This is the FireHOL/FireQOS installation method and configuration that I use for my home server, here for easy reference in case I need to set it up again, or something similar.
- apt purge ufw # First, uninstall Ubuntu’s default firewall.
- # Ubuntu ships FireHOL 2.x; the 3.x series (from a PPA) is needed for connmark support. Connmark lets you mark the packets of an established connection in both directions, which allows QoS on downstream (incoming) traffic by the process that owns the connection. This is especially useful for programs with dynamic server/client ports, such as torrent clients.
- add-apt-repository ppa:andvgal/firehol-bpo
- apt update
- apt install fireqos ulogd
- /etc/default/firehol # Must explicitly enable startup
- The firewall configuration itself:

```
# /etc/firehol/firehol.conf
version 6
FIREHOL_LOG_MODE="NFLOG"  # Prevents log spamming.

# Squid HTTP proxy. The process owner is intentionally blank, in order that all
# locally-originating connections bypass the proxy. (if it breaks, I need to Google how to fix it!)
ipv4 transparent_proxy http 3128 "" src 192.168.0.0/24
#ipv4 transparent_proxy https 3130 "" src 192.168.0.0/24  # Squid HTTPS proxy

connmark 1 OUTPUT user "proxy"                # Mark all proxied connections
mark 1 FORWARD                                # Mark all routed/masqueraded connections
connmark 7 OUTPUT user "i2psvc"               # Mark local i2p
connmark 8 OUTPUT user "debian-tor"           # Mark local TOR
connmark 9 OUTPUT user "debian-transmission"  # Mark local torrent client

# Save/restore connmarks on outgoing/incoming packets
connmark save OUTPUT
connmark restore PREROUTING

# service definitions
server_udpweb_ports="udp/80 udp/443"  # QUIC/SPDY protocols
client_udpweb_ports="default"

interface br0 mylan
    policy accept

interface eth_discreet internet
    policy drop
    protection strong  # 10/sec 10
    server http accept
    server httpalt accept
    server https accept  # tor
    server ICMP accept
    server openvpn accept
    server ssh accept
    server webcache accept
    server custom torrent_tcp tcp/51413 any accept
    server custom torrent_udp udp/51413 any accept
    server custom i2p_udp udp/29996 any accept
    server custom i2p_tcp tcp/29996 any accept
    # DHCP is a "complex" protocol, best to specifically allow it if your ISP assigns you dynamic IPs.
    client dhcp accept
    client all accept

router mylan2internet inface br0 outface eth_discreet
    masquerade
    # Block QUIC/SPDY protocols, squid can't cache them. This forces TCP connections
    # and allows caching of sites like YouTube.
    route udpweb deny
    route all accept
```
- firehol try
- /etc/default/fireqos # Must explicitly enable startup
- The shaper configuration itself:

```
# /etc/firehol/fireqos.conf
FIREQOS_CONNMARK_RESTORE="act_connmark"

DEVICE=eth_discreet
INPUT_SPEED=16mbit
OUTPUT_SPEED=2mbit
LINKTYPE=""

# Service definitions
server_openvpn_ports="any/1194"
server_httpalt_ports="tcp/8080"
server_bittorrent_ports="any/6881:6999,51413"
server_i2p_ports="any/29996"
service_facetime_ports="udp/3478:3497,16384:16387,16393:16402"
server_hng_ports="tcp/15000:15500,16667 udp/16000:17000"  # Game: Heroes and Generals
server_lol_ports="udp/5000:5500"                          # Game: League of Legends

# By omitting 'balanced' from the interface line, packets are prioritized in order of the class that they are in.
interface $DEVICE world bidirectional $LINKTYPE input rate $INPUT_SPEED output rate $OUTPUT_SPEED

    class latency commit 20%    # Placeholder for time-critical packets (games)

    class bandwidth commit 40%  # Placeholder for bandwidth-dependent streams (videoconferencing)

    class responsive
        client dns
        # SSH is not in the 'time-critical' class, because it is sometimes used for file transfers
        # or tunnels. It cannot be allowed to interfere with the preceding classes.
        server ssh
        client ssh
        match icmp
        server openvpn

    class group routed commit 1%  # Router traffic
        match mark 1      # Intercept generic forwarded packets
        match connmark 1  # This classifies packets marked as Squid traffic
        class default
            client hng class latency  # Reassign Heroes & Generals to time-critical priority
            client lol class latency  # Reassign League of Legends to time-critical priority
            # Facebook/Skype use two sets of dynamic ports on both sides of the connection;
            # reassign them to bandwidth-dependent priority
            match udp sports 3478:3481 dports 3478:3481 class bandwidth
            match sports 49152:65535 dports 49152:65535 class bandwidth
            # Background
            match sports 16384:65535 dports 16384:65535 class background  # Torrent catch-all
    class group end

    class default

    class background
        server http       # Local webserver
        server httpalt    # Local webserver
        match connmark 9  # transmission process
        server bittorrent

    class hidden
        match connmark 8 prio 6  # tor process
        server https prio 6      # tor port
        match connmark 7 prio 7  # i2p process
        server i2p prio 7        # i2p
```
- (use “fireqos status world-in” to monitor)
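- The QoS classes above only work if every connmark the shaper matches on is actually set by the firewall and survives the save/restore path. The script below is an added consistency check written for this page (it is not part of FireHOL or FireQOS): it parses the mark-related lines of both configs and reports a connmark the shaper uses that the firewall never sets, a mark number shared by several process owners, or a missing save/restore setting. The embedded excerpts are constructed from the two configs above; read the real files into the two strings to check a live system.

```python
import re
# Constructed excerpts of the two configs above (only the mark-related lines).
FIREHOL_CONF = """
connmark 1 OUTPUT user "proxy"
mark 1 FORWARD
connmark 7 OUTPUT user "i2psvc"
connmark 8 OUTPUT user "debian-tor"
connmark 9 OUTPUT user "debian-transmission"
connmark save OUTPUT
connmark restore PREROUTING
"""
FIREQOS_CONF = """
FIREQOS_CONNMARK_RESTORE="act_connmark"
        match mark 1
        match connmark 1
        match connmark 9
        match connmark 8 prio 6
        match connmark 7 prio 7
"""
SET_RULE = re.compile(r'^\s*(connmark|mark)\s+(\d+)\s+\S+(?:\s+user\s+"?([^"\s]+)"?)?')
MATCH_RULE = re.compile(r'^\s*match\s+(connmark|mark)\s+(\d+)\b')
def check_marks(firehol_text, fireqos_text):
    """Return a list of problems; an empty list means the two configs agree."""
    defs, problems = {}, []
    for line in firehol_text.splitlines():            # marks the firewall sets
        m = SET_RULE.match(line)
        if m:
            defs.setdefault((m[1], int(m[2])), set()).add(m[3])
    for (kind, num), users in defs.items():            # one connmark per process owner
        if kind == "connmark" and len(users) > 1:
            problems.append(f"connmark {num} is set for several users: "
                            f"{sorted(u or '*' for u in users)}")
    uses_connmark = False
    for line in fireqos_text.splitlines():            # marks the shaper expects
        m = MATCH_RULE.match(line)
        if not m:
            continue
        kind, num = m[1], int(m[2])
        uses_connmark |= kind == "connmark"
        # 'match mark N' is also satisfied by 'connmark N': 'connmark restore'
        # copies the connection mark back onto each packet before shaping.
        if (kind, num) not in defs and ("connmark", num) not in defs:
            problems.append(f"fireqos matches {kind} {num} but firehol never sets it")
    if uses_connmark:                                 # the restore path must exist end to end
        for needle, where in (("connmark save", "firehol"), ("connmark restore", "firehol"),
                              ("FIREQOS_CONNMARK_RESTORE", "fireqos")):
            if needle not in (firehol_text if where == "firehol" else fireqos_text):
                problems.append(f"{where} config lacks '{needle}'")
    return problems
```

An empty list from `check_marks` means the marks line up; run it after every edit to either file, since a stale mark number fails silently (traffic just falls into the default class).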
- I found that FireHOL doesn’t like to start up at boot. I haven’t yet properly solved this, but my temporary workaround is to add this to crontab:
@reboot sleep 60 && /usr/sbin/firehol start