From: Grant <ema...@gm...> - 2009-01-29 20:17:47
>>>>>> BTW, here's my latest incarnation.

>>> I also notice that you have no rules for marking traffic that originates
>>> on the firewall itself. Is that intentional or an oversight?
>>
>> Aren't I shaping everything that goes out over eth0, including traffic
>> which originates on the firewall?
>
> No you are not -- that's why I brought up the issue.
>
> Under the description of the tcrules SOURCE column in both the man page
> and in the Traffic Shaping HOWTO:
>
> "... all packets for connections masqueraded to eth0 from other
> interfaces can be matched in a single rule with several
> alternative SOURCE criteria. However, a connection whose
> packets get to eth0 in a different way, e.g., direct from the
> firewall itself, needs a different rule.
>
> Accordingly, use $FW in its own separate rule for packets
> originating on the firewall. In such a rule, the MARK column may
> NOT specify either :P or :F because marking for
> firewall-originated packets always occurs in the OUTPUT chain."

Thank you, I never would have figured that out. With only 5 systems
making up the network, I'm starting to wonder if I should just specify
each system instead of 0.0.0.0/0.

Latest tcrules:

#MARK  SOURCE         DEST       PROTO  DEST PORT(S)             SOURCE PORT(S)
1      192.168.100.5  0.0.0.0/0
1      0.0.0.0/0      0.0.0.0/0  udp    5060
1      0.0.0.0/0      0.0.0.0/0  udp    8000
2      0.0.0.0/0      0.0.0.0/0  tcp    22
2      $FW            0.0.0.0/0  tcp    -                        22
2      0.0.0.0/0      0.0.0.0/0  udp    123
2      $FW            0.0.0.0/0  udp    123
2      0.0.0.0/0      0.0.0.0/0  tcp    -                        631
2      0.0.0.0/0      0.0.0.0/0  udp    -                        631
2      0.0.0.0/0      0.0.0.0/0  icmp   echo-request
2      $FW            0.0.0.0/0  icmp   echo-request,echo-reply
3      0.0.0.0/0      0.0.0.0/0  udp    53
3      $FW            0.0.0.0/0  udp    53
3      0.0.0.0/0      0.0.0.0/0  tcp    80,443
3      $FW            0.0.0.0/0  tcp    80,443
3      0.0.0.0/0      0.0.0.0/0  udp    465
3      0.0.0.0/0      0.0.0.0/0  udp    993
4      0.0.0.0/0      0.0.0.0/0  tcp    873
4      $FW            0.0.0.0/0  tcp    873

- Grant
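The point raised in the thread, that traffic originating on the firewall needs its own $FW rule and that such a rule may not use the :P or :F mark suffixes, is easy to check mechanically. The script below is an added example, not Shorewall's code and not something posted in the thread. It parses the classic six-column tcrules layout (MARK SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)) and reports two things: $FW rules carrying :P or :F, and wildcard-source (0.0.0.0/0) marking rules that have no $FW rule covering the same mark, destination, protocol and ports. A $FW rule is treated as covering another rule when its port columns match either as written or with DEST/SOURCE ports swapped, on the assumption that a service hosted on the firewall replies from the port the other rule matches as a destination (the tcp 22 pair in the posted table is exactly that case). The set of wildcard spellings accepted for SOURCE and the swap heuristic are this example's own assumptions; the sample table is the one from the post, transcribed inline.

```python
"""Consistency checks for a Shorewall tcrules table.

Added example, not Shorewall code.  Columns parsed:
MARK SOURCE DEST PROTO DEST_PORT SOURCE_PORT (missing trailing columns = "-").
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Spellings treated as "any source" (assumption made by this example).
ANY_SOURCE = {"0.0.0.0/0", "-", "all"}

Ports = Optional[FrozenSet[str]]  # None stands for "-" (any port / any ICMP type)


def _ports(col: str) -> Ports:
    return None if col == "-" else frozenset(col.split(","))


@dataclass(frozen=True)
class TcRule:
    mark: str            # MARK column as written, e.g. "2", "2:P", "2:F"
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"     # DEST PORT(S); ICMP type list when proto is icmp
    sport: str = "-"     # SOURCE PORT(S)

    @property
    def mark_value(self) -> str:
        return self.mark.split(":", 1)[0]

    @property
    def mark_suffix(self) -> Optional[str]:
        return self.mark.split(":", 1)[1] if ":" in self.mark else None


def parse_tcrules(text: str) -> List[TcRule]:
    """Parse tcrules text; '#' starts a comment and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"need at least MARK SOURCE DEST: {raw!r}")
        rules.append(TcRule(*cols[:6]))
    return rules


def _covers(fw: Ports, other: Ports) -> bool:
    """True if the $FW port spec matches every port the other spec matches."""
    return fw is None or (other is not None and other <= fw)


def fw_rule_covers(fw: TcRule, rule: TcRule) -> bool:
    """Same mark/DEST/PROTO, ports covered as written or with DEST/SOURCE swapped."""
    if (fw.mark_value, fw.dest, fw.proto) != (rule.mark_value, rule.dest, rule.proto):
        return False
    fd, fs = _ports(fw.dport), _ports(fw.sport)
    rd, rs = _ports(rule.dport), _ports(rule.sport)
    same = _covers(fd, rd) and _covers(fs, rs)
    swapped = _covers(fs, rd) and _covers(fd, rs)   # firewall-hosted service replying
    return same or swapped


def bad_fw_suffixes(rules: List[TcRule]) -> List[TcRule]:
    """$FW rules using :P or :F, which the tcrules docs say are not allowed there."""
    return [r for r in rules if r.source == "$FW" and r.mark_suffix in ("P", "F")]


def missing_fw_rules(rules: List[TcRule]) -> List[TcRule]:
    """Wildcard-source marking rules with no $FW rule covering the same traffic."""
    fw_rules = [r for r in rules if r.source == "$FW"]
    return [r for r in rules
            if r.source in ANY_SOURCE and not any(fw_rule_covers(f, r) for f in fw_rules)]


# Sample input: the table posted in the thread, transcribed here.
POSTED_TCRULES = """\
1 192.168.100.5 0.0.0.0/0
1 0.0.0.0/0 0.0.0.0/0 udp 5060
1 0.0.0.0/0 0.0.0.0/0 udp 8000
2 0.0.0.0/0 0.0.0.0/0 tcp 22
2 $FW 0.0.0.0/0 tcp - 22
2 0.0.0.0/0 0.0.0.0/0 udp 123
2 $FW 0.0.0.0/0 udp 123
2 0.0.0.0/0 0.0.0.0/0 tcp - 631
2 0.0.0.0/0 0.0.0.0/0 udp - 631
2 0.0.0.0/0 0.0.0.0/0 icmp echo-request
2 $FW 0.0.0.0/0 icmp echo-request,echo-reply
3 0.0.0.0/0 0.0.0.0/0 udp 53
3 $FW 0.0.0.0/0 udp 53
3 0.0.0.0/0 0.0.0.0/0 tcp 80,443
3 $FW 0.0.0.0/0 tcp 80,443
3 0.0.0.0/0 0.0.0.0/0 udp 465
3 0.0.0.0/0 0.0.0.0/0 udp 993
4 0.0.0.0/0 0.0.0.0/0 tcp 873
4 $FW 0.0.0.0/0 tcp 873
"""

if __name__ == "__main__":
    rules = parse_tcrules(POSTED_TCRULES)
    for r in bad_fw_suffixes(rules):
        print("invalid :P/:F suffix on $FW rule:", r.mark, r.proto, r.dport, r.sport)
    for r in missing_fw_rules(rules):
        print("no $FW counterpart for:", r.mark, r.proto, r.dport, r.sport)
```

Run against the posted table it flags the udp 5060/8000, port 631, udp 465 and udp 993 rules as having no $FW counterpart, while the tcp 22 pair passes because the $FW rule's SOURCE PORT 22 covers the other rule's DEST PORT 22. Whether each flagged rule actually needs a $FW twin is a policy decision (the firewall may simply never originate that traffic); the script only makes the gaps visible.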