Re: iptables mark qos
From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 08/22/04
- Previous message: P Gentry: "Re: Need VPN Firewall security advice"
- In reply to: moritz gartenmeister: "Re: iptables mark qos"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 22 Aug 2004 11:42:35 -0700
moritz@uplink-verein.ch (moritz gartenmeister) wrote in message news:<25d255b5.0408210549.2038d2cc@posting.google.com>...
[snip]
> hope this gives some light.
> moritz
Much light indeed !
Just a few items ...
"AdminNIC, Server1, LoggerServer all connected to a switch (also the
FireWallServer)." Like this ....
--[LAN1]---\
/--- Company
[FireWallServer]---+------------+------------[Gateway/NAT]
--[LAN2]---/ | (eth0) | [swt] | [swt]
\--- WWW
AdminNIC Sever1 LoggerServer
or like this ....? Still a bit confused, but does it matter?
--[LAN1]---\
/--- Company
[FireWallServer]---------------[Gateway/NAT]
--[LAN2]---/ |
\--- WWW
|(eth0)
|
----------------
| [switch] |
----------------
| | |
AdminNIC Sever1 LoggerServer
When you say you want to limit incoming WWW traffic, I assume you mean
replies (eg., downloads) to LANx originated requests. Are you
concerned with outgoing traffic from web/ftp servers?
Anyway, we've (I have) hit a wall due to lack of production experience
using linux as a bridge -- just exploring to let kids at school get
some hands-on, nothing as sophisticated as your setup. Your best bet
is probably lartc and netfilter mailing lists or go here to search
some archives (bottom of page):
http://www.linuxguruz.com/iptables/
While snooping did find mixed posts re: fwmark and filtering -- some
said it worked OK, others gave up. Those that "fixed it" seemed to
have to get the right combnation of patch versions installed/compiled.
Eg,:
http://mailman.ds9a.nl/pipermail/lartc/2003q2/008744.html
A couple of posts indicated marking/filtering _both_ in FORWARD ... ?
Others that fwmark was simply not available :-(
Between running a Linux OS with promisc nics and this kernel
maintainence, I just can't develop much interest in Linux bridging --
yours probably as good an argument/need as I've seen. Even then, if
it was me I would find a way to use a router ;-)
Except for the logging -- any way to do it on the LANx side? -- if I
understand your concerns, it would seem to me to be better to place
the tc queues/filters on the _downstream_ side, ie., the LANx
interfaces. Here's my reasoning:
-- you're already rate limited at GW, probably by dropping packets
(that's usually the only way to get the source to back off)
-- if you implement ingress policing, you will drop packets also --
packets that have already been passed by GW -- which will cause more
re-transmits, etc, and "duplicate" traffic with increased latency
-- ingress policing is rather crude since it provides no
buffering/delay conditioning
-- egress shaping is much better at providing varied service levels
for different classes of traffic (and can incorporate policers if
needed) and can offer the LANx clients a more consistent
bandwidth/load pattern with buffers and shared bandwidth
-- would allow you to employ iptables/tc on Sever1 directly if you
need to without having to filter/shape/police its traffic on
FireWallServer
How this might affect your logging I don't know. Your idea of
"dropping" clients (because their too greedy?) seems pretty draconian
to me. That's one of the things that "fair" queueing disciplines are
meant to address.
Since so much of what you want to do is MAC oriented, why not check
out ebtables and see what it offers for your situation -- it works at
the MAC (data link) layer.
Sorry I couldn't be of more useful help. FWIW, your
reasoning/approach (while different from mine) seems reasonable except
as noted above. Wish I could offer you more bridging experience to
work off of.
good luck (and maybe post your results?),
prg
email above disabled
- Previous message: P Gentry: "Re: Need VPN Firewall security advice"
- In reply to: moritz gartenmeister: "Re: iptables mark qos"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
