Hi,

I am trying to switch on internal traffic shaping and I am wondering 
if I set it up correctly...  I have clients behind a firewall connected 
to 3 providers.

I have 1 SDSL and 2 ADSL:

  tcdevices:
    eth1  4mbit  4mbit
    eth2  6mbit  796kbit
    eth3  6mbit  796kbit

I set up 4 classes for eth1, 3 for eth2 and 3 for eth3:

  tcclasses:
    eth1  1   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth1  2   full*60/100   full*95/100   2            # web
    eth1  3   full*10/100   full*95/100   3            # email
    eth1  4   full*10/100   full*95/100   3  default
    eth2  5   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth2  6   full*60/100   full*95/100   2            # web/email
    eth2  7   full*20/100   full*95/100   3  default
    eth3  8   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth3  9   full*60/100   full*95/100   2            # web/email
    eth3  10  full*20/100   full*95/100   3  default

For the rules:
1. ping, ssh and dns from the firewall are priority 1
2. forwarded clients traffic (192.168.16.0/20) is split as:
   ssh, web [, email for eth1], default

  tcrules:

    # --- eth1 ---
    1    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    1    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    1    0.0.0.0/0           0.0.0.0/0           tcp     22
    1    0.0.0.0/0           0.0.0.0/0           tcp     53
    1    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth1 FORWARD ---
    1:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    1:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    1:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    2:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    3:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993
    # --- eth2 ---
    5    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    5    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    5    0.0.0.0/0           0.0.0.0/0           tcp     22
    5    0.0.0.0/0           0.0.0.0/0           tcp     53
    5    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth2 FORWARD ---
    5:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    5:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    5:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    6:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    6:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993
    # --- eth3 ---
    8    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    8    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    8    0.0.0.0/0           0.0.0.0/0           tcp     22
    8    0.0.0.0/0           0.0.0.0/0           tcp     53
    8    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth3 FORWARD ---
    8:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    8:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    8:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    9:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    9:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993

Does everything look ok?
Do I need to put "reverse rules" for the traffic coming back?
For example, if I have:
  1:F  192.168.16.0/20     123.123.123.0/23    tcp     22
Do I need the following?
  1:F  123.123.123.0/23    192.168.16.0/20     tcp     -     22

Thx,
JD
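An added check, not from the post above and not part of Shorewall: a small offline linter that parses tcdevices/tcclasses/tcrules fragments in the column layout used above (INTERFACE IN-BANDWIDTH OUT-BANDWIDTH; INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]; MARK[:chain] SOURCE DEST PROTO [DPORT]) and flags the things Shorewall will reject or that silently misclassify traffic: guaranteed RATEs that add up to more than the device's OUT-BANDWIDTH, a CEIL above the link or below its own RATE, anything other than exactly one default class per interface, a MARK reused on one interface, and a tcrules mark that no class consumes. The embedded input is constructed from the configuration in the post; the `full*N/M` arithmetic and the unit table are assumptions about Shorewall's syntax, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Offline sanity check for a Shorewall tcdevices / tcclasses / tcrules set (added example)."""
import re

# Constructed input: the three fragments from the post (rules trimmed to one chain each).
TCDEVICES = """
eth1  4mbit  4mbit
eth2  6mbit  796kbit
eth3  6mbit  796kbit
"""
TCCLASSES = """
eth1  1   full*20/100   full*95/100   1            # ping/ssh[/dns]
eth1  2   full*60/100   full*95/100   2            # web
eth1  3   full*10/100   full*95/100   3            # email
eth1  4   full*10/100   full*95/100   3  default
eth2  5   full*20/100   full*95/100   1
eth2  6   full*60/100   full*95/100   2
eth2  7   full*20/100   full*95/100   3  default
eth3  8   full*20/100   full*95/100   1
eth3  9   full*60/100   full*95/100   2
eth3  10  full*20/100   full*95/100   3  default
"""
TCRULES = """
1    0.0.0.0/0          0.0.0.0/0           tcp     22
1:F  192.168.16.0/20    123.123.123.0/23    tcp     22
2:F  192.168.16.0/20    123.123.123.0/23    tcp     80,443
3:F  192.168.16.0/20    123.123.123.0/23    tcp     25,465,993
5:F  192.168.16.0/20    123.123.123.0/23    tcp     22
6:F  192.168.16.0/20    123.123.123.0/23    tcp     80,443
8:F  192.168.16.0/20    123.123.123.0/23    tcp     22
9:F  192.168.16.0/20    123.123.123.0/23    tcp     80,443
"""

# tc-style units, normalised to kbit (kbps/mbps are bytes per second in tc).
UNITS = {"bit": 0.001, "kbit": 1.0, "mbit": 1000.0, "kbps": 8.0, "mbps": 8000.0}

def to_kbit(spec):
    """'796kbit' -> 796.0, '4mbit' -> 4000.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(bit|kbit|mbit|kbps|mbps)", spec.lower())
    if not m:
        raise ValueError("bad bandwidth spec: %r" % spec)
    return float(m.group(1)) * UNITS[m.group(2)]

def rate_kbit(expr, full):
    """Evaluate 'full', 'full/N' or 'full*N/M' against the device OUT-BANDWIDTH,
    otherwise treat the field as an absolute bandwidth (assumed syntax)."""
    m = re.fullmatch(r"full(?:\*(\d+))?(?:/(\d+))?", expr.lower())
    if m:
        return full * int(m.group(1) or 1) / int(m.group(2) or 1)
    return to_kbit(expr)

def rows(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_devices(text):
    return {r[0]: (to_kbit(r[1]), to_kbit(r[2])) for r in rows(text)}

def parse_classes(text, devices):
    out = []
    for r in rows(text):
        iface, mark, rate, ceil, prio = r[:5]
        full = devices.get(iface, (0.0, 0.0))[1]          # unknown iface -> 0, flagged later
        out.append(dict(iface=iface, mark=int(mark), rate=rate_kbit(rate, full),
                        ceil=rate_kbit(ceil, full), prio=int(prio),
                        default="default" in r[5:]))
    return out

def parse_rules(text):
    out = []
    for r in rows(text):
        mark, _, chain = r[0].partition(":")            # '1:F' -> mark 1, FORWARD chain
        out.append(dict(mark=int(mark), chain=chain or "P", src=r[1], dst=r[2]))
    return out

def mark_owners(classes):
    """Which interface(s) actually shape each mark; a marked packet leaving any
    other device falls into that device's default class."""
    owners = {}
    for c in classes:
        owners.setdefault(c["mark"], set()).add(c["iface"])
    return owners

def lint(devices, classes, rules):
    findings, eps = [], 1e-6
    by_iface = {}
    for c in classes:
        by_iface.setdefault(c["iface"], []).append(c)
    for iface, cls in by_iface.items():
        if iface not in devices:
            findings.append("%s: classes defined but no tcdevices entry" % iface)
            continue
        out_bw = devices[iface][1]
        total = sum(c["rate"] for c in cls)
        if total > out_bw + eps:
            findings.append("%s: RATEs sum to %.0fkbit, above OUT-BANDWIDTH %.0fkbit" % (iface, total, out_bw))
        for c in cls:
            if c["ceil"] > out_bw + eps:
                findings.append("%s mark %d: CEIL above OUT-BANDWIDTH" % (iface, c["mark"]))
            if c["ceil"] < c["rate"] - eps:
                findings.append("%s mark %d: CEIL below RATE" % (iface, c["mark"]))
        marks = [c["mark"] for c in cls]
        dups = sorted({m for m in marks if marks.count(m) > 1})
        if dups:
            findings.append("%s: MARK reused within interface: %s" % (iface, dups))
        ndef = sum(1 for c in cls if c["default"])
        if ndef != 1:
            findings.append("%s: %d default classes, need exactly one" % (iface, ndef))
    defined = {c["mark"] for c in classes}
    for r in rules:
        if r["mark"] not in defined:
            findings.append("tcrules mark %d (%s -> %s) has no tcclasses entry" % (r["mark"], r["src"], r["dst"]))
    return findings

def check(devices_text, classes_text, rules_text):
    devices = parse_devices(devices_text)
    classes = parse_classes(classes_text, devices)
    return lint(devices, classes, parse_rules(rules_text))

if __name__ == "__main__":
    for f in check(TCDEVICES, TCCLASSES, TCRULES) or ["no findings"]:
        print(f)
    for mark, ifaces in sorted(mark_owners(parse_classes(TCCLASSES, parse_devices(TCDEVICES))).items()):
        print("mark %2d shaped on %s" % (mark, ",".join(sorted(ifaces))))
```

Running it over the posted configuration reports no findings; the `mark_owners` listing is the part worth reading alongside the rules, since each mark here has a class on exactly one device, so a packet that carries, say, mark 1 but is routed out eth2 is handled by eth2's default class rather than its priority-1 class.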

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users