I'm planning on a redo of a small company setup, using a Linux box on a 2.4.2x kernel as router/NAT box/firewall. We have a rather complex shaping/policing setup, currently using multiple IMQs, HTB, SFQ and a few thousand lines of scripts. In addition I have varying classes of rules regarding outbound traffic depending on the internal origin of the traffic, and a few thousand lines of permit/deny rules.

Now, in order to e.g. permit use of outbound ssh to a specific net, and also ensure that ssh has a higher priority than e.g. web traffic, I have to triplicate a rule classifying a stream as ssh: NEW outbound permit, ingress MARK for htb on an IMQ dev, egress MARK for htb. I'd like to reduce the number of rules per stream, both for maintenance and performance purposes.

So,

1a) Is it possible/recommended to ACCEPT/DROP/REJECT in mangle FORWARD?
1b) Is it possible/recommended to MARK in filter FORWARD?
2) Can I safely put SFQ on an HTB leaf?
3) It appears that only packets that are not conntracked traverse the nat table; is this correct?
4) Does mangle OUTPUT happen before or after routing?
5) When exactly in the packet traversal does egress shaping happen? After mangle POSTROUTING? After nat POSTROUTING?
6) Recommendations on handling the massive number of connections created by P2P? When P2P classes need to stop borrowing from higher priority classes, the sheer number of connections appears to create some latency.

Thanks,
--Erik

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
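One common way to avoid writing the same ssh classification three times is to match the flow once in mangle PREROUTING, save the mark on the conntrack entry with CONNMARK, and let both the filter FORWARD permit and the tc fw filter key on that mark. The script below is an added example written for this post, not Erik's setup or anything from the LARTC HOWTO; the interface names, the 192.0.2.0/24 destination net, the rates and the class ids are constructed assumptions, and it emits the commands rather than applying them so they can be reviewed before running as root.

```shell
#!/bin/sh
# Added example: classify each flow once with CONNMARK, then reuse the mark in
# filter FORWARD (permit/deny) and in tc (HTB class chosen by the fw filter).
# Assumed names (constructed): WAN=eth0 carries egress shaping, LAN=eth1 is the
# inside interface, SSH_NET=192.0.2.0/24 is the net outbound ssh is allowed to.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
SSH_NET=${SSH_NET:-192.0.2.0/24}
MARK_SSH=10
MARK_WEB=20

# Emit the rules instead of applying them; "gen_rules | sh" as root applies them.
gen_rules() {
    cat <<EOF
# mangle PREROUTING: restore a mark already saved on the connection and stop
# classifying once one is present (ACCEPT in mangle only ends this chain)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
# only the first packet of a flow reaches these matches; the mark is then
# saved on the conntrack entry, so replies get the same mark on the way back
iptables -t mangle -A PREROUTING -i $LAN -p tcp --dport 22 -d $SSH_NET -j MARK --set-mark $MARK_SSH
iptables -t mangle -A PREROUTING -i $LAN -p tcp -m multiport --dports 80,443 -j MARK --set-mark $MARK_WEB
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# filter FORWARD: the permit decision keys on the mark, no second ssh match
iptables -A FORWARD -m mark --mark $MARK_SSH -j ACCEPT
iptables -A FORWARD -m mark --mark $MARK_WEB -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
# egress HTB on $WAN with an SFQ leaf under each class; fw filters map mark -> class
tc qdisc add dev $WAN root handle 1: htb default 20
tc class add dev $WAN parent 1: classid 1:1 htb rate 1mbit
tc class add dev $WAN parent 1:1 classid 1:10 htb rate 256kbit ceil 1mbit prio 1
tc class add dev $WAN parent 1:1 classid 1:20 htb rate 512kbit ceil 1mbit prio 2
tc qdisc add dev $WAN parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $WAN parent 1:20 handle 20: sfq perturb 10
tc filter add dev $WAN parent 1: protocol ip handle $MARK_SSH fw flowid 1:10
tc filter add dev $WAN parent 1: protocol ip handle $MARK_WEB fw flowid 1:20
EOF
}

# How many emitted lines match on the ssh port: the point is that it is one.
ssh_match_count() {
    gen_rules | grep -c -- '--dport 22'
}
```

The emitted rule set can be diffed against the existing scripts before applying it; the mark set in PREROUTING is also visible to an IMQ device hooked there, so the ingress side needs no separate match either.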