I'm just starting to experiment with multi-isp configuration and at the
part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:

    Regardless of whether you have masqueraded hosts or not, YOU
    MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:

    #INTERFACE SUBNET ADDRESS
    eth0 130.252.99.27 206.124.146.176
    eth1 206.124.146.176 130.252.99.27

If this is a MUST requirement for all multi-isp setups, then can
shorewall not figure this out for itself and install it without the user
having to specify it?

Just trying to reduce steps required to set this up in order to reduce
possible points of erroneous configuration.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Brian J. Murrell wrote:
> I'm just starting to experiment with multi-isp configuration and at the
> part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:
>
>     Regardless of whether you have masqueraded hosts or not, YOU
>     MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:
>
>     #INTERFACE SUBNET ADDRESS
>     eth0 130.252.99.27 206.124.146.176
>     eth1 206.124.146.176 130.252.99.27
>
> If this is a MUST requirement for all multi-isp setups, then can
> shorewall not figure this out for itself and install it without the user
> having to specify it?

Not really.

a) Shorewall couldn't determine where to put them in the masq file and the
file is order-sensitive.

b) Shorewall could redundantly add them, not realizing that the same traffic
is adequately covered by other masq rules such as:

    eth0 0.0.0.0/0 206.124.146.177 #The different ADDRESS is
                                   #intentional

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Shorewall isn't psychic. In the absolute simplest circumstances, yes, a
script could figure out what you probably want based on how your
interfaces are configured. But those are trivial to set up anyhow. What
if you have multiple subnets on your local network? What if you have
multiple IP addresses on your Internet-facing interfaces? There is no
way a script could accurately guess what you want in those situations.

Thank you,
Bryan Vukich

On Wed, 2007-01-31 at 15:24 -0500, Brian J. Murrell wrote:
> I'm just starting to experiment with multi-isp configuration and at the
> part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:
>
>     Regardless of whether you have masqueraded hosts or not, YOU
>     MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:
>
>     #INTERFACE SUBNET ADDRESS
>     eth0 130.252.99.27 206.124.146.176
>     eth1 206.124.146.176 130.252.99.27
>
> If this is a MUST requirement for all multi-isp setups, then can
> shorewall not figure this out for itself and install it without the user
> having to specify it?
>
> Just trying to reduce steps required to set this up in order to reduce
> possible points of erroneous configuration.
>
> b.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Wed, 2007-01-31 at 13:12 -0800, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > I'm just starting to experiment with multi-isp configuration and at the
> > part of the doc (http://www.shorewall.net/MultiISP.html) that specifies:
> >
> >     Regardless of whether you have masqueraded hosts or not, YOU
> >     MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:
> >
> >     #INTERFACE SUBNET ADDRESS
> >     eth0 130.252.99.27 206.124.146.176
> >     eth1 206.124.146.176 130.252.99.27
> >
> > If this is a MUST requirement for all multi-isp setups, then can
> > shorewall not figure this out for itself and install it without the user
> > having to specify it?
>
> Not really.
>
> a) Shorewall couldn't determine where to put them in the masq file and the
> file is order-sensitive.

OK. That brings up a question then: where should they go normally? It
seems that they are just a safety check that a locally generated packet
has the right source address for the interface it's bound for. Does
order really matter in this case?

Given the configuration at hand at http://www.shorewall.net/MultiISP.html:

    #INTERFACE SUBNET ADDRESS
    eth0 eth2 206.124.146.176
    eth1 eth2 130.252.99.27

and the need to add:

    eth0 130.252.99.27 206.124.146.176
    eth1 206.124.146.176 130.252.99.27

It doesn't seem to matter what order those go in since they don't
overlap at all.

> b) Shorewall could redundantly add them, not realizing that the same traffic
> is adequately covered by other masq rules such as:
>
>     eth0 0.0.0.0/0 206.124.146.177 #The different ADDRESS is
>                                    #intentional

If the "don't use the other known interface source addresses" rules were
put right at the end, would that not suffice? i.e.:

  * if no other masq rules match and
  * the source address for the destined interface is known to be for
    another outbound interface
  * then masq it to the right address

In any case, I am sure you understand the issues better than I, so if my
logic above is still flawed, I will just accept that it cannot be made
automatic.

I have some thoughts on dealing with dead ISPs and multi-ISP
configurations. Shall I start a thread about it or are you really not
interested in Shorewall dealing with this situation?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
>
> Given the configuration at hand at
> http://www.shorewall.net/MultiISP.html:
>
>     #INTERFACE SUBNET ADDRESS
>     eth0 eth2 206.124.146.176
>     eth1 eth2 130.252.99.27
>
> and the need to add:
>
>     eth0 130.252.99.27 206.124.146.176
>     eth1 206.124.146.176 130.252.99.27
>
> It doesn't seem to matter what order those go in since they don't
> overlap at all.

So you don't believe it matters whether you put your frequently-matched
rules before the ones that are not matched very often? Shorewall
certainly can't tell which rules are going to be matched more heavily.

> >> b) Shorewall could redundantly add them, not realizing that the same traffic
> >> is adequately covered by other masq rules such as:
> >>
> >>     eth0 0.0.0.0/0 206.124.146.177 #The different ADDRESS is
> >>                                    #intentional
>
> If the "don't use the other known interface source addresses" rules were
> put right at the end, would that not suffice? i.e.:
>
>   * if no other masq rules match and
>   * the source address for the destined interface is known to be for
>     another outbound interface
>   * then masq it to the right address

It would suffice -- but again, it still takes CPU cycles to add the rules
and it still consumes CPU cycles at run-time to send packets through
these rules -- if they are redundant, then those CPU cycles are basically
wasted.

> In any case, I am sure you understand the issues better than I, so if my
> logic above is still flawed, I will just accept that it cannot be made
> automatic.

It isn't a case of whether it can be made automatic -- of course it can.
The question is rather "Is making it automatic the right thing to do?".
I'm not convinced that it is.

> I have some thoughts on dealing with dead ISPs and multi-ISP
> configurations. Shall I start a thread about it or are you really not
> interested in Shorewall dealing with this situation?

Sure -- start a thread. It might be best though to start the thread on
the development list rather than on the users list.

Thanks,
-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
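The two points Tom makes above (the masq file is first-match and therefore order-sensitive, and a broad rule such as `eth0 0.0.0.0/0 206.124.146.177` placed earlier makes the two mandatory entries unreachable) can be checked with the following added example. It is not Shorewall's code and not part of the thread; it models a simplified three-column /etc/shorewall/masq in which SUBNET is either an incoming interface name or a CIDR, rules are evaluated top to bottom with the first match winning (as in the POSTROUTING chain Shorewall builds), and the addresses from the thread are used as constructed sample data. Locally generated packets are represented by an incoming interface of None.

```python
import ipaddress

# Constructed sample: the MultiISP.html masq entries discussed in the thread.
# Columns: (OUT_INTERFACE, SUBNET, SNAT_ADDRESS). SUBNET is an incoming
# interface name ("eth2") or a CIDR / single address.
MASQ_RULES = [
    ("eth0", "eth2", "206.124.146.176"),
    ("eth1", "eth2", "130.252.99.27"),
    ("eth0", "130.252.99.27", "206.124.146.176"),   # mandatory entry 1
    ("eth1", "206.124.146.176", "130.252.99.27"),   # mandatory entry 2
]

# Same entries, but with Tom's catch-all rule placed first (constructed).
CATCH_ALL_FIRST = [("eth0", "0.0.0.0/0", "206.124.146.177")] + MASQ_RULES


def _is_cidr(subnet):
    """True if SUBNET is an address or CIDR rather than an interface name."""
    try:
        ipaddress.ip_network(subnet, strict=False)
        return True
    except ValueError:
        return False


def rule_matches(rule, out_iface, in_iface, src):
    """Does one masq rule apply to a packet leaving out_iface?"""
    iface, subnet, _addr = rule
    if iface != out_iface:
        return False
    if _is_cidr(subnet):
        return ipaddress.ip_address(src) in ipaddress.ip_network(subnet, strict=False)
    return subnet == in_iface


def select_snat(rules, out_iface, in_iface, src):
    """First-match evaluation: the SNAT address used, or None if no rule hits."""
    for rule in rules:
        if rule_matches(rule, out_iface, in_iface, src):
            return rule[2]
    return None


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule on the
    same interface already covers everything they would match."""
    shadowed = []
    for i, (iface, subnet, _) in enumerate(rules):
        for j in range(i):
            e_iface, e_subnet, _ = rules[j]
            if e_iface != iface:
                continue
            if _is_cidr(e_subnet):
                e_net = ipaddress.ip_network(e_subnet, strict=False)
                if _is_cidr(subnet):
                    if ipaddress.ip_network(subnet, strict=False).subnet_of(e_net):
                        shadowed.append(i)
                        break
                elif e_net.prefixlen == 0:   # 0.0.0.0/0 swallows any in-interface rule
                    shadowed.append(i)
                    break
            elif e_subnet == subnet:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # A LAN host behind eth2 leaving via eth0 is masqueraded by the normal rule.
    print(select_snat(MASQ_RULES, "eth0", "eth2", "192.168.1.5"))
    # A locally generated packet carrying the eth1 address but routed out eth0
    # is rewritten by mandatory entry 1 so it leaves with the eth0 address.
    print(select_snat(MASQ_RULES, "eth0", None, "130.252.99.27"))
    # With a catch-all first, the eth0 entries are never reached.
    print(shadowed_rules(CATCH_ALL_FIRST))
```

With the four entries from the thread, `shadowed_rules` reports nothing: the in-interface rules and the single-address rules never overlap, which is Brian's observation. Prepending the catch-all shadows both eth0 rules (indices 1 and 3), which is why a tool that appended the mandatory entries blindly would spend rule-insertion and per-packet matching work on rules that can never fire.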