Joffrey FLEURICE
2006-Oct-17 16:05 UTC
Re: Tc rules Help with multiISP+ squid& squidguard...
Tom wrote:
> My advice to you is still the same -- you are going to have to use tcpdump
> or ethereal to see what is happening. You have the computer there in front
> of you -- we don't. So only you are going to be able to solve this. We are
> not.
>
> From the dump you sent, it looks like many SYN packets are being sent on
> ppp0 and never replied to. So you need to confirm that they are actually
> being sent on ppp0 and not on eth0.
>
> Does ppp0 work if you configure it as your only Internet connection?

I have tested with only eth0: works perfectly.
I have tested with only ppp0: works perfectly.

I think the problem is in tcRules. I think that packet marking works when no squid is present, but when the squid is present, the squid doesn't find or understand packet marking.

JFE

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Joffrey FLEURICE wrote:
> Tom wrote:
>> My advice to you is still the same -- you are going to have to use tcpdump
>> or ethereal to see what is happening. You have the computer there in front
>> of you -- we don't. So only you are going to be able to solve this. We are
>> not.
>>
>> From the dump you sent, it looks like many SYN packets are being sent on
>> ppp0 and never replied to. So you need to confirm that they are actually
>> being sent on ppp0 and not on eth0.
>>
>> Does ppp0 work if you configure it as your only Internet connection?
>
> I have tested with only eth0: works perfectly.
> I have tested with only ppp0: works perfectly.
>
> I think the problem is in tcRules. I think that packet marking works when
> no squid is present, but when the squid is present, the squid doesn't
> find or understand packet marking.

Ignoring for a moment the fact that Squid itself has nothing to do with packet marks, you are not currently marking any traffic generated by squid. Unlike your previous dump, this last one does not show any marking of traffic from your firewall to remote web servers (tcp port 80). Only tcp port 80 traffic that enters our firewall through eth1 is being marked. And squid, being a proxy, will generate brand new packets to send to the net -- these packets currently have no mark.

-Tom
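
The check described in the reply above (is tcp port 80 traffic marked only on the forwarded path, or also on the path taken by packets the firewall itself generates?), as an added example that is not part of the original thread. It assumes input in `iptables-save -t mangle` format and Shorewall-style chain names `tcpre` and `tcout`; both rule sets and the mark value are constructed samples.

```shell
#!/bin/sh
# Added example: report which mangle-table paths set a MARK on tcp port 80.
# Input on stdin: text in `iptables-save -t mangle` format.
# Assumption: chains tcpre (entered from PREROUTING) and tcout (entered
# from OUTPUT) carry the marking rules.

mark_paths() {
    # Prints one of: forwarded, local, both, none.
    awk '
        $1 == "-A" && /--dport 80( |$)/ && /-j MARK/ {
            # PREROUTING path: packets arriving from the LAN clients.
            if ($2 == "PREROUTING" || $2 == "tcpre") fwd = 1
            # OUTPUT path: packets created on the firewall, e.g. by a proxy.
            if ($2 == "OUTPUT" || $2 == "tcout") loc = 1
        }
        END {
            if (fwd && loc) print "both"
            else if (fwd) print "forwarded"
            else if (loc) print "local"
            else print "none"
        }'
}

# Constructed sample: only port 80 traffic entering on eth1 is marked, so
# the new connections a proxy on the firewall opens leave without a mark.
BEFORE='*mangle
-A PREROUTING -j tcpre
-A OUTPUT -j tcout
-A tcpre -i eth1 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
COMMIT'

# Constructed sample: same table, plus a rule marking locally generated
# port 80 traffic in the OUTPUT path.
AFTER='*mangle
-A PREROUTING -j tcpre
-A OUTPUT -j tcout
-A tcpre -i eth1 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
-A tcout -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
COMMIT'

echo "before: $(printf '%s\n' "$BEFORE" | mark_paths)"
echo "after:  $(printf '%s\n' "$AFTER" | mark_paths)"
```

A result of `forwarded` matches the situation in the reply: client traffic is marked on the way in, but the proxy's own outbound connections are not.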

Joffrey FLEURICE wrote:
> Tom wrote:
>> My advice to you is still the same -- you are going to have to use tcpdump
>> or ethereal to see what is happening. You have the computer there in front
>> of you -- we don't. So only you are going to be able to solve this. We are
>> not.
>>
>> From the dump you sent, it looks like many SYN packets are being sent on
>> ppp0 and never replied to. So you need to confirm that they are actually
>> being sent on ppp0 and not on eth0.
>>
>> Does ppp0 work if you configure it as your only Internet connection?
>
> I have tested with only eth0: works perfectly.
> I have tested with only ppp0: works perfectly.
>
> I think the problem is in tcRules. I think that packet marking works when
> no squid is present, but when the squid is present, the squid doesn't
> find or understand packet marking.

Have you had any success in running this problem down? If not, you might check the setting of CONFIG_IP_ROUTE_MULTIPATH_CACHED in your kernel's configuration. Turning on that option is known to cause problems with Multi-ISP routing.

-Tom