Traffic shaping through a Linux box


debianuser

Hi guys

ok this must sound really ridiculous for you but I am stuck and I need help.

We're running a network with around 50 clients, the dns server as well as dhcp runs on windows 2003 server.

Our firewall is a hardware firewall which I believe runs Linux.

Ok what's the deal then? Well, we need to shape the traffic, and the company of our firewall does not have any plugin or patches to allow us from the firewall admin panel to set up rules for traffic shaping.

So we decided... well why not take an old PC, install Linux on it to shape the traffic and put it in between the firewall and the rest of the network -- ok! I know this sounds really "amateur" and ridiculous but hey! Not so many choices when you've got a low budget.

So I tried, tried, and tried... I am mainly running Debian - but I am fine with switching distribution.

I tried some open source programs on freshmeat.com, but none of them really satisfied me - either they did not really work or were too difficult to configure.

So I was wondering, does anyone have any idea, any suggestion? Anything would be highly welcome.

till then...keep trusting your technolust :shock:

thanks-

Firstly, I wouldn't have said that this was "amateur" as I know plenty of companies that use systems like this.

For simplicity I would say give Monowall a try (http://www.m0n0.ch/wall/). It's very easy to use and install as well as taking absolutely no time to set up really.

It supports QoS which is your traffic shaping, has a good firewall, along with a lot of extra features. It's very stable as well so you should have a problem with downtime.

If you don't want to use a distro that has everything ready for you, then I suggest if you want to look into a traffic shaping/firewall setup that you have a look at OpenBSD and pf. It's relatively easy once you get the hang of OpenBSD.

We're running a network with around 50 clients, the dns server as well as dhcp runs on windows 2003 server.

Wow, 2003 server! That means 50 CALs! Not including the printers and new server.... crazy.

But yeah, what they said. I'm thinking of doing the same thing where I work.... we have Windows 2000 server, got to move away from that rubbish :)

thanks man.. I am gonna try Monowall and see what comes out of it! I will post for future updates.

thanks again

ok I was wondering do you know how to install that OS on the hard drive, without having to run the CD and the floppy disk?

I looked on the site but did not find anything -

I am still trying it - will post updates.

And thanks to all of you who gave me suggestions... if MonoWall does not work, I will try the other possibilities...

thanks very much

Well guys - here is one update!

I ran Monowall as suggested and it works - it's a pretty sweet thing :lol:

However I have a concern regarding the traffic shaping..

Well, we know that most of the p2p programs now run on port 80... so do the generated traffic shaping rules check by port, or analyse the packets to know if it's an http request or something totally else?

coz while shaping the traffic for p2p users, we don't want to affect simple users who send http requests

thanks

ok I was wondering do you know how to install that OS on the hard drive, without having to run the CD and the floppy disk?

I looked on the site but did not find anything -

I am still trying it - will post updates.

And thanks to all of you who gave me suggestions... if MonoWall does not work, I will try the other possibilities...

thanks very much

They certainly don't make the installation instructions easy to find...

Download the generic PC version and follow the instructions here:

http://m0n0.ch/wall/installation_generic.php

You'll need another PC, or a live Linux distro, to do this.

Well, we know that most of the p2p programs now run on port 80... so do the generated traffic shaping rules check by port, or analyse the packets to know if it's an http request or something totally else?

What you want is probably a stateful packet filtering firewall, or you could run a proxy server in your LAN which would then be the machine that connects to the internet. Block all other IPs from connecting to the internet, then the proxy server would only forward legitimate packets like http/ftp etc.

Being a corporate network you might be running a proxy already, and this is what I have played around with for packet filtering: http://l7-filter.sourceforge.net/.

I don't know how up-to-date this is with today's standards but I used to have a server for my Internet (firewall, proxy etc.) using Ubuntu with Squid. But there's always SME Server (it's a proxy/router/firewall straight out of the box... well you download it but you know what I mean...). It's available at http://contribs.org/modules/news/ - I used it also - and all the config is web based so you don't need to actually be physically on the server.

But there's always SME Server (it's a proxy/router/firewall straight out of the box... well you download it but you know what I mean...). It's available at http://contribs.org/modules/news/ - I used it also - and all the config is web based so you don't need to actually be physically on the server.

Ya I heard about that one.. but I was wondering when it shapes the traffic does it analyse the packets to tell if it's p2p or http requests... coz Monowall works great! but it scans by port and that's a bit shaky coz what happens when the p2p program uses port 80?

Being a corporate network you might be running a proxy already, and this is what I have played around with for packet filtering: http://l7-filter.sourceforge.net/.

so I am not sure I am following, we're talking here about a package you can install on an existing linux box which runs a proxy such as Squid for example?

You don't need to use L7-filter with a proxy. I was simply saying that you could get a proxy to do the job, or use this program.

* You need to match any protocol that uses unpredictable ports (i.e. P2P filesharing)

* You believe that significant traffic is being done on non-standard ports (i.e. HTTP on port 1111)

That's what it is used for, and it sounds like what you are trying to accomplish. Just remember if the packets are encrypted then you won't be able to traffic shape them or block them.

Just remember if the packets are encrypted then you won't be able to traffic shape them or block them.

Yes you will. You just won't be able to shape them differently than other encrypted traffic. There should always be a failover shaping rule and since you should have a rule that says standard http traffic is a high priority this other unknown traffic could get a lower priority.

Ben
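
The port-versus-payload question raised in this thread, as an added example that is not part of any post: a port-only rule and a layer-7 rule are run over the same flows, with a fallback class for anything unrecognised or encrypted. The class names and the sample flows are constructed for illustration; this is not the code of m0n0wall or l7-filter.

```python
import re

# Traffic classes (names are assumptions made for this example).
HTTP, P2P, DEFAULT = "http-high", "p2p-low", "default-low"

# Signatures matched against the first bytes of a flow.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def classify_by_port(dst_port):
    """Port-only rule: anything sent to port 80 is treated as web traffic."""
    return HTTP if dst_port == 80 else DEFAULT


def classify_by_payload(payload):
    """Layer-7 rule: inspect the start of the flow and ignore the port."""
    if payload.startswith(BT_HANDSHAKE):
        return P2P
    if HTTP_REQUEST.match(payload):
        return HTTP
    # Encrypted or unrecognised flows cannot be told apart, so they all
    # land in the fallback class instead of escaping the shaper.
    return DEFAULT


# Constructed sample flows: (description, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("browser request", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("p2p client on port 80", 80, BT_HANDSHAKE + bytes(8) + b"A" * 40),
    ("http on port 1111", 1111, b"GET / HTTP/1.0\r\n\r\n"),
    ("tls session", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {description: (port_class, payload_class)} for each flow."""
    return {desc: (classify_by_port(port), classify_by_payload(data))
            for desc, port, data in flows}


if __name__ == "__main__":
    for desc, (by_port, by_payload) in compare().items():
        print(f"{desc:24} port-only={by_port:13} payload={by_payload}")
```

The P2P flow on port 80 gets web priority under the port-only rule and is demoted only by the payload rule, while the TLS flow falls into the fallback class under both.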
