Hi all,

I have just upgraded to a new satellite internet provider. I have two network cards - one with a public IP connected to my satellite router, and the second network card with private IP into my switch for the LAN. Shorewall firewall

My old satellite system is not being used.

Would it be possible/feasible to install a third network card into my Fedora Core 2 server, and then direct all known P2P traffic coming from the LAN down the old satellite system? Could this be done? How can I do it?

Thanks,

David.

David T. Thomas wrote:
>
> Would it be possible/feasible to install a third network card into my
> Fedora Core 2 server, and then direct all known P2P traffic coming
> from the LAN down the old satellite system? Could this be done?
> How can I do it?
>

This is a routing problem, not a Shorewall problem. See
http://shorewall.net/Shorewall_and_Routing.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> David T. Thomas wrote:
>
>>Would it be possible/feasible to install a third network card into my
>>Fedora Core 2 server, and then direct all known P2P traffic coming
>>from the LAN down the old satellite system? Could this be done?
>>How can I do it?
>>
>
> This is a routing problem, not a Shorewall problem. See
> http://shorewall.net/Shorewall_and_Routing.html
>

That having been said, it is NOT possible to move an existing connection from one interface to the other after it is discovered that the connection has P2P content.

-Tom

I've seen a few commercial products do what you are asking. At the low end, this linksys can shove traffic out a different wan interface based on port / service.

http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=589

On Wed, 2005-04-27 at 22:24 +0300, David T. Thomas wrote:
> Hi all,
>
> I have just upgraded to a new satellite internet provider. I have two network cards - one with a public IP connected to my satellite router, and the second network card with private IP into my switch for the LAN. Shorewall firewall
>
> My old satellite system is not being used.
>
> Would it be possible/feasible to install a third network card into my Fedora Core 2 server, and then direct all known P2P traffic coming from the LAN down the old satellite system? Could this be done? How can I do it?
>
> Thanks,
>
> David.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

ryan wrote:
> I've seen a few commercial products do what you are asking. At the low
> end, this linksys can shove traffic out a different wan interface based
> on port / service.

The point that I was trying to make earlier is that P2P may use a wide variety of ports including a standard port such as TCP/80 so it is only by analyzing the data stream that the connection may be recognized as "P2P". This is the principle behind Netfilter extensions such as ipp2p and layer7. These P2P recognizers can not be used effectively to route traffic over multiple links if there is source address filtering on either of those links. For example, if the original connection is made through ISP-A, switching the connection over to ISP-B won't work in general (even in the outbound direction) because ISP-B is likely to drop outbound traffic with a source address belonging to ISP-A.

-Tom

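The following is an added illustration of the argument in the message above; it is not part of the original thread and is not Shorewall or Netfilter code. It models a flow whose uplink and source address are fixed when the first packet is routed, a payload matcher that can only fire once application data appears, and a provider-side source address filter. The address prefixes, the names `Flow`, `send` and `run_connection`, and the `rewrite_src` case (which goes one step beyond the thread to show that re-NATing the moved flow does not help either) are all constructed for the example.

```python
"""Constructed model: why a flow cannot move to another uplink once a payload matcher flags it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed documentation prefixes standing in for the two providers' address space.
UPLINKS = {
    "ISP-A": {"prefix": ip_network("192.0.2.0/24"), "nat_ip": ip_address("192.0.2.10")},
    "ISP-B": {"prefix": ip_network("198.51.100.0/24"), "nat_ip": ip_address("198.51.100.10")},
}

@dataclass
class Flow:
    uplink: str            # link chosen when the first packet (SYN) was routed
    src: object            # public source address fixed by SNAT at that moment
    flagged: bool = False  # set once the payload matcher recognises P2P

def isp_accepts(uplink, src):
    """Source address filtering: a provider forwards only addresses from its own prefix."""
    return src in UPLINKS[uplink]["prefix"]

def looks_like_p2p(payload):
    """Stand-in for an ipp2p/layer7-style matcher: it needs application data to decide."""
    return payload.startswith(b"\x13BitTorrent protocol")

def send(flow, payload, p2p_uplink="ISP-B", rewrite_src=False):
    """Route one outbound packet of an existing flow; return (uplink, outcome)."""
    if not flow.flagged and looks_like_p2p(payload):
        flow.flagged = True
    uplink = p2p_uplink if flow.flagged else flow.uplink
    src = UPLINKS[uplink]["nat_ip"] if rewrite_src else flow.src
    if not isp_accepts(uplink, src):
        return uplink, "dropped by provider source filter"
    if src != flow.src:
        # The remote peer identifies the connection by its original address pair.
        return uplink, "rejected by peer: unknown connection"
    return uplink, "delivered"

def run_connection(**kw):
    """Handshake packets carry no payload, so the flow starts on the default link (ISP-A)."""
    flow = Flow("ISP-A", UPLINKS["ISP-A"]["nat_ip"])
    packets = [b"", b"", b"\x13BitTorrent protocol" + b"\0" * 8, b"piece data"]
    return [send(flow, p, **kw) for p in packets]

if __name__ == "__main__":
    for label, kw in [("move flow", {}), ("move + re-NAT", {"rewrite_src": True}),
                      ("leave on ISP-A", {"p2p_uplink": "ISP-A"})]:
        print(label, run_connection(**kw))
```
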
Yes, I understand this is only truly workable when you own your IP block, and have two ISPs willing to route your numbers on their backbones.

On Wed, 2005-04-27 at 15:09 -0700, Tom Eastep wrote:
> ryan wrote:
> > I've seen a few commercial products do what you are asking. At the low
> > end, this linksys can shove traffic out a different wan interface based
> > on port / service.
>
> The point that I was trying to make earlier is that P2P may use a wide
> variety of ports including a standard port such as TCP/80 so it is only
> by analyzing the data stream that the connection may be recognized as
> "P2P". This is the principle behind Netfilter extensions such as ipp2p
> and layer7. These P2P recognizers can not be used effectively to route
> traffic over multiple links if there is source address filtering on
> either of those links. For example, if the original connection is made
> through ISP-A, switching the connection over to ISP-B won't work in
> general (even in the outbound direction) because ISP-B is likely to drop
> outbound traffic with a source address belonging to ISP-A.
>
> -Tom