On 1/12/11 4:10 PM, Elio Tondo wrote:
> I have a rather complex configuration (thanks Tom for the great flexibility of
> Shorewall!) with three ISP connections, two separate LAN zones, a DMZ and a
> vpn zone (OpenVPN server for road warriors running on the firewall).
>
> Initially I tried to force the use of one of the ISPs for specific protocols
> and / or source addresses in the loc zone, with limited success (maybe
> something wrong in my configuration files).
>
> Today I revised the configuration, following the "Complete Working Example" of
> Tom's network in early 2009 http://www.shorewall.net/MultiISP.html#Complete
> but I can't find the tcrules file in the example and I'm not sure that mine is
> correct.
That example only uses route_rules -- there were no entries in the
tcrules file.
>
> Specifically, I need a confirmation about the MARK field in providers: in the
> example it's above 0xFF (so I assume HIGH_ROUTE_MARKS=Yes in shorewall.conf)
> and I can't understand from the documentation if I need to use 0x100, 0x200
> and so on MARKs also in tcrules or not (in all the examples I found I always
> see 1, 2 and similar low values).
Yes -- you need to use the same value in tcrules that is specified in
the providers file.
>
> Anyway, I decided not to use HIGH_ROUTE_MARKS (like in the "fall 2008"
> example) so that the MARKs are always 1, 2 and 3, and I am using route_rules
> to force certain loc IP ranges to use provider 1, and tcrules (with MARK 1
> without :P or other chain specifiers) to force specific protocols on provider
> 1. I have no specific need for shaping, so tcclasses is empty and tcdevices
> only specifies the out-bandwidth.
If tcclasses is empty, then tcdevices should also be empty.
>
> Before going into more details (contents of the configuration files and dumps)
> I would like to understand if what I did is reasonable.
>
Sounds like it.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________