Example 1.
All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 and eth3 should be marked with 2. All packets originating on the firewall itself should be marked with 3.
#MARK SOURCE DESTINATION PROTO PORT(S) SOURCE PORT(S) USER/GROUP TEST
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
3 fw 0.0.0.0/0 all
Example 2.
All GRE (protocol 47) packets not originating on the firewall and destined for 155.186.235.151 should be marked with 12.
#MARK SOURCE DESTINATION PROTO PORT(S) SOURCE PORT(S) USER/GROUP TEST
12 0.0.0.0/0 155.182.235.151 47
Example 3.
All SSH packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.
#MARK SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) USER/GROUP TEST
22 192.168.1.0/24 155.182.235.151 tcp 22
My Current Setup
I am currently using the HTB version of The Wonder Shaper (I just copied wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper README). WonderShaper DOES NOT USE THE /etc/shorewall/tcrules file.
My Old Setup
I have also run with the following set of hand-crafted rules in my /etc/shorewall/tcstart file.
run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k
echo “ Added Top Level Class -- rate 384kbit”
run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
echo “ Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit”
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
echo “ Enabled PFIFO on Second Level Classes”
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
echo “ Defined fwmark filters”
My tcrules file that went with this tcstart file is shown in Example 1 above. When I was using these rules:
1.
I wanted to allow up to 140kbits/second for traffic outbound from my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ traffic can use all available bandwidth if there is no traffic from the local systems or from my laptop or firewall).
2.
My laptop (which at that time connected via eth3) and local systems (eth2) could use up to 224kbits/second.
3.
My firewall could use up to 20kbits/second.