Yes, thanks for the idea. The reason I did not think of implementing this is that I cannot see how it would help: the data has already passed the bottleneck with no particular qos with regard to interactive sessions, which should mean, if I did egress on the fw's internal interface, that the ssh/telnet data would come in bursts from the fw to the host. What I mean is this, I will try to illustrate it (this is if the egress on the fw would be implemented):

data (most bulk traffic, some interactive session too) from the isp -> fw (buffer the bulk traffic, prioritize the session traffic) -> router and lan

This in turn would mean that after sending the session traffic the fw would send the bulk traffic in its buffer. Meanwhile the fw has received additional session and bulk traffic, and so on. Maybe I'm missing something here?

thanks,
tomas

On Thu, Feb 06, 2003 at 09:55:37AM +0100, Rob Rankin wrote:
> Stick an egress filter on the LAN side of the firewall, and use it to
> control the *inbound* data from your ISP (downloads pass through the
> firewall and become *outbound* traffic on the LAN side / interface).
>
> Old style Ingress filtering in Linux is horrible. It's a blanket rule
> stating "if the bw gets above X, drop packets" with no real filtering
> capability.
>
> Using an egress filter on the opposite side of the firewall from the
> traffic flow does actually work, although I'm not entirely sure it's a
> "supported" configuration. For what it's worth, I have it set up exactly
> as I am suggesting on my firewalls, and it does actually work. Peak
> downloads are slowed down, interactive sessions do get higher priority,
> etc.
>
> The other alternative would be to use the IMQ logical network device,
> which allows the use of HTB for both ingress and egress filtering. I
> plan on moving to this type of setup as soon as I have a maintenance
> window long enough to drop the firewalls and bring them up to date with
> the new tools / patches necessary.
>
> Cheers, hope this was of some help.
>
> On Wed, 2003-02-05 at 22:28, Tomas Bonnedahl wrote:
> > Well, if tcp throttles down at the point where packets are dropped that is of course good, but still, when a download is peaking at the maximum speed
> > minus a couple kbits, the delay is terrible, that's what I want to change. Any idea?
> >
> > regards,
> >
> > tomas bonnedahl
> >
> > On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
> > > On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
> > > > To get the most out of qos in general, would the best thing be to set up qos on
> > > > both ends of a bottleneck with both ingress and egress filtering? The
> > > > reason for asking is because we have a 2mbit connection with egress
> > > > filtering qos; the problem is that we experience mostly downloads compared to
> > > > uploads and therefore the egress filtering doesn't provide much help.
> > > >
> > > > What we could do is to get ingress filtering on our side here, but I don't
> > > > know how much that would help really, the data has already passed the
> > > > bottleneck in the path. So, my question, would I experience any different
> > > > delay if adding ingress filtering?
> > > Yes. A tcp connection will throttle down if you drop packets. But this is
> > > not the same as egress shaping.
> > >
> > > > It is a 2mbit fiber stub network which looks pretty much like this:
> > > >
> > > > lan - router - fw - isp - internet
> > > >
> > > > The egress qos is at the moment at the router which pretty much says
> > > > "prioritize interactive sessions".
> > > >
> > > > Since the filtering for qos is rather simple, just telnet/ssh to a certain
> > > > host, should I contact my isp and ask them to set some egress qos going to
> > > > our network on the cisco router that is at their place? btw, anyone know
> > > > how good the qos is on cisco 2600?
> > > I have no idea how the qos works on cisco routers.
> > > Just give it a try and see what happens.
> > >
> > > Stef
> > >
> > > --
> > > stef.coene@docum.org
> > > "Using Linux as bandwidth manager"
> > > http://www.docum.org/
> > > #lartc @ irc.oftc.net
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> --
> Rob Rankin
> mahhy@undertow.ca
> http://undertow.ca
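The setup Rob describes, egress HTB on the firewall's LAN-side interface that queues inbound downloads and serves ssh/telnet first, as an added example that is not from the thread or from either poster. It assumes the LAN-side interface name and a ceiling in kbit (a little below the 2mbit link, so the standing queue builds in this HTB tree rather than at the ISP) are given as arguments, and a DRY_RUN switch that prints the tc commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: egress HTB on the firewall's LAN-side
# interface, so downloads that already crossed the 2mbit link are queued and
# reordered here before they reach router and LAN. Assumptions: DEV is the
# LAN-side interface, RATE_KBIT is slightly below the ISP rate, and
# DRY_RUN=1 only prints the tc commands (otherwise tc is run as root).

# Wrapper so the same script can be inspected without touching a live box.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# shape_lan DEV RATE_KBIT
# A ceiling below the link rate is the whole trick: TCP senders back off to
# it, so the standing queue forms in this HTB tree (where class 1:10 is
# dequeued first) instead of at the ISP's router, where we have no control.
shape_lan() {
    dev=$1
    total=$2
    inter=$((total / 10))          # guaranteed share for interactive traffic
    bulk=$((total - inter))        # everything else
    run qdisc del dev "$dev" root 2>/dev/null || true
    run qdisc add dev "$dev" root handle 1: htb default 20
    run class add dev "$dev" parent 1: classid 1:1 htb rate "${total}kbit" ceil "${total}kbit"
    # prio 0 is served before prio 1; both classes may borrow up to the ceiling
    run class add dev "$dev" parent 1:1 classid 1:10 htb rate "${inter}kbit" ceil "${total}kbit" prio 0
    run class add dev "$dev" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${total}kbit" prio 1
    # SFQ inside each class so one download cannot starve the others in its class
    run qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # On the LAN-side interface a download is *outbound*, so ssh/telnet data
    # from a remote server carries 22/23 as the *source* port; dport is
    # matched too for sessions into hosts on the LAN.
    for port in 22 23; do
        run filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip sport "$port" 0xffff flowid 1:10
        run filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip dport "$port" 0xffff flowid 1:10
    done
}

# Usage: DRY_RUN=1 sh shape-lan.sh eth1 1900   (2mbit link, ceiling 1900kbit)
if [ $# -ge 1 ]; then
    shape_lan "$1" "${2:-1900}"
fi
```

Check the result with `tc -s class show dev eth1`: if the 1:20 class shows drops while 1:10 does not, the queue has moved onto the firewall as intended.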