[Shorewall-users] Bandwith Control with a firewall/bridge

Miguel Ángel Domínguez Durán mdominguez at cherrytel.com
Wed Feb 16 01:59:14 PST 2005


>Miguel Ángel Domínguez Durán wrote:
>> Hello again,
>> First, excuse me for my poor English.
>> I'm trying now to make bandwidth control in a firewall machine running
>> Shorewall. This machine is also a bridge using bridge-utils and
>> bridge-utils-devel. It is a Mandrake 10. The configuration is something
>> like this:
>>
>> FTP/Webserver ------|   eth0                                    eth1
>> Mailserver -------------|------BRIDGE/FIREWALL------Router-----Internet
>> DB App. server -------|
>>
>> I have installed iproute2 and all kernel options needed. I have stated
>> TC_ENABLED = Yes and copied my own script in the tcstart file so
>> shorewall should run it when it gets restarted. I don't get any errors
>> when the script is executed, but all the packets go through the default
>> queue in uplink and downlink when I analyze the queues using .
>> I use the following script to start the bridge:

>This is really off-topic but you cannot use -i and -o in a bridged
>environment in your iptables rules (why aren't you using the tcrules
>file to mark your packets??? that way, the correct rules would get
>generated).

>You must use "-m physdev --physdev-{in|out}"

I've used the tcrules to mark the packets and removed the iptables commands
in the tcstart script. When I restarted shorewall everything seemed to be
working ok, but a few minutes later the machine hung!!!
The tcrules file is:

##############################################################################
#MARK   SOURCE                                      DEST                                        PROTO
20      0.0.0.0/0                                   213.9.139.30,213.9.139.31,213.9.139.32      all
21      0.0.0.0/0                                   213.9.139.22,213.9.139.71                   all
22      0.0.0.0/0                                   213.9.139.25                                all
23      0.0.0.0/0                                   213.9.139.24                                all

70      213.9.139.30,213.9.139.31,213.9.139.32      0.0.0.0/0                                   all
71      213.9.139.22,213.9.139.71                   0.0.0.0/0                                   all
72      213.9.139.25                                0.0.0.0/0                                   all
73      213.9.139.24                                0.0.0.0/0                                   all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The rest of the fields that don't appear are left blank.

What could be wrong?

Thanks

Best regards

Miguel Ángel Domínguez Durán.
Technical Department.
Cherrytel Comunicaciones, S.L.
mdominguez at cherrytel.com
http://www.cherrytel.com/
Tlf. 902 115 673
Fax 952218170 
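The reply in this thread makes two points: on a bridge, packet-marking rules cannot use -i/-o and must match with "-m physdev --physdev-{in|out}", and the tcrules file is the place to describe the marks so the correct rules get generated. The script below is an added illustration and is not from this thread nor from Shorewall's own rule generator: it reads a table in the tcrules format quoted above and prints the equivalent iptables mangle rules written with physdev matches, so the rules Shorewall is expected to produce can be compared against what is actually loaded. It assumes, from the ASCII diagram, that eth0 is the bridge port facing the servers and eth1 the port facing the router, and that a SOURCE of 0.0.0.0/0 means traffic entering from the router side; the sample table is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): translate a
# Shorewall tcrules table into iptables mangle rules that are valid on a
# bridge, using "-m physdev --physdev-in" instead of -i/-o.
# Assumptions (not stated in the thread): eth0 faces the servers, eth1 faces
# the router, and SOURCE 0.0.0.0/0 means the packet enters on the router port.

SERVER_IF=eth0   # assumed: bridge port towards FTP/web/mail/DB servers
ROUTER_IF=eth1   # assumed: bridge port towards the router

# Constructed sample in the tcrules format quoted in the post:
# MARK SOURCE DEST PROTO (remaining columns left blank).
TCRULES_SAMPLE='
#MARK SOURCE DEST PROTO
20 0.0.0.0/0 213.9.139.30,213.9.139.31,213.9.139.32 all
21 0.0.0.0/0 213.9.139.22,213.9.139.71 all
70 213.9.139.30,213.9.139.31,213.9.139.32 0.0.0.0/0 all
72 213.9.139.25 0.0.0.0/0 tcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
'

# Read tcrules lines on stdin and print one iptables command per
# (mark, source, dest) triple. Nothing is executed here: review the output
# before piping it to sh on the firewall.
tcrules_to_iptables() {
    while read -r mark src dst proto _rest; do
        # skip blank lines and comments (including the LAST LINE marker)
        case "$mark" in ''|\#*) continue ;; esac
        # "all" (or "-" / empty) means no protocol match in tcrules
        case "$proto" in ''|all|-) pmatch='' ;; *) pmatch="-p $proto" ;; esac
        # traffic from "anywhere" enters on the router port, otherwise on
        # the server port (assumption derived from the diagram)
        if [ "$src" = "0.0.0.0/0" ]; then inif=$ROUTER_IF; else inif=$SERVER_IF; fi
        cmd="iptables -t mangle -A PREROUTING -m physdev --physdev-in $inif"
        if [ -n "$pmatch" ]; then cmd="$cmd $pmatch"; fi
        # comma-separated address lists become one rule per source/dest pair
        for s in $(printf '%s' "$src" | tr ',' ' '); do
            for d in $(printf '%s' "$dst" | tr ',' ' '); do
                printf '%s -s %s -d %s -j MARK --set-mark %s\n' \
                    "$cmd" "$s" "$d" "$mark"
            done
        done
    done
}

# Number of rules generated for a given mark (handy for checking that the
# expanded rule count matches the address lists in the table).
rules_for_mark() {
    printf '%s\n' "$TCRULES_SAMPLE" | tcrules_to_iptables | grep -c -- "--set-mark $1\$"
}

# Stand-alone run: show the rules the sample table expands to.
printf '%s\n' "$TCRULES_SAMPLE" | tcrules_to_iptables
```

Comparing this output with `iptables -t mangle -L PREROUTING -v` after a Shorewall restart shows whether the generated rules carry physdev matches at all; rules that still reference -i/-o never match on a bridge, which is consistent with every packet falling into the default queue.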


