Hi there. I would like to distribute certain port numbers into 2 ISPs
and I did manage to do it based on Shorewall's "Shorewall & Routing"
documentation. However, do I need to copy all those ports from the rules
file to tcrules? Here are my configuration files:

/etc/shorewall/tcrules:

#MARK   SOURCE          DEST                        PROTO   PORT(S)                 CLIENT  USER    TEST
#                                                                                   PORT(S)
1:P     eth2,eth3,eth4  0.0.0.0/0                   tcp     80,1863,443,5050,5190   -       -       -
1:P     eth2,eth3,eth4  202.188.0.133,202.188.1.5   udp     53                      -       -       -
2:P     eth2,eth3,eth4  0.0.0.0/0                   tcp     21,6881                 -       -       -

/etc/shorewall/providers:

#NAME     NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS  COPY
tm2mbps   1       1     main       eth0       192.168.100.1  track    eth2,eth3,eth4
tm1mbps   2       2     main       eth1       192.168.110.1  track    eth2,eth3,eth4

/etc/shorewall/masq:

#INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
eth0        eth2
eth0        eth3
eth0        eth4
eth1        eth2
eth1        eth3
eth1        eth4

/etc/shorewall/rules:

<Please read the attached file...>

For the time being, the connection is doing fine. Previously, I tried
to balance both ISPs and both ISP connections went down after 3 hours
or so. It seems like I don't want port 80 to be balanced on both ISPs,
that's why I removed it from MARK under the tcrules file. I'm just confused
over what to do with the rules file. I mean, those blocked ports will be
running as normal or not? I'd really appreciate any advice.

-- 
Regards,
Wong Chee Chun
> Hi there. I would like to distribute certain port numbers into 2 ISPs
> and I did manage to do it based on Shorewall's "Shorewall & Routing"
> documentation. However, do I need to copy all those ports from the rules
> file to tcrules? Here are my configuration files:

Yes, you need to restate the ports in the tcrules file, for your allowed
outbound traffic. You are doing policy routing to a preferred ISP, based
on a certain port; netfilter is just marking the traffic based on your
wishes.

<snip>

> For the time being, the connection is doing fine. Previously, I tried
> to balance both ISPs and both ISP connections went down after 3 hours
> or so.

Can you expand on that a little bit please.

> It seems like I don't want port 80 to be balanced on both ISPs,
> that's why I removed it from MARK under the tcrules file.

That is not what you posted, port 80 is listed. Did you use 'balance' as
an option in providers and then use tcrules to favor the preferred ISP?

> I'm just confused over what to do with the rules file. I mean, those
> blocked ports will be running as normal or not? I'd really appreciate
> any advice.

Don't state, in tcrules, the ports used in the DROP'd rules; those
connections are not going to make it out anyway. The rules file needs
to have some context to it: the interfaces, zones, and policy files come
into play here. Just to have a clearer picture of your setup, your best
bet is to capture a "shorewall status", along with all the config files
that were modified, for us to have a look at.

Jerry

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
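The point in the reply above (tcrules only marks traffic for policy routing; a port that the rules file DROPs gains nothing from a tcrules entry, and a mark has to correspond to a provider) can be checked offline before touching the box. The script below is an added example written for this page, not code from the thread or from Shorewall. It models the three files with the simplifications a quick lint can afford: matching is on source interface, destination address, protocol and destination port only, zones are ignored, and the rules-file policy is assumed to be DROP. The tcrules and providers contents are the ones posted in the thread; the rules file is a constructed stand-in, because the real one was an attachment that is not on the page.

```python
# Added example, not code from the thread or from Shorewall: an offline model of how
# Shorewall 2.x tcrules, providers and rules interact, so a config can be linted
# before "shorewall restart". Matching is simplified to source interface,
# destination address, protocol and destination port; zones are ignored.
from dataclasses import dataclass
import ipaddress

# tcrules and providers as posted in the thread.
TCRULES = """\
#MARK SOURCE         DEST                      PROTO PORT(S)               CLIENT USER TEST
1:P   eth2,eth3,eth4 0.0.0.0/0                 tcp   80,1863,443,5050,5190 -      -    -
1:P   eth2,eth3,eth4 202.188.0.133,202.188.1.5 udp   53                    -      -    -
2:P   eth2,eth3,eth4 0.0.0.0/0                 tcp   21,6881               -      -    -
"""
PROVIDERS = """\
#NAME   NUMBER MARK DUPLICATE INTERFACE GATEWAY       OPTIONS COPY
tm2mbps 1      1    main      eth0      192.168.100.1 track   eth2,eth3,eth4
tm1mbps 2      2    main      eth1      192.168.110.1 track   eth2,eth3,eth4
"""
# CONSTRUCTED stand-in for the rules attachment, which is not on the page.
# Columns: ACTION SOURCE DEST PROTO DEST-PORT(S); first match wins.
RULES = """\
ACCEPT loc net tcp 80,443,1863,5050,5190
ACCEPT loc net udp 53
ACCEPT loc net tcp 21
DROP   loc net tcp 6881
"""

@dataclass
class TcRule:
    mark: int
    chain: str        # MARK suffix: "P" = PREROUTING, "F" = FORWARD
    src_ifaces: set
    dests: list       # ipaddress networks
    proto: str
    ports: set        # None = any port

def _rows(text):
    """Whitespace-split rows, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def _ports(spec):
    return None if spec in ("-", "all") else {int(p) for p in spec.split(",")}

def parse_tcrules(text):
    rules = []
    for f in _rows(text):
        mark, _, chain = f[0].partition(":")
        rules.append(TcRule(int(mark), chain or "P", set(f[1].split(",")),
                            [ipaddress.ip_network(d, strict=False) for d in f[2].split(",")],
                            f[3].lower(), _ports(f[4])))
    return rules

def parse_providers(text):
    """MARK value -> provider NAME (columns NAME NUMBER MARK ...)."""
    return {int(f[2]): f[0] for f in _rows(text)}

def parse_rules(text):
    """[(ACTION, proto, ports-or-None)] in file order."""
    return [(f[0].upper(), f[3].lower(), _ports(f[4])) for f in _rows(text)]

def provider_for(tcrules, providers, src_iface, dst, proto, dport):
    """Provider this flow is policy-routed to, or None if no tcrules entry marks it.
    Raises if two entries would set different marks: the winner would then depend
    on rule order rather than intent."""
    ip = ipaddress.ip_address(dst)
    marks = {r.mark for r in tcrules
             if src_iface in r.src_ifaces and any(ip in n for n in r.dests)
             and r.proto == proto and (r.ports is None or dport in r.ports)}
    if len(marks) > 1:
        raise ValueError(f"conflicting marks {sorted(marks)} for {proto}/{dport}")
    return providers.get(marks.pop()) if marks else None

def rules_action(rules, proto, dport, policy="DROP"):
    """Action of the first matching rules line, else the (assumed) policy."""
    for action, p, ports in rules:
        if p == proto and (ports is None or dport in ports):
            return action
    return policy

def lint(tcrules, providers, rules):
    """Warnings worth reading before enabling policy routing."""
    warnings, seen = [], {}          # seen: (proto, port) -> mark
    for r in tcrules:
        if r.mark not in providers:
            warnings.append(f"mark {r.mark} has no provider with that MARK")
        for port in sorted(r.ports or ()):
            prev = seen.setdefault((r.proto, port), r.mark)
            if prev != r.mark:
                warnings.append(f"{r.proto}/{port} is marked both {prev} and {r.mark}")
            action = rules_action(rules, r.proto, port)
            if action != "ACCEPT":
                warnings.append(f"{r.proto}/{port} is marked {r.mark} in tcrules but "
                                f"rules says {action}: drop the tcrules entry")
    return warnings
```

Run `lint(parse_tcrules(TCRULES), parse_providers(PROVIDERS), parse_rules(RULES))` and the only warning is for tcp/6881, the port the constructed rules file drops. `provider_for(...)` answers the practical question of which ISP a given outbound flow lands on: from eth2, tcp/80 resolves to tm2mbps (eth0), tcp/21 to tm1mbps (eth1), and udp/53 to tm2mbps only when the destination is one of the two listed DNS servers; anything unmarked returns None and follows whatever the default route is, which is exactly the traffic a 'balance' option would spread across both links.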
> > It seems like I don't want port 80 to be balanced on both ISPs,
> > that's why I removed it from MARK under the tcrules file.
>
> That is not what you posted, port 80 is listed. Did you use 'balance' as
> an option in providers and then use tcrules to favor the preferred ISP?

When I use the 'balance' option, I can see some port 80 traffic on eth1.
I'm not sure how 'balance' works but I just want port 80 traffic to be
on eth0.

> > I'm just confused over what to do with the rules file. I mean, those
> > blocked ports will be running as normal or not? I'd really appreciate
> > any advice.
>
> Don't state, in tcrules, the ports used in the DROP'd rules; those
> connections are not going to make it out anyway. The rules file needs
> to have some context to it: the interfaces, zones, and policy files come
> into play here. Just to have a clearer picture of your setup, your best
> bet is to capture a "shorewall status", along with all the config files
> that were modified, for us to have a look at.

I'll get back to you guys with that information as soon as I arrive at
my office tomorrow. Thanks for your time!!

> Jerry

-- 
Regards,
Wong Chee Chun
Network Engineer
Softmy Co. Ltd (http://www.softmy.com)
> > That is not what you posted, port 80 is listed. Did you use 'balance' as
> > an option in providers and then use tcrules to favor the preferred ISP?
>
> When I use the 'balance' option, I can see some port 80 traffic on eth1.
> I'm not sure how 'balance' works but I just want port 80 traffic to be
> on eth0.

When you tried 'balance', did you also have an entry in tcrules for port 80?

Jerry
On 9/7/05, Jerry Vonau <jvonau@shaw.ca> wrote:
> > > That is not what you posted, port 80 is listed. Did you use 'balance' as
> > > an option in providers and then use tcrules to favor the preferred ISP?
> >
> > When I use the 'balance' option, I can see some port 80 traffic on eth1.
> > I'm not sure how 'balance' works but I just want port 80 traffic to be
> > on eth0.
>
> When you tried 'balance', did you also have an entry in tcrules for port 80?

Yes. Below is my current tcrules setup:

#MARK   SOURCE          DEST                        PROTO   PORT(S)                 CLIENT  USER    TEST
#                                                                                   PORT(S)
1:P     eth2,eth3,eth4  0.0.0.0/0                   tcp     80,1863,443,5050,5190   -       -       -
1:P     eth2,eth3,eth4  202.188.0.133,202.188.1.5   udp     53                      -       -       -
2:P     eth2,eth3,eth4  0.0.0.0/0                   tcp     21,6881                 -       -       -

-- 
Regards,
Wong Chee Chun
Network Engineer
Softmy Co. Ltd (http://www.softmy.com)