bwm-tools-tech Mailing List for Bandwidth Management Tools (Page 12)
Brought to you by:
nkukard
From: Nigel K. <nk...@lb...> - 2005-04-18 18:02:34
Hi Ralph,

If you're getting "segmentation fault" from any of the bwm tools utilities, this is bad.

Is it reproducible? Can you send me the steps you took, including configuration files that led to the segfault?

Thanks
Nigel

ral...@ra... wrote:

> Hi Again,
>
> over the weekend I try many things, that the traffic control works.
>
> Now I'm a little bit farther, because the traffic control works by P2P
> and ftp traffic.
> Think there is a big mistake in my firewall rules, because when this
> work, I can't open any websites or many other things.
> Is this idea the right way or can be anything other wrong ?
>
> Ok, by this test I want to look over the bwm_monitor, how the bwm_tool
> works.
> So I start the bwm_monitor, but nothing happen !
> After canceling the process I get the error message "Segmentation
> fault".
>
> So I try anything and I find out .....
> .. that when I change in the acl-table the targets from -j bwmd to -j
> ACCEPT then the bwm_monitor start without problems.
> What is here wrong ?
> Is there a mistake in my firewall.xml ?
>
> Then I have a question to the traffic-control ..
> How differ the flow table between input and output ?
> Is this only the option "in" and "out" in the name from the flow-table.
>
> Thanks for answer !
>
> best Regards
>
> Ralph Buchmann
>
> To: nk...@lb...
> bwm...@li...

--
Nigel Kukard, PhD CompSc (Chief Executive Officer)
Linux Based Systems Design
Web: www.lbsd.net Email: nk...@lb...
Tel: (+27) 023 349 8000 Cell: (+27) 082 333 3723
Fax: (+27) 023 349 1395 Support: 086 747 7600
Address: LIGT House, 2 Klipdrift Rd, Rawsonville
Linux Systems Design & Technology Solutions

The best language to use is the language that was designed for what you want to use it for.

=====================================================================
Disclaimer
----------
The contents of this message and any attachments are intended solely for the addressee's use and may be legally privileged and/or confidential information. This message may not be retained, distributed, copied or used if you are not the addressee of this message. If this message was sent to you in error, please notify the sender immediately by reply e-mail and then destroy the message and any copies thereof. Opinions, conclusions and other information in this message may be personal to the sender and is not that of Linux Based Systems Design, LinuxRulz or any of its subsidiaries, associated companies or principals and is therefore not endorsed by Linux Based Systems Design or LinuxRulz. Due to e-mail communication being insecure, Linux Based Systems Design and LinuxRulz do not guarantee confidentiality, security, accuracy or performance of the e-mail. Any liability for viruses is excluded to the fullest extent.

From: <ral...@ra...> - 2005-04-18 14:10:41
Hi Again,

over the weekend I try many things, that the traffic control works.

Now I'm a little bit farther, because the traffic control works by P2P and ftp traffic.
Think there is a big mistake in my firewall rules, because when this work, I can't open any websites or many other things.
Is this idea the right way or can be anything other wrong ?

Ok, by this test I want to look over the bwm_monitor, how the bwm_tool works.
So I start the bwm_monitor, but nothing happen !
After canceling the process I get the error message "Segmentation fault".

So I try anything and I find out .....
. that when I change in the acl-table the targets from -j bwmd to -j ACCEPT then the bwm_monitor start without problems.
What is here wrong ?
Is there a mistake in my firewall.xml ?

Then I have a question to the traffic-control ...
How differ the flow table between input and output ?
Is this only the option "in" and "out" in the name from the flow-table.

Thanks for answer !

best Regards

Ralph Buchmann

To: nk...@lb...
bwm...@li...

From: Nigel K. <nk...@lb...> - 2005-04-18 08:37:14
Ok.... you need to use -j MARK --set-mark 2001 in your mangle table, you must mark the traffic you wish to send to bwmd for shaping. Once it has been marked, your normal ACCEPT target must be changed to the bwmd target, which will intercept the traffic and shape it.... check the iptables firewall generated for the example.xml configuration file and also that generated for the examples in the bwm tools documentation.

You can then rewrite the bwmd configuration like this... (try it with the most basic config, before you start fine-tuning the optional params)

    <firewall><global>
        <modules>
            <load name="ip_queue"/>
        </modules>
    </global>
    # Traffic flows
    <traffic>
        <flow name="mainline" max-rate="65536" report-timeout="60">
            <queue nfmark="2001">
            </queue>
        </flow>
    </traffic>
    </firewall>

And add some rules maybe like this... (off the top of my head)...

    iptables -t mangle -A FORWARD -p tcp --sport 20 -j MARK --set-mark 2001
    iptables -t mangle -A FORWARD -p tcp --sport 21 -j MARK --set-mark 2001
    iptables -t mangle -A FORWARD -p tcp --dport 20 -j MARK --set-mark 2001
    iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 2001
    iptables -A FORWARD -j bwmd

(I'm assuming there are no other rules in the above chains)

-Nigel

Rizwan Sarwar Sundhu wrote:

> Hi,
> I am not using bwmd for firewall, I only want to use it for
> traffic control at the moment because I am still getting familiar with
> it. Here is what I do,
>
> Create a new chain in existing iptables generated by my SuSEfirewall2:
>
> #iptables -N bwmd
>
> Then I add these two rules:
>
> #iptables -A bwmd -m mark ! --mark 0 -j QUEUE
> #iptables -A bwmd -j ACCEPT
>
> So I get this in iptables -L bwmd
>
> # iptables -L bwmd
> Chain bwmd (0 references)
> target prot opt source destination
> QUEUE all -- anywhere anywhere MARK match !0x0
> ACCEPT all -- anywhere anywhere
>
> Next I start bwmd with this command (file firewall.xml used is pasted
> below.)
>
> # bwmd -c test/firewall.xml
> BWM Daemon v200504060857 - Copyright (c) 2003-2005 Linux Based Systems Design
>
> Loading ip_queue...done
>
> File used as firewall.xml:
>
> <firewall><global>
>     <modules>
>         <load name="ip_queue"/>
>     </modules>
>     <class name="ftp_traffic_out_data">
>         <address name="a_traffic_out" src="192.168.0.221" src-port="20"/>
>     </class>
>     <class name="ftp_traffic_out_control">
>         <address name="b_traffic_out" src="192.168.0.221" src-port="21"/>
>     </class></global>
> # Traffic flows
> <traffic><flow name="mainline" stats-len="10" queue-size="1000" queue-len="100" max-rate="65536" burst-rate="67172" report-timeout="60">
>     <queue prio="50" nfmark="2001">
>         ftp_traffic_out_data;
>         ftp_traffic_out_control;
>     </queue>
> </flow>
>
> </traffic>
>
> </firewall>
>
> Regards
> Rizwan
>
> ----- Original Message -----
> *From:* Nigel Kukard <mailto:nk...@lb...>
> *To:* Rizwan Sarwar Sundhu <mailto:ra...@ya...>
> *Cc:* bwm-tools-tech@lists..sourceforge.net <mailto:bwm...@li...>
> *Sent:* Monday, April 18, 2005 8:54 AM
> *Subject:* Re: [bwm-tools-tech] Traffic Control!!!!
>
> Hrm....
>
> You must have -j bwmd as the ACCEPT rules for traffic you want
> to shape.
>
> Can you attach your bwm tools config file, along with the iptables
> file it generates plz.
>
> Regards
> Nigel
>
> Rizwan Sarwar Sundhu wrote:
>
>> Hi,
>> Thanks for replying, I checked iptables -vnL bwmd but it does
>> not show any increase in counters.
>>
>> # iptables -vnL bwmd
>> Chain bwmd (0 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
>> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> I can understand that traffic is not being forwarded to bwmd, but
>> why, not making sense to me. waiting for your response
>>
>> Regard
>> Rizwan

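The symptom discussed in the message above (a bwmd chain showing "0 references" and a QUEUE counter stuck at 0 until the ACCEPT targets are changed to -j bwmd) can be checked from saved `iptables -vnL` text. The following is an added example, not part of the original thread or of bwm_tools; the function names are hypothetical and both listings are constructed samples modelled on the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from bwm_tools): read saved
# `iptables -vnL` text and say why the bwmd QUEUE rule sees no packets.
# Function names and both sample listings are constructed for illustration.

# chain_refs CHAIN: print N from "Chain CHAIN (N references)",
# "policy" for a built-in chain, "missing" if CHAIN is not listed.
chain_refs() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && !found {
            n = $3; sub(/^\(/, "", n); print n; found = 1
        }
        END { if (!found) print "missing" }'
}

# queue_pkts CHAIN: print the packets counted by QUEUE rules in CHAIN.
# iptables abbreviates large counters (12K, 3M), so expand the suffix.
queue_pkts() {
    awk -v chain="$1" '
        function expand(v,   m) {
            m = 1
            if (v ~ /K$/) m = 1000
            else if (v ~ /M$/) m = 1000000
            else if (v ~ /G$/) m = 1000000000
            return (v + 0) * m
        }
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $3 == "QUEUE" { total += expand($1) }
        END { print total + 0 }'
}

# diagnose CHAIN: read a listing on stdin and print one verdict.
diagnose() {
    listing=$(cat)
    refs=$(printf '%s\n' "$listing" | chain_refs "$1")
    pkts=$(printf '%s\n' "$listing" | queue_pkts "$1")
    case "$refs" in
        missing) echo "no-chain" ;;          # chain was never created
        policy)  echo "builtin-chain" ;;     # not a user-defined chain
        0)       echo "unreferenced" ;;      # no rule has -j CHAIN
        *)  if [ "$pkts" -eq 0 ]; then
                echo "referenced-but-idle"   # jump exists, no marked packets
            else
                echo "queueing"
            fi ;;
    esac
}

# Constructed sample: FORWARD still ends in ACCEPT, nothing jumps to bwmd.
sample_before() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 8028 393K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bwmd (0 references)
 pkts bytes target prot opt in out source destination
 0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
}

# Constructed sample: the ACCEPT target replaced by a jump to bwmd.
sample_after() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 8028 393K bwmd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain bwmd (1 references)
 pkts bytes target prot opt in out source destination
 131 5451 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
 7897 388K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
}

echo "before: $(sample_before | diagnose bwmd)"
echo "after:  $(sample_after | diagnose bwmd)"
```

On a real firewall, pipe the output of `iptables -vnL` (run as root) into `diagnose bwmd` instead of the samples.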
From: Nigel K. <nk...@lb...> - 2005-04-18 08:24:11
download version v0.2.0, not the snapshot

-Nigel

Nigel Kukard wrote:

> Hi,
>
> Ok.... could you start from scratch...
>
> 1. Extract bwmtools source
> 2. Extract rrdtool source inside the bwmtools directory
> 3. Symlink the rrdtool directory to rrdtool
> 4. Run ./configure --with-rrdtool-source
> 5. type... make
>
> I've tested the above procedure quite a number of times and it works
> for me fine... if it doesn't work for you can you please send me all
> the info you can, paste each step in an email so I can see what is
> going on and if there is a bug I'll be more than happy to fix it.
>
> -Nigel
>
> hard dave wrote:
>
>> Hello sir,
>>
>> still in confusion need help:
>>
>> could you try changing line 49 in the configure.ac file and line 19500
>> in the configure file to read librrd.a instead of librrdtool.a and see
>> if this works.
>>
>> I tried this but it seem appear same as it previously :
>>
>> gcc: /rrdtool/src/.libs/librrd.a: No such file or directory
>> make[2]: *** [bwm_graph] Error 1
>> make[2]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857/bwm_graph'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857'
>> make: *** [all] Error 2

From: Nigel K. <nk...@lb...> - 2005-04-18 08:12:16
Hi,

Ok.... could you start from scratch...

1. Extract bwmtools source
2. Extract rrdtool source inside the bwmtools directory
3. Symlink the rrdtool directory to rrdtool
4. Run ./configure --with-rrdtool-source
5. type... make

I've tested the above procedure quite a number of times and it works for me fine... if it doesn't work for you can you please send me all the info you can, paste each step in an email so I can see what is going on and if there is a bug I'll be more than happy to fix it.

-Nigel

hard dave wrote:

> Hello sir,
>
> still in confusion need help:
>
> could you try changing line 49 in the configure.ac file and line 19500
> in the configure file to read librrd.a instead of librrdtool.a and see
> if this works.
>
> I tried this but it seem appear same as it previously :
>
> gcc: /rrdtool/src/.libs/librrd.a: No such file or directory
> make[2]: *** [bwm_graph] Error 1
> make[2]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857/bwm_graph'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857'
> make: *** [all] Error 2

From: Nigel K. <nk...@lb...> - 2005-04-18 07:57:21
Hrm....

You must have -j bwmd as the ACCEPT rules for traffic you want to shape.

Can you attach your bwm tools config file, along with the iptables file it generates plz.

Regards
Nigel

Rizwan Sarwar Sundhu wrote:

> Hi,
> Thanks for replying, I checked iptables -vnL bwmd but it does not
> show any increase in counters.
>
> # iptables -vnL bwmd
> Chain bwmd (0 references)
> pkts bytes target prot opt in out source destination
> 0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> I can understand that traffic is not being forwarded to bwmd, but why,
> not making sense to me. waiting for your response
>
> Regard
> Rizwan
>
> ----- Original Message -----
> *From:* Nigel Kukard <mailto:nk...@lb...>
> *To:* Rizwan Sarwar Sundhu <mailto:ra...@ya...>
> *Sent:* Monday, April 18, 2005 7:37 AM
> *Subject:* Re: [bwm-tools-tech] Traffic Control!!!!
>
> Do the counters in the bwmd chain increase?
>
> iptables -vnL bwmd
>
> -Nigel
>
> Rizwan Sarwar Sundhu wrote:
>
>> Hi,
>> I am having problem in controlling traffic using bwmd. I
>> talked to Kobe about it earlier and he advised me to make some
>> corrections to my rules and forward traffic to bwmd. I still can
>> not see any traffic in bwm_monitor and no traffic being forward
>> to bwmd as well. Following is the output from iptables -L bwmd
>>
>> # iptables -L bwmd
>> Chain bwmd (0 references)
>> target prot opt source destination
>> QUEUE all -- anywhere anywhere MARK match !0x0
>> ACCEPT all -- anywhere anywhere
>>
>> bwmd -c firewall.xml is running as well. Just going to paste the
>> rules again to show you that they are ok or not,
>>
>> <firewall><global>
>>     <modules>
>>         <load name="ip_queue"/>
>>     </modules>
>>     <class name="ftp_traffic_out_data">
>>         <address name="a_traffic_out" src="192.168.0.221" src-port="20"/>
>>     </class>
>>     <class name="ftp_traffic_out_control">
>>         <address name="b_traffic_out" src="192.168.0.221" src-port="21"/>
>>     </class></global>
>> # Traffic flows
>> <traffic><flow name="mainline" stats-len="10" queue-size="1000" queue-len="100" max-rate="65536" burst-rate="67172" report-timeout="60">
>>     <queue prio="50" nfmark="2001">
>>         ftp_traffic_out_data;
>>         ftp_traffic_out_control;
>>     </queue>
>> </flow>
>>
>> </traffic>
>>
>> </firewall>
>>
>> No traffic or counter is increasing in bwm_monitor although it is
>> showing the flow "mainline" as configured in rules above. I must
>> be doing something wrong again. Something is missing. please help.
>>
>> Regards
>> Rizwan

From: Rizwan S. S. <ra...@ya...> - 2005-04-17 10:33:53
Hi,

I am having problem in controlling traffic using bwmd. I talked to Kobe about it earlier and he advised me to make some corrections to my rules and forward traffic to bwmd. I still can not see any traffic in bwm_monitor and no traffic being forward to bwmd as well. Following is the output from iptables -L bwmd

    # iptables -L bwmd
    Chain bwmd (0 references)
    target prot opt source destination
    QUEUE all -- anywhere anywhere MARK match !0x0
    ACCEPT all -- anywhere anywhere

bwmd -c firewall.xml is running as well. Just going to paste the rules again to show you that they are ok or not,

    <firewall><global>
        <modules>
            <load name="ip_queue"/>
        </modules>
        <class name="ftp_traffic_out_data">
            <address name="a_traffic_out" src="192.168.0.221" src-port="20"/>
        </class>
        <class name="ftp_traffic_out_control">
            <address name="b_traffic_out" src="192.168.0.221" src-port="21"/>
        </class></global>
    # Traffic flows
    <traffic><flow name="mainline" stats-len="10" queue-size="1000" queue-len="100" max-rate="65536" burst-rate="67172" report-timeout="60">
        <queue prio="50" nfmark="2001">
            ftp_traffic_out_data;
            ftp_traffic_out_control;
        </queue>
    </flow>

    </traffic>

    </firewall>

No traffic or counter is increasing in bwm_monitor although it is showing the flow "mainline" as configured in rules above. I must be doing something wrong again. Something is missing. please help.

Regards
Rizwan

From: <ral...@ra...> - 2005-04-15 14:00:02
Hi Nigel,

thanks for the fast answer !

OK, I change all "-j ACCEPT" targets in "-j bwmd" in my filter-table, but then I can't open any websites.
And I see no traffic over the bwmd chain !
(Under the mangle-table I can't change the ACCEPT-target. When I try this, I get an error message ! Is this right ?)

But I try this any time before, because I see it of the website from Kobe.
He use extra the rule "-A bwmd -j ACCEPT". When I add this to my rules, I see traffic over this rule, but nothing again over the bwmd Queue !

What can be wrong ?

Bye for now
Ralph

Original Message processed by Tobit InfoCenter
Subject: Re: [bwm-tools-tech] Please Help ...Traffic Control don't work ! (15-Apr-2005 11:56)
From: nk...@lb...
To: ral...@ra...

Hi Ralph,

I see nothing is being sent to be QUEUE'd for bandwidth shaping...

    0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0

counters are 0.

I assume you have a box acting as a firewall for example... internet => firewall => network or similar.

All the ACCEPT targets for traffic that must be shaped must change to -j bwmd (what I mean is, everything that has been MARK'd), I see you have the bwmd chain, this is good... you're nearly up and running!

-Nigel

ral...@ra... wrote:

Hi again,

sorry I must disturb again, but the traffic control don't work and I don't know why !?

Ok I change a little bit by my firewall.xml what I post yesterday.
Now I can open all website with and without squid.
But what I see and think, all traffic from http and https goes past the bwm_tool.
So I test ftp traffic, and suddenly I have move in my Forward chain when I look under "iptables -L -n -v -t mangle" (see below).
But the ftp and all other traffic don't control from the bwm_tool.

Please help, what is wrong in my firewall-file !?
Or is anything wrong around the bwm_tool ?
When I start the bwm_tool at first I sent the iptables with "bwm_firewall firewall.xml -l", then I start bwmd or bwmd -f.
So I think it must work, or not ?

Here comes now the output with "iptables -L -n -v -t mangle" and "iptables -L -n -v", hope you see anything.

iptables -L -t mangle -v -n
Chain PREROUTING (policy ACCEPT 153K packets, 122M bytes)
pkts bytes target prot opt in out source destination
80557 101M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
9286 411K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
323 50860 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
175 11695 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10
Chain INPUT (policy ACCEPT 126K packets, 104M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 22009 packets, 18M bytes)
pkts bytes target prot opt in out source destination
8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
Chain OUTPUT (policy ACCEPT 130K packets, 99M bytes)
pkts bytes target prot opt in out source destination
tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
54457 3505K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 TOS set 0x10
175 41207 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
302 21791 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10
Chain POSTROUTING (policy ACCEPT 152K packets, 117M bytes)
pkts bytes target prot opt in out source destination

iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
175 11695 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
239 18164 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
839 211K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1812
160 34803 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
122K 104M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
187 18996 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 input_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto50
1517 72824 input_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
95 79913 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
278 13316 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp toPMTU
0 0 forward_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
8040 394K forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
13969 17M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 5 packets, 200 bytes)
pkts bytes target prot opt in out source destination
296 43919 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
130K 99M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
Chain POSTROUTING (0 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING (0 references)
pkts bytes target prot opt in out source destination
Chain bwmd (0 references)
pkts bytes target prot opt in out source destination
0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
Chain forward_ext (1 references)
pkts bytes target prot opt in out source destination
2 150 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
13967 17M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forward_int (2 references)
pkts bytes target prot opt in out source destination
8028 393K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
1 104 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type3
59 72560 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535
3 99 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:1024:65535
32 7150 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_int (2 references)
pkts bytes target prot opt in out source destination
1517 72824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Hope you can see anything about this, when not, please let me know what you need.

Understand I right, that all traffic what I want to control with the bwm_tool must go over the FORWARD Chains !?

Best Regards

Ralph Buchmann

To: bwm...@li...
bwm...@li...
bwm...@li...
Cc: nk...@lb...

To: nk...@lb...
bwm...@li...

From: hard d. <har...@ya...> - 2005-04-15 11:23:56
Hello sir,

still in confusion need help:

could you try changing line 49 in the configure.ac file and line 19500 in the configure file to read librrd.a instead of librrdtool.a and see if this works.

I tried this but it seem appear same as it previously :

    gcc: /rrdtool/src/.libs/librrd.a: No such file or directory
    make[2]: *** [bwm_graph] Error 1
    make[2]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857/bwm_graph'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857'
    make: *** [all] Error 2

From: Nigel K. <nk...@lb...> - 2005-04-15 09:57:00
Hi Ralph,

I see nothing is being sent to be QUEUE'd for bandwidth shaping...

    0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0

counters are 0.

I assume you have a box acting as a firewall for example... internet => firewall => network or similar.

All the ACCEPT targets for traffic that must be shaped must change to -j bwmd (what I mean is, everything that has been MARK'd), I see you have the bwmd chain, this is good... you're nearly up and running!

-Nigel

ral...@ra... wrote:

> Hi again,
>
> sorry I must disturb again, but the traffic control don't work and I
> don't know why !?
>
> Ok I change a little bit by my firewall.xml what I post yesterday.
> Now I can open all website with and without squid.
> But what I see and think, all traffic from http and https goes past
> the bwm_tool.
> So I test ftp traffic, and suddenly I have move in my Forward chain
> when I look under "iptables -L -n -v -t mangle" (see below).
> But the ftp and all other traffic don't control from the bwm_tool.
>
> Please help, what is wrong in my firewall-file !?
> Or is anything wrong around the bwm_tool ?
> When I start the bwm_tool at first I sent the iptables with
> "bwm_firewall firewall.xml -l", then I start bwmd or bwmd -f.
> So I think it must work, or not ?
>
> Here comes now the output with "iptables -L -n -v -t mangle" and
> "iptables -L -n -v", hope you see anything.
>
> iptables -L -t mangle -v -n
> Chain PREROUTING (policy ACCEPT 153K packets, 122M bytes)
> pkts bytes target prot opt in out source destination
> 80557 101M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
> 9286 411K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
> 323 50860 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
> 175 11695 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10
> Chain INPUT (policy ACCEPT 126K packets, 104M bytes)
> pkts bytes target prot opt in out source destination
> Chain FORWARD (policy ACCEPT 22009 packets, 18M bytes)
> pkts bytes target prot opt in out source destination
> 8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
> 10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
> 131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
> 0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
> 8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
> 10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
> 131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
> 0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
> Chain OUTPUT (policy ACCEPT 130K packets, 99M bytes)
> pkts bytes target prot opt in out source destination
> tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
> 54457 3505K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 TOS set 0x10
> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 TOS set 0x10
> 175 41207 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
> 302 21791 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10
> Chain POSTROUTING (policy ACCEPT 152K packets, 117M bytes)
> pkts bytes target prot opt in out source destination
>
> iptables -L -n -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 175 11695 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> 239 18164 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
> 839 211K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1812
> 160 34803 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 122K 104M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 187 18996 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 input_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto50
> 1517 72824 input_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> 95 79913 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 278 13316 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp toPMTU
> 0 0 forward_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
> 8040 394K forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> 13969 17M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain OUTPUT (policy DROP 5 packets, 200 bytes)
> pkts bytes target prot opt in out source destination
> 296 43919 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
> 130K 99M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> Chain POSTROUTING (0 references)
> pkts bytes target prot opt in out source destination
> Chain PREROUTING (0 references)
> pkts bytes target prot opt in out source destination
> Chain bwmd (0 references)
> pkts bytes target prot opt in out source destination
> 0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
> Chain forward_ext (1 references)
> pkts bytes target prot opt in out source destination
> 2 150 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
> 13967 17M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain forward_int (2 references)
> pkts bytes target prot opt in out source destination
> 8028 393K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain input_ext (1 references)
> pkts bytes target prot opt in out source destination
> 1 104 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type3
> 59 72560 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535
> 3 99 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:1024:65535
> 32 7150 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
> Chain input_int (2 references)
> pkts bytes target prot opt in out source destination
> 1517 72824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Hope you can see anything about this, when not, please let me know
> what you need.
>
> Understand I right, that all traffic what I want to control with the
> bwm_tool must go over the FORWARD Chains !?
>
> Best Regards
>
> Ralph Buchmann
>
> To: bwm...@li...
> bwm...@li...
> bwm...@li...
> Cc: nk...@lb...

From: <ral...@ra...> - 2005-04-15 09:43:55
|
Hi again,

sorry I must disturb again, but the traffic control doesn't work and I don't know why!?

OK, I changed my firewall.xml a little bit from what I posted yesterday. Now I can open all websites with and without squid. But from what I see, I think all traffic from http and https goes past the bwm_tool.

So I tested ftp traffic, and suddenly I have movement in my Forward chain when I look under "iptables -L -n -v -t mangle" (see below). But the ftp and all other traffic is not controlled by the bwm_tool.

Please help, what is wrong in my firewall file!? Or is anything wrong around the bwm_tool?

When I start the bwm_tool, at first I load the iptables with "bwm_firewall firewall.xml -l", then I start bwmd or bwmd -f. So I think it must work, or not?

Here comes now the output of "iptables -L -n -v -t mangle" and "iptables -L -n -v", hope you see anything.

iptables -L -t mangle -v -n
Chain PREROUTING (policy ACCEPT 153K packets, 122M bytes)
  pkts bytes target prot opt in out source destination
  80557 101M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
  9286 411K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
  323 50860 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
  175 11695 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10
Chain INPUT (policy ACCEPT 126K packets, 104M bytes)
  pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 22009 packets, 18M bytes)
  pkts bytes target prot opt in out source destination
  8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
  10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x514
  131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
  0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x4e3
  8030 393K MARK tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
  10 673 MARK udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x8fc
  131 5451 MARK tcp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
  0 0 MARK udp -- eth1 * 192.168.125.5 !192.168.125.0/24 MARK set 0x8cb
Chain OUTPUT (policy ACCEPT 130K packets, 99M bytes)
  pkts bytes target prot opt in out source destination
  tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 TOS set 0x08
  54457 3505K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x08
  0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 TOS set 0x10
  0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 TOS set 0x10
  175 41207 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 TOS set 0x10
  302 21791 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 TOS set 0x10
Chain POSTROUTING (policy ACCEPT 152K packets, 117M bytes)
  pkts bytes target prot opt in out source destination

iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target prot opt in out source destination
  175 11695 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
  239 18164 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
  839 211K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1812
  160 34803 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  122K 104M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  187 18996 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  0 0 input_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto50
  1517 72824 input_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  95 79913 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  0 0 DROP all - * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target prot opt in out source destination
  278 13316 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp toPMTU
  0 0 forward_int all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
  8040 394K forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  13969 17M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 5 packets, 200 bytes)
  pkts bytes target prot opt in out source destination
  296 43919 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
  130K 99M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
Chain POSTROUTING (0 references)
  pkts bytes target prot opt in out source destination
Chain PREROUTING (0 references)
  pkts bytes target prot opt in out source destination
Chain bwmd (0 references)
  pkts bytes target prot opt in out source destination
  0 0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
Chain forward_ext (1 references)
  pkts bytes target prot opt in out source destination
  2 150 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
  13967 17M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forward_int (2 references)
  pkts bytes target prot opt in out source destination
  8028 393K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
  0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_ext (1 references)
  pkts bytes target prot opt in out source destination
  1 104 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type3
  59 72560 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535
  3 99 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:1024:65535
  32 7150 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_int (2 references)
  pkts bytes target prot opt in out source destination
  1517 72824 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Hope you can see anything in this; if not, please let me know what you need.

Do I understand right, that all traffic that I want to control with the bwm_tool must go over the FORWARD chains!?

Best Regards

Ralph Buchmann

To: bwm...@li... bwm...@li... bwm...@li...
Cc: nk...@lb... |
From: hard d. <har...@ya...> - 2005-04-15 06:29:27
|
I have an error while compiling, I mean when I type make this error appears:

gcc: /rrdtool/src/.libs/librrdtool.a: No such file or directory
make[2]: *** [bwm_graph] Error 1
make[2]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857/bwm_graph'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857'
make: *** [all] Error 2

What should I do? I'm using Fedora 2 Linux. |
From: Nigel K. <nk...@lb...> - 2005-04-15 05:48:47
|
Hi,

could you try changing line 49 in the configure.ac file and line 19500 in the configure file to read librrd.a instead of librrdtool.a and see if this works.

- Nigel

hard dave wrote:
> Respected Sir,
>
> Thanks for guide to step by step guide-line.
> It is working up to 7th step nicely
> means we got configuration nice and also got message like "configure
> is done!"
>
> but when we try to compile mean to say execute command *make*
> then following error appear after checking some thing after some time:
>
>
> *gcc: /rrdtool/src/.libs/librrdtool.a: No such file or directory*
>
> *make[2]: *** [bwm_graph] Error 1*
>
> *make[2]: Leaving directory
> `/root/Desktop/proj/bwm_tools-200504060857/bwm_graph'make[1]: ***
> [all-recursive] Error 1*
>
> *make[1]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857'*
>
> *make: *** [all] Error 2*
>
>
>
> *and stop compiling*
> *so please say something how i remove this error and also tell that
> after installing this project how can I use this tool? Means to see
> the out put and execute whole project
> *
|
From: hard d. <har...@ya...> - 2005-04-14 15:02:20
|
Respected Sir,

Thanks for guide to step by step guide-line.
It is working up to 7th step nicely
means we got configuration nice and also got message like "configure is done!"

but when we try to compile mean to say execute command make
then following error appear after checking some thing after some time:

gcc: /rrdtool/src/.libs/librrdtool.a: No such file or directory
make[2]: *** [bwm_graph] Error 1
make[2]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857/bwm_graph'make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/Desktop/proj/bwm_tools-200504060857'
make: *** [all] Error 2

and stop compiling
so please say something how i remove this error and also tell that after installing this project how can I use this tool? Means to see the out put and execute whole project

Nigel Kukard <nk...@lb...> wrote:

Ok....

1. download rrdtool
   http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub/rrdtool-1.0.49.tar.gz
2. download bwmtools
   http://belnet.dl.sourceforge.net/sourceforge/bwm-tools/bwm_tools-200504060857.tar.bz2
3. type... tar jxvf bwm_tools-200504060857.tar.bz2
4. type... cd bwm_tools-200504060857
5. type... tar zxvf ../rrdtool-1.0.49.tar.gz
6. type... ln -s rrdtool-1.0.49 rrdtool
7. type... ./configure --with-rrdtool-source

then...

8. make
9. make install

The mailing list can be subscribed to here...
http://lists.sourceforge.net/mailman/listinfo/bwm-tools-tech

once you have subscribed send support requests to bwm...@li...

Kind Regards
Nigel Kukard

hard dave wrote:

Hello sir,

I already have been configured the bwm tool with rrdtool source pls send me step by step configuration for that . In ur answer i already symlink for that i also get the symlink for that file. The icon that i seen in my bwm dir. And sir u told me to put in mailing list what is that i don't know? so again i ask u for step by step guide to me. but one thing i mark after symlink rrdtool if i double click on that i got the message that the symlink is broken. why? that?

And tell me it works on FEDORA CORE 2 version of Linux. |
From: Kobe L. <Ko...@pu...> - 2005-04-14 10:58:13
|
Hello,

You are mis-filtering FTP traffic, port 21 is the control channel, and port 20 is the default data channel. But if you're using passive mode you should also filter the traffic originating from the passive portrange you specified in your ftpd, or lookup the default portrange your ftpd uses.

BTW, always use bwm_monitor and iptables -L -n -v to check if your rules mark traffic as you expect it.

Greetz

Kobe

Rizwan Sarwar wrote:
> Hi,
> i have been recently trying out this tool for bandwidth
> management. i can not seem to figure out how to get the rules right. i
> have a an ftp server which is connect to internet with a 1Mbps line. i
> want to limit all outgoing ftp traffic to 512Kbps because the rest of
> traffic is needed for some HTTP traffic and normal user requests etc.
> I tried following rules in firewall.xml and loaded "bwmd -c firewall.xml".
>
> <firewall> <global>
> <modules>
> <load name="ip_queue"/>
> </modules>
> <class name="ftp_traffic_out">
> <address name="aftp_traffic_out" src="192.168.0.200" src-port="21"/>
> </class> </global>
> # Traffic flows
> <traffic>
> <flow name="mainline" stats-len="10" queue-size="1000"
> queue-len="100" max-rate="60000" burst-rate="70000" report-timeout="60">
> <flow name="my_ftp_out" max-rate="55000">
> <queue prio="50" nfmark="1001">
> ftp_traffic_out;
> </queue>
> </flow>
> </flow>
> </traffic>
> </firewall>
> Ok what i understand from above rules is that it should limit
> "ftp_traffic_out" type traffic to 55000 bytes ~= 55Kbytes/sec. But it
> does not work, instead ftp keeps using full bandwidth and no
> limitation happens. I should mention that i am using bwm tools only
> for traffic management, my system has its own firewall i-e
> SuSEFirewall2 which come with SuSE. Please help me, am i doing it not
> right or is it not the tool for my problem.
>
> Thank you.
>
|
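The check recommended in the message above (read `iptables -L -n -v` and confirm that rules mark traffic as expected) can be scripted. This is an added example, not part of the thread or of bwm_tools: it parses listing text and reports MARK rules whose mark is replaced by a later MARK rule with the same match (MARK does not end chain traversal), user chains that nothing jumps to, and the QUEUE packet count. The sample listings are constructed, modelled on the output posted earlier in this thread, and all function names are this example's own.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)[^)]*|(\d+) references)\)")
COUNTER_RE = re.compile(r"\d+[KMG]?")
MARK_SET_RE = re.compile(r"MARK set (0x[0-9a-fA-F]+)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

# Constructed sample: mangle FORWARD chain as shown by "iptables -L -n -v -t mangle".
MANGLE_SAMPLE = """\
Chain FORWARD (policy ACCEPT 22009 packets, 18M bytes)
 pkts bytes target prot opt in   out source         destination
 8030  393K MARK   tcp  --  eth1 *   0.0.0.0/0      0.0.0.0/0          MARK set 0x514
   10   673 MARK   udp  --  eth1 *   0.0.0.0/0      0.0.0.0/0          MARK set 0x514
  131  5451 MARK   tcp  --  eth1 *   192.168.125.5  !192.168.125.0/24  MARK set 0x4e3
    0     0 MARK   udp  --  eth1 *   192.168.125.5  !192.168.125.0/24  MARK set 0x4e3
 8030  393K MARK   tcp  --  eth1 *   0.0.0.0/0      0.0.0.0/0          MARK set 0x8fc
   10   673 MARK   udp  --  eth1 *   0.0.0.0/0      0.0.0.0/0          MARK set 0x8fc
  131  5451 MARK   tcp  --  eth1 *   192.168.125.5  !192.168.125.0/24  MARK set 0x8cb
    0     0 MARK   udp  --  eth1 *   192.168.125.5  !192.168.125.0/24  MARK set 0x8cb
"""

# Constructed sample: part of the filter table as shown by "iptables -L -n -v".
FILTER_SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in   out source    destination
 8040  394K forward_int all  --  eth1 *   0.0.0.0/0 0.0.0.0/0
Chain bwmd (0 references)
 pkts bytes target prot opt in out source    destination
    0     0 QUEUE  all  --  *  *   0.0.0.0/0 0.0.0.0/0   MARK match !0x0
Chain forward_int (1 references)
 pkts bytes target prot opt in out  source    destination
 8028  393K ACCEPT all  --  *  eth0 0.0.0.0/0 0.0.0.0/0   state NEW,RELATED,ESTABLISHED
"""


def to_count(field):
    """Convert a rounded iptables counter such as '393K' to an integer."""
    if field[-1] in SUFFIX:
        return int(field[:-1]) * SUFFIX[field[-1]]
    return int(field)


def parse_listing(text):
    """Return {chain: {"policy", "refs", "rules"}} for one table's -L -n -v output."""
    chains, current = {}, None
    for line in text.splitlines():
        header = CHAIN_RE.match(line.strip())
        if header:
            name, policy, refs = header.groups()
            current = {"policy": policy, "rules": [],
                       "refs": None if refs is None else int(refs)}
            chains[name] = current
            continue
        f = line.split()
        # Skip column headers and damaged lines that do not start with two counters.
        if (current is None or len(f) < 9
                or not COUNTER_RE.fullmatch(f[0]) or not COUNTER_RE.fullmatch(f[1])):
            continue
        current["rules"].append({
            "pkts": to_count(f[0]), "target": f[2],
            "match": (f[3], f[5], f[6], f[7], f[8]),  # prot, in, out, source, destination
            "extra": " ".join(f[9:]),
        })
    return chains


def overwritten_marks(chains):
    """(chain, earlier_mark, later_mark) where a later MARK rule has the identical match.

    Only identical matches are compared; a broader later rule also overwrites
    a narrower earlier one, which this simple check does not report.
    """
    findings = set()
    for name, chain in chains.items():
        last = {}
        for rule in chain["rules"]:
            found = MARK_SET_RE.search(rule["extra"])
            if rule["target"] != "MARK" or not found:
                continue
            value = int(found.group(1), 16)
            if rule["match"] in last and last[rule["match"]] != value:
                findings.add((name, last[rule["match"]], value))
            last[rule["match"]] = value
    return sorted(findings)


def unreferenced_chains(chains):
    """User-defined chains that no rule jumps to, so their rules never see a packet."""
    return sorted(n for n, c in chains.items() if c["refs"] == 0)


def queued_packets(chains):
    """Total packets counted on QUEUE rules, i.e. handed to the userspace daemon."""
    return sum(r["pkts"] for c in chains.values()
               for r in c["rules"] if r["target"] == "QUEUE")


if __name__ == "__main__":
    for chain, old, new in overwritten_marks(parse_listing(MANGLE_SAMPLE)):
        print(f"{chain}: mark {old} is replaced by {new} (same match, later rule)")
    filt = parse_listing(FILTER_SAMPLE)
    print("chains with 0 references:", unreferenced_chains(filt))
    print("packets sent to QUEUE:", queued_packets(filt))
```

On the constructed sample, marks 1300 and 1251 never survive the chain because identical matches later set 2300 and 2251, and the `bwmd` chain holding the QUEUE rule has no references, so no packet reaches it.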
From: <ral...@ra...> - 2005-04-14 10:41:45
|
Hi again from Germany,

at first, thank you very much Nigel, that you integrated the MASQUERADE function so fast!

But I have a problem creating the firewall. At first I tried to create my own little firewall, but it doesn't work. So I took the old rules from the Suse 9.2 firewall (this works ok yet) and created with them the firewall.xml for the bwm_tool. I took all the same rules, only without the dmz-part.

Now I have the problem that I can't open any new websites. When I ask for websites which are cached in the squid proxy, I see them. But with these sites I haven't any traffic over the traffic-control, only by the INPUT and OUTPUT chains.

When I open any web interfaces over https from devices in my own network, then it's ok. I see all sites and then the traffic goes over my ip and the bwm_tool. (Hope you understand what I want to say, because I know my English is not the best.)

OK, now here are my rules and the output file. Hope anyone can help me to create the right rules. I think something is wrong in the INPUT chains, and I tried a lot here, but nothing works right.
the firewire.xml: - <firewall> # Global configuration and access classes - <global> - <modules> <load name="ip_queue" /> <load name="ip_conntrack_ftp" /> <load name="ip_nat_ftp" /> </modules> # Firewall All - <class name="ftp_data"> <address proto="tcp" dst-port="20" /> <address proto="udp" dst-port="20" /> </class> - <class name="ftp"> <address proto="tcp" dst-port="21" /> <address proto="udp" dst-port="21" /> </class> - <class name="dns"> <address proto="tcp" dst-port="53" /> <address proto="udp" dst-port="53" /> </class> - <class name="http"> <address proto="tcp" dst-port="80" /> <address proto="udp" dst-port="80" /> </class> - <class name="ntp"> <address proto="tcp" dst-port="123" /> <address proto="udp" dst-port="123" /> </class> - <class name="https"> <address proto="tcp" dst-port="443" /> <address proto="udp" dst-port="443" /> </class> - <class name="openvpn"> <address proto="tcp" dst-port="1194" /> <address proto="udp" dst-port="1194" /> </class> - <class name="pptp"> <address proto="tcp" dst-port="1723" /> <address proto="udp" dst-port="1723" /> </class> - <class name="Radius"> <address proto="tcp" dst-port="1812" /> <address proto="tcp" dst-port="1813" /> <address proto="tcp" dst-port="1814" /> <address proto="udp" dst-port="1812" /> <address proto="udp" dst-port="1813" /> <address proto="udp" dst-port="1814" /> </class> - <class name="http_proxy"> <address proto="tcp" dst-port="3128" /> </class> # For Mangle - <class name="mangle_sport20"> <address proto="tcp -m tcp" src-port="20" /> </class> - <class name="mangle_dport20"> <address proto="tcp -m tcp" dst-port="20" /> </class> - <class name="mangle_tcp_sport53"> <address proto="tcp -m tcp" src-port="53" /> </class> - <class name="mangle_tcp_dport53"> <address proto="tcp -m tcp" dst-port="53" /> </class> - <class name="mangle_udp_sport53"> <address proto="udp -m udp" src-port="53" /> </class> - <class name="mangle_udp_dport53"> <address proto="udp -m udp" dst-port="53" /> </class> - <class 
name="mangle_sport80"> <address proto="tcp -m tcp" src-port="80" /> </class> - <class name="mangle_dport80"> <address proto="tcp -m tcp" dst-port="80" /> </class> # For Filter - <class name="lo"> <address src-iface="lo" /> </class> - <class name="tcp_related"> <address proto="tcp -m state" cmd-line="--state RELATED,ESTABLISHED" /> </class> - <class name="udp_related"> <address proto="udp -m state" cmd-line="--state RELATED,ESTABLISHED" /> </class> - <class name="dir_in"> <address cmd-line="-m policy --dir in --pol ipsec --proto esp" /> </class> - <class name="eth0"> <address src-iface="eth0" /> </class> - <class name="eth1"> <address src-iface="eth1" /> </class> - <class name="input_drop"> <address /> </class> - <class name="tcp_flags"> <address proto="tcp -m tcp" cmd-line="--tcp-flags SYN,RST SYN" /> </class> - <class name="forward_drop"> <address /> </class> - <class name="loo"> <address cmd-line="-o lo" /> </class> - <class name="output_related"> <address cmd-line="-m state --state NEW,RELATED,ESTABLISHED" /> </class> - <class name="icmp1"> <address proto="icmp -m icmp" cmd-line="--icmp-type 11" /> </class> - <class name="icmp2"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/3" /> </class> - <class name="icmp3"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/4" /> </class> - <class name="icmp4"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/9" /> </class> - <class name="icmp5"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/10" /> </class> - <class name="icmp6"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3/13" /> </class> - <class name="icmp_drop"> <address proto="icmp -m icmp" cmd-line="--icmp-type 3" /> </class> - <class name="for_ext_state"> <address cmd-line="-m state --state INVALID" /> </class> - <class name="for_ext_related"> <address proto="icmp -m state" cmd-line="--state RELATED -m icmp --icmp-type 3" /> </class> - <class name="for_ext_related2"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED 
-m icmp --icmp-type 0" /> </class> - <class name="for_ext_related3"> <address cmd-line="-o eth0 -m state --state NEW,RELATED,ESTABLISHED" /> </class> - <class name="for_ext_related4"> <address cmd-line="-i eth0 -m state --state RELATED,ESTABLISHED" /> </class> - <class name="for_int_state"> <address cmd-line="-m state --state INVALID" /> </class> - <class name="in_ext_broadcast"> <address cmd-line="-m pkttype --pkt-type broadcast" /> </class> - <class name="in_ext_icmp4"> <address proto="icmp -m icmp" cmd-line="--icmp-type 4" /> </class> - <class name="in_ext_icmp8"> <address proto="icmp -m icmp" cmd-line="--icmp-type 8" /> </class> - <class name="in_ext_icmp_related"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 0" /> </class> - <class name="in_ext_icmp_related3"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 3" /> </class> - <class name="in_ext_icmp_related11"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 11" /> </class> - <class name="in_ext_icmp_related12"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 12" /> </class> - <class name="in_ext_icmp_related14"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 14" /> </class> - <class name="in_ext_icmp_related18"> <address proto="icmp -m state" cmd-line="--state RELATED,ESTABLISHED -m icmp --icmp-type 18" /> </class> - <class name="in_ext_dp53"> <address proto="tcp -m tcp" cmd-line="--dport 53" /> </class> - <class name="in_ext_u_dp53"> <address proto="udp -m udp" cmd-line="--dport 53" /> </class> - <class name="in_ext_dp80"> <address proto="tcp -m tcp" cmd-line="--dport 80" /> </class> - <class name="in_ext_u_dp80"> <address proto="udp -m udp" cmd-line="--dport 80" /> </class> - <class name="in_ext_dp123"> <address proto="tcp -m tcp" cmd-line="--dport 123" /> </class> - <class name="in_ext_u_dp123"> 
<address proto="udp -m udp" cmd-line="--dport 123" /> </class> - <class name="in_ext_dp443"> <address proto="tcp -m tcp" cmd-line="--dport 443" /> </class> - <class name="in_ext_u_dp443"> <address proto="udp -m udp" cmd-line="--dport 443" /> </class> - <class name="in_ext_dp1194"> <address proto="tcp -m tcp" cmd-line="--dport 1194" /> </class> - <class name="in_ext_dp1723"> <address proto="tcp -m tcp" cmd-line="--dport 1723" /> </class> - <class name="in_ext_dp1812"> <address proto="tcp -m tcp" cmd-line="--dport 1812" /> </class> - <class name="in_ext_u_dp1812"> <address proto="udp -m udp" cmd-line="--dport 1812" /> </class> - <class name="in_ext_dp1813"> <address proto="tcp -m tcp" cmd-line="--dport 1813" /> </class> - <class name="in_ext_u_dp1813"> <address proto="udp -m udp" cmd-line="--dport 1813" /> </class> - <class name="in_ext_dp1814"> <address proto="tcp -m tcp" cmd-line="--dport 1814" /> </class> - <class name="in_ext_u_dp1814"> <address proto="udp -m udp" cmd-line="--dport 1814" /> </class> - <class name="in_ext_dprest"> <address proto="tcp -m tcp" cmd-line="--dport 1024:65535" /> </class> - <class name="in_ext_dp113"> <address proto="tcp -m tcp" cmd-line="--dport 113 -m state --state NEW" /> </class> - <class name="in_ext_u_dprest"> <address proto="udp -m state" cmd-line="--state NEW -m udp --dport 1024:65535" /> </class> - <class name="in_int_acc"> <address /> </class> - <class name="in_int_esp"> <address proto="esp" /> </class> - <class name="reject"> <address /> </class> - <class name="reject_tcp"> <address proto="tcp" /> </class> - <class name="reject_udp"> <address proto="udp" /> </class> # For Nat - <class name="proxy_redirect"> <address cmd-line="-s 192.168.125.0/255.255.255.0 -p tcp -m tcp --dport 80" /> </class> - <class name="internal_traffic"> <address dst-iface="eth0" /> </class> # For Traffic - <class name="out_other"> <address name="out_other_tcp" src-iface="eth1" proto="tcp" /> <address name="out_other_udp" src-iface="eth1" proto="udp" /> 
</class> - <class name="out_RaBuLap"> <address name="out_RaBuLap_tcp" src-iface="eth1" proto="tcp" src="192.168.125.5" dst="! 192.168.125.0/24" /> <address name="out_RaBuLap_udp" src-iface="eth1" proto="udp" src="192.168.125.5" dst="! 192.168.125.0/24" /> </class> - <class name="out_karsten"> <address name="out_karsten_tcp" src-iface="eth1" proto="tcp" src="192.168.125.102" dst="! 192.168.125.0/24" /> <address name="out_karsten_udp" src-iface="eth1" proto="udp" src="192.168.125.102" dst="! 192.168.125.0/24" /> </class> - <class name="out_test"> <address name="out_test_tcp" src-iface="eth1" proto="tcp" src="192.168.125.110" dst="! 192.168.125.0/24" /> <address name="out_test_udp" src-iface="eth1" proto="udp" src="192.168.125.110" dst="! 192.168.125.0/24" /> </class> - <class name="in_other"> <address name="in_other_tcp" src-iface="eth1" proto="tcp" /> <address name="in_other_udp" src-iface="eth1" proto="udp" /> </class> - <class name="in_RaBuLap"> <address name="in_RaBuLap_tcp" src-iface="eth1" proto="tcp" src="192.168.125.5" dst="! 192.168.125.0/24" /> <address name="in_RaBuLap_udp" src-iface="eth1" proto="udp" src="192.168.125.5" dst="! 192.168.125.0/24" /> </class> - <class name="in_karsten"> <address name="in_karsten_tcp" src-iface="eth1" proto="tcp" src="192.168.125.102" dst="! 192.168.125.0/24" /> <address name="in_karsten_udp" src-iface="eth1" proto="udp" src="192.168.125.102" dst="! 192.168.125.0/24" /> </class> - <class name="in_test"> <address name="in_test_tcp" src-iface="eth1" proto="tcp" src="192.168.125.110" dst="! 192.168.125.0/24" /> <address name="in_test_udp" src-iface="eth1" proto="udp" src="192.168.125.110" dst="! 
192.168.125.0/24" /> </class> </global> # ACL - <acl> - <table name="mangle"> - <chain name="PREROUTING" default="ACCEPT"> <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport20 mangle_dport20</rule> <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport80 mangle_dport80</rule> <rule name="allow_traffic" target="TOS --set-tos 0x10">mangle_tcp_sport53 mangle_tcp_dport53 mangle_udp_sport53 mangle_udp_dport53</rule> </chain> <chain name="POSTROUTING" default="ACCEPT" /> - <chain name="OUTPUT" default="ACCEPT"> <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport20 mangle_dport20</rule> <rule name="allow_traffic" target="TOS --set-tos 0x08">mangle_sport80 mangle_dport80</rule> <rule name="allow_traffic" target="TOS --set-tos 0x10">mangle_tcp_sport53 mangle_tcp_dport53 mangle_udp_sport53 mangle_udp_dport53</rule> </chain> </table> - <table name="filter"> # Custom Rules <chain name="PREROUTING" /> <chain name="POSTROUTING" /> - <chain name="INPUT" default="DROP"> <rule name="allowed_traffic" target="ACCEPT"> ftp_data ftp dns http ntp https openvpn Radius pptp http_proxy</rule> <rule name="allow_traffic" target="ACCEPT"> lo tcp_related udp_related</rule> <rule name="allow_traffic" target="input_int">dir_in eth1</rule> <rule name="allow_traffic" target="input_ext">eth0</rule> <rule target="DROP">input_drop</rule> </chain> - <chain name="FORWARD" default="DROP"> <rule name="allow_traffic" target="TCPMSS --clamp-mss-to-pmtu">tcp_flags</rule> <rule name="allow_traffic" target="forward_int">dir_in eth1</rule> <rule name="allow_traffic" target="forward_ext">eth0</rule> <rule target="DROP">forward_drop</rule> </chain> - <chain name="OUTPUT" default="DROP"> <rule name="allow_traffic" target="ACCEPT"> loo output_related icmp1 icmp2 icmp3 icmp4 icmp5 icmp6</rule> <rule target="DROP">icmp_drop</rule> </chain> # System Forward Rules - <chain name="forward_ext"> <rule name="allow_traffic" target="ACCEPT"> for_ext_related for_ext_related2 
for_ext_related3 for_ext_related4</rule> <rule target="DROP">for_ext_state forward_drop</rule> </chain> - <chain name="forward_int"> <rule name="allow_traffic" target="ACCEPT"> for_ext_related for_ext_related2 for_ext_related3 for_ext_related4</rule> <rule target="DROP">for_int_state forward_drop</rule> </chain> # System Input Rules - <chain name="input_ext"> <rule Name="allow_traffic" target="ACCEPT"> in_ext_icmp4 in_ext_icmp8 in_ext_icmp_related in_ext_icmp_related3 in_ext_icmp_related11 in_ext_icmp_related12 in_ext_icmp_related14 in_ext_icmp_related18 in_ext_dp53 in_ext_dp80 in_ext_dp123 in_ext_dp443 in_ext_dp1194 in_ext_dp1723 in_ext_dp1812 in_ext_dp1813 in_ext_dp1814 in_ext_dprest in_ext_u_dp53 in_ext_u_dp80 in_ext_u_dp123 in_ext_u_dp443 in_ext_u_dp1812 in_ext_u_dp1813 in_ext_u_dp1814 in_ext_u_dprest</rule> <rule target="DROP"> in_ext_broadcast for_int_state forward_drop</rule> <rule target="reject_func">in_ext_dp113</rule> </chain> - <chain name="input_int"> <rule target="ACCEPT"> in_int_acc in_ext_icmp4 in_ext_icmp8 in_ext_icmp_related in_ext_icmp_related3 in_ext_icmp_related11 in_ext_icmp_related12 in_ext_icmp_related14 in_ext_icmp_related18 in_int_esp in_ext_dp53 in_ext_dp80 in_ext_dp123 in_ext_dp443 in_ext_dp1194 in_ext_dp1723 in_ext_dp1812 in_ext_dp1813 in_ext_dp1814 in_ext_dprest in_ext_u_dp53 in_ext_u_dp80 in_ext_u_dp123 in_ext_u_dp443 in_ext_u_dp1812 in_ext_u_dp1813 in_ext_u_dp1814 in_ext_u_dprest</rule> <rule target="DROP">for_int_state forward_drop</rule> </chain> # System Reject Rules - <chain name="reject_func"> <rule target="REJECT --reject-with tcp-reset">reject_tcp</rule> <rule target="REJECT --reject-with icmp-port-unreachable">reject_udp</rule> <rule target="REJECT --reject-with icmp-proto-unreachable">reject</rule> </chain> </table> # NAT - <table name="nat"> - <chain name="PREROUTING"> <rule target="REDIRECT --to-ports 3128">proxy_redirect</rule> </chain> - <chain name="POSTROUTING"> <rule target="MASQUERADE">internal_traffic</rule> 
</chain> </table> </acl> # NAT # Traffic flows - <traffic> # Rate can be specified in either IN, OUT or TOTAL (rate-total) # If rate-total == 0, no rate limits - <flow name="out_dsl" stats-len="5" queue-size="524288" queue-len="4000" max-rate="358225" burst-rate="384000" report-timeout="60"> - <flow name="out_other" max-rate="14400" burst-rate="16000" queue-size="8192" stats-len="5" report-timeout="60"> <queue prio="90" nfmark="1300">out_other;</queue> </flow> - <flow name="out_RaBuLap" max-rate="230400" burst-rate="256000" queue-size="16384" stats-len="5" report-timeout="60"> <queue prio="10" nfmark="1251">out_RaBuLap;</queue> </flow> - <flow name="out_karsten" max-rate="115200" burst-rate="128000" queue-size="16384" stats-len="5" report-timeout="60"> <queue prio="30" nfmark="1252">out_karsten;</queue> </flow> - <flow name="out_test" max-rate="57600" burst-rate="64000" queue-size="16384" stats-len="5" report-timeout="60"> <queue prio="50" nfmark="1253">out_test;</queue> </flow> </flow> - <flow name="in_dsl" stats-len="5" queue-size="262144" queue-len="3000" max-rate="58982" burst-rate="65536" report-timeout="60"> - <flow name="in_other" max-rate="922" burst-rate="1024" queue-size="8192" stats-len="5" report-timeout="60"> <queue prio="90" nfmark="2300">out_other;</queue> </flow> - <flow name="in_RaBuLap" max-rate="29491" burst-rate="32768" queue-size="16384" stats-len="5" report-timeout="60"> <queue prio="10" nfmark="2251">out_RaBuLap;</queue> </flow> - <flow name="in_karsten" max-rate="14746" burst-rate="16384" queue-size="16384" stats-len="5" report-timeout="60"> <queue prio="30" nfmark="2252">out_karsten;</queue> </flow> - <flow name="in_test" max-rate="7373" burst-rate="8192" queue-size="16384" stats-len="5" report-timeout="60"> <queue prio="50" nfmark="2253">out_test;</queue> </flow> </flow> </traffic> </firewall> and here the outputfile from this firewall.xml # Generated using BWM Firewall v0.2.0: Thu Apr 14 08:48:06 2005 *mangle :OUTPUT ACCEPT :POSTROUTING 
ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:PREROUTING ACCEPT
-A OUTPUT --protocol tcp -m tcp --source-port 20 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --destination-port 20 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --source-port 80 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --destination-port 80 -j TOS --set-tos 0x08
-A OUTPUT --protocol tcp -m tcp --source-port 53 -j TOS --set-tos 0x10
-A OUTPUT --protocol tcp -m tcp --destination-port 53 -j TOS --set-tos 0x10
-A OUTPUT --protocol udp -m udp --source-port 53 -j TOS --set-tos 0x10
-A OUTPUT --protocol udp -m udp --destination-port 53 -j TOS --set-tos 0x10
-A FORWARD --protocol tcp --in-interface eth1 -j MARK --set-mark 1300
-A FORWARD --protocol udp --in-interface eth1 -j MARK --set-mark 1300
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol tcp --in-interface eth1 -j MARK --set-mark 1251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol udp --in-interface eth1 -j MARK --set-mark 1251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol tcp --in-interface eth1 -j MARK --set-mark 1252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol udp --in-interface eth1 -j MARK --set-mark 1252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol tcp --in-interface eth1 -j MARK --set-mark 1253
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol udp --in-interface eth1 -j MARK --set-mark 1253
-A FORWARD --protocol tcp --in-interface eth1 -j MARK --set-mark 2300
-A FORWARD --protocol udp --in-interface eth1 -j MARK --set-mark 2300
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol tcp --in-interface eth1 -j MARK --set-mark 2251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.5 --protocol udp --in-interface eth1 -j MARK --set-mark 2251
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol tcp --in-interface eth1 -j MARK --set-mark 2252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.102 --protocol udp --in-interface eth1 -j MARK --set-mark 2252
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol tcp --in-interface eth1 -j MARK --set-mark 2253
-A FORWARD --destination ! 192.168.125.0/24 --source 192.168.125.110 --protocol udp --in-interface eth1 -j MARK --set-mark 2253
-A PREROUTING --protocol tcp -m tcp --source-port 20 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --destination-port 20 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --source-port 80 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --destination-port 80 -j TOS --set-tos 0x08
-A PREROUTING --protocol tcp -m tcp --source-port 53 -j TOS --set-tos 0x10
-A PREROUTING --protocol tcp -m tcp --destination-port 53 -j TOS --set-tos 0x10
-A PREROUTING --protocol udp -m udp --source-port 53 -j TOS --set-tos 0x10
-A PREROUTING --protocol udp -m udp --destination-port 53 -j TOS --set-tos 0x10
COMMIT
*filter
:OUTPUT DROP
:input_ext -
:forward_ext -
:bwmd -
:input_int -
:POSTROUTING -
:forward_int -
:reject_func -
:INPUT DROP
:FORWARD DROP
:PREROUTING -
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/9 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/10 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3/13 -j ACCEPT
-A OUTPUT --protocol icmp -m icmp --icmp-type 3 -j DROP
-A input_ext --protocol icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext --protocol icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 53 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 80 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 123 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 443 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1194 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1723 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1812 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1813 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1814 -j ACCEPT
-A input_ext --protocol tcp -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 53 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 80 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 123 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 443 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 1812 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 1813 -j ACCEPT
-A input_ext --protocol udp -m udp --dport 1814 -j ACCEPT
-A input_ext --protocol udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m state --state INVALID -j DROP
-A input_ext -j DROP
-A input_ext --protocol tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A forward_ext --protocol icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m state --state INVALID -j DROP
-A forward_ext -j DROP
-A bwmd -m mark ! --mark 0 -j QUEUE
-A input_int -j bwmd
-A input_int --protocol icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int --protocol icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int --protocol esp -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 53 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 80 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 123 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 443 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1194 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1723 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1812 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1813 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1814 -j ACCEPT
-A input_int --protocol tcp -m tcp --dport 1024:65535 -j ACCEPT
-A input_int --protocol udp -m udp --dport 53 -j ACCEPT
-A input_int --protocol udp -m udp --dport 80 -j ACCEPT
-A input_int --protocol udp -m udp --dport 123 -j ACCEPT
-A input_int --protocol udp -m udp --dport 443 -j ACCEPT
-A input_int --protocol udp -m udp --dport 1812 -j ACCEPT
-A input_int --protocol udp -m udp --dport 1813 -j ACCEPT
-A input_int --protocol udp -m udp --dport 1814 -j ACCEPT
-A input_int --protocol udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_int -m state --state INVALID -j DROP
-A input_int -j DROP
-A forward_int --protocol icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int --protocol icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m state --state INVALID -j DROP
-A forward_int -j DROP
-A reject_func --protocol tcp -j REJECT --reject-with tcp-reset
-A reject_func --protocol udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
-A INPUT --protocol tcp --destination-port 20 -j ACCEPT
-A INPUT --protocol udp --destination-port 20 -j ACCEPT
-A INPUT --protocol tcp --destination-port 21 -j ACCEPT
-A INPUT --protocol udp --destination-port 21 -j ACCEPT
-A INPUT --protocol tcp --destination-port 53 -j ACCEPT
-A INPUT --protocol udp --destination-port 53 -j ACCEPT
-A INPUT --protocol tcp --destination-port 80 -j ACCEPT
-A INPUT --protocol udp --destination-port 80 -j ACCEPT
-A INPUT --protocol tcp --destination-port 123 -j ACCEPT
-A INPUT --protocol udp --destination-port 123 -j ACCEPT
-A INPUT --protocol tcp --destination-port 443 -j ACCEPT
-A INPUT --protocol udp --destination-port 443 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1194 -j ACCEPT
-A INPUT --protocol udp --destination-port 1194 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1812 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1813 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1814 -j ACCEPT
-A INPUT --protocol udp --destination-port 1812 -j ACCEPT
-A INPUT --protocol udp --destination-port 1813 -j ACCEPT
-A INPUT --protocol udp --destination-port 1814 -j ACCEPT
-A INPUT --protocol tcp --destination-port 1723 -j ACCEPT
-A INPUT --protocol udp --destination-port 1723 -j ACCEPT
-A INPUT --protocol tcp --destination-port 3128 -j ACCEPT
-A INPUT --in-interface lo -j bwmd
-A INPUT --protocol tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT --protocol udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j input_int
-A INPUT --in-interface eth1 -j input_int
-A INPUT --in-interface eth0 -j input_ext
-A INPUT -j DROP
-A FORWARD --protocol tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j forward_int
-A FORWARD --in-interface eth1 -j forward_int
-A FORWARD --in-interface eth0 -j forward_ext
-A FORWARD -j DROP
COMMIT
*nat
:POSTROUTING -
:PREROUTING -
-A POSTROUTING --out-interface eth0 -j MASQUERADE
-A PREROUTING -s 192.168.125.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

Sorry for this long mail!

One last question: once my firewall.xml works, I want to write a script to autostart bwmd when I have to reboot the PC. When I then start the bwm_tool with the script, will the iptables rules from firewall.xml be loaded automatically?

Best Regards

Ralph Buchmann

To: bwm...@li... bwm...@li... bwm...@li... Cc: nk...@lb... |
From: Rizwan S. <riz...@ho...> - 2005-04-14 10:03:39
|
Hi,

I have been recently trying out this tool for bandwidth management. I cannot seem to figure out how to get the rules right. I have an ftp server which is connected to the internet with a 1Mbps line. I want to limit all outgoing ftp traffic to 512Kbps because the rest of the traffic is needed for some HTTP traffic and normal user requests etc. I tried the following rules in firewall.xml and loaded "bwmd -c firewall.xml".

<firewall>
  <global>
    <modules>
      <load name="ip_queue"/>
    </modules>
    <class name="ftp_traffic_out">
      <address name="aftp_traffic_out" src="192.168.0.200" src-port="21"/>
    </class>
  </global>
  # Traffic flows
  <traffic>
    <flow name="mainline" stats-len="10" queue-size="1000" queue-len="100" max-rate="60000" burst-rate="70000" report-timeout="60">
      <flow name="my_ftp_out" max-rate="55000">
        <queue prio="50" nfmark="1001">
          ftp_traffic_out;
        </queue>
      </flow>
    </flow>
  </traffic>
</firewall>

Ok, what I understand from the above rules is that it should limit "ftp_traffic_out" type traffic to 55000 bytes ~= 55Kbytes/sec. But it does not work; instead ftp keeps using full bandwidth and no limitation happens. I should mention that I am using bwm tools only for traffic management; my system has its own firewall, i.e. SuSEFirewall2, which comes with SuSE. Please help me: am I doing it not right, or is it not the tool for my problem?

Thank you. |
From: Nigel K. <nk...@lb...> - 2005-04-12 16:49:38
|
Hi Guys,

This release is the combined result of over 1 year of development, it has since then been running production in our test environment and all bugs have been cleared up (hopefully). Seeing as no serious bugs or issues were reported with the last devel snapshot, I'm glad to release stable version 0.2.0.

Significant changes since the last stable release are as follows...

* Multiple compile fixes
* Various build fixes
* Extra checking in code for invalid specifications in XML config file
* Fixed bug in rate limiting code which allowed some flows to exceed their maximum allowed rate
* Error messages are now returned for invalid command line arguments
* More verbose error messages from reporting module
* Bug in datetime parser (in bwm_graph) has been fixed
* Generated iptables-restore file now has timestamp
* Added logging support to bwmd
* Usage of bwm_firewall has been changed, scripts will need to be updated!
* bwm_firewall now supports loading of firewall instead of user having to run iptables-restore manually
* bwm_graph usage options were changed, scripts will need to be updated! Some options removed, some added.
* DOCUMENTATION is now available!!
* bwm-tools can now build rrdtool and link against it all on its own, no need for system-wide rrdtool installation
* Fixed wrapping of nfmark value
* Required versions of libraries were fixed to reflect test results
* Bounds of prio were fixed
* Improved bandwidth limiting formula
* ECN support (needs testing)
* Added support for MASQUERADE target in NAT section

This project can be tracked using the freshmeat project page at http://freshmeat.net/projects/bwmtools, this site will always maintain the most up to date links with regards to project home page, mailing list, download links ... etc.

Plz report bugs to this mailing list.

Regards
Nigel |
From: Nigel K. <nk...@lb...> - 2005-04-06 13:47:33
|
Hi Guys, We've fixed a few bugs and released snapshot 200504060857, I would recommend upgrading (for testing purposes) as this will become version 0.2.0 if there are no objections or further bugs found. There have been a few changes in the usage of bwm_firewall, and lots of improvements into the bandwidth shaping algorithms. We've also added support for ECN (also needs testing if anyone uses this) and also a <masq> tag in the NAT section... all relevant documentation has been updated. The release can be found and monitored on: http://freshmeat.net/projects/bwmtools/ Kind Regards Nigel Kukard Author |
From: Nigel K. <nk...@lb...> - 2005-03-31 14:53:15
|
Yep, The Layer 7 filtering patches as far as I can see add the support to netfilter, BWM Tools uses netfilter for marking, matching and firewalling. Any netfilter match will work with BWM Tools. Regards Nigel Joel Merrick wrote: >Hi list :) > >Is it possible to use bwm-tools with layer 7 filtering patches >(available @ http://l7-filter.sf.net)? > >The L7 filters are basically inline reg exps. that classify the protocol >of the application layer data, based upon a chain of (say) 8 packets. >The packets are then MARKed as X protocol based upon the pattern match. > >Any help would be appreciated! >Joel > > > > |
From: Joel M. <jo...@se...> - 2005-03-31 09:04:11
|
Hi list :)

Is it possible to use bwm-tools with layer 7 filtering patches (available @ http://l7-filter.sf.net)?

The L7 filters are basically inline reg exps. that classify the protocol of the application layer data, based upon a chain of (say) 8 packets. The packets are then MARKed as X protocol based upon the pattern match.

Any help would be appreciated!
Joel

--
Joel Merrick |
From: Adam M. T. <ad...@co...> - 2005-03-24 16:16:06
|
Google,

That is exactly the explanation I've been looking for. Thank you. Don't worry about the sample script. I'm sure I can throw something together. Thanks again for your help. I can finally rest easy.

Adam

-----Original Message-----
From: go0ogl3 [mailto:go...@gm...]
Sent: Thursday, March 24, 2005 2:17 AM
To: Adam M. Towarnyckyj
Cc: bwm...@li...
Subject: Re: [bwm-tools-tech] Graphing Traffic

You can use the mark feature of the iptables (with bwm tools or without) to "number" the traffic which classifies as voip traffic. If you have so many clients you have to try and find the best rule to match the voip traffic without too much CPU usage.

For graphing with bwm you have to mark the voip packets, put them in a "flow" and graph that flow on a per user or per group basis.

If you don't want to graph with bwm then mark the voip packets with iptables and use a script which gets the bytes or the number of packets or both, something like this: "iptables -t mangle -nxvL FORWARD" and then use grep or sed or awk to "see" only those needed values. Then use mrtg to collect those data at 1-5 minutes and store them in a rrd database, then graph them.

I'm sorry I can't give you a sample script to do that because the output of iptables differs. It's a little of work to do for you but I think it's worth the time.

Google

On Wed, 23 Mar 2005 11:54:26 -0700, Adam M. Towarnyckyj <ad...@co...> wrote:
> I thought that the nfmark option was for shaping. I don't want to do any
> shaping of the packets. I just want to log and graph. I'm not sure if
> this is what you meant because I didn't investigate nfmark all that much
> and I'm still not quite sure what bwm_tools does. No offense to the
> creator, but the documentation is a bit sparse on this program. It does
> a great job of explaining how to use everything when you want to shape
> and integrate it with iptables, but there's nothing on just graphing.
>
> As for your other suggestions, I've looked everywhere for a tool that
> will allow me to track voip usage and graph it. Unfortunately, not many
> free programs can do this that I know of. Ipfm is for total usage and
> won't let me specify voip traffic. Mrtg and rrdtool only graph data you
> already have. I'd need to be able to pull that voip traffic from the
> network in order to use mrtg to graph it. I'm looking at bandwidthd but
> I fear it may have the same results as ntop did when I tried running it.
> It tries to do too much at one time and overloads. It doesn't help when
> a program tries writing the data, producing the web page, producing the
> png, and servicing web requests all at the same time; especially when
> I'm graphing traffic from over 5000 subscribers at one time.
> Thank you very much for the suggestions though. I'm going to investigate
> bandwidthd a bit further. If you could explain a little bit more on what
> you meant by using nfmark, that may help too. Like I said, still a bit
> lost on how bwm_tools works.
> Thanks for your time.
>
> Adam
>
> -----Original Message-----
> From: go0ogl3 [mailto:go...@gm...]
> Sent: Wednesday, March 23, 2005 11:18 AM
> To: Adam M. Towarnyckyj
> Cc: bwm...@li...
> Subject: Re: [bwm-tools-tech] Graphing Traffic
>
> I'm new to bwm but if you really want to use bwm tools to graph voip
> traffic, why don't u use the nfmark? You only have to mark the packets
> from the voip and shape them with bwm tools. This way you can also
> graph that voip traffic.
>
> As an alternate solution you can use ipfm, bandwidthd, mrtg+rrdtool
> or one of the many others.
>
> Google
>
> On Wed, 23 Mar 2005 10:46:55 -0700, Adam M. Towarnyckyj
> <ad...@co...> wrote:
> >
> > Thanks to all for your help in getting this up and running for me. Now I
> > have some technical questions involving the graphing portion. As stated in
> > an earlier post, I am trying to graph voip traffic over our network to see
> > what kind of usage we're running into. All I need is bandwidth usage in
> > bytes for any given time period. Nigel tells me this is possible. I set up
> > my config file as follows:
> >
> > <firewall>
> >   <global>
> >     <modules>
> >       <load name="ip_queue"/>
> >     </modules>
> >     <class name="voip_traffic">
> >       <address name="voip_dst" proto="udp" src-port="10000:20000" />
> >     </class>
> >   </global>
> >   <traffic>
> >     <flow name="voip_traffic_out" report-timeout="60">
> >       voip_traffic
> >     </flow>
> >   </traffic>
> > </firewall>
> >
> > Question one starts here. Is it ok for me to use the standard symbol for
> > specifying a range of ports like that? (10000:20000) If that's not correct,
> > is there another way to go about doing this? I'd rather not go through and
> > write an <address> for each port from 10000 to 20000. J
> >
> > Question two is "what am I doing wrong?" because this isn't working. "bwmd"
> > loads, but there is no output to any log files even though I have
> > "report-timeout" specified. I don't want to do any sort of limiting of this
> > traffic; I just want to log it.
> >
> > If you have any suggestions on what I can change to make this work, they'd
> > be very much appreciated. If I can't get bwm_tools to do what I'm looking
> > for, I have no other ideas on how to accomplish this. Thanks!
> >
> > Adam Towarnyckyj
>
|
From: go0ogl3 <go...@gm...> - 2005-03-24 09:17:19
|
You can use the mark feature of the iptables (with bwm tools or without) to "number" the traffic which classifies as voip traffic. If you have so many clients you have to try and find the best rule to match the voip traffic without too much CPU usage.

For graphing with bwm you have to mark the voip packets, put them in a "flow" and graph that flow on a per user or per group basis.

If you don't want to graph with bwm then mark the voip packets with iptables and use a script which gets the bytes or the number of packets or both, something like this: "iptables -t mangle -nxvL FORWARD" and then use grep or sed or awk to "see" only those needed values. Then use mrtg to collect those data at 1-5 minutes and store them in a rrd database, then graph them.

I'm sorry I can't give you a sample script to do that because the output of iptables differs. It's a little of work to do for you but I think it's worth the time.

Google

On Wed, 23 Mar 2005 11:54:26 -0700, Adam M. Towarnyckyj <ad...@co...> wrote:
> I thought that the nfmark option was for shaping. I don't want to do any
> shaping of the packets. I just want to log and graph. I'm not sure if
> this is what you meant because I didn't investigate nfmark all that much
> and I'm still not quite sure what bwm_tools does. No offense to the
> creator, but the documentation is a bit sparse on this program. It does
> a great job of explaining how to use everything when you want to shape
> and integrate it with iptables, but there's nothing on just graphing.
>
> As for your other suggestions, I've looked everywhere for a tool that
> will allow me to track voip usage and graph it. Unfortunately, not many
> free programs can do this that I know of. Ipfm is for total usage and
> won't let me specify voip traffic. Mrtg and rrdtool only graph data you
> already have. I'd need to be able to pull that voip traffic from the
> network in order to use mrtg to graph it. I'm looking at bandwidthd but
> I fear it may have the same results as ntop did when I tried running it.
> It tries to do too much at one time and overloads. It doesn't help when
> a program tries writing the data, producing the web page, producing the
> png, and servicing web requests all at the same time; especially when
> I'm graphing traffic from over 5000 subscribers at one time.
> Thank you very much for the suggestions though. I'm going to investigate
> bandwidthd a bit further. If you could explain a little bit more on what
> you meant by using nfmark, that may help too. Like I said, still a bit
> lost on how bwm_tools works.
> Thanks for your time.
>
> Adam
>
> -----Original Message-----
> From: go0ogl3 [mailto:go...@gm...]
> Sent: Wednesday, March 23, 2005 11:18 AM
> To: Adam M. Towarnyckyj
> Cc: bwm...@li...
> Subject: Re: [bwm-tools-tech] Graphing Traffic
>
> I'm new to bwm but if you really want to use bwm tools to graph voip
> traffic, why don't u use the nfmark? You only have to mark the packets
> from the voip and shape them with bwm tools. This way you can also
> graph that voip traffic.
>
> As an alternate solution you can use ipfm, bandwidthd, mrtg+rrdtool
> or one of the many others.
>
> Google
>
> On Wed, 23 Mar 2005 10:46:55 -0700, Adam M. Towarnyckyj
> <ad...@co...> wrote:
> >
> > Thanks to all for your help in getting this up and running for me. Now I
> > have some technical questions involving the graphing portion. As stated in
> > an earlier post, I am trying to graph voip traffic over our network to see
> > what kind of usage we're running into. All I need is bandwidth usage in
> > bytes for any given time period. Nigel tells me this is possible. I set up
> > my config file as follows:
> >
> > <firewall>
> >   <global>
> >     <modules>
> >       <load name="ip_queue"/>
> >     </modules>
> >     <class name="voip_traffic">
> >       <address name="voip_dst" proto="udp" src-port="10000:20000" />
> >     </class>
> >   </global>
> >   <traffic>
> >     <flow name="voip_traffic_out" report-timeout="60">
> >       voip_traffic
> >     </flow>
> >   </traffic>
> > </firewall>
> >
> > Question one starts here. Is it ok for me to use the standard symbol for
> > specifying a range of ports like that? (10000:20000) If that's not correct,
> > is there another way to go about doing this? I'd rather not go through and
> > write an <address> for each port from 10000 to 20000. J
> >
> > Question two is "what am I doing wrong?" because this isn't working. "bwmd"
> > loads, but there is no output to any log files even though I have
> > "report-timeout" specified. I don't want to do any sort of limiting of this
> > traffic; I just want to log it.
> >
> > If you have any suggestions on what I can change to make this work, they'd
> > be very much appreciated. If I can't get bwm_tools to do what I'm looking
> > for, I have no other ideas on how to accomplish this. Thanks!
> >
> > Adam Towarnyckyj
>
|
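The counter-scraping step described in the message above ("iptables -t mangle -nxvL FORWARD" filtered with awk), as an added example that is not part of the original thread. The sample listing, the marks 1001/1002 and the function names are constructed for illustration, and the parser assumes MARK rules are printed with a trailing "MARK set 0x..." as in the sample; adjust the match if your iptables prints them differently.

```shell
#!/bin/sh
# Added example: sum per-mark packet/byte counters from
#   iptables -t mangle -nxvL FORWARD
# so a collector (mrtg, rrdtool) can poll one number per traffic class.
# The values are cumulative counters; the grapher derives the rate.

# Constructed sample listing; rules, marks and counters are made up.
# Mark 0x3e9 (1001) is set by two rules and one counter exceeds 2^32.
sample_counters() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 48211 packets, 31250044 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9120 5123456789 MARK       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp spts:10000:20000 MARK set 0x3e9
    8804    1823400 MARK       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpts:10000:20000 MARK set 0x3e9
     312     402113 MARK       tcp  --  eth1   *       192.0.2.10           0.0.0.0/0            tcp spt:21 MARK set 0x3ea
      17       1020 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# mark_counters: read a listing on stdin and print one line per mark,
# "<mark-decimal> <packets> <bytes>", summed over all rules setting it.
# Returns 2 if a MARK rule has abbreviated counters (listing made
# without -x), because "5123M" cannot be summed exactly.
mark_counters() {
  _mc_out=$(awk '
    # Portable hex parser (strtonum is gawk-only).
    function hex2dec(h,   i, c, n) {
      h = tolower(h); sub(/^0x/, "", h); n = 0
      for (i = 1; i <= length(h); i++) {
        c = index("0123456789abcdef", substr(h, i, 1))
        if (c == 0) return -1
        n = n * 16 + (c - 1)
      }
      return n
    }
    $3 == "MARK" && ($1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/) {
      print "abbreviated counters, rerun iptables with -x" > "/dev/stderr"
      bad = 1
    }
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 == "MARK" {
      for (i = 4; i + 2 <= NF; i++)
        if ($i == "MARK" && $(i + 1) == "set") {
          m = hex2dec($(i + 2))
          if (m >= 0) { pk[m] += $1; by[m] += $2 }
        }
    }
    END {
      if (bad) exit 2
      # %.0f keeps counters above 2^31 intact on awks with 32-bit %d.
      for (m in pk) printf "%d %.0f %.0f\n", m, pk[m], by[m]
    }
  ') || return 2
  [ -n "$_mc_out" ] && printf '%s\n' "$_mc_out" | sort -n
  return 0
}

# bytes_for_mark MARK: print only the byte counter for one mark
# (0 if no rule sets it), the single value a poller would store.
bytes_for_mark() {
  _bm_out=$(mark_counters) || return 2
  printf '%s\n' "$_bm_out" |
    awk -v want="$1" '$1 == want { b = $3 } END { printf "%s\n", (b == "" ? 0 : b) }'
}

# Demo on the constructed sample. On a live router use instead:
#   iptables -t mangle -nxvL FORWARD | bytes_for_mark 1001
sample_counters | mark_counters
```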
From: Adam M. T. <ad...@co...> - 2005-03-23 18:54:30
|
I thought that the nfmark option was for shaping. I don't want to do any shaping of the packets. I just want to log and graph. I'm not sure if this is what you meant because I didn't investigate nfmark all that much and I'm still not quite sure what bwm_tools does. No offense to the creator, but the documentation is a bit sparse on this program. It does a great job of explaining how to use everything when you want to shape and integrate it with iptables, but there's nothing on just graphing.

As for your other suggestions, I've looked everywhere for a tool that will allow me to track voip usage and graph it. Unfortunately, not many free programs can do this that I know of. Ipfm is for total usage and won't let me specify voip traffic. Mrtg and rrdtool only graph data you already have. I'd need to be able to pull that voip traffic from the network in order to use mrtg to graph it. I'm looking at bandwidthd but I fear it may have the same results as ntop did when I tried running it. It tries to do too much at one time and overloads. It doesn't help when a program tries writing the data, producing the web page, producing the png, and servicing web requests all at the same time; especially when I'm graphing traffic from over 5000 subscribers at one time.

Thank you very much for the suggestions though. I'm going to investigate bandwidthd a bit further. If you could explain a little bit more on what you meant by using nfmark, that may help too. Like I said, still a bit lost on how bwm_tools works.

Thanks for your time.

Adam

-----Original Message-----
From: go0ogl3 [mailto:go...@gm...]
Sent: Wednesday, March 23, 2005 11:18 AM
To: Adam M. Towarnyckyj
Cc: bwm...@li...
Subject: Re: [bwm-tools-tech] Graphing Traffic

I'm new to bwm but if you really want to use bwm tools to graph voip traffic, why don't u use the nfmark? You only have to mark the packets from the voip and shape them with bwm tools. This way you can also graph that voip traffic.

As an alternate solution you can use ipfm, bandwidthd, mrtg+rrdtool or one of the many others.

Google

On Wed, 23 Mar 2005 10:46:55 -0700, Adam M. Towarnyckyj <ad...@co...> wrote:
>
> Thanks to all for your help in getting this up and running for me. Now I
> have some technical questions involving the graphing portion. As stated in
> an earlier post, I am trying to graph voip traffic over our network to see
> what kind of usage we're running into. All I need is bandwidth usage in
> bytes for any given time period. Nigel tells me this is possible. I set up
> my config file as follows:
>
> <firewall>
>   <global>
>     <modules>
>       <load name="ip_queue"/>
>     </modules>
>     <class name="voip_traffic">
>       <address name="voip_dst" proto="udp" src-port="10000:20000" />
>     </class>
>   </global>
>   <traffic>
>     <flow name="voip_traffic_out" report-timeout="60">
>       voip_traffic
>     </flow>
>   </traffic>
> </firewall>
>
> Question one starts here. Is it ok for me to use the standard symbol for
> specifying a range of ports like that? (10000:20000) If that's not correct,
> is there another way to go about doing this? I'd rather not go through and
> write an <address> for each port from 10000 to 20000. J
>
> Question two is "what am I doing wrong?" because this isn't working. "bwmd"
> loads, but there is no output to any log files even though I have
> "report-timeout" specified. I don't want to do any sort of limiting of this
> traffic; I just want to log it.
>
> If you have any suggestions on what I can change to make this work, they'd
> be very much appreciated. If I can't get bwm_tools to do what I'm looking
> for, I have no other ideas on how to accomplish this. Thanks!
>
> Adam Towarnyckyj
|
From: go0ogl3 <go...@gm...> - 2005-03-23 18:18:32
|
I'm new to bwm but if you really want to use bwm tools to graph voip traffic, why don't u use the nfmark? You only have to mark the packets from the voip and shape them with bwm tools. This way you can also graph that voip traffic. As an alternate solution you can use ipfm, bandwidthd, mrtg+rrdtool or one of the many others. Google On Wed, 23 Mar 2005 10:46:55 -0700, Adam M. Towarnyckyj <ad...@co...> wrote: > > > Thanks to all for your help in getting this up and running for me. Now I > have some technical questions involving the graphing portion. As stated in > an earlier post, I am trying to graph voip traffic over our network to see > what kind of usage we're running into. All I need is bandwidth usage in > bytes for any given time period. Nigel tells me this is possible. I set up > my config file as follows: > > > > <firewall> > > <global> > > <modules> > > <load name="ip_queue"/> > > </modules> > > <class name="voip_traffic"> > > <address name="voip_dst" proto="udp" src-port="10000:20000" /> > > </class> > > </global> > > <traffic> > > <flow name="voip_traffic_out" report-timeout="60"> > > voip_traffic > > </flow> > > </traffic> > > </firewall> > > > > Question one starts here. Is it ok for me to use the standard symbol for > specifying a range of ports like that? (10000:20000) If that's not correct, > is there another way to go about doing this? I'd rather not go through and > write an <address> for each port from 10000 to 20000. J > > Question two is "what am I doing wrong?" because this isn't working. "bwmd" > loads, but there is no output to any log files even though I have > "report-timeout" specified. I don't want to do any sort of limiting of this > traffic; I just want to log it. > > > > If you have any suggestions on what I can change to make this work, they'd > be very much appreciated. If I can't get bwm_tools to do what I'm looking > for, I have no other ideas on how to accomplish this. Thanks! > > > > Adam Towarnyckyj |