mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Add Shorewall Guy's port explaination to the traffic shaping page
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9342 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
93504cfeeb
commit
19c9ad895b
@ -586,6 +586,62 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
evaluation of rules in this file will continue after a match. So the
|
||||
final mark for each packet will be the one assigned by the LAST tcrule
|
||||
that matches.</para>
|
||||
|
||||
<para>Also unlike rules in the <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
|
||||
the tcrules file is not stateful. So every packet that goes into, out
|
||||
of or through your firewall is subject to entries in the tcrules
|
||||
file.</para>
|
||||
|
||||
<para>Because tcrules are not stateful, it is necessary to understand
|
||||
basic IP socket operation. Here is an excerpt from a post on the
|
||||
Shorewall Users list:<blockquote>
|
||||
<para>For the purposes of this discussion, the world is separated
|
||||
into clients and servers. Servers provide services to
|
||||
clients.</para>
|
||||
|
||||
<para>When a server starts, it creates a socket and *binds* the
|
||||
socket to an *address*. For AF_INET (IPv4) and AF_INET6 (IPv6)
|
||||
sockets, that address is an ordered triple consisting of an IPv4
|
||||
or IPv6 address, a protocol, and possibly a port number. Port
|
||||
numbers are only used when the protocol is TCP, UDP, SCTP or SCCP.
|
||||
The protocol and port number used by a server are typically
|
||||
well-known so that clients will be able to connect to it. So SSH
|
||||
servers bind to TCP port 22, SMTP servers bind to TCP port 25,
|
||||
etc. We will call this port the SERVER PORT. </para>
|
||||
|
||||
<para>When a client want to use the service provided by a server,
|
||||
it also creates a socket. Like the server's socket, the client's
|
||||
socket must also be bound to an address. But in the case of the
|
||||
client, the socket is usually given an automatic address binding.
|
||||
For AF_INET and AF_INET6 sockets. the IP address is the IP address
|
||||
of the client system (loose generalization) and the port number is
|
||||
selected from a *local port range*. On Linux systems, the local
|
||||
port ranges can be seen by 'cat
|
||||
/proc/sys/net/ipv4/ip_local_port_range'. So it is not possible in
|
||||
advance to determine what port the client will be using. Whatever
|
||||
it is, we'll call it the CLIENT PORT. </para>
|
||||
|
||||
<para>Now: <blockquote>
|
||||
<para>Packets send from the client to the server will
|
||||
have:<blockquote>
|
||||
<para>SOURCE PORT = CLIENT PORT</para>
|
||||
|
||||
<para>DEST PORT = SERVER PORT</para>
|
||||
</blockquote></para>
|
||||
|
||||
<para>Packets send from the server to the client will have:
|
||||
<blockquote>
|
||||
<para>SOURCE PORT = SERVER PORT</para>
|
||||
|
||||
<para>DEST PORT = CLIENT PORT</para>
|
||||
</blockquote></para>
|
||||
</blockquote></para>
|
||||
|
||||
<para>Since the SERVER PORT is generally the only port known ahead
|
||||
of time, we therefore categorize traffic from the server to the
|
||||
client using the SOURCE PORT.</para>
|
||||
</blockquote></para>
|
||||
</important>
|
||||
|
||||
<para>The fwmark classifier provides a convenient way to classify
|
||||
|
Loading…
Reference in New Issue
Block a user