Hello,

I have a small problem and I am out of ideas. I've set up the shorewall and it works great, with one small issue. The current setup is as follows:

ISP1 provides external IP1 - used by eth0
ISP2 provides external IP2 - used by eth1
- eth2 is connected to internal network
- firewall machine is running mail server

I've followed the instructions on http://www.shorewall.net/Shorewall_and_Routing.html and I can see outbound connections being distributed to both eth0 and eth1 (which is great). Our main DNS is only officially mapped to IP1 (IP2 is used as backup only). When I send email to Yahoo, if the email goes through ISP1, Yahoo puts it into Inbox; if the email goes through ISP2, Yahoo puts it in 'Bulk' (since originating IP address (IP2) does not match our DNS IP (IP1)). What I would like to do is to have all outgoing mail go from eth0 (IP1), so I don't have the above problem.

I've followed the suggestions about using the following:

/etc/shorewall/shorewall.conf
...
TC_ENABLED=Yes
...

/etc/shorewall/providers
DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2
YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2

/etc/shorewall/tcrules
# none of these seem to matter
1:P $FW  0.0.0.0/0 tcp 25
1:P eth2 0.0.0.0/0 tcp 25

-- I've restarted the firewall, but none of the options seem to matter... I still get SMTP traffic on eth1 (verified with tethereal). I am stuck. Please help.

thanks,
-- stanley

p.s. some debug output

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available

-------------------------------------------------------
SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
Stanley:

> Hello,
>
> I have a small problem and I am out of ideas. I've set up the
> shorewall and it works great, with one small issue.
> The current setup is as follows:
>
> ISP1 provides external IP1 - used by eth0
> ISP2 provides external IP2 - used by eth1
> - eth2 is connected to internal network
> - firewall machine is running mail server
>
> I've followed the instructions on
> http://www.shorewall.net/Shorewall_and_Routing.html
> and I can see outbound connections being distributed to both eth0 and
> eth1 (which is great). Our main DNS is only officially mapped to IP1 (IP2 is
> used as backup only). When I send email to Yahoo, if the email goes through
> ISP1, Yahoo puts it into Inbox; if the email goes through ISP2, Yahoo puts it
> in 'Bulk' (since originating IP address (IP2) does not match our DNS IP (IP1)).
> What I would like to do is to have all outgoing mail go from eth0 (IP1), so I don't
> have the above problem.

I've been fooling around with this and waiting for a victim... err beta tester to confirm my findings.

> I've followed the suggestions about using the following:
>
> /etc/shorewall/shorewall.conf
> ...
> TC_ENABLED=Yes
> ...
>
> /etc/shorewall/providers
> DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2
> YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2

add:
mail 5 5 main eth0 65.84.10.209 - eth2

> /etc/shorewall/tcrules
> # none of these seem to matter
> 1:P $FW  0.0.0.0/0 tcp 25
> 1:P eth2 0.0.0.0/0 tcp 25

add:
5 $FW 0.0.0.0/0 tcp 25 - -

> -- I've restarted the firewall, but none of the options seem to
> matter... I still get SMTP traffic on eth1 (verified with tethereal). I am stuck.
> Please help.

restart now.

> thanks,
> -- stanley

Give it a spin, and report back please.

Jerry
This would need to be the first entry in the providers file....

add:
mail 5 5 main eth0 65.84.10.209 - eth2

> /etc/shorewall/tcrules
> # none of these seem to matter
> 1:P $FW  0.0.0.0/0 tcp 25
> 1:P eth2 0.0.0.0/0 tcp 25

add:
5 $FW 0.0.0.0/0 tcp 25 - -

Sorry for my too speedy response.

Jerry
Jerry Vonau wrote on 23/09/2005 00:38:39:

> This would need to be the first entry in the providers file....
>
> add:
> mail 5 5 main eth0 65.84.10.209 - eth2
>
> > /etc/shorewall/tcrules
> > # none of these seem to matter
> > 1:P $FW  0.0.0.0/0 tcp 25
> > 1:P eth2 0.0.0.0/0 tcp 25
>
> add:
> 5 $FW 0.0.0.0/0 tcp 25 - -
>
> Sorry for my too speedy response.
>
> Jerry

I've been waiting for this too. I'm having a similar problem, but in my case, the two-ISP fw box runs a proxy server (squid). I can't set https (443) traffic to one of the ISPs, and I've been studying the case in the last week.

If you look at the picture at http://www.shorewall.net/images/Netfilter.png, you can see that packets created by processes running in the firewall don't traverse the PREROUTING or FORWARD chains in the mangle table. That means that the packets created in tcpre that should mark that kind of traffic for later ip rule processing are never traversed. For what I could see, if the mark rules were created in the tcout chain in the mangle table they would be marked. So, maybe the tcrules file should have a new mark type:

1:O $FW 0.0.0.0/0 tcp 25

Or maybe I'm completely wrong and you will all correct my ignorance.

cheers,
-- Eduardo Ferreira
> > This would need to be the first entry in the providers file....
> >
> > add:
> > mail 5 5 main eth0 65.84.10.209 - eth2
> >
> > > /etc/shorewall/tcrules
> > > # none of these seem to matter
> > > 1:P $FW  0.0.0.0/0 tcp 25
> > > 1:P eth2 0.0.0.0/0 tcp 25
> >
> > add:
> > 5 $FW 0.0.0.0/0 tcp 25 - -
> >
> > Sorry for my too speedy response.
> >
> > Jerry
>
> I've been waiting for this too. I'm having a similar problem, but in my
> case, the two-ISP fw box runs a proxy server (squid). I can't set https
> (443) traffic to one of the ISPs, and I've been studying the case in the
> last week.
> If you look at the picture at
> http://www.shorewall.net/images/Netfilter.png, you can see that packets
> created by processes running in the firewall don't traverse the PREROUTING
> or FORWARD chains in the mangle table. That means that the packets
> created in tcpre that should mark that kind of traffic for later ip rule
> processing are never traversed. For what I could see, if the mark rules
> were created in the tcout chain in the mangle table they would be marked.
> So, maybe the tcrules file should have a new mark type:
> 1:O $FW 0.0.0.0/0 tcp 25
>
> Or maybe I'm completely wrong and you will all correct my ignorance.

From tcrules:

"Use $FW if the packet originates on the firewall in which case the MARK column may NOT specify either ":P" or ":F" (marking always occurs in the OUTPUT chain)"

Jerry
Jerry Vonau wrote on 23/09/2005 10:14:22:

> > > This would need to be the first entry in the providers file....
> >
> > Or maybe I'm completely wrong and you will all correct my ignorance.
>
> "Use $FW if the packet originates on the firewall in which case the MARK
> column may NOT specify either ":P" or ":F" (marking always occurs in the
> OUTPUT chain)"
>
> Jerry

I shouldn't write a memo before my first three morning coffees. You are absolutely right. Sorry all.

-- Eduardo Ferreira
Jerry,

thanks for the quick answer... alas it is still passing email through eth2.... See comments below on my modifications...

-- stanley

>> I have a small problem and I am out of ideas. I've set up the
>> shorewall and it works great, with one small issue.
>> The current setup is as follows:
>>
>> ISP1 provides external IP1 - used by eth0
>> ISP2 provides external IP2 - used by eth1
>> - eth2 is connected to internal network
>> - firewall machine is running mail server
>>
>> I've followed the instructions on
>> http://www.shorewall.net/Shorewall_and_Routing.html
>> and I can see outbound connections being distributed to both eth0 and
>> eth1 (which is great). Our main DNS is only officially mapped to IP1 (IP2 is
>> used as backup only). When I send email to Yahoo, if the email goes through
>> ISP1, Yahoo puts it into Inbox; if the email goes through ISP2, Yahoo puts it
>> in 'Bulk' (since originating IP address (IP2) does not match our DNS IP (IP1)).
>> What I would like to do is to have all outgoing mail go from eth0 (IP1), so I don't
>> have the above problem.
>
> I've been fooling around with this and waiting for a victim... err
> beta tester to confirm my findings.
>
>> I've followed the suggestions about using the following:
>>
>> /etc/shorewall/shorewall.conf
>> ...
>> TC_ENABLED=Yes
>> ...
>>
>> /etc/shorewall/providers
>> DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2
>> YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
>
> add:
> mail 5 5 main eth0 65.84.10.209 - eth2

added to the beginning of the providers file before any other entries for providers

>> /etc/shorewall/tcrules
>> # none of these seem to matter
>> 1:P $FW  0.0.0.0/0 tcp 25
>> 1:P eth2 0.0.0.0/0 tcp 25
>
> add:
> 5 $FW 0.0.0.0/0 tcp 25 - -

commented out the previous lines. The new tcrules only contains a single line (the one starting with '5'). Should I have left the original lines in??? I don't think that they help...

> restart now.

restarted, but the tethereal still shows SMTP traffic over eth2.

-- stanley
> Jerry,
>
> thanks for the quick answer... alas it is still
> passing email through eth2.... See comments below
> on my modifications...
>
> -- stanley

Can I get a shorewall status please.

Jerry
Jerry,

attached is output of 'shorewall status'. It seems that this command hangs (does not return) and so I have to use ^C to stop it. Is this normal?

thanks,
-- stanley

Jerry Vonau wrote:
>> Jerry,
>>
>> thanks for the quick answer... alas it is still
>> passing email through eth2.... See comments below
>> on my modifications...
>>
>> -- stanley
>
> Can I get a shorewall status please.
>
> Jerry
On Friday 23 September 2005 13:02, Stanley Gambarin wrote:
> Jerry,
>
> attached is output of 'shorewall status'. It seems
> that this command hangs (does not return) and so I have
> to use ^C to stop it. Is this normal?

It is if your log file is enormous -- be patient -- it will finish (and what you sent is useless for diagnosing your problem). And you probably should review your log rotation policy.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom,

Tom Eastep wrote:
> On Friday 23 September 2005 13:02, Stanley Gambarin wrote:
>> Jerry,
>>
>> attached is output of 'shorewall status'. It seems
>> that this command hangs (does not return) and so I have
>> to use ^C to stop it. Is this normal?
>
> It is if your log file is enormous -- be patient -- it will finish (and what
> you sent is useless for diagnosing your problem). And you probably should
> review your log rotation policy.

the firewall was only recently started, it's just that we actually use this website :) New file with all of the output is attached. Thanks for the help (I really appreciate it).

-- stanley
> the firewall was only recently started, it's just that we actually
> use this website :) New file with all of the output is attached.
> Thanks for the help (I really appreciate it).
>
> -- stanley

I'm bad, the eth2 would add that nic's routing also. The status showed that in the "ip rules" the "from fwmarks" were listed after the "from ip" rules, first match wins, we want to have the fwmarks make the routing choice. The 'loose' option in the providers file changes this order, placing the "fwmarks" before the "from ip" rules.

DSLNET 1 1 main eth0 65.84.10.209 loose,track,balance=2 eth2
YAHOO  2 2 main eth1 69.227.235.46 loose,track,balance   eth2
mail   5 5 main eth0 65.84.10.209 loose

Give this a test please.

Jerry
On Friday 23 September 2005 13:23, Stanley Gambarin wrote:
> Thanks for the help (I really appreciate it).

Looks like you haven't set TC_ENABLED=Yes -- either that or your tcrules file is empty.

-Tom
Jerry,

wow, that was an interesting one....

Jerry Vonau wrote:
> I'm bad, the eth2 would add that nic's routing also. The status showed
> that in the "ip rules" the "from fwmarks" were listed after the "from ip"
> rules, first match wins, we want to have the fwmarks make the routing
> choice. The 'loose' option in the providers file changes this order, placing
> the "fwmarks" before the "from ip" rules.
>
> DSLNET 1 1 main eth0 65.84.10.209 loose,track,balance=2 eth2
> YAHOO  2 2 main eth1 69.227.235.46 loose,track,balance   eth2
> mail   5 5 main eth0 65.84.10.209 loose

with the new change, I get the following:

root@mama:/etc/shorewall # ip ru
0:      from all lookup local
32723:  from all fwmark 0x5 lookup MAIL
32724:  from all fwmark 0x2 lookup YAHOO
32725:  from all fwmark 0x1 lookup DSLNET
32766:  from all lookup main
32767:  from all lookup default

NOTE: all entries that used to contain IP address in them are now GONE !!!

- so with the above change, the email traffic started going out on eth0 (which was good). However, since all ip rules for external IPs got dropped, I could not get access (DNS resolution) from outside.
- we don't run DNS server, so any DNS access from outside would usually get rejected, and default www.apogee.com (65.84.10.210) would get returned. I guess that since the rules for 65.84.10.210 got dropped, DNS got confused??? and would not resolve www.apogee.com.

In any case, I've added the following lines to my 'start' file:

ip ru add from 65.84.10.210 pref 32730 lookup MAIL
ip ru add from 65.84.10.210 pref 32731 lookup DLSNET
ip ru add from 69.227.235.45 pref 32732 lookup YAHOO

which seems to have fixed the above (and mail so far seems to be going well). I guess the semantics of the 'loose' directive were not what you expected. Thanks for all the help... if you want me to try a fix, just email. Unless something else breaks, I had a wonderful experience.

thanks,
-- stanley
> The 'loose' option in the providers file changes this order, placing
> the "fwmarks" before the "from ip" rules.

The client application may still try to use the wrong interface, the workaround is to have a masq statement to make it look like it's from the correct address.

eth0 69.227.235.45 65.84.10.210

Jerry
> Jerry,
>
> wow, that was an interesting one....
>
> Jerry Vonau wrote:
> > I'm bad, the eth2 would add that nic's routing also. The status showed
> > that in the "ip rules" the "from fwmarks" were listed after the "from ip"
> > rules, first match wins, we want to have the fwmarks make the routing
> > choice. The 'loose' option in the providers file changes this order, placing
> > the "fwmarks" before the "from ip" rules.
> >
> > DSLNET 1 1 main eth0 65.84.10.209 loose,track,balance=2 eth2
> > YAHOO  2 2 main eth1 69.227.235.46 loose,track,balance   eth2
> > mail   5 5 main eth0 65.84.10.209 loose
>
> with the new change, I get the following:
>
> root@mama:/etc/shorewall # ip ru
> 0:      from all lookup local
> 32723:  from all fwmark 0x5 lookup MAIL
> 32724:  from all fwmark 0x2 lookup YAHOO
> 32725:  from all fwmark 0x1 lookup DSLNET
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> NOTE: all entries that used to contain IP address
> in them are now GONE !!!

Checking on the status of a patch that I thought was in the main release, this is not quite what I had expected either. The patch retains the "from rules", just places the fwmarks ahead of them.

> - so with the above change, the email traffic started
> going out on eth0 (which was good). However, since all
> ip rules for external IPs got dropped, I could not get
> access (DNS resolution) from outside.
> - we don't run DNS server, so any DNS access from outside
> would usually get rejected, and default www.apogee.com
> (65.84.10.210) would get returned. I guess that since the
> rules for 65.84.10.210 got dropped, DNS got confused???
> and would not resolve www.apogee.com.
>
> In any case, I've added the following lines to my 'start'
> file:
>
> ip ru add from 65.84.10.210 pref 32730 lookup MAIL
> ip ru add from 65.84.10.210 pref 32731 lookup DLSNET
> ip ru add from 69.227.235.45 pref 32732 lookup YAHOO
>
> which seems to have fixed the above (and mail so far
> seems to be going well). I guess the semantics of the
> 'loose' directive were not what you expected. Thanks
> for all the help... if you want me to try a fix, just
> email. Unless something else breaks, I had a
> wonderful experience.
>
> thanks,
> -- stanley

Maybe don't use loose, and just recreate the fwmark rules, that should place them ahead of the from ip ones.

Jerry
> wow, that was an interesting one....
>
> > I'm bad, the eth2 would add that nic's routing also. The status showed
> > that in the "ip rules" the "from fwmarks" were listed after the "from ip"
> > rules, first match wins, we want to have the fwmarks make the routing
> > choice. The 'loose' option in the providers file changes this order, placing
> > the "fwmarks" before the "from ip" rules.
> >
> > DSLNET 1 1 main eth0 65.84.10.209 loose,track,balance=2 eth2
> > YAHOO  2 2 main eth1 69.227.235.46 loose,track,balance   eth2
> > mail   5 5 main eth0 65.84.10.209 loose

In hindsight, with the above, the mail table would be a rehash of the main table, with both providers in it. That was really bad advice, sorry. The first example would not have had this issue, it had the "copy from", and would have excluded the other provider. Leaving the "duplicate" undefined (forgot you could do that) sets up the gateway the same way as the squid example. Could you try:

mail   5 5 -    eth0 65.84.10.209
YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2

> with the new change, I get the following:
>
> root@mama:/etc/shorewall # ip ru
> 0:      from all lookup local
> 32723:  from all fwmark 0x5 lookup MAIL
> 32724:  from all fwmark 0x2 lookup YAHOO
> 32725:  from all fwmark 0x1 lookup DSLNET
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> NOTE: all entries that used to contain IP address
> in them are now GONE !!!

Yes, loose removes src rules, sorry again, bad advice. I promise not to play 'loose' again. ;-)

> Checking on the status of a patch that I thought was in the main release, this
> is not quite what I had expected either. The patch retains the "from rules",
> just places the fwmarks ahead of them.

Just looking for the best way to define an alternate routing table when using 2 isps, and the src/fwmark/table relationship that is at work. I was under the impression that you needed a source address in the alternate routing table, but that was incorrect, you just need a gateway.

> In any case, I've added the following lines to my 'start'
> file:
>
> ip ru add from 65.84.10.210 pref 32730 lookup MAIL
> ip ru add from 65.84.10.210 pref 32731 lookup DLSNET
> ip ru add from 69.227.235.45 pref 32732 lookup YAHOO
>
> which seems to have fixed the above (and mail so far
> seems to be going well). I guess the semantics of the
> 'loose' directive were not what you expected. Thanks
> for all the help... if you want me to try a fix, just
> email. Unless something else breaks, I had a
> wonderful experience.

> Maybe don't use loose, and just recreate the fwmark rules,
> that should place them ahead of the from ip ones.

Sorry for leading you astray, glad you were able to recover. Please see if the above works (it appears to here), just looking for the cleanest way of doing it, so the info is available for others in the archives.

Jerry
Jerry,

Jerry Vonau wrote:
> Could you try:
>
> mail   5 5 -    eth0 65.84.10.209
> YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
> DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2

with the above change, I get the following:

root@mama:/etc/shorewall # ip ru
0:      from all lookup local
32708:  from 69.227.235.45 lookup YAHOO
32709:  from all fwmark 0x2 lookup YAHOO
32710:  from 65.84.10.210 lookup DSLNET
32711:  from all fwmark 0x1 lookup DSLNET
32713:  from all fwmark 0x5 lookup MAIL
32716:  from 69.227.235.43 lookup YAHOO
32755:  from 69.227.235.44 lookup YAHOO
32766:  from all lookup main
32767:  from all lookup default

and the mail still comes out from the eth1, not eth2. Some more information on the configuration that I tried is listed below. I am willing to try other options :)

thanks,
-- stanley

root@mama:/etc/shorewall # tail providers
#
############################################################################################
#NAME    NUMBER  MARK  DUP   IF    GATEWAY        OPTIONS          COPY
MAIL     5       5     -     eth0  65.84.10.209
DSLNET   1       1     main  eth0  65.84.10.209   track,balance=2  eth2
YAHOO    2       2     main  eth1  69.227.235.46  track,balance    eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

root@mama:/etc/shorewall # tail masq
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE  SUBNET          ADDRESS        PROTO  PORT(S)  IPSEC
eth0        eth2
eth1        eth2
eth0        69.227.235.45   65.84.10.210
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> Jerry,
>
> Jerry Vonau wrote:
> > Could you try:
> >
> > mail   5 5 -    eth0 65.84.10.209
> > YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
> > DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2
>
> with the above change, I get the following:
>
> root@mama:/etc/shorewall # ip ru
> 0:      from all lookup local
> 32708:  from 69.227.235.45 lookup YAHOO
> 32709:  from all fwmark 0x2 lookup YAHOO
> 32710:  from 65.84.10.210 lookup DSLNET
> 32711:  from all fwmark 0x1 lookup DSLNET
> 32713:  from all fwmark 0x5 lookup MAIL
> 32716:  from 69.227.235.43 lookup YAHOO
> 32755:  from 69.227.235.44 lookup YAHOO
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> and the mail still comes out from the eth1,
> not eth2. Some more information on the
> configuration that I tried is listed below.
> I am willing to try other options :)
>
> thanks,
> -- stanley
>
> root@mama:/etc/shorewall # tail providers
> #
> ############################################################################################
> #NAME    NUMBER  MARK  DUP   IF    GATEWAY        OPTIONS          COPY
> MAIL     5       5     -     eth0  65.84.10.209
> DSLNET   1       1     main  eth0  65.84.10.209   track,balance=2  eth2
> YAHOO    2       2     main  eth1  69.227.235.46  track,balance    eth2
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> root@mama:/etc/shorewall # tail masq
> # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
> #
> # For additional information, see http://shorewall.net/Documentation.htm#Masq
> #
> ###############################################################################
> #INTERFACE  SUBNET          ADDRESS        PROTO  PORT(S)  IPSEC
> eth0        eth2
> eth1        eth2
> eth0        69.227.235.45   65.84.10.210
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Can I have a status please, give a better overall picture.

Jerry
Jerry Vonau wrote:
>
> Can I have a status please, give a better overall picture.

This looks like a real candidate for the 'noloose' patch -- we need to be sure that patch is in 2.4.5.

-Tom
> Jerry,
>
> Jerry Vonau wrote:
> > Could you try:
> >
> > mail   5 5 -    eth0 65.84.10.209
> > YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
> > DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2
>
> with the above change, I get the following:
>
> root@mama:/etc/shorewall # ip ru
> 0:      from all lookup local
> 32708:  from 69.227.235.45 lookup YAHOO
> 32709:  from all fwmark 0x2 lookup YAHOO
> 32710:  from 65.84.10.210 lookup DSLNET
> 32711:  from all fwmark 0x1 lookup DSLNET
> 32713:  from all fwmark 0x5 lookup MAIL
> 32716:  from 69.227.235.43 lookup YAHOO
> 32755:  from 69.227.235.44 lookup YAHOO
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> and the mail still comes out from the eth1,
> not eth2. Some more information on the
> configuration that I tried is listed below.
> I am willing to try other options :)
>
> thanks,

Just to clarify that the mail traffic originates with the firewall and not a host that is in your local zone, right?

Jerry
Jerry,

attached is the output of 'shorewall status' with the suggested changes. The firewall machine is running a mail server. My 'thunderbird' is configured to have 'Outgoing SMTP server' to be the firewall machine. I believe that that means that email traffic is going from the firewall (mail server will queue messages for delivery, attempt to contact final destination, deliver email); although my understanding of networking leaves much to be desired.

-- stanley

Jerry Vonau wrote:
>> Jerry,
>>
>> Jerry Vonau wrote:
>>> Could you try:
>>>
>>> mail   5 5 -    eth0 65.84.10.209
>>> YAHOO  2 2 main eth1 69.227.235.46 track,balance   eth2
>>> DSLNET 1 1 main eth0 65.84.10.209 track,balance=2 eth2
>>
>> with the above change, I get the following:
>>
>> root@mama:/etc/shorewall # ip ru
>> 0:      from all lookup local
>> 32708:  from 69.227.235.45 lookup YAHOO
>> 32709:  from all fwmark 0x2 lookup YAHOO
>> 32710:  from 65.84.10.210 lookup DSLNET
>> 32711:  from all fwmark 0x1 lookup DSLNET
>> 32713:  from all fwmark 0x5 lookup MAIL
>> 32716:  from 69.227.235.43 lookup YAHOO
>> 32755:  from 69.227.235.44 lookup YAHOO
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>>
>> and the mail still comes out from the eth1,
>> not eth2. Some more information on the
>> configuration that I tried is listed below.
>> I am willing to try other options :)
>>
>> thanks,
>
> Just to clarify that the mail traffic originates with the firewall and not a host
> that is in your local zone, right?
>
> Jerry
> Jerry,
>
> attached is the output of 'shorewall status'
> with the suggested changes. The firewall machine
> is running a mail server. My 'thunderbird' is
> configured to have 'Outgoing SMTP server' to be the
> firewall machine. I believe that that means that
> email traffic is going from the firewall (mail server
> will queue messages for delivery, attempt to contact
> final destination, deliver email); although my
> understanding of networking leaves much to be
> desired.
>
> -- stanley

Well, the traffic is being marked:

Chain tcout (1 references)
 pkts bytes target  prot opt in  out  source     destination
   10   536 MARK    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:25 MARK set 0x5

I wonder what source address is being used, could you change the tcrules file to read:

5 $FW               0.0.0.0/0 tcp 25
5 $FW:69.227.235.45 0.0.0.0/0 tcp 25
5 $FW:204.247.208.1 0.0.0.0/0 tcp 25
5 $FW:65.84.10.210  0.0.0.0/0 tcp 25

This will list the connections by source address in the tcout chain, last match gets to mark the packet, but the below *should* work by itself.

Restart Shorewall and then by hand do:

ip rule del fwmark 0x5
ip rule add fwmark 0x5 table MAIL
ip route flush cache

Retest please. It *should* work and that would confirm the need for the noloose patch that Tom was talking about.

Jerry
Jerry Vonau wrote:
>
> Restart Shorewall and then by hand do:
>
> ip rule del fwmark 0x5
> ip rule add fwmark 0x5 table MAIL
> ip route flush cache

Beware the above procedure -- it may insert to rule at the same preference as the rule that was deleted. If so, use:

ip rule del fwmark 0x5
ip rule add fwmark 0x5 pref 100 table MAIL

This will insure that the fwmark rule precedes all of the other rules.

-Tom
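As an added illustration (not code from the thread or from Shorewall), the script below replays the kernel's "first match wins" rule walk over the `ip rule` listing Stanley posted, showing why a marked SMTP packet leaving with the eth1 address as source is routed by the `from 69.227.235.45` rule before the `fwmark 0x5` rule is ever reached, and how inserting the fwmark rule at `pref 100` as Tom suggests changes the outcome. The packet's source address and the egress interface behind each table's default route are assumptions taken from the providers file in the thread.

```python
"""Replay the Linux policy-routing rule walk over a captured `ip rule`
listing ("first match wins"), to show why a marked SMTP packet is still
routed by an earlier "from <ip>" rule, and what inserting the fwmark rule
at a low preference number changes.

Added example for this thread; not code from Shorewall or the posters.
"""
import re

# `ip ru` listing copied from the thread after the MAIL provider was added:
# the fwmark 0x5 rule sits after the "from <ip>" rules.
IP_RULE_LISTING = """\
0:      from all lookup local
32708:  from 69.227.235.45 lookup YAHOO
32709:  from all fwmark 0x2 lookup YAHOO
32710:  from 65.84.10.210 lookup DSLNET
32711:  from all fwmark 0x1 lookup DSLNET
32713:  from all fwmark 0x5 lookup MAIL
32716:  from 69.227.235.43 lookup YAHOO
32755:  from 69.227.235.44 lookup YAHOO
32766:  from all lookup main
32767:  from all lookup default
"""

# Assumed egress interface of each table's default route, derived from the
# providers file in the thread (YAHOO -> eth1, DSLNET/MAIL -> eth0, main is
# the balanced route). Tables absent here (local, default) are assumed to
# hold no route to an Internet destination, so the walk continues past them.
TABLE_EGRESS = {
    "YAHOO": "eth1",
    "DSLNET": "eth0",
    "MAIL": "eth0",
    "main": "eth0+eth1 (balanced)",
}

RULE_RE = re.compile(
    r"^(?P<pref>\d+):\s+from (?P<src>\S+)"
    r"(?: fwmark (?P<mark>0x[0-9a-fA-F]+))? lookup (?P<table>\S+)$"
)


def parse_rules(listing):
    """Parse `ip rule` output into (pref, src, mark, table) tuples in pref order.

    `src` is the literal 'all' or an address; `mark` is an int, or None when
    the rule carries no fwmark selector.
    """
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # rule forms this example does not model are skipped
        mark = int(m.group("mark"), 16) if m.group("mark") else None
        rules.append((int(m.group("pref")), m.group("src"), mark, m.group("table")))
    return sorted(rules)


def select_route(rules, src, mark, table_egress=TABLE_EGRESS):
    """Walk the rules as the kernel does and return (pref, table, egress).

    A rule matches when its source selector is 'all' or equals `src` and its
    fwmark selector is absent or equals `mark`. The first matching rule whose
    table holds a usable route decides; tables without one are skipped and
    the walk continues. Returns None if nothing matches.
    """
    for pref, rsrc, rmark, table in rules:
        if rsrc != "all" and rsrc != src:
            continue
        if rmark is not None and rmark != mark:
            continue
        egress = table_egress.get(table)
        if egress is None:
            continue
        return pref, table, egress
    return None


def add_rule(rules, pref, src, mark, table):
    """Insert a rule as `ip rule add ... pref PREF table TABLE` would, keeping
    the list in preference order."""
    return sorted(rules + [(pref, src, mark, table)])


def diagnose(src="69.227.235.45", mark=0x5):
    """Route one marked SMTP packet before and after the pref 100 fix.

    The source address is an assumption: the thread only suspects that the
    mail server sends with the eth1 address. Returns (before, after).
    """
    rules = parse_rules(IP_RULE_LISTING)
    before = select_route(rules, src, mark)
    # Tom's fix: place the fwmark rule at a preference below every "from" rule.
    fixed = add_rule(rules, 100, "all", 0x5, "MAIL")
    after = select_route(fixed, src, mark)
    return before, after


if __name__ == "__main__":
    before, after = diagnose()
    print("as posted:", before)  # rule 32708 'from 69.227.235.45' wins -> YAHOO/eth1
    print("with fix :", after)   # pref 100 fwmark rule wins -> MAIL/eth0
```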
Tom Eastep wrote:
> Jerry Vonau wrote:
>
>> Restart Shorewall and then by hand do:
>>
>> ip rule del fwmark 0x5
>> ip rule add fwmark 0x5 table MAIL
>> ip route flush cache
>>
>
> Beware the above procedure -- it may insert to rule at the same

s/to rule/the rule/

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Jerry, Tom,

seems to be working as you would expect. I've placed the ip rule/route lines in the 'start' file, so they will take care of themselves upon next restart.

thanks,
-- stanley

Tom Eastep wrote:
> Jerry Vonau wrote:
>
>> Restart Shorewall and then by hand do:
>>
>> ip rule del fwmark 0x5
>> ip rule add fwmark 0x5 table MAIL
>> ip route flush cache
>>
>
> Beware the above procedure -- it may insert to rule at the same
> preference as the rule that was deleted. If so, use:
>
> ip rule del fwmark 0x5
> ip rule add fwmark 0x5 pref 100 table MAIL
>
> This will insure that the fwmark rule precedes all of the other rules.
>
> -Tom
Stanley Gambarin wrote:
> Jerry, Tom,
>
> seems to be working as you would expect. I've
> placed the ip rule/route lines in the 'start' file,
> so they will take care of themselves upon next
> restart.

Thanks, Stanley

The 'firewall' code in the current SHOREWALL-2_4 branch of CVS should create the routing rules in the correct order and allow you to configure proper email handling with just packet marking.

Unfortunately, the anonymous CVS server at Sourceforge is completely broken at the moment but if you would like me to send you the 'firewall' file, you could just copy it over /usr/share/shorewall/firewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom,

Tom Eastep wrote:
> The 'firewall' code in the current SHOREWALL-2_4 branch of CVS should
> create the routing rules in the correct order and allow you to configure
> proper email handling with just packet marking.
>
> Unfortunately, the anonymous CVS server at Sourceforge is completely
> broken at the moment but if you would like me to send you the 'firewall'
> file, you could just copy it over /usr/share/shorewall/firewall.

sure, that would be great... and just so that I am clear on things...

- once I replace the new 'shorewall' file, I should have the following in my config files:

providers:
MAIL    5  5  -     eth0  65.84.10.209
DSLNET  1  1  main  eth0  65.84.10.209   track,balance=2  eth2
YAHOO   2  2  main  eth1  69.227.235.46  track,balance    eth2

tcrules:
5  $FW  0.0.0.0/0  tcp  25

start:
# empty

masq:
eth0  eth2
eth1  eth2
eth0  69.227.235.45  65.84.10.210   # do I still need this ?

thanks,
-- stanley

p.s. it's been a pleasure.... if you guys are ever near San Jose, stop by, I'll buy you a beer :)
Stanley Gambarin wrote:
>
> - once I replace the new 'shorewall' file, I should have the following in
> my config files:
>
> providers:
> MAIL    5  5  -     eth0  65.84.10.209
> DSLNET  1  1  main  eth0  65.84.10.209   track,balance=2  eth2
> YAHOO   2  2  main  eth1  69.227.235.46  track,balance    eth2
>
> tcrules:
> 5  $FW  0.0.0.0/0  tcp  25
>
> start:
> # empty
>
> masq:
> eth0  eth2
> eth1  eth2
> eth0  69.227.235.45  65.84.10.210   # do I still need
> this ?
>

Looks good. You do still need the masq entry.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key