[Firehol-support] FireQoS and owner match.

Tsaousis, Costa costa at tsaousis.gr
Mon Jan 12 22:42:03 GMT 2015


Hi,

This may work, but only for outgoing traffic and only if the rsync
process runs on the localhost. Incoming traffic cannot be classified
by this.

What you need to do is this:

1. at the top of firehol add this

mark 1 OUTPUT user "rsyncuser"

This says: mark with 1 all packets sent by the localhost, from all
processes owned by user rsyncuser.

However, since rsync will just give the traffic to ssh which will send
the traffic to the remote host, make sure the ssh process runs under
the same username. If ssh is running with a different user, this user
will be the one sending the traffic and this user has to be matched.

Keep in mind that ALL TRAFFIC from this user will get this mark. Not only rsync.

2. at fireqos at the class you want to put rsync, add this:

match mark 1 prio 1

This says: put in this class all packets marked with 1, and do this
first, before anything else.

This may or may not work. It should as I see it.

There is a simpler way though:

1. redirect traffic from port 23 to port 22, using a redirect rule in
firehol (redirect for localhost, dnat for remote hosts).

redirect to 22 proto tcp dport 23

2. match port 23 in fireqos to the proper low-priority class.

match tcp sport 23 # for output
match tcp dport 23 # for input

3. make rsync client copy files using ssh on port 23.

This will work both ways and will do it even if rsync is running on a
host other than the firewall (just dnat instead of redirect in
firehol). You will also be able to choose if you want low-speed or
high-speed ssh, by sshing to the proper port.

Costa


On Tue, Jan 13, 2015 at 12:02 AM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Is it possible to use owner match to classify outgoing traffic?
> Like this:
> http://linuxpoison.blogspot.fi/2010/11/how-to-limit-network-access-by-user.html
>
> What I want to do is that I use rsyncrypto to make a backup to one server on
> the net. This will eat all of my bandwidth because traffic goes over an ssh
> link and ssh is one of the top priority traffic. Now I want some way to check, if
> the process is rsyncrypto then move its traffic as low as possible.
>
> Tommi
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
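The two recipes in the reply above, as an added example that is not part of the original thread or of FireHOL's own code: a dry-run POSIX shell script that prints the raw iptables and tc rules the `mark 1 OUTPUT user "rsyncuser"` / `match mark 1` lines and the `redirect to 22 proto tcp dport 23` / `match tcp sport|dport 23` lines correspond to. It is written from the point of view of the box running FireHOL and sshd (the side whose port 23 is redirected), and it shows why the owner match only reaches outgoing packets: the kernel's owner match exists only in the OUTPUT and POSTROUTING chains. The interface names eth0/ifb0, the class id 1:30, the user rsyncuser and the host 192.0.2.10 are assumptions; the script prints commands instead of applying them, so it runs anywhere and can be piped to sh on the firewall.

```shell
#!/bin/sh
# Added example (not FireHOL/FireQOS output): raw iptables/tc equivalents of
# the "mark by owner" and "redirect port 23 to 22" recipes. Dry run: it only
# prints the commands. All names below are assumptions for the demo.

DEV="${DEV:-eth0}"                  # egress interface carrying the ssh traffic
IFB="${IFB:-ifb0}"                  # ingress-shaping device (FireQOS uses ifb for input)
SLOW_CLASS="${SLOW_CLASS:-1:30}"    # the low-priority class defined in fireqos.conf

# Recipe 1: mark by owning user.
# 'mark 1 OUTPUT user "rsyncuser"' in firehol.conf becomes an owner match in
# the mangle OUTPUT chain; 'match mark 1 prio 1' in fireqos.conf becomes an
# fw filter keyed on that mark. The owner match only exists for locally
# generated packets, so replies arriving on the wire are never marked and
# the ingress side stays unclassified (the caveat in the reply).
owner_mark_rules() {
    user="$1"; mark="$2"
    printf '%s\n' \
      "iptables -t mangle -A OUTPUT -m owner --uid-owner $user -j MARK --set-mark $mark" \
      "tc filter add dev $DEV parent 1: protocol ip prio 1 handle $mark fw classid $SLOW_CLASS"
}

# Recipe 2: a throwaway port.
# Port 23 is what the client dials; netfilter rewrites it to 22 in PREROUTING
# (before the packet is delivered to sshd), so sshd never sees 23. Because the
# ingress qdisc runs before netfilter and the reply is un-NATed before the
# egress qdisc, the shaper sees port 23 in both directions: dport 23 on
# input, sport 23 on the replies.
port_redirect_rules() {
    port="$1"; target_host="$2"
    if [ "$target_host" = "localhost" ]; then
        # 'redirect to 22 proto tcp dport 23' (sshd runs on the firewall itself)
        printf '%s\n' \
          "iptables -t nat -A PREROUTING -p tcp --dport $port -j REDIRECT --to-ports 22"
    else
        # 'dnat to <host>:22 proto tcp dport 23' (sshd runs on a host behind the firewall)
        printf '%s\n' \
          "iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $target_host:22"
    fi
    # u32 filters: IP protocol 6 (TCP), then the 16-bit port field
    printf '%s\n' \
      "tc filter add dev $DEV parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip sport $port 0xffff flowid $SLOW_CLASS" \
      "tc filter add dev $IFB parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip dport $port 0xffff flowid $SLOW_CLASS"
}

# Client side: nothing to configure in the firewall, just dial the slow port.
# rsync passes "-p <port>" to ssh via -e; the same host on port 22 stays fast.
rsync_over_slow_port() {
    printf 'rsync -a -e "ssh -p %s" %s %s\n' "$1" "$2" "$3"
}

echo "# --- recipe 1: mark traffic of user rsyncuser (output only) ---"
owner_mark_rules rsyncuser 1
echo "# --- recipe 2: port 23 -> 22, shaped both ways ---"
port_redirect_rules 23 localhost
echo "# --- same, sshd on a host behind the firewall ---"
port_redirect_rules 23 192.0.2.10
echo "# --- client command ---"
rsync_over_slow_port 23 /srv/backup backup@192.0.2.10:/backup
```

Running the script prints the rule set; on the firewall, `sh script.sh | sh` applies it. Note that only recipe 2 produces a filter for the ingress device, which is the practical reason the reply calls it the simpler way.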
