ones, please let me know. Do the same if you find mistakes in the examples below.

And no, this is not OT because
1) SuSE doesn't provide you with cbq.init, and you can nicely integrate it into your SuSE distribution
2) it is security-related. You can block syn-flooding with t/s and/or limit other malicious traffic.

Best regards & happy hacking,
Michael

Here are the examples for cbq.init that I promised:

My configuration:
eth0: Local Ethernet (NAT'ed)
eth1: Ethernet with DSL-Modem connected
ppp0: Outbound interface
SuSEfirewall2 is up and running.

---(setmarks.sh - can be started from ip-up.local)---
#!/bin/bash
iptables=/usr/sbin/iptables

# TELNET/SSH traffic
# Mark 3:  packets coming in from the DSL side with source port telnet/ssh
#          (replies to our sessions), shaped by cbq-03.INBOUND-telnet on eth0.
# Mark 13: packets from the LAN with destination port telnet/ssh
#          (our outgoing sessions), shaped by cbq-13.OUTBOUND-telnet on ppp0.
$iptables -A PREROUTING -i eth1 -t mangle -p tcp --sport telnet -j MARK --set-mark 3
$iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport telnet -j MARK --set-mark 13
$iptables -A PREROUTING -i eth1 -t mangle -p tcp --sport ssh -j MARK --set-mark 3
$iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport ssh -j MARK --set-mark 13

---(cbq-03.INBOUND-telnet)---
DEVICE=eth0,100Mbit,10Mbit
RATE=28Kbit
WEIGHT=2.8Kbit
PRIO=1
BOUNDED=no
LEAF=sfq
MARK=03

---(cbq-13.OUTBOUND-telnet)---
DEVICE=ppp0,256Kbit,25.6Kbit
RATE=28Kbit
WEIGHT=2.8Kbit
PRIO=1
BOUNDED=no
LEAF=sfq
MARK=13
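As an added example (not part of Michael's post and not cbq.init's own code), the script below shows roughly what cbq.init turns one of the class files above into: it parses a cbq-NN.name file and prints the tc(8) commands for the cbq root qdisc, the class, its sfq leaf and the fw filter keyed on the iptables mark. The class layout is my reading of cbq.init, and the allot/avpkt/cell/maxburst values and the filter prio are assumed typical defaults, not values taken from cbq.init.

```bash
#!/bin/sh
# Added example, not from the original post or from cbq.init: print the
# tc(8) commands that a cbq.init class file like cbq-13.OUTBOUND-telnet
# stands for. Nothing is executed; the output is only shown for study.
# allot/avpkt/cell/maxburst and the filter prio are assumed typical values.

# cbq_commands FILE: FILE is named cbq-<classid>.<description> and holds
# the KEY=VALUE lines used in the post (DEVICE, RATE, WEIGHT, PRIO, ...).
cbq_commands() {
    name=$(basename "$1")
    cid=${name#cbq-}; cid=${cid%%.*}          # "13" from cbq-13.OUTBOUND-telnet
    DEVICE=; RATE=; WEIGHT=; PRIO=; BOUNDED=; LEAF=; MARK=
    while IFS='=' read -r key val; do
        case $key in
            DEVICE)  DEVICE=$val ;;   RATE)    RATE=$val ;;
            WEIGHT)  WEIGHT=$val ;;   PRIO)    PRIO=$val ;;
            BOUNDED) BOUNDED=$val ;;  LEAF)    LEAF=$val ;;
            MARK)    MARK=$val ;;
        esac
    done < "$1"
    dev=${DEVICE%%,*}; rest=${DEVICE#*,}       # DEVICE=dev,bandwidth,weight
    bw=${rest%%,*}; rootweight=${rest#*,}
    bounded=""
    if [ "$BOUNDED" = "yes" ]; then bounded=" bounded"; fi
    cat <<EOF
tc qdisc add dev $dev root handle 1: cbq bandwidth $bw avpkt 1000 cell 8
tc class add dev $dev parent 1: classid 1:1 cbq bandwidth $bw rate $bw weight $rootweight prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000
tc class add dev $dev parent 1:1 classid 1:$cid cbq bandwidth $bw rate $RATE weight $WEIGHT prio $PRIO allot 1514 cell 8 maxburst 20 avpkt 1000$bounded
tc qdisc add dev $dev parent 1:$cid handle $cid: $LEAF
tc filter add dev $dev parent 1: protocol ip prio 100 handle $MARK fw classid 1:$cid
EOF
}
# demo: write the post's cbq-13.OUTBOUND-telnet into a temp dir and translate it.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/cbq-13.OUTBOUND-telnet" <<EOF
DEVICE=ppp0,256Kbit,25.6Kbit
RATE=28Kbit
WEIGHT=2.8Kbit
PRIO=1
BOUNDED=no
LEAF=sfq
MARK=13
EOF
    cbq_commands "$tmp/cbq-13.OUTBOUND-telnet"
    rm -rf "$tmp"
}
demo
```

The `handle 13 fw` filter is the link back to setmarks.sh: only packets carrying that iptables mark land in class 1:13, everything else stays in the root class.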