[Firewall] Self-connect possible?

Roland Haeder r.haeder at gmx.de
Thu Mar 18 18:16:48 CET 2010


On Thu, 2010-03-18 at 18:05 +0100, Arno van Amersfoort wrote:
> You can also use the DNAT plugin to fix this....
But then my whole box is opened to the Internet, right? I would prefer
the more restrictive approach with bandwidth limitation (traffic shaper)
because of my ADSL link.

BTW: Here is my shaper config:
======================================================
# ------------------------------------------------------------------------------
#           -= Arno's iptables firewall - Traffic-Shaper plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=0

# The next three parameters need to be configured.  The rest can be used
# as is, unless you have particular requirements.  (These should be globals)
# ------------------------------------------------------------------------------
DOWNLINK=800
UPLINK=64

# Specify qdisc type: htb (default) or hfsc
SHAPER_TYPE="htb"

# Most users can leave the port classification as is.  The notation signifies
# the destination port on *outbound* traffic.  Ports are prefixed by 'u' for
# UDP and 't' for TCP.  Ranges are given as 5060:5064.
#
# Additionally, UDP packets tagged with DSCP classes EF, CS3, AF21 and AF31
# will be automatically placed with the proper priority.
# ------------------------------------------------------------------------------

SHAPER_STREAMINGMEDIA_PORTS="u4569 u1720 u1731 t25 t110 t8080"

# t80 t443
SHAPER_INTERACTIVE_PORTS="u53 t22 u1194 t3389 u5060:5064 t5900 t6418"

SHAPER_BULKDATA_PORTS="t20 t21 t137:139 u137:139 t143 t465 t515 t993"
======================================================
I disabled it because the connection got very slow (e.g. to port
80/443). I would like to have good "performance" on receiving data on
port 8080 (forwarded to 192.168.1.17) and still have good outgoing
traffic to port 80/443 because YaCy is a search engine (with
crawler).

Roland
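To make the port notation in the config above concrete, here is an added Python example (not part of this thread and not the firewall's own code) that parses the SHAPER_*_PORTS lists and classifies an outbound packet by its destination port the way the config comments describe; it assumes first-match ordering and a "default" class for unlisted ports, which is an assumption about the plugin, not something the post states. It also flags ports that appear in more than one class, a check worth running before enabling the shaper.

```python
import re

# Constructed copy of the three port lists from the shaper config above
# (t80 and t443 are commented out there, so they are deliberately absent here).
SHAPER_CLASSES = {
    "streamingmedia": "u4569 u1720 u1731 t25 t110 t8080",
    "interactive": "u53 t22 u1194 t3389 u5060:5064 t5900 t6418",
    "bulkdata": "t20 t21 t137:139 u137:139 t143 t465 t515 t993",
}

# One token: 'u' or 't' prefix, a port, and an optional ':high' range end.
_SPEC = re.compile(r"^([ut])(\d{1,5})(?::(\d{1,5}))?$")


def parse_port_list(spec):
    """Turn 'u53 t22 u5060:5064' into [('udp', 53, 53), ('tcp', 22, 22), ('udp', 5060, 5064)]."""
    entries = []
    for tok in spec.split():
        m = _SPEC.match(tok)
        if not m:
            raise ValueError(f"bad port spec: {tok!r}")
        proto = "udp" if m.group(1) == "u" else "tcp"
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of range: {tok!r}")
        entries.append((proto, lo, hi))
    return entries


def classify(proto, dport, classes=SHAPER_CLASSES):
    """Class for an *outbound* packet by destination port (assumed first match), else 'default'."""
    for name, spec in classes.items():
        for p, lo, hi in parse_port_list(spec):
            if p == proto and lo <= dport <= hi:
                return name
    return "default"


def find_overlaps(classes=SHAPER_CLASSES):
    """Return (proto, port, class_a, class_b) for every port listed in two classes."""
    seen, overlaps = {}, []
    for name, spec in classes.items():
        for proto, lo, hi in parse_port_list(spec):
            for port in range(lo, hi + 1):
                if (proto, port) in seen:
                    overlaps.append((proto, port, seen[(proto, port)], name))
                else:
                    seen[(proto, port)] = name
    return overlaps
```

With this config, outbound HTTP/HTTPS (t80/t443) falls into the default class, while t8080 is matched only when this box is the one connecting out to port 8080, not when it answers forwarded requests on 8080.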
