Hi Wong,

> Anyway, back to business. Apparently, after recompile using Mandriva's
> latest official kernel (version 2.6.11-12mdk), the result was the
> same. At last, i tried to get source package of iptables v1.3.1 and
> install it on the box and i think it works now. I havent tried it on
> shorewall yet but based on Jerry's quick test :--

I needed to upgrade the iptables package on every Mandrake installation from 1.2.9-5 to 1.2.9.95 after each installation in order to have shorewall working.

> it seems to work fine without any error. But i didnt managed to get
> shorewall rpm to install though. It seems the package cant find the
> binary of iptables. Previously, it was located under /usr/sbin and
> after installed source package of iptables, the binary goes to
> /usr/local/sbin though :/ But anyway, i would install shorewall using
> the source package. A bit worried about upgrading it next time. It
> seems like source packages are always the best....

The dependencies from shorewall require the iptables rpm to be installed; since you installed from source, the iptables entry wasn't in the rpm database. You can overcome this using the rpm switch --nodeps:

    rpm -Uvh shorewall.rpm --nodeps

Regards,
Urivan A. Flores Saaib
CiberLinux Networking
Hi! This is another thread of "setting gateway in interfaces file" and while i dont want to create any confusion here, i have decided to open a new thread. (which mean Diamond King no longer a subscriber to shorewall-users)

Actually, it turned out not to be the MARK issues. Something is missing and i got this error instead :-

    Setting up Accounting...
    Creating Interface Chains...
    Configuring Proxy ARP
    Processing /etc/shorewall/providers...
    Provider tmnet1 1 1 main eth1 192.168.1.1 track,balance Added
    Default route nexthop via 192.168.1.1 dev eth1 weight 1 Added.
    iptables v1.2.9: Unknown arg `--mask'
    Try `iptables -h' or 'iptables --help' for more information.
    ERROR: Command "/sbin/iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255" Failed

Here are my tcrules and providers file setup :-

/etc/shorewall/tcrules
///
    #MARK  SOURCE  DEST       PROTO  PORT(S)         CLIENT   USER  TEST
    #                                                PORT(S)
    1      eth2    0.0.0.0/0  tcp    1863,5050,5190
    2      eth3    0.0.0.0/0  tcp    1863,5050,5190
    3      eth4    0.0.0.0/0  tcp    1863,5050,5190
///

/etc/shorewall/providers
///
    #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
    tmnet2  1       1     main       eth1       192.168.1.1  track,balance
    tmnet2  1       2     main       eth1       192.168.1.1  track,balance
    tmnet2  1       3     main       eth1       192.168.1.1  track,balance
///

Im not very sure about what that duplicate means. So i just put in "main". Anyway, where can i get this "mask" from? patch-o-matic?

Regards,
Chee Chun
Wong Che Chun wrote on 05/07/2005 05:28:55:

[...]
> Setting up Accounting...
> Creating Interface Chains...
> Configuring Proxy ARP
> Processing /etc/shorewall/providers...
> Provider tmnet1 1 1 main eth1 192.168.1.1 track,balance Added
> Default route nexthop via 192.168.1.1 dev eth1 weight 1 Added.
> iptables v1.2.9: Unknown arg `--mask'
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -t mangle -A routemark -m mark !
> --mark 0 -j CONNMARK --save-mark --mask 255" Failed

what is the output of "shorewall show capabilities"? I think you missed some patch...

cheers,
--
Eduardo Ferreira
Icatu Holding S.A.
Here's the reply from "shorewall show capabilities" :-

    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Extended Multi-port Match: Not available
       Connection Tracking Match: Available
       Packet Type Match: Available
       Policy Match: Not available
       Physdev Match: Available
       IP range Match: Available
       Recent Match: Available
       Owner Match: Available
       Ipset Match: Not available
       ROUTE Target: Not available
       Extended MARK Target: Not available
       CONNMARK Target: Available
       Connmark Match: Available

Anything is wrong with it?
> Wong Che Chun wrote on 05/07/2005 05:28:55:
> [...]
> > Setting up Accounting...
> > Creating Interface Chains...
> > Configuring Proxy ARP
> > Processing /etc/shorewall/providers...
> > Provider tmnet1 1 1 main eth1 192.168.1.1 track,balance Added
> > Default route nexthop via 192.168.1.1 dev eth1 weight 1 Added.
> > iptables v1.2.9: Unknown arg `--mask'
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Command "/sbin/iptables -t mangle -A routemark -m mark !
> > --mark 0 -j CONNMARK --save-mark --mask 255" Failed
>
> what is the output of "shorewall show capabilities"? I think you missed
> some patch...
>
> cheers,

Wong:
For what it's worth, the syntax works for me, with no errors. Fedora Core4
Noting that your iptables is at version 1.2.9.
For a quick test, I did:

    /sbin/iptables -t mangle -N test
    /sbin/iptables -t mangle -A test -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255

    /sbin/iptables -v
    iptables v1.3.0: no command specified

Did you re-compile iptables after you did your kernel? Think if you enable some of the advanced kernel modules, you need to recompile iptables to enable the new modules.
Or is there an updated iptables rpm?

Jerry
Hmm...i think i would need to explain what is my current network situation, Linux distro and iptables version before going further. The network should look like this :-

    eth0 : ISP1
    eth1 : ISP2
    eth2 : subnet1
    eth3 : subnet2
    eth4 : subnet3

What i would like to do is to route certain ports (chatting programs, ftp and etc) to ISP2 and for port 80, i would like to route it to ISP1. FYI, im running Squid transparent proxying on the firewall itself.

This is my masq file :-

    #INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)            IPSEC
    eth1        eth2    -        tcp    21,5190,5050,1863  -
    eth1        eth3    -        tcp    21,5190,5050,1863  -
    eth1        eth4    -        tcp    21,5190,5050,1863  -
    eth0        eth2    -        tcp    -
    eth0        eth3    -        tcp    -
    eth0        eth4    -        tcp    -
    eth0        eth2    -        udp    -
    eth0        eth3    -        udp    -
    eth0        eth4    -        udp    -

tcrules file :-

    1  eth2,eth3,eth4  0.0.0.0/0  tcp  21,1863,5050,5190  -  -  -
    2  eth2,eth3,eth4  0.0.0.0/0  tcp  -                  -  -  -
    3  eth2,eth3,eth4  0.0.0.0/0  udp  -                  -  -  -

providers file :-

    #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
    tmnet1  1       2     main       eth0       192.168.100.1  track,balance
    tmnet1  1       3     main       eth0       192.168.100.1  track,balance
    tmnet2  2       1     main       eth1       192.168.1.1    track,balance

Under provider file, is it possible to put two or more MARK in one line? I need to put in MARK 2 and 3 under same ISP or is it any other way around?

Meanwhile, Im running Mandriva 10.2 and iptables version 1.2.9. Both these packages came with Mandriva itself, which means they are stock packages. Yesterday, i installed Mandriva on a test machine and tried to recompile the kernel using Mandriva's latest source rpm. By default, 'make menuconfig' shows me that almost all netfilter modules are selected as 'M'. I cant find anywhere else to select more modules. So, i thought since all netfilter modules were selected, there is no need to re-compile the kernel and i assumed that the current Mandriva's official kernel does have the same kernel config as the source one. I think this might be where i did my mistake. So, i should go back and re-compile the kernel.
well. i did recompile my kernel and the result is still the same. However, im not sure how to recompile the iptables as im using the rpm package from Mandriva. I've checked the development area of Mandriva but couldnt find the 1.3.0 version. Is there any other way to do it or i just need to get iptables from netfilter.org and recompile my own?

Regards,
chee chun
Wong Chee Chun wrote on 07/07/2005 01:21:08:

> well. i did recompile my kernel and the result stil the same. However,
> im not sure how to recompile the iptables as im using the rpm package
> from Mandriva. I`ve checked to development area of Mandriva but
> couldnt find the 1.3.0 version. Is there any other way to do it or i
> just need to get iptables from netfilter.org and recompile my own?

Wong,

you need to patch your kernel with some netfilter patches to get all shorewall capabilities. In short, your next steps are:

1) get a kernel source of your distribution;
2) grab from netfilter.org the latest iptables source and the latest patch-o-matic tarball.
3) untar/unzip everything
4) enter your kernel source dir and run 'make menuconfig'. do not compile the kernel yet.
5) enter your patch-o-matic source dir and run './runme <name-of-patch>' (I don't remember the patch to get what you need. someone?)
6) back to your kernel, 'make menuconfig' again, should have a new module to you there (again, I don't remember which).
7) compile, install and boot your new kernel and modules.
8) go to your iptables source dir, compile, install.

BTW, Isn't there someone in the same time zone (or nearer) of Wong who could help? when I answer, he is sleeping and vice-versa ;.)

regards,
--
Eduardo Ferreira
hehe..you are correct indeed. Im on GMT +8 country and most of you guys were sleeping while im on my duty. If i just get my home Internet fixed, i could join you all as well :)

Anyway, back to business. Apparently, after recompile using Mandriva's latest official kernel (version 2.6.11-12mdk), the result was the same. At last, i tried to get source package of iptables v1.3.1 and install it on the box and i think it works now. I havent tried it on shorewall yet but based on Jerry's quick test :--

---
    /sbin/iptables -t mangle -N test
    /sbin/iptables -t mangle -A test -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255
---

it seems to work fine without any error. But i didnt manage to get shorewall rpm to install though. It seems the package cant find the binary of iptables. Previously, it was located under /usr/sbin and after installed source package of iptables, the binary goes to /usr/local/sbin though :/ But anyway, i would install shorewall using the source package. A bit worried about upgrading it next time. It seems like source packages are always the best....
alright. gonna give it a try next monday. :)
> > it seems to work fine without any error. But i didnt managed to get
> > shorewall rpm to install though. It seems the package cant find the
> > binary of iptables. Previously, it was located under /usr/sbin and
> > after installed source package of iptables, the binary goes to
> > /usr/local/sbin though :/ But anyway, i would install shorewall using
> > the source package. A bit worried about upgrading it next time. It
> > seems like source packages are always the best....
>
> The dependencies from shorewall requires to have iptables rpm installed,
> since you installed from source, the iptables entry wasn't in the rpm
> database. You can overcome this using the rpm switch --nodeps
>
> rpm -Uvh shorewall.rpm --nodeps

Remember to change the IPTABLES= variable in the shorewall.conf, to be the path to your new iptables binary.

Jerry
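Added example, not part of the thread: one way to confirm that the binary named by IPTABLES= in shorewall.conf is the one that accepts the CONNMARK rule, by repeating Jerry's quick test in a scratch chain. The function names, the scratch chain name and the fallback to PATH are assumptions of this example; against a real iptables the probe needs root.

```shell
#!/bin/sh
# Added example (not from the thread): find the iptables binary Shorewall is
# configured to run and check that it accepts the rule that failed on 1.2.9.

# Print the IPTABLES= value from a shorewall.conf-style file (last assignment
# wins). Prints nothing when the variable is unset or empty.
iptables_from_conf() {
    sed -n 's/^[[:space:]]*IPTABLES=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Repeat the quick test from the thread with the given binary, in a scratch
# chain of the mangle table that is removed again afterwards.
# Returns 0 if the rule is accepted, 1 if it is rejected, 2 if the binary
# cannot be run or the scratch chain cannot be created.
connmark_mask_ok() {
    bin=$1
    chain="cmprobe$$"                      # hypothetical scratch chain name
    command -v "$bin" >/dev/null 2>&1 || return 2
    "$bin" -t mangle -N "$chain" 2>/dev/null || return 2
    rc=0
    "$bin" -t mangle -A "$chain" -m mark ! --mark 0 \
        -j CONNMARK --save-mark --mask 255 2>/dev/null || rc=1
    "$bin" -t mangle -F "$chain" 2>/dev/null || :
    "$bin" -t mangle -X "$chain" 2>/dev/null || :
    return "$rc"
}

# Resolve the binary from IPTABLES= in the given shorewall.conf; falling back
# to the first iptables on PATH is an assumption of this example.
check_shorewall_iptables() {
    conf=$1
    path=$(iptables_from_conf "$conf")
    [ -n "$path" ] || path=$(command -v iptables) || path=
    if [ -z "$path" ]; then
        echo "FAIL: no iptables binary configured or on PATH"
        return 2
    fi
    if connmark_mask_ok "$path"; then
        echo "OK: $path accepts CONNMARK --save-mark --mask"
    else
        echo "FAIL: $path rejected CONNMARK --save-mark --mask (or could not be run)"
        return 1
    fi
}

# Run as: sh this-script /etc/shorewall/shorewall.conf
if [ "$#" -gt 0 ]; then
    check_shorewall_iptables "$1"
fi
```

A FAIL for a path such as /sbin/iptables after a source install under /usr/local/sbin means Shorewall is still calling the old package binary.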
at last, im on right GMT and perfect timing to use shorewall list. I need coffee to get through midnight here. Anyway, thanks again. Really hope that multiple ISP works!

By the way, can someone answer with the problem i asked before? :-

    #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
    tmnet1  1       2     main       eth0       192.168.100.1  track,balance
    tmnet1  1       3     main       eth0       192.168.100.1  track,balance
    tmnet2  2       1     main       eth1       192.168.1.1    track,balance

Under provider file, is it possible to put two or more MARK in one line? I need to put in MARK 2 and 3 under same ISP or is it any other way around?

Regards,
Chee Chun
at last, im on right GMT and perfert timing to use shorewall list. I need coffee to get through midnight here. Anyway, thanks again. Really hope that multiple ISP works!

By the way, can someone answer with the problem i asked before? :-

    #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
    tmnet1  1       2     main       eth0       192.168.100.1  track,balance
    tmnet1  1       3     main       eth0       192.168.100.1  track,balance
    tmnet2  2       1     main       eth1       192.168.1.1    track,balance

Under provider file, is it possible to put two or more MARK in one line? I need to put in MARK 2 and 3 under same ISP or is it any other way around?

Regards,
Chee Chun

What's the problem with using 2 lines?

Jerry
> at last, im on right GMT and perfert timing to use shorewall list. I
> need coffee to get through midnight here. Anyway, thanks again. Really
> hope that multiple ISP works!
>
> By the way, can someone answer with the problem i asked before? :-
>
> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
> tmnet1  1       2     main       eth0       192.168.100.1  track,balance
> tmnet1  1       3     main       eth0       192.168.100.1  track,balance
> tmnet2  2       1     main       eth1       192.168.1.1    track,balance
>
> Under provider file, is it possible to put two or more MARK in one
> line? I need to put in MARK 2 and 3 under same ISP or is it any other
> way around?
>
> Regards,
>
> Chee Chun
>
> What's the problem with using 2 lines?
>
> Jerry

OK let me restate that.... What is wrong with using only 2 marks in the tcrules file, one for each provider.

    1  eth2,eth3,eth4  0.0.0.0/0  tcp  21,1863,5050,5190  -  -  -
    2  eth2,eth3,eth4  0.0.0.0/0  tcp  -                  -  -  -
    2  eth2,eth3,eth4  0.0.0.0/0  udp  -                  -  -  -

Jerry
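Added example, not part of the thread: a cross-check of the providers and tcrules files against Jerry's advice of one mark per provider. It assumes each provider gets a single line with its own NAME, NUMBER and MARK; the function names are hypothetical, and the two-line providers file in write_suggested is constructed here to go with his tcrules.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check providers against tcrules.

# check_marks PROVIDERS TCRULES
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
check_marks() {
    awk -v PROV="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        FILENAME == PROV {                    # providers: NAME NUMBER MARK ...
            if ($1 in names)   { print "providers: NAME " $1 " appears more than once"; bad++ }
            if ($2 in numbers) { print "providers: NUMBER " $2 " appears more than once"; bad++ }
            if ($3 in marks)   { print "providers: MARK " $3 " appears more than once"; bad++ }
            names[$1]; numbers[$2]; marks[$3]
            next
        }
        {                                     # tcrules: MARK SOURCE DEST ...
            m = $1; sub(/:.*/, "", m)         # ignore a chain suffix such as 1:P
            if (!(m in marks) && !(m in reported)) {
                print "tcrules: mark " m " matches no provider MARK"; bad++
                reported[m]
            }
        }
        END { exit (bad > 0) }
    ' "$1" "$2"
}

# The files as posted in the thread: tmnet1 listed twice, three marks.
write_posted() {
    cat > "$1/providers" <<'EOF'
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
tmnet1  1       2     main       eth0       192.168.100.1  track,balance
tmnet1  1       3     main       eth0       192.168.100.1  track,balance
tmnet2  2       1     main       eth1       192.168.1.1    track,balance
EOF
    cat > "$1/tcrules" <<'EOF'
1  eth2,eth3,eth4  0.0.0.0/0  tcp  21,1863,5050,5190  -  -  -
2  eth2,eth3,eth4  0.0.0.0/0  tcp  -                  -  -  -
3  eth2,eth3,eth4  0.0.0.0/0  udp  -                  -  -  -
EOF
}

# Jerry's tcrules (two marks) with a constructed one-line-per-provider file.
write_suggested() {
    cat > "$1/providers" <<'EOF'
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
tmnet1  1       2     main       eth0       192.168.100.1  track,balance
tmnet2  2       1     main       eth1       192.168.1.1    track,balance
EOF
    cat > "$1/tcrules" <<'EOF'
1  eth2,eth3,eth4  0.0.0.0/0  tcp  21,1863,5050,5190  -  -  -
2  eth2,eth3,eth4  0.0.0.0/0  tcp  -                  -  -  -
2  eth2,eth3,eth4  0.0.0.0/0  udp  -                  -  -  -
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_posted "$d"
    echo "as posted:"
    check_marks "$d/providers" "$d/tcrules" || :
    write_suggested "$d"
    echo "one mark per provider:"
    check_marks "$d/providers" "$d/tcrules" && echo "no findings"
    rm -rf "$d"
}
demo
```

A mark that matches no provider is only a finding on a box where tcrules is used purely for provider selection; marks used for traffic shaping would be reported too.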
Errm....apologies to all. I was so concentrated on tcrules and multi ISP issues until i thought that MARK cannot be duplicated. I just re-read the tcrules file and noted that there isnt anything wrong with duplication of MARK values. Sincerely sorry about that. :)

--
Regards,
Wong Chee Chun
Network Engineer
Softmy Co. Ltd (http://www.softmy.com)