Hello,

I tried to find the answer to my problem already, but it is a specialised one I think, because nothing was found.

I previously had an ISP who was very fast ("extreme speed" service from Cable Modem) but that blocked the SMTP port and some others for poor non-commercial users... And it gives dynamic addresses, so no DNS at home without tricks...

So I went to another ISP that leaves all ports open and gives a fixed address! But in reality it is a tunnel through a normal ADSL line from the national provider. This national provider gives dynamic addresses but I don't see it. But it is slower than my Cable Modem connection.

My goals are:

+ Get a fast access to Internet to browse and get misc. files from many services
+ Get a fast access from the office to my mails and local network (IMAP, Remote Desktop, ...)
+ Be able to send and receive mail without being blocked!

So the configuration in Linux and Shorewall would be:

+ Default gateway to cable modem
+ "masq" from local network to both ISPs
+ Define rules to manage the access to my local computers and services
+ Use the "opened ISP" to send and receive email on port 25...

The last one is not working with the default route to the "blocked" ISP.

I tried many configurations in "nat", "masq" and many others but I didn't succeed.

I'm back to the ADSL slow connection to be able to send and receive mails... :-(

Is there someone who can help me or explain how to get a given port number on a given host to be routed to and from a specified ISP?

Thanks in advance.

Yves

Please post your config and the output of shorewall status

Jerry Vonau

Can we get the shorewall status also.

/sbin/shorewall status > /tmp/status.txt

Then send the /tmp/status.txt file. You can compress it if you need to.
Please don't post in html.

Jerry

----- Original Message -----
From: Yves Bélanger
To: jvonau@shaw.ca
Cc: shorewall-users@lists.shorewall.net ; Yves Bélanger
Sent: Monday, June 06, 2005 08:44
Subject: [Shorewall-users] 2 ISQs

It's my first day here... I will send a tar.gz file in attachment but I don't know if it is a good idea!

It's my first day here... I will send a tar.gz file in attachment but I don't know if it is a good idea!

Thanks.

Yves

Here it is!

Thanks.

----- Original Message -----
From: Jerry Vonau
To: Yves Bélanger
Cc: shorewall-users@lists.shorewall.net
Sent: Monday, June 06, 2005 9:50 AM
Subject: Re: [Shorewall-users] 2 ISQs

Can we get the shorewall status also.

/sbin/shorewall status > /tmp/status.txt

Then send the /tmp/status.txt file. You can compress it if you need to.
Please don't post in html.

Jerry

And the routing table!

For now the default route is the ADSL to be able to send email without being identified as an open-relay because of the dynamic address of the Cable Modem provider.

----- Original Message -----
From: "Yves Bélanger" <belanger@dariustech.qc.ca>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, June 06, 2005 00:23
Subject: [Shorewall-users] 2 ISQs

> Is there someone who can help me or explain how to
> get a given port number on a given host to be
> routed to and from a specified ISP?

I'm since you defined DNAT rule for cable, you want those also.

Well you were on the right track.
You must define both providers.

providers:

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
#ADSL   1       1       main            $ADSL           72.0.207.1      track
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

ADSL    1       1       -               $ADSL           72.0.207.1      track
CABLE   2       2       -               $CABLE          detect          track

Don't need to change the default route, just track inbound.

tcrules:

#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
#                                                       PORT(S)
#1      192.168.100.200 -               tcp     25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Take the # out and make it look like:

1:P     $HOST_AUGUSTE   0.0.0.0/0       tcp     $PORT_SMTP

Using the params file, you want outbound from auguste to any machine destination port 25

Restart the network before you restart shorewall, to clear out any "iprules" that may be left.

Jerry
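
Added example, not part of Jerry's message and not the ruleset Shorewall itself generates: the providers and tcrules entries above written out by hand as iproute2 and iptables commands, which shows why the "track" option depends on CONNMARK. The gateways and the 192.168.100.200 host come from the thread (the cable gateway from a later message); the interface names, the LAN subnet and the use of the mark number as the table number are assumptions.

```sh
#!/bin/sh
# Added illustration: policy routing by firewall mark for two providers.
# From the thread: both gateways and the mail host address.
# Assumed: interface names, LAN subnet, table number equal to the mark.
ADSL_IF=${ADSL_IF:-eth1};   ADSL_GW=${ADSL_GW:-72.0.207.1}
CABLE_IF=${CABLE_IF:-eth2}; CABLE_GW=${CABLE_GW:-24.200.170.1}
LAN_IF=${LAN_IF:-eth0};     LAN_NET=${LAN_NET:-192.168.100.0/24}
MAIL_HOST=${MAIL_HOST:-192.168.100.200}
DRY_RUN=${DRY_RUN:-1}       # 1 = only print the commands (no root needed)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One routing table per provider, selected by packet mark. Each table also
# needs the LAN route, otherwise marked replies cannot reach local hosts.
provider_table() {  # $1 = mark and table  $2 = interface  $3 = gateway
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$1"
    run ip route replace default via "$3" dev "$2" table "$1"
    run ip rule add fwmark "$1" table "$1"
}

# "track": restore the mark saved on the connection, then stamp new inbound
# connections with the mark of the provider they arrived through.
track_inbound() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$ADSL_IF" -m mark --mark 0 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$CABLE_IF" -m mark --mark 0 -j MARK --set-mark 2
}

# tcrules "1:P": mark SMTP from the mail host in PREROUTING so that the
# routing decision sends it out through the ADSL table.
smtp_via_adsl() {
    run iptables -t mangle -A PREROUTING -s "$MAIL_HOST" -p tcp --dport 25 -j MARK --set-mark 1
}

# Save the chosen mark on the connection so later packets inherit it.
save_marks() {
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

apply_all() {
    provider_table 1 "$ADSL_IF" "$ADSL_GW"
    provider_table 2 "$CABLE_IF" "$CABLE_GW"
    track_inbound
    smtp_via_adsl
    save_marks
}

apply_all
```

Unmarked traffic keeps using the default route in the main table, so the cable modem can stay the default gateway; the masq entries still decide which source address each interface uses.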

Thank you for the answer.

I put the lines you gave me.

1. with the default gateway on ADSL, the "providers" processing tells me that the detection of the gateway is impossible

   Error: Unable to detect the gateway through interface eth2

2. with the default gateway on CABLE, the "providers" processing gives me a message from iptables

   iptable v1.2.7a: couldn't load match 'connmark' ......

I can't find this file in /lib/iptables. Is it because iptable is not up-to-date? My kernel is still 2.4.20-8.

You're very kind to help me like that.

Yves

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, June 06, 2005 12:50 PM
Subject: Re: [Shorewall-users] 2 ISQs

> You must define both providers.
>
> ADSL 1 1 - $ADSL 72.0.207.1 track
> CABLE 2 2 - $CABLE detect track
>
> Take the # out and make it look like:
> 1:P $HOST_AUGUSTE 0.0.0.0/0 tcp $PORT_SMTP
>
> Jerry
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

2005/6/6, Yves Bélanger <belanger@dariustech.qc.ca>:
> 2. with the default gateway on CABLE, the "providers"
> processing gives me a message from iptables
>
> iptable v1.2.7a: couldn't load match 'connmark' ......
>
> I can't find this file in /lib/iptables. Is it because
> iptable is not up-to-date? My kernel is still 2.4.20-8.

Your kernel and/or iptables version doesn't have CONNMARK support. Recompile, and try again.

Hello Cristian,

I know Unix but more Solaris... :-)

I succeeded to install iptables 1.2.8 and extension CONNMARK! But how to get the right module for my kernel 2.4.10-8? I just downloaded kernel-2.4.20-8.src.rpm...

Thank you.

Yves

----- Original Message -----
From: "Cristian Rodriguez" <judas.iscariote@gmail.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, June 06, 2005 2:09 PM
Subject: Re: [Shorewall-users] 2 ISQs

Your kernel and/or iptables version doesn't have CONNMARK support. Recompile, and try again.

I was wrong about the compilation of the extension... Here is the exact situation.

=======

Hello Cristian,

I succeeded to install iptables 1.2.8 but not extension CONNMARK because it needs the KERNEL_DIR variable to be set properly!

I just downloaded kernel-2.4.20-8.src.rpm and did a "rpm -i" but there is no *CONNMARK* file anywhere...

Can someone tell me how to get module CONNMARK in kernel-2.4.20-8 and in iptables-1.2.8??

Thank you.

Yves

> I just downloaded kernel-2.4.20-8.src.rpm and did a
> "rpm -i" but there is no *CONNMARK* file anywhere...
>
> Can someone tell me how to get module CONNMARK in
> kernel-2.4.20-8 and in iptables-1.2.8??

There may be a pre-compiled kernel rpm that you might be able to use, that has the required options enabled. You installed the source, you now need to compile it. If you're going to compile you will need to select some options, have a look at:

http://www.shorewall.net/kernel.htm
http://www.shorewall.net/traffic_shaping.htm

Jerry

Hello Cristian,

Here is my (new) config:

RedHat 9.0
Kernel 2.4.20-8 from RPM a long time ago
iptable 1.2.8 from sources today
ShoreWall 2.4.0 from RPM today
Kernel 2.4.20-9 sources (I don't know where rpm -i installed it!)

And in attachments output of commands and directory listings.

To use patch-o-matic-ng, I need to have the source of the kernel I think... After many installations, I can't find it. /usr/src/redhat is almost empty...

Thank you.

----- Original Message -----
From: "Cristian Rodriguez" <judas.iscariote@gmail.com>
To: "Yves Bélanger" <belanger@dariustech.qc.ca>
Sent: Monday, June 06, 2005 4:56 PM
Subject: Re: Oupsss: [Shorewall-users] 2 ISQs

2005/6/6, Cristian Rodriguez <judas.iscariote@gmail.com>:
> 2005/6/6, Yves Bélanger <belanger@dariustech.qc.ca>:
> > Can someone tell me how to get module CONNMARK in
> > kernel-2.4.20-8 and in iptables-1.2.8??
>
> what distro are you using??
> RHEL 3 ?? or something?

kernel and iptables patch is available here:

http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050605.tar.bz2

ps: Mine uses SUSE 9.2 and the needed modules are available by default.

Hello again,

It's been a long time. I re-installed my shorewall machine on CentOS 4.0 since then. Good suggestion, Cristian Rodriguez. RH9 was very old.

Now I have kernel 2.6.9-11.EL from CentOS update service, and iptables-1.2.11 standard with this OS, and Shorewall 2.4. I transferred my configuration from my RH9 machine like a charm.

But I still try to make my 2 ISPs work. I downloaded the last patch-o-matic package from the ftp site but when it tries to install CONNMARK, it says:

cannot apply (2 missing files)

Which one?

I attach the last message about my problem here.

Thank you.

Yves

The same "missing 2 files" using sources of iptables-1.3.1 with "runme"...

Do I need a more recent kernel?

----- Original Message -----
From: "Yves Bélanger" <belanger@dariustech.qc.ca>
To: "Jerry Vonau" <jvonau@shaw.ca>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Sunday, June 19, 2005 3:28 PM
Subject: Re: [Shorewall-users] 2 ISQs

I downloaded the last patch-o-matic package from the ftp site but when it tries to install CONNMARK, it says:

cannot apply (2 missing files)

Which one?

----- Original Message -----
From: "Yves Bélanger" <belanger@dariustech.qc.ca>
To: "Jerry Vonau" <jvonau@shaw.ca>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Sunday, June 19, 2005 14:28
Subject: Re: [Shorewall-users] 2 ISQs

> I downloaded the last patch-o-matic package from the ftp site
> but when it tries to install CONNMARK, it says:
>
> cannot apply (2 missing files)
>
> Which one?

Not sure... Did you install the source rpm for both the kernel and iptables?
For what it's worth, I run fedora, kernels < 2.6.10 have that module without patching.

Jerry

It's me again! :-)

Upgraded CentOS 4.0 (all updates from CentOS update mechanism applied should make it CentOS 4.1) kernel to 2.6.12 and iptables to 1.3.1. Shorewall still 2.4.

In attachment the directory listings of both s/w modules, shorewall status and configuration.

Note that the providers and tcrules are commented out for my firewall to work.

I don't understand why it is not working. All files seem to be there.

Thanks.

Yves

> Note that the providers and tcrules are commented
> out for my firewall to work.
>
> I don't understand why it is not working. All files
> seem to be there.

################################################################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
#ADSL   1       1       -               $ADSL           72.0.207.1      track
#CABLE  2       2       -               $CABLE          24.200.170.1    track

Try:

ADSL    1       1       -               main            72.0.207.1      track
CABLE   2       2       -               main            24.200.170.1    track

Without 'main' you would have to add the local lan to the isp tables by hand.

########################################################
#INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
$ADSL           $LOC
$CABLE          $LOC

Try:

$ADSL           $LOC            72.0.207.2
$CABLE          $LOC            24.200.170.128

You have to use a "source nat (SNAT)" address here.

and un-# the tcrules file *should* do it.

Jerry

Not much success here! :-)

Here are the outputs with your suggestions and the same replacing "main" by the interface names as before.

Is my shorewall "modules" file OK? Because it says that "Connmark Match", "CONNMARK Target" and "Extended MARK Target" are "Not available".

Thanks.

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, June 20, 2005 12:13 AM
Subject: Re: [Shorewall-users] 2 ISQs

> Try:
>
> ADSL 1 1 - main 72.0.207.1 track
> CABLE 2 2 - main 24.200.170.1 track
>
> Without 'main' you would have to add the local lan to the isp tables by
> hand.

> Not much success here! :-)
>
> Here are the outputs with your suggestions and
> the same replacing "main" by the interface
> names as before.

That was my mistake... Sorry

ADSL    1       1       main            $ADSL           72.0.207.1      track
CABLE   2       2       main            $CABLE          24.200.170.1    track

> Is my shorewall "modules" file OK? Because it
> says that "Connmark Match", "CONNMARK Target"
> and "Extended MARK Target" are "Not available".

Oops, I checked your _lib_iptables.txt and saw that the source was there, and glanced over the rest. Sorry, you'll have to recompile, ensuring you select those options. Well, at least you won't have to patch...

Jerry (going to recite must re-read before sending 100 times)
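
Added example, not from the thread: a check of the two halves of CONNMARK support that the messages above keep running into, the kernel build options and the iptables userspace libraries under /lib/iptables. The option and library names are the ones used by 2.6-series IPv4 netfilter and iptables 1.3.x and are assumptions for other versions; the fixture in demo is constructed.

```sh
#!/bin/sh
# Added example: report which part of CONNMARK support is missing.

# Print each kernel option that is neither built in (=y) nor a module (=m).
missing_kernel_opts() {    # $1 = kernel .config, e.g. /boot/config-<version>
    for opt in CONFIG_IP_NF_CONNTRACK_MARK \
               CONFIG_IP_NF_MATCH_CONNMARK \
               CONFIG_IP_NF_TARGET_CONNMARK; do
        grep -Eq "^${opt}=[ym]\$" "$1" || echo "$opt"
    done
}

# Print each iptables userspace extension that is absent.
missing_iptables_libs() {  # $1 = extension directory, e.g. /lib/iptables
    for lib in libipt_connmark.so libipt_CONNMARK.so; do
        [ -f "$1/$lib" ] || echo "$lib"
    done
}

# One line per missing piece; returns 0 only when nothing is missing.
connmark_report() {        # $1 = kernel .config  $2 = extension directory
    k=$(missing_kernel_opts "$1")
    u=$(missing_iptables_libs "$2")
    for o in $k; do echo "kernel: $o not enabled"; done
    for l in $u; do echo "iptables: $l not found"; done
    [ -z "$k$u" ]
}

# Constructed fixture: iptables libraries installed, kernel built with
# connection marks but without the connmark match and CONNMARK target.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/config" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_MATCH_CONNMARK is not set
# CONFIG_IP_NF_TARGET_CONNMARK is not set
EOF
    mkdir "$d/iptables"
    : > "$d/iptables/libipt_connmark.so"
    : > "$d/iptables/libipt_CONNMARK.so"
    rc=0
    connmark_report "$d/config" "$d/iptables" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "CONNMARK support incomplete"
```

On a real system, pass the running kernel's config file and /lib/iptables to connmark_report instead of the fixture.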