Configuring a Firewall to prefer certain traffic...

Bob George plug-discuss@lists.PLUG.phoenix.az.us
Mon, 30 Apr 2001 12:45:12 -0700


Jiva DeVoe

> [...]
> Is it possible to configure a linux firewall to prefer traffic from a
> certain host?  In other words, if you have 2 hosts on a network, and
> one is doing a download, if the second one starts something up, it
> will *NOT* be affected by the download on the first box, but the first
> box's traffic will slow down to allow the second one through?

If you don't control the entire network path, the best you'll be able to do
is prioritize packets as they pass through the firewall. If the firewall
itself is the bottleneck, that might improve things. However, true QoS is
required end-to-end to be effective. If the site sending that FTP data
doesn't back off in response to ToS settings, it'll still be pushing data to
the firewall at full speed. And if the next upstream router doesn't do any
sort of prioritization, your efforts at the firewall can only impact what
you're *sending*.

I've typically seen QoS features used when you have control of the routers
*at both ends* of a slow point-to-point link. You can prioritize data using
various queueing schemes etc. But if only one router does it, it really
doesn't change a whole lot, other than the order that packets leave that
router.

Of course, if your network provider supports QoS of some sort (RSVP, ToS),
and actually does something to prioritize traffic end-to-end, then just
ignore all this!

- Bob
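As an added example (not part of this thread), here is the one lever Bob says the firewall does have: shaping what it *sends* out of its LAN-facing interface with tc/HTB, so packets addressed to the interactive host leave ahead of the bulk download. The interface name, link rate and host address are assumed values.

```shell
#!/bin/sh
# Added example: egress shaping on a Linux firewall with tc/HTB.
# It only reorders and paces what this box transmits on one interface,
# which is exactly the limit described in the reply above.
set -eu

TC="${TC:-tc}"                                   # TC="echo tc" prints instead of applying
LAN_IF="${LAN_IF:-eth1}"                         # assumed: interface facing the two hosts
LINK_KBIT="${LINK_KBIT:-1500}"                   # assumed: a bit below the real upstream rate
PREFERRED_HOST="${PREFERRED_HOST:-192.168.1.20}" # constructed: the host that must stay snappy

# Install an HTB tree on interface $1 with a total rate of $2 kbit/s and
# put everything destined to host $3 into a higher-priority class.
apply_host_priority() {
    dev="$1"; rate_kbit="$2"; host="$3"
    pref=$((rate_kbit * 2 / 3))      # guaranteed share for the preferred host
    bulk=$((rate_kbit - pref))       # guaranteed share for everyone else

    # Start from a clean slate; ignore "no qdisc" on the first run.
    $TC qdisc del dev "$dev" root 2>/dev/null || true

    # Root: unclassified traffic falls into class 1:20 (bulk).
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb \
        rate "${rate_kbit}kbit" ceil "${rate_kbit}kbit"

    # 1:10 preferred host: served first whenever both classes are busy.
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "${pref}kbit" ceil "${rate_kbit}kbit" prio 0
    # 1:20 everyone else: may borrow up to the full rate while 1:10 is idle.
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb \
        rate "${bulk}kbit" ceil "${rate_kbit}kbit" prio 1

    # Fair queueing inside each class so one flow cannot starve its neighbours.
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10

    # Classifier: anything addressed to the preferred host goes to 1:10.
    $TC filter add dev "$dev" protocol ip parent 1:0 prio 1 u32 \
        match ip dst "$host/32" flowid 1:10
}

# Apply only when explicitly asked (needs root and a real interface).
if [ "${APPLY_QOS:-0}" = 1 ]; then
    apply_host_priority "$LAN_IF" "$LINK_KBIT" "$PREFERRED_HOST"
fi
```

Run with `APPLY_QOS=1` as root to install the tree; with `TC="echo tc"` it prints the commands so you can review them first.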