On Friday 19 March 2004 11:47 pm, Aaron Axelsen wrote:
> I have shorewall running on my linux box which contains the nics. They
> are used as follows below:
> Eth0: dsl modem
> Eth1: connection to lan
> Eth2: backup internet connection
>
> My question is, is it possible to configure shorewall to use eth2 only
> if the connection on eth0 is unavailable?
>
> If so, could anyone offer any tips? Thanks.
Actually that's sort of what I have on my laptop, which spends
a lot of time on a direct cat5 connection (eth0) and a lot of time
on a wireless (eth1) and every once in a while some time on
(ppp0), not to mention running Windows virtual machines under VMware
(vmnet8) which I need to protect from the net.
So my interfaces file looks like this:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,blacklist
loc     vmnet8      detect      dhcp,routefilter
dial    ppp0        detect      dhcp,routefilter
wire    eth1        detect      dhcp,routefilter
and my zones file like this:
#ZONE   DISPLAY    COMMENTS
net     Net        Internet
loc     VMware     Local Networks
dial    DialUP     Dial Up
wire    Wireless   Wireless Nic
My policies are fairly open for outbound access:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       wire   ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw        net    ACCEPT
fw        dial   ACCEPT
fw        wire   ACCEPT
net       all    DROP
all       all    REJECT   info
And the only tricky bit is duplicating a few rules that
allow inbound access such as:
# Accept SSH connections from the local network for administration
#
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      fw     tcp     22
ACCEPT    wire     fw     tcp     22
When one interface is down I have access by one of
the others without needing to make any changes.
I will occasionally have to restart sendmail when I
switch interfaces because it seems to get attached
to the one it started on.
--
John Andersen - NORCOM
http://www.norcomsoftware.com/
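The approach above relies on every inbound rule and every outbound policy being duplicated for each interface that can act as the Internet link, and the post shows how easy it is to miss one (there is a `fw dial ACCEPT` policy but no `loc dial` policy and no `ACCEPT dial fw tcp 22` rule). The following script is an added example, not part of the thread or of Shorewall itself: it parses Shorewall-style whitespace-separated tables and reports policies and firewall-bound rules that exist for one uplink zone but not the others, so that a link failing over does not silently remove administrative access or, conversely, leave a zone more open than intended. The tables embedded below are constructed from the post; the set of "uplink" zones (`net`, `dial`, `wire`) is an assumption made here, since Shorewall has no such notion.

```python
"""Consistency check for a multi-uplink Shorewall configuration (added example).

Parses the whitespace-separated Shorewall policy and rules tables and reports
entries that exist for one uplink zone but not for the others.
"""

# Assumption for this example: these zones can each be "the" Internet link
# at different times (eth0, ppp0, eth1 in the post). Shorewall itself does
# not define such a set; it is supplied by the administrator.
UPLINK_ZONES = {"net", "dial", "wire"}

# Constructed from the post's policy file.
POLICY = """\
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       wire   ACCEPT
fw        net    ACCEPT
fw        dial   ACCEPT
fw        wire   ACCEPT
net       all    DROP
all       all    REJECT   info
"""

# Constructed from the post's rules file.
RULES = """\
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      fw     tcp     22
ACCEPT    wire     fw     tcp     22
"""


def parse_table(text):
    """Split a Shorewall table into rows of fields, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(tuple(line.split()))
    return rows


def missing_policies(policy_text, uplinks=UPLINK_ZONES):
    """Return (source, uplink, policy) triples that are missing.

    If a non-uplink source zone has an explicit policy toward one uplink zone,
    the same policy is expected toward every other uplink; otherwise that
    traffic falls through to the catch-all policy once the preferred link
    is gone.
    """
    present = {(r[0], r[1]): r[2] for r in parse_table(policy_text) if len(r) >= 3}
    missing = set()
    for (src, dst), pol in present.items():
        if dst not in uplinks or src in uplinks:
            continue
        for other in uplinks - {dst}:
            if (src, other) not in present:
                missing.add((src, other, pol))
    return sorted(missing)


def missing_rules(rules_text, uplinks=UPLINK_ZONES):
    """Return firewall-bound rules present for one uplink zone but not the others.

    Only the first five columns (ACTION SOURCE DEST PROTO DEST PORT) are
    compared; extra columns such as SOURCE PORT are ignored.
    """
    inbound = {
        r[:5]
        for r in parse_table(rules_text)
        if len(r) >= 5 and r[1] in uplinks and r[2] == "fw"
    }
    missing = set()
    for action, src, dst, proto, port in inbound:
        for other in uplinks - {src}:
            if (action, other, dst, proto, port) not in inbound:
                missing.add((action, other, dst, proto, port))
    return sorted(missing)


if __name__ == "__main__":
    for src, zone, pol in missing_policies(POLICY):
        print(f"policy: '{src} {zone} {pol}' is missing")
    for action, zone, dst, proto, port in missing_rules(RULES):
        print(f"rule: '{action} {zone} {dst} {proto} {port}' is missing")
```

Run as-is it reports the two gaps visible in the post; point `POLICY` and `RULES` at the contents of your own `/etc/shorewall/policy` and `/etc/shorewall/rules` to check a real configuration. Treat the output as a review list rather than something to apply blindly: a rule admitting SSH from every uplink zone is what keeps the box reachable after a failover, but it also widens the attack surface on each link, so each reported gap is a decision, not automatically an omission.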