Hi to the list,

I configured a multi-provider setup with /etc/shorewall/providers:

    Orange  1  1  main  eth1  81.255.74.150   track,balance=1  eth0
    Free    2  2  main  eth2  88.180.116.254  track,balance=3  eth0

and /etc/shorewall/tcrules:

    2:P  192.168.2.0/24  0.0.0.0/0  tcp  143
    2:P  192.168.2.0/24  0.0.0.0/0  tcp  80,443
    1:P  192.168.2.0/24  0.0.0.0/0  tcp  25

The load balancing traffic works as it should, with a 1/3 ratio on provider 2, but I would like to route ALL SMTP traffic on provider 1 without balancing on provider 2. How to configure?

Thanks in advance.

Sam.
On 1/10/11 10:08 AM, Sam Przyswa wrote:
> Hi to the list,
>
> I configured a multi-provider setup with /etc/shorewall/providers:
>
>     Orange  1  1  main  eth1  81.255.74.150   track,balance=1  eth0
>     Free    2  2  main  eth2  88.180.116.254  track,balance=3  eth0
>
> and /etc/shorewall/tcrules:
>
>     2:P  192.168.2.0/24  0.0.0.0/0  tcp  143
>     2:P  192.168.2.0/24  0.0.0.0/0  tcp  80,443
>     1:P  192.168.2.0/24  0.0.0.0/0  tcp  25
>
> The load balancing traffic works as it should, with a 1/3 ratio on provider 2,
> but I would like to route ALL SMTP traffic on provider 1 without balancing on
> provider 2. How to configure?

There are explicit instructions at
http://www.shorewall.net/MultiISP.html#Applications

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 10/01/2011 20:08, Tom Eastep wrote:
> On 1/10/11 10:08 AM, Sam Przyswa wrote:
>> Hi to the list,
>>
>> I configured a multi-provider setup with /etc/shorewall/providers:
>>
>>     Orange  1  1  main  eth1  81.255.74.150   track,balance=1  eth0
>>     Free    2  2  main  eth2  88.180.116.254  track,balance=3  eth0
>>
>> and /etc/shorewall/tcrules:
>>
>>     2:P  192.168.2.0/24  0.0.0.0/0  tcp  143
>>     2:P  192.168.2.0/24  0.0.0.0/0  tcp  80,443
>>     1:P  192.168.2.0/24  0.0.0.0/0  tcp  25
>>
>> The load balancing traffic works as it should, with a 1/3 ratio on provider 2,
>> but I would like to route ALL SMTP traffic on provider 1 without balancing on
>> provider 2. How to configure?
> There are explicit instructions at
> http://www.shorewall.net/MultiISP.html#Applications

I configured it as explained on this page, with a line in /etc/shorewall/tcrules:

    1  $FW  0.0.0.0/0  tcp  25

to force the SMTP traffic on provider 1, but with the "balance" option in /etc/shorewall/providers some SMTP traffic goes on provider 2 !?

Thanks for your help.

Sam.
On 1/11/11 2:26 AM, Sam Przyswa wrote:
> On 10/01/2011 20:08, Tom Eastep wrote:
>> There are explicit instructions at
>> http://www.shorewall.net/MultiISP.html#Applications
>
> I configured it as explained on this page, with a line in
> /etc/shorewall/tcrules:
>
>     1  $FW  0.0.0.0/0  tcp  25
>
> to force the SMTP traffic on provider 1, but with the "balance" option in
> /etc/shorewall/providers some SMTP traffic goes on provider 2 !?

http://www.shorewall.net/MultiISP.html#Local

-Tom
On 11/01/2011 15:38, Tom Eastep wrote:
> On 1/11/11 2:26 AM, Sam Przyswa wrote:
>> On 10/01/2011 20:08, Tom Eastep wrote:
>>> There are explicit instructions at
>>> http://www.shorewall.net/MultiISP.html#Applications
>> I configured it as explained on this page, with a line in
>> /etc/shorewall/tcrules:
>>
>>     1  $FW  0.0.0.0/0  tcp  25
>>
>> to force the SMTP traffic on provider 1, but with the "balance" option in
>> /etc/shorewall/providers some SMTP traffic goes on provider 2 !?
> http://www.shorewall.net/MultiISP.html#Local

Ok, I know this page, but if I set HIGH_ROUTE_MARKS=Yes I get an error:

    Checking /etc/shorewall/providers...
    ERROR: Invalid Mark Value (1) : /etc/shorewall/providers (line 10)

The providers file:

    #
    # Shorewall version 4 - Providers File
    #
    # For information about entries in this file, type "man shorewall-providers"
    #
    # For additional information, see http://shorewall.net/MultiISP.html
    #
    ############################################################################
    #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS          COPY
    Orange  1       1     main       eth1       81.255.74.150   track,balance=1  eth0
    Free    2       2     main       eth2       88.180.116.254  track,balance=3  eth0
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

If I set route_rules as this page says:

    #
    # Shorewall version 4 - route_rules File
    #
    # For information about entries in this file, type "man shorewall-route_rules"
    #
    # For additional information, see http://www.shorewall.net/MultiISP.html
    ##############################################################################
    #SOURCE  DEST  PROVIDER  PRIORITY
    lo       -     Orange    1000

ALL traffic goes on provider 1 and the tcrules file setting is no longer active.

My tcrules file is:

    2:P     192.168.2.0/24  0.0.0.0/0  tcp  143
    2:P     81.255.74.148   0.0.0.0/0  tcp  143
    2:P     88.180.116.54   0.0.0.0/0  tcp  143
    1:P     192.168.2.0/24  0.0.0.0/0  tcp  25
    1:P     81.255.74.148   0.0.0.0/0  tcp  25
    1:P     88.180.116.54   0.0.0.0/0  tcp  25
    1       $FW             0.0.0.0/0  tcp  25
    2:P     192.168.2.0/24  0.0.0.0/0  tcp  80,443
    2:P     172.16.0.0/24   0.0.0.0/0  tcp  80,443
    2:P     172.16.1.0/24   0.0.0.0/0  tcp  80,443
    2:P     81.255.74.148   0.0.0.0/0  tcp  80,443
    #2:P    88.180.116.54   0.0.0.0/0  tcp  80,443
    SAME:P  0.0.0.0/0       0.0.0.0/0  tcp  143
    SAME:P  192.168.2.0/24  0.0.0.0/0  tcp  80,443
    SAME:P  172.16.0.0/24   0.0.0.0/0  tcp  80,443
    SAME:P  172.16.1.0/24   0.0.0.0/0  tcp  80,443
    SAME:P  81.255.74.148   0.0.0.0/0  tcp  80,443
    SAME:P  88.180.116.54   0.0.0.0/0  tcp  80,443

So please let me know how to set ALL traffic on port 25 on provider 1 and ALL traffic on port 143 on provider 2; at this time, with my providers file, I only have balanced traffic with a 3/1 ratio.

Thanks for your help.

Sam.
On 1/12/11 9:51 AM, Sam Przyswa wrote:
> On 11/01/2011 15:38, Tom Eastep wrote:
>> On 1/11/11 2:26 AM, Sam Przyswa wrote:
>>> On 10/01/2011 20:08, Tom Eastep wrote:
>>>> There are explicit instructions at
>>>> http://www.shorewall.net/MultiISP.html#Applications
>>> I configured it as explained on this page, with a line in
>>> /etc/shorewall/tcrules:
>>>
>>>     1  $FW  0.0.0.0/0  tcp  25
>>>
>>> to force the SMTP traffic on provider 1, but with the "balance" option in
>>> /etc/shorewall/providers some SMTP traffic goes on provider 2 !?
>> http://www.shorewall.net/MultiISP.html#Local
>
> Ok, I know this page, but if I set HIGH_ROUTE_MARKS=Yes I get an error:
>
>     Checking /etc/shorewall/providers...
>     ERROR: Invalid Mark Value (1) : /etc/shorewall/providers (line 10)
>

That section does not mention HIGH_ROUTE_MARKS!!! Why would you set that?

The section does mention:

a) Configuring your applications to bind to a specific local IP address.
b) It mentions a route_rule entry with SOURCE 'lo'.

-Tom
On 12/01/2011 19:10, Tom Eastep wrote:
> On 1/12/11 9:51 AM, Sam Przyswa wrote:
>> On 11/01/2011 15:38, Tom Eastep wrote:
>>> On 1/11/11 2:26 AM, Sam Przyswa wrote:
>>>> On 10/01/2011 20:08, Tom Eastep wrote:
>>>>> There are explicit instructions at
>>>>> http://www.shorewall.net/MultiISP.html#Applications
>>>> I configured it as explained on this page, with a line in
>>>> /etc/shorewall/tcrules:
>>>>
>>>>     1  $FW  0.0.0.0/0  tcp  25
>>>>
>>>> to force the SMTP traffic on provider 1, but with the "balance" option in
>>>> /etc/shorewall/providers some SMTP traffic goes on provider 2 !?
>>> http://www.shorewall.net/MultiISP.html#Local
>> Ok, I know this page, but if I set HIGH_ROUTE_MARKS=Yes I get an error:
>>
>>     Checking /etc/shorewall/providers...
>>     ERROR: Invalid Mark Value (1) : /etc/shorewall/providers (line 10)
>>
> That section does not mention HIGH_ROUTE_MARKS!!! Why would you set that?
>
> The section does mention:
>
> a) Configuring your applications to bind to a specific local IP address.
> b) It mentions a route_rule entry with SOURCE 'lo'.

Ok, but as I said in my previous message, with 'lo' in the route_rules file all the tcrules settings become inactive.

Please let me know (if it's possible) how to route ALL the port x traffic on the desired provider.

Thanks in advance.

Sam.
On 1/12/11 12:46 PM, Sam Przyswa wrote:
> Please let me know (if it's possible) how to route ALL the port x
> traffic on the desired provider.

Configure your applications to bind to a specific local IP address.
==================================================================

-Tom
On 12/01/2011 21:52, Tom Eastep wrote:
> On 1/12/11 12:46 PM, Sam Przyswa wrote:
>
>> Please let me know (if it's possible) how to route ALL the port x
>> traffic on the desired provider.
> Configure your applications to bind to a specific local IP address.
> ==================================================================

I don't really understand what you mean, because the shorewall machine is the default *gateway* for the LAN machines. LAN machines send mails on the SMTP port to an external mail server via the gateway, and I want that to go on provider 1; LAN machines also request inbound mails on the IMAP2 port on the same mail server, and I want that to go on provider 2. For 80 and 443 requests the 3/1 load balancing is OK for me. There are +/- 200 LAN machines.

Thanks for your help.

Sam.
On 1/12/11 1:27 PM, Sam Przyswa wrote:
> On 12/01/2011 21:52, Tom Eastep wrote:
>> On 1/12/11 12:46 PM, Sam Przyswa wrote:
>>
>>> Please let me know (if it's possible) how to route ALL the port
>>> x traffic on the desired provider.
>> Configure your applications to bind to a specific local IP
>> address.
>> ==================================================================
>>
> I don't really understand what you mean, because the shorewall machine
> is the default *gateway* for the LAN machines. LAN machines send mails
> on the SMTP port to an external mail server via the gateway, and I want
> that to go on provider 1; LAN machines also request inbound mails on the
> IMAP2 port on the same mail server, and I want that to go on provider 2.
> For 80 and 443 requests the 3/1 load balancing is OK for me. There are
> +/- 200 LAN machines.

Yesterday, you said:

> I configured it as explained on this page, with a line in
> /etc/shorewall/tcrules:
>
>     1  $FW  0.0.0.0/0  tcp  25
>
> to force the SMTP traffic on provider 1, but with the "balance" option
> in /etc/shorewall/providers some SMTP traffic goes on provider 2 !?

So I foolishly assumed that the problem was occurring on traffic originating on the firewall. Sorry for the misunderstanding.

From another earlier post, you included:

>     1:P  192.168.2.0/24  0.0.0.0/0  tcp  25
>     1:P  81.255.74.148   0.0.0.0/0  tcp  25
>     1:P  88.180.116.54   0.0.0.0/0  tcp  25

That should cause packets from those IP addresses to be marked with mark 1 so that they will go out of the Orange provider. If you have evidence that such connections are going out of the other provider (Free), then please send me (privately) the output of 'shorewall dump'.

Thanks,
-Tom
On 1/13/11 2:42 PM, Sam Przyswa wrote:
>> That should cause packets from those IP addresses to be marked with mark
>> 1 so that they will go out of the Orange provider. If you have evidence
>> that such connections are going out of the other provider (Free), then
>> please send me (privately) the output of 'shorewall dump'.
>
> You will find in attachment my shorewall dump.
>

Okay. These two entries in tcrules are useless:

>     1:P  81.255.74.148  0.0.0.0/0  tcp  25
>     1:P  88.180.116.54  0.0.0.0/0  tcp  25

88.255.74.148 and 88.180.116.54 are addresses on the Shorewall box, and traffic originating from there never goes through the prerouting chain.

The SMTP traffic that you see going out of the Free provider; is this traffic originating on the firewall or is it from the 192.68.2.0/24 network?

Thanks,
-Tom
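As an added illustration (not from the thread and not Shorewall's own code), a small Python model of the chain selection Tom describes: ":P" entries are evaluated in PREROUTING and therefore only ever see forwarded traffic, while a suffix-less entry with SOURCE $FW lands in OUTPUT and is the only kind that can mark connections the firewall itself opens (Postfix relaying, for instance). The model deliberately simplifies Shorewall to the columns the thread uses, skips SAME entries and route_rules, and the sample tcrules are a constructed subset of Sam's file.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW = "$FW"  # Shorewall's name for the firewall itself in the SOURCE column


@dataclass(frozen=True)
class TcRule:
    mark: int          # MARK from /etc/shorewall/providers (1 = Orange, 2 = Free)
    chain: str         # "PREROUTING" (forwarded traffic) or "OUTPUT" (firewall-originated)
    source: str        # CIDR, single address, or "$FW"
    proto: str
    dports: frozenset  # destination ports this entry matches


def parse_tcrules(text):
    """Parse the MARK SOURCE DEST PROTO DPORT columns used in the thread.
    ':P' forces PREROUTING; a suffix-less entry with SOURCE $FW lands in
    OUTPUT; anything else defaults to PREROUTING. SAME entries are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mark, src, _dest, proto, ports = line.split()
        if mark.upper().startswith("SAME"):
            continue
        base, _, suffix = mark.partition(":")
        chain = "OUTPUT" if src == FW and not suffix else "PREROUTING"
        dports = frozenset(int(p) for p in ports.split(","))
        rules.append(TcRule(int(base), chain, src, proto.lower(), dports))
    return rules


def provider_for(rules, src_ip, dport, from_firewall, proto="tcp"):
    """Provider number the first matching entry marks a new connection with,
    or "balanced" when nothing matches and the balance= weights decide."""
    chain = "OUTPUT" if from_firewall else "PREROUTING"  # local traffic skips PREROUTING
    for r in rules:
        if r.chain != chain or r.proto != proto or dport not in r.dports:
            continue
        if r.source == FW or ip_address(src_ip) in ip_network(r.source, strict=False):
            return r.mark
    return "balanced"


# Constructed subset of Sam's tcrules file from the thread.
TCRULES = """
2:P 192.168.2.0/24 0.0.0.0/0 tcp 143
2:P 81.255.74.148  0.0.0.0/0 tcp 143   # firewall address: never seen in PREROUTING
1:P 192.168.2.0/24 0.0.0.0/0 tcp 25
1:P 81.255.74.148  0.0.0.0/0 tcp 25    # likewise useless, as Tom points out
1   $FW            0.0.0.0/0 tcp 25    # OUTPUT chain: this one does catch Postfix
2:P 192.168.2.0/24 0.0.0.0/0 tcp 80,443
"""
RULES = parse_tcrules(TCRULES)

if __name__ == "__main__":
    print("LAN host -> smtp:", provider_for(RULES, "192.168.2.10", 25, False))  # 1
    print("Postfix on fw -> smtp:", provider_for(RULES, "81.255.74.148", 25, True))  # 1
    print("fw -> imap:", provider_for(RULES, "81.255.74.148", 143, True))  # balanced
```

Dropping the `$FW` line from TCRULES makes the firewall's own SMTP fall back to "balanced", which is exactly the symptom of relying on ":P" entries for locally originated mail.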
On 14/01/2011 01:08, Tom Eastep wrote:
> On 1/13/11 3:43 PM, Sam Przyswa wrote:
>> On 14/01/2011 00:22, Tom Eastep wrote:
>> For these addresses I don't need to suffix with ':P' ?
> You don't want those rules at all. They are completely useless.
>
>> Both, some users (192.168.2.0/24) send mail directly to the external SMTP
>> server and others send to the firewall as mail relay (Postfix), and I want
>> ALL the SMTP traffic to go ONLY on provider 1 (Orange).
> I know what you want -- I'm asking whether it is the Postfix traffic or
> the traffic sent directly from local hosts that is going out of the
> wrong provider. If it is Postfix, in your /etc/postfix/main.cf file, add
> this:
>
>     smtp_bind_address = 81.255.74.148
>
> and restart Postfix.

I don't really understand, but what is the right way in multi-provider to force a particular dest port to be sent ONLY on a particular provider?

Thanks for your help.

Sam.
On 1/18/11 8:32 AM, Sam Przyswa wrote:
>> I know what you want -- I'm asking whether it is the Postfix
>> traffic or the traffic sent directly from local hosts that is going
>> out of the wrong provider.

Please answer this question.

>> If it is Postfix, in your /etc/postfix/main.cf file, add this:
>>
>>     smtp_bind_address = 81.255.74.148
>>
>> and restart Postfix.
>
> I don't really understand, but what is the right way in multi-provider
> to force a particular dest port to be sent ONLY on a particular provider
> ?
>

Please:

a) Answer my question above.
b) Tell me if setting the smtp_bind_address fixed the problem with email relayed via postfix on the Shorewall system.

-Tom