mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 14:20:40 +01:00
Add Shorewall Guy's port explanation to the traffic shaping page
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9342 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
93504cfeeb
commit
19c9ad895b
@ -586,6 +586,62 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
evaluation of rules in this file will continue after a match. So the
|
evaluation of rules in this file will continue after a match. So the
|
||||||
final mark for each packet will be the one assigned by the LAST tcrule
|
final mark for each packet will be the one assigned by the LAST tcrule
|
||||||
that matches.</para>
|
that matches.</para>
|
||||||
|
|
||||||
|
<para>Also unlike rules in the <ulink
|
||||||
|
url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
|
||||||
|
the tcrules file is not stateful. So every packet that goes into, out
|
||||||
|
of or through your firewall is subject to entries in the tcrules
|
||||||
|
file.</para>
|
||||||
|
|
||||||
|
<para>Because tcrules are not stateful, it is necessary to understand
|
||||||
|
basic IP socket operation. Here is an excerpt from a post on the
|
||||||
|
Shorewall Users list:<blockquote>
|
||||||
|
<para>For the purposes of this discussion, the world is separated
|
||||||
|
into clients and servers. Servers provide services to
|
||||||
|
clients.</para>
|
||||||
|
|
||||||
|
<para>When a server starts, it creates a socket and *binds* the
|
||||||
|
socket to an *address*. For AF_INET (IPv4) and AF_INET6 (IPv6)
|
||||||
|
sockets, that address is an ordered triple consisting of an IPv4
|
||||||
|
or IPv6 address, a protocol, and possibly a port number. Port
|
||||||
|
numbers are only used when the protocol is TCP, UDP, SCTP or SCCP.
|
||||||
|
The protocol and port number used by a server are typically
|
||||||
|
well-known so that clients will be able to connect to it. So SSH
|
||||||
|
servers bind to TCP port 22, SMTP servers bind to TCP port 25,
|
||||||
|
etc. We will call this port the SERVER PORT. </para>
|
||||||
|
|
||||||
|
<para>When a client want to use the service provided by a server,
|
||||||
|
it also creates a socket. Like the server's socket, the client's
|
||||||
|
socket must also be bound to an address. But in the case of the
|
||||||
|
client, the socket is usually given an automatic address binding.
|
||||||
|
For AF_INET and AF_INET6 sockets. the IP address is the IP address
|
||||||
|
of the client system (loose generalization) and the port number is
|
||||||
|
selected from a *local port range*. On Linux systems, the local
|
||||||
|
port ranges can be seen by 'cat
|
||||||
|
/proc/sys/net/ipv4/ip_local_port_range'. So it is not possible in
|
||||||
|
advance to determine what port the client will be using. Whatever
|
||||||
|
it is, we'll call it the CLIENT PORT. </para>
|
||||||
|
|
||||||
|
<para>Now: <blockquote>
|
||||||
|
<para>Packets send from the client to the server will
|
||||||
|
have:<blockquote>
|
||||||
|
<para>SOURCE PORT = CLIENT PORT</para>
|
||||||
|
|
||||||
|
<para>DEST PORT = SERVER PORT</para>
|
||||||
|
</blockquote></para>
|
||||||
|
|
||||||
|
<para>Packets send from the server to the client will have:
|
||||||
|
<blockquote>
|
||||||
|
<para>SOURCE PORT = SERVER PORT</para>
|
||||||
|
|
||||||
|
<para>DEST PORT = CLIENT PORT</para>
|
||||||
|
</blockquote></para>
|
||||||
|
</blockquote></para>
|
||||||
|
|
||||||
|
<para>Since the SERVER PORT is generally the only port known ahead
|
||||||
|
of time, we therefore categorize traffic from the server to the
|
||||||
|
client using the SOURCE PORT.</para>
|
||||||
|
</blockquote></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The fwmark classifier provides a convenient way to classify
|
<para>The fwmark classifier provides a convenient way to classify
|
||||||
|
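Review bot: several typos in the new paragraphs inside the `<important>` block will ship into the rendered manual unless fixed here: "Packets send from the client to the server" and "Packets send from the server to the client" should read "Packets sent ..."; "When a client want to use the service" should read "When a client wants ..."; and "For AF_INET and AF_INET6 sockets. the IP address" has a period where a comma belongs. In the sentence "Port numbers are only used when the protocol is TCP, UDP, SCTP or SCCP", SCCP is almost certainly meant to be DCCP, which is the IP transport protocol that carries port numbers (SCCP is an SS7 signalling protocol); please confirm with the original list post before changing it. As a style point, the inline command 'cat /proc/sys/net/ipv4/ip_local_port_range' is quoted as plain text; the rest of this document marks such things up, so wrapping it in `<command>`/`<filename>` would match the surrounding DocBook conventions.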