[CentOS] Traffic shaping on CentOS

Sat Dec 16 18:12:55 UTC 2017
Mark Milhollan <mlm at pixelgate.net>

On Fri, 15 Dec 2017, Kenneth Porter wrote:

> The gateway is for a small business and I don't want shell and remote desktop
> sessions to come to a crawl because someone's uploading/downloading/mailing a
> big CAD file to a customer/vendor, or because several are watching Youtube
> videos.

Slowdown is probably going to happen since these days much file/bulk 
transfer and certainly all Google (YouTube) services use HTTPS and thus 
seem the same to any but the most intrusive inspection and dynamic 
shaping, i.e., SSL bump or peek'n'splice would be needed wherein at 
least the beginning of a session can be inspected so that the real 
purpose can be inferred and used to set the shaping on that single 
session -- though usually they decrypt everything which has many 
concerns.  Static shaping of HTTP(S) can help but certainly can't assure 
that "interactive" sessions won't be impacted by "heavy" sessions.  If 
only SSH and RDP need more priority than anything else that should be 
easily handled by static policy (firehol, wondershaper, etc) though it 
fails when RDP is used for bulk file transfer (you can check TOS/DSCP on 
SSH sessions to de-prioritize SCP/SFTP transfers, provided such hasn't 
been defeated by the sender).


/mark
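The static policy Mark describes (SSH and RDP get priority, HTTP(S) is treated as bulk, and SSH packets the sender has tagged as non-interactive are demoted) can be expressed directly in iptables and tc on a CentOS 7 gateway. The script below is an added example for this thread, not code from any poster or from firehol/wondershaper. It assumes an upstream interface named eth0, an uplink of roughly 10 Mbit/s, a 40/40/20 split between the interactive, default and bulk classes, and fw-mark values 1 and 3; all of those are illustrative. It relies on OpenSSH's IPQoS marking: since 7.8 interactive sessions are sent with DSCP AF21 and scp/sftp with CS1 (older releases used the legacy TOS bits "lowdelay" and "throughput"), and as the reply notes the sender can change or clear those bits, so the demotion is a hint rather than a guarantee. Only egress on the WAN side is shaped; inbound bulk (YouTube downloads) would need ingress policing or an IFB device, which is not shown. Without APPLY=1 the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Static egress shaping for a CentOS gateway (added example, not from the thread).
# Classes: 1:10 interactive (SSH/RDP), 1:20 default, 1:30 bulk (HTTP(S) and
# SSH sessions OpenSSH tagged as non-interactive). Set APPLY=1 to execute;
# by default every command is printed instead of run.
set -eu

WAN="${WAN:-eth0}"                    # assumption: upstream interface name
UPLINK_KBIT="${UPLINK_KBIT:-10000}"   # assumption: a little under the real uplink

# fw marks shared between the mangle table and the tc filters (arbitrary values).
MARK_INTERACTIVE=1
MARK_BULK=3

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Classify egress packets on $wan by port and by the DSCP/TOS the sender set.
mark_rules() {
    local wan="$1"
    # Idempotent chain setup: create if missing, flush, re-hook once.
    run iptables -t mangle -N SHAPE 2>/dev/null || true
    run iptables -t mangle -F SHAPE
    run iptables -t mangle -D POSTROUTING -o "$wan" -j SHAPE 2>/dev/null || true
    run iptables -t mangle -A POSTROUTING -o "$wan" -j SHAPE
    # Bulk first. OpenSSH >= 7.8 marks scp/sftp (non-interactive) with DSCP CS1;
    # older releases set the legacy TOS "throughput" bit (0x08). --ports matches
    # either direction, so both outbound and inbound SSH sessions are covered.
    run iptables -t mangle -A SHAPE -p tcp -m multiport --ports 22 \
        -m dscp --dscp-class CS1 -j MARK --set-mark "$MARK_BULK"
    run iptables -t mangle -A SHAPE -p tcp -m multiport --ports 22 \
        -m tos --tos 0x08/0xff -j MARK --set-mark "$MARK_BULK"
    # Whatever SSH and RDP traffic is still unmarked is treated as interactive.
    run iptables -t mangle -A SHAPE -m mark --mark 0 -p tcp -m multiport \
        --ports 22,3389 -j MARK --set-mark "$MARK_INTERACTIVE"
    # HTTP(S) is assumed bulk: a CAD upload and a YouTube stream look the same here.
    run iptables -t mangle -A SHAPE -m mark --mark 0 -p tcp -m multiport \
        --ports 80,443 -j MARK --set-mark "$MARK_BULK"
}

# HTB tree on $wan with a guaranteed share per class and the full link as ceiling,
# so an idle class lends its bandwidth but a busy bulk class cannot starve SSH.
shape_classes() {
    local wan="$1" rate="$2" c
    local hi=$((rate * 40 / 100)) mid=$((rate * 40 / 100)) lo=$((rate * 20 / 100))
    run tc qdisc del dev "$wan" root 2>/dev/null || true
    run tc qdisc add dev "$wan" root handle 1: htb default 20
    run tc class add dev "$wan" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    run tc class add dev "$wan" parent 1:1 classid 1:10 htb rate "${hi}kbit" ceil "${rate}kbit" prio 0
    run tc class add dev "$wan" parent 1:1 classid 1:20 htb rate "${mid}kbit" ceil "${rate}kbit" prio 1
    run tc class add dev "$wan" parent 1:1 classid 1:30 htb rate "${lo}kbit" ceil "${rate}kbit" prio 2
    # Per-class fair queueing so one heavy flow inside a class does not hog it.
    for c in 10 20 30; do
        run tc qdisc add dev "$wan" parent "1:$c" handle "$c:" sfq perturb 10
    done
    # Steer by the marks set in the mangle table; unmarked traffic falls to 1:20.
    run tc filter add dev "$wan" parent 1: protocol ip prio 1 handle "$MARK_INTERACTIVE" fw flowid 1:10
    run tc filter add dev "$wan" parent 1: protocol ip prio 1 handle "$MARK_BULK" fw flowid 1:30
}

shape_egress() {
    mark_rules "$1"
    shape_classes "$1" "$2"
}

shape_egress "$WAN" "$UPLINK_KBIT"
```

Run it once as `WAN=eth0 UPLINK_KBIT=9500 ./shape.sh` to review the generated rules, then with `APPLY=1` as root to install them; the CS1/TOS rules must stay ahead of the generic port-22 rule, otherwise scp traffic is classified as interactive before the DSCP check is reached. An RDP session used for a file copy still lands in the interactive class, which is the limitation the reply points out.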