Don't mention downloads in the complex TC doc

Tom Eastep 2011-04-04 19:01:06 -07:00
parent 159c871f18
commit 81437b2bb1
4 changed files with 68 additions and 62 deletions


@ -4,7 +4,7 @@ Changes in Shorewall 4.4.19 RC 1
2) Display mangle table in the output from 'shorewall show tc'.
3) Exit tcpost early if connection is marked.
3) Allow simple TC to work on both IPv4 and IPv6
Changes in Shorewall 4.4.19 Beta 5
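Review bot: the RC 1 list has two entries numbered 3) ("Exit tcpost early if connection is marked." and "Allow simple TC to work on both IPv4 and IPv6"); the second should be 4). That entry also lacks the closing period the entries above it carry. The commit subject only talks about the complex TC doc, so the simple TC change recorded here should be mentioned in the message or split into its own commit.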


@ -124,6 +124,16 @@ Beta 1
6) The contents of the Netfilter mangle table are now included in the
output from 'shorewall show tc'.
7) Simple traffic shaping can now have a common configuration between
IPv4 and IPv6. To do that:
- Set TC_ENABLED=Simple in both /etc/shorewall/shorewall.conf and
/etc/shorewall6/shorewall6.conf
- Configure /etc/shorewall/tcinterfaces.
- Leave /etc/shorewall6/tcinterfaces empty.
- Configure /etc/shorewall/tcpri (if desired)
- Configure /etc/shorewall6/tcpri (if desired)
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
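Review bot: item 7 lists "Leave /etc/shorewall6/tcinterfaces empty." as a step, but the "Combined IPv4/IPv6 Simple TC Configuration" section added to the documentation in this same commit has no such step. One of the two is incomplete; if the empty IPv6 file is required, the documentation list needs it too. The bullets here are also inconsistent about terminal periods.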


@ -290,6 +290,61 @@ tun0 Internal</programlisting>
point where latency is acceptable.</para>
</section>
<section>
<title>Combined IPv4/IPv6 Simple TC Configuration</title>
<para>Beginning with Shorewall 4.4.19, a combined configuration is
possible. To do that:</para>
<itemizedlist>
<listitem>
<para>Set TC_ENABLED=Simple in both
<filename>/etc/shorewall/shorewall.conf</filename> and
<filename>/etc/shorewall6/shorewall6.conf</filename>.</para>
</listitem>
<listitem>
<para>Configure your interface(s) in
<filename>/etc/shorewall/tcinterfaces</filename>.</para>
</listitem>
<listitem>
<para>Add entries to <filename>/etc/shorewall/tcpri</filename> and
<filename>/etc/shorewall6/tcpri</filename> as desired. Entries in the
former classify IPv4 traffic and entries in the latter classify IPv6
traffic.</para>
</listitem>
</itemizedlist>
<para>Example:</para>
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
</programlisting>etc/shorewall/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default
3 - - 70.90.191.124/31
COMMENT Bit Torrent is in band 3
3 ipp2p:all bit
COMMENT But give a boost to DNS queries
2 udp 53
COMMENT And place echo requests in band 1 to avoid false line-down reports
1 icmp 8
</programlisting>
<para>etc/shorewall6/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default
3 - - 2001:470:b:227::40/124
COMMENT But give a boost to DNS queries
2 udp 53
COMMENT And place echo requests in band 1 to avoid false line-down reports
1 icmp 8
</programlisting>
</section>
<section>
<title>Additional Reading</title>
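Review bot: in the shorewall6 tcpri example the last rule, "1 icmp 8", is carried over unchanged from the IPv4 file, but ICMPv6 echo request is type 128 under ipv6-icmp, so the line should be checked against its COMMENT about echo requests and corrected for the IPv6 file if needed. The two tcpri captions read "etc/shorewall/tcpri:" and "etc/shorewall6/tcpri:", without the leading slash and without the filename markup used for the tcinterfaces caption just above; make all three consistent.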


@ -153,12 +153,6 @@
IFB can result in queues building up both at your ISPs router and at your
own.</emphasis></para>
<para>If you wish to shape downloads, you can also configure traffic
shaping on your firewall's local interface. An example appears <link
linkend="Downloads">below</link>. Again, however, <emphasis
role="bold">this can result in queues building up both at your ISPs router
and at your own</emphasis>.</para>
<para>You shape and control outgoing traffic by assigning the traffic to
<firstterm>classes</firstterm>. Each class is associated with exactly one
network interface and has a number of attributes:</para>
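Review bot: the paragraph dropped here links to linkend="Downloads", and the section carrying that id is removed later in this patch, so check the rest of the document for any other link to that id before merging; a leftover one would be a dangling linkend. The retained sentence just above still reads "your ISPs router"; "ISP's" is worth fixing while this passage is being edited.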
@ -1786,59 +1780,6 @@ eth0 - 1000kbit hfsc</programlisting>
</section>
</section>
<section id="Downloads">
<title>Shaping Download Traffic</title>
<para>As stated at the outset, traffic shaping works on traffic being sent
by the firewall. Download traffic from the Internet to local hosts is sent
by the firewall over a local interface. So it follows that if you want to
shape such traffic, you must configure shaping on the local
interface.</para>
<para>Shaping of download traffic is most straightforward when there are
only two interface. That way, traffic leaving the local interface falls
into only two broad categories:</para>
<itemizedlist>
<listitem>
<para>Traffic being forwarded from the Internet</para>
</listitem>
<listitem>
<para>Traffic that originated on the firewall itself</para>
</listitem>
</itemizedlist>
<para>In general, you will want to shape the forwarded traffic and leave
the local traffic unrestricted.</para>
<para>Extending the <link linkend="simiple">simple example</link>
above:</para>
<para><filename>/etc/shorewall/tcdevices</filename>:<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
ppp0 6000kbit 700kbit
eth1 - 100mbit</programlisting></para>
<para>/etc/shorewall/tcclasses:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 10kbit 50kbit 1 tcp-ack,tos-minimize-delay
ppp0 2 300kbit full 2
ppp0 3 300kbit full 2
ppp0 4 90kbit 200kbit 3 default
eth1 1 100kbit 500kbit 1 tcp-ack
eth1 2 3mbit 6mbit 2
eth1 3 3mbit 6mbit 3
eth1 4 94mbit full 4 default #for local traffic</programlisting></para>
<para>/etc/shorewall/tcrules:<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
2:F 192.168.2.23 0.0.0.0/0 all
3:F 192.168.2.42 0.0.0.0/0 all
2:F ppp0 192.168.2.23 all
3:F ppp0 192.168.2.42 all</programlisting></para>
</section>
<section id="IFB">
<title>Intermediate Functional Block (IFB) Devices</title>
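Review bot: removing the section with id="Downloads" deletes an anchor that other pages may link to, and the commit message does not say why shaping on the local interface is no longer documented. Put the reason in the commit message, and consider a one-line pointer to the IFB section that follows for readers who arrive wanting to shape downloads.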