[Firehol-support] FireQoS and owner match.

Tsaousis, Costa costa at tsaousis.gr
Sun Feb 15 20:34:49 CET 2015


Good to know. Thanks.

Just posted back your message to the list, so others can benefit from it too.

Costa


On Sun, Feb 15, 2015 at 5:15 PM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Hello,
>
> I tried that first approach and it's working nicely:
>
>
>
> ion temp # cat /etc/firehol/firehol.conf
> #
> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
> #
> # This configuration file will allow all requests originating from the
> # local machine to be send through all network interfaces.
> #
> # No requests are allowed to come from the network. The host will be
> # completely stealthed! It will not respond to anything, and it will
> # not be pingable, although it will be able to originate anything
> # (even pings to other hosts).
> #
>
> version 5
>
> mark            10      OUTPUT user "rsyncrypto"
> transparent_proxy 80    8087 "polipo privoxy root" inface eth1 src 10.10.10.0/24
>
>
> interface "eth0" world
>         policy  reject
>         protection              strong  10/sec  10
>         server  ident           reject  with tcp-reset
>         server  http            accept
>         server  https           accept
> #       server  ssh             accept
>         server  icmp            accept
>         server  dns             accept
>         server  samba           drop
>         server  multicast       drop
>         client  all             accept
>
> interface "eth1" internal
>         policy  accept
> #        protection              strong  10/sec  10
>         server  ident           reject  with tcp-reset
>
>         client  all             accept
>
>
> router tun_nat  inface "eth0" outface "eth1"
>         route   ident           reject with tcp-reset
>         server  ident           reject with tcp-reset
>         masquerade              reverse
>         client  all             accept
>
>
>
> and
>
> ion temp # cat /etc/firehol/fireqos.conf
> # https://github.com/ktsaou/firehol/wiki/FireQOS-Tutorial
> #From modem
> #Upstream 947 (Kbps.)
> #Downstream 15340 (Kbps.)
>
> DEVICE=eth0
> #INPUT_SPEED=14000kbit
> OUTPUT_SPEED=880kbit #920 correct?
> LINKTYPE="adsl remote bridged-llc mtu 1446"
>
> #interface $DEVICE world-in input rate $INPUT_SPEED $LINKTYPE
> interface $DEVICE world-out output rate $OUTPUT_SPEED $LINKTYPE # balanced
> #   class voip
> #      match mark 10 prio 90
>
>    class interactive
>       match udp port 53             # <<< DNS
>       match tcp port 22             # <<< SSH
>       match icmp                    # <<< ping
>
> #   class vpns
>    class surfing
>         match tcp dports 0:1023
>
>    class synacks                       # <<< the new synacks class
>       match tcp syn                    # <<< TCP packets with SYN set
>       match tcp ack                    # <<< small TCP packets with ACK set
>
>    class default
>
>    class torrents
>       match sports 6881:6999           # <<< official torrent ports
>       match sport 51414 prio 1         # <<< my torrent client
>       match sports 16384:65535 dports 16384:65535 # <<< my trick to match torrents
>       match mark 0xc prio 2
>
>    class rsyncrypto
> #      match mark 10 prio 0
>       match mark 0xa prio 2
>
>
> Tommi.
>
>
>
>
> On 13.1.2015 0:42, Tsaousis, Costa wrote:
>>
>> Hi,
>>
>> This may work, but only for outgoing traffic and only if the rsync
>> process runs on the localhost. Incoming traffic cannot be classified
>> by this.
>>
>> What you need to do is this:
>>
>> 1. at the top of firehol add this
>>
>> mark 1 OUTPUT user "rsyncuser"
>>
>> This says: mark with 1 all packets sent by the localhost, from all
>> processes owned by user rsyncuser.
>>
>> However, since rsync will just give the traffic to ssh which will send
>> the traffic to the remote host, make sure the ssh process runs under
>> the same username. If ssh is running with a different user, this user
>> will be the one sending the traffic and this user has to be matched.
>>
>> Keep in mind that ALL TRAFFIC from this user will get this mark. Not only
>> rsync.
>>
>> 2. at fireqos at the class you want to put rsync, add this:
>>
>> match mark 1 prio 1
>>
>> This says: put in this class all packets marked with 1, and do this
>> first, before anything else.
>>
>> This may or may not work. It should as I see it.
>>
>> There is a simpler way though:
>>
>> 1. redirect traffic from port 23 to port 22, using a redirect rule in
>> firehol (redirect for localhost, dnat for remote hosts).
>>
>> redirect to 22 proto tcp dport 23
>>
>> 2. match port 23 in fireqos to the proper low-priority class.
>>
>> match tcp sport 23 # for output
>> match tcp dport 23 # for input
>>
>> 3. make rsync client copy files using ssh on port 23.
>>
>> This will work both ways and will do it even if rsync is running on a
>> host other than the firewall (just dnat instead of redirect in
>> firehol). You will also be able to choose if you want low-speed or
>> high-speed ssh, by sshing to the proper port.
>>
>> Costa
>>
>>
>> On Tue, Jan 13, 2015 at 12:02 AM, Tommi Lundell <tommi.lundell at kapsi.fi>
>> wrote:
>>>
>>> Is it possible to use owner match to classify outgoing traffic?
>>> Like this:
>>>
>>> http://linuxpoison.blogspot.fi/2010/11/how-to-limit-network-access-by-user.html
>>>
>>> What I want to do is use rsyncrypto to make a backup to one server on
>>> the net. This will eat all of my bandwidth because the traffic goes over an ssh
>>> link and ssh is one of the top priority traffic. Now I want some way to check
>>> if the process is rsyncrypto and then move its traffic as low as possible.
>>>
>>> Tommi
>>>
>>>
>>> _______________________________________________
>>> Firehol-support mailing list
>>> Firehol-support at lists.firehol.org
>>> http://lists.firehol.org/mailman/listinfo/firehol-support
>
>
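As an added check, not part of this thread or of FireHOL/FireQOS itself: the script below cross-references the owner-based MARK rules that a `mark N OUTPUT user "..."` line installs with the fw filters FireQOS installs on the egress device, so a mark that is set but never lands in a class (for example a decimal/hex mix-up between 10 and 0xa, or a mark with no `match mark` line) is reported. The `iptables-save` and `tc filter show` lines are constructed samples, and uid 1001 for the rsyncrypto user is an assumption.

```python
import re

# Constructed sample of `iptables-save -t mangle` output for the setup in the
# thread: `mark 10 OUTPUT user "rsyncrypto"` becomes an owner match (uid 1001
# assumed) that sets fwmark 10, which iptables prints as 0xa. The uid 1002 rule
# with mark 0xb is a constructed "marked but never classified" case.
MANGLE_SAMPLE = """\
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 1001 -j MARK --set-xmark 0xa/0xffffffff
-A OUTPUT -m owner --uid-owner 1002 -j MARK --set-xmark 0xb/0xffffffff
COMMIT
"""

# Constructed sample of `tc filter show dev eth0`: fw filters keyed by handle
# (the fwmark) pointing at the class id FireQOS created for each class.
TC_SAMPLE = """\
filter parent 1: protocol ip pref 10 fw chain 0 handle 0xc classid 1:16
filter parent 1: protocol ip pref 10 fw chain 0 handle 0xa classid 1:17
"""

OWNER_MARK = re.compile(
    r"^-A OUTPUT .*--uid-owner (\S+) .*-j MARK --set-(?:x)?mark (0x[0-9a-f]+|\d+)")
FW_FILTER = re.compile(r"\bfw\b.*\bhandle (0x[0-9a-f]+|\d+) classid (\S+)")


def owner_marks(mangle_text):
    """Return {uid: fwmark} for every owner-based MARK rule in the OUTPUT chain."""
    marks = {}
    for line in mangle_text.splitlines():
        m = OWNER_MARK.match(line)
        if m:
            marks[m.group(1)] = int(m.group(2), 0)  # base 0 accepts both 0xa and 10
    return marks


def fw_classes(tc_text):
    """Return {fwmark: classid} for every fw filter tc reports on the device."""
    classes = {}
    for line in tc_text.splitlines():
        m = FW_FILTER.search(line)
        if m:
            classes[int(m.group(1), 0)] = m.group(2)
    return classes


def audit(mangle_text, tc_text):
    """Per marking uid, the class its mark is steered into, or None if no filter matches it."""
    classes = fw_classes(tc_text)
    return {uid: classes.get(mark) for uid, mark in owner_marks(mangle_text).items()}
```

Remember that, as the thread notes, every packet from the matched uid carries the mark, so a uid that maps to a low-priority class throttles all of that user's outgoing traffic, not just rsync.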

