Vuurmuur gets traffic shaping

Posted on Oct 2, 2007

The last weeks I’ve been working on adding traffic shaping support to Vuurmuur. The work is largely done, only the GUI part is still missing. But using vuurmuur_script it is already usable in the current SVN trunk. I’ve written before about my shaping ideas here.

The support currently focuses on three different options:

1. Limiting bandwidth usage by rules.

Per rule a limit can be set for the maximum amount of bandwidth all traffic from this rule uses. Both directions of a connection have different limits. The in_max and out_max options can be added to existing rules for this. The syntax of the in_max and out_max is simple: out_max=15kbps means that traffic in the source to destination direction of a rule can at max use 15 kb/s.

2. Guaranteeing bandwidth to rules.

Again per rule a guaranteed minimum of available bandwidth can be configured. This way you can for example make sure your VoIP calls get enough. It’s important to not over commit the bandwidth. If you do that Vuurmuur will issue a warning but will still work because HTB, the used scheduler, accepts it as well. In this case the minimal bandwidth can not be guaranteed. To use this option add the in_min and out_min options. The syntax is the same as with in_max/out_max.

3. Prioritizing rules.

Like the first two options the priority can be set per rule. It’s a number where 1 is the highest prio. The default prio is 3. The syntax is prio=1. The lowest prio possible is 255.

For each interface, Vuurmuur needs to know the maximal bandwidth. Also, the shaping can be enabled and disabled on a per interface basis. Because shaping is attached to interfaces, rules using source and/or destination ‘any’ or ‘firewall(any)’ won’t be able to shape. Also, only outgoing shaping is supported, which is no problem in a gateway setup because then all traffic is outgoing on one of the interfaces, but on traffic from and to the firewall, this can be a limitation.

For example, to set the bandwidth in the interface ‘inet-nic’ which has a bandwidth of 3072kbit/512kbit, use the following vuurmuur_script commands:

vuurmuur_script -M -i inet-nic -V SHAPE -S Yes vuurmuur_script -M -i inet-nic -V BW_IN -S 3 vuurmuur_script -M -i inet-nic -V BW_IN_UNIT -S mbit vuurmuur_script -M -i inet-nic -V BW_OUT -S 512 vuurmuur_script -M -i inet-nic -V BW_OUT_UNIT -S kbit

Using vuurmuur_conf, it’s already possible to set the location of the tc binary. Look at ‘Vuurmuur Config -> General’.

An example of what a full rule using shaping can look like:

accept service ftp from local.lan to world.inet options prio=2, in_max=200kbps, out_max=15kbps

This example limits HTTP downloading to a speed of 200kb/s and uploading to 15kb/s.

The coming days and weeks I’ll finish the GUI support and release a test version.