I haven't tried it yet, but is it possible to have two internet connections on a single firewall? I currently have a DSL connection into the firewall that I would like to keep for company use and add a cable modem for a remote backup service I will be providing to my customers. I believe this is possible, but would like input/suggestions before I take everything down.

Respectfully,
Bryan Staggs

This transmission (including any attachments) may contain confidential information, privileged material, or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
(FAQ 32) My firewall has two connections to the internet from two different ISPs. How do I set this up in Shorewall?
http://www.shorewall.net/FAQ.htm#faq32

- Matt

________________________________________
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Bryan K. Staggs
Sent: Thursday, July 14, 2005 10:27 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Dual internet connections

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
2005/7/14, Bryan K. Staggs <bryan.staggs@lcgis.com>:
> I haven't tried it yet, but is it possible to have two internet connections
> on a single firewall? I currently have a DSL connection into the firewall
> that I would like to keep for company use and add a cable modem for a remote
> backup service I will be providing to my customers. I believe this is
> possible, but would like input/suggestions before I take everything down.

Hi Bryan: the article in the FAQ is outdated; now with Shorewall you can configure two ISPs using the /etc/shorewall/providers file. Please read the documentation:
http://www.shorewall.net/Shorewall_and_Routing.html#id2959173

You need to install Shorewall 2.3.2 or later (2.3.x is unsupported though; please install the latest version, at this time 2.4.1).

take care.
> please read the documentation:
> http://www.shorewall.net/Shorewall_and_Routing.html#id2959173

Dear all,

I went through the documentation mentioned below. I have a question related to sharing multiple ISP connections. Is it possible for Shorewall to be configured in such a way that if the ISP1 link fails, traffic is automatically routed through ISP2? And can Shorewall be configured to automatically switch back to ISP1 as soon as the link recovers?

- sree
On Fri, Jul 15, 2005 at 05:20:18PM +0530, sreekanth s rameshaiah wrote:
> Dear all,
>
> I went through the documentation mentioned below. I have a question related
> to sharing multiple ISP connections.
> Is it possible for shorewall to be configured in such a way that if ISP1
> link fails automatically traffic is routed through ISP2 ?
> And can shorewall be configured to automatically switch back to ISP1 as
> soon as the link recovers?

If you configure Shorewall to handle both routes you can write a script that can test the connections and adjust the routing table accordingly. I once wrote such a script for a proxy server in Python which might help you. You will have to adapt it for your circumstances or write your own:

=========================================================
#!/usr/bin/python3
import subprocess
import time
import urllib.request

tenet_address = '146.232.129.118'      # host on the TENET side used for the ping test
list_of_urls = ['http://google.com', 'http://news24.co.za', 'http://www.cnn.com',
                'http://www.microsoft.com', 'http://www.ananzi.co.za',
                'http://www.debian.org']
tenet_route = '146.232.65.2'           # gateway 1 (TENET)
uunet_route = '196.31.70.1'            # gateway 2 (UUNET)


def toets_of_gateway1_weer_herstel_is(list_of_urls):
    # "Test whether gateway 1 has recovered": count how many of the URLs
    # can be fetched; more than three successes means the link is back.
    count = 0
    for adres in list_of_urls:
        try:
            urllib.request.urlopen(adres, timeout=10).geturl()
            count = count + 1
        except Exception:
            pass
    return count > 3


def switch_gateway(remove, replace_with):
    # Add the new default route first, then remove the old one, so the
    # box is never left without a default route in between.
    subprocess.call(['/sbin/route', 'add', 'default', 'gw', replace_with])
    subprocess.call(['/sbin/route', 'del', 'default', 'gw', remove])
    print('%s is now active' % replace_with)


def test_tenet(tenet_address):
    # Get the exit code of the unix process "ping". 0 indicates success.
    return subprocess.call(['ping', '-c', '1', tenet_address],
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL) == 0


def loop():
    # Remember which gateway is active so we only switch on a state change.
    active = tenet_route
    while True:
        if active == tenet_route and not test_tenet(tenet_address):
            switch_gateway(tenet_route, uunet_route)
            active = uunet_route
        elif active == uunet_route and toets_of_gateway1_weer_herstel_is(list_of_urls):
            switch_gateway(uunet_route, tenet_route)
            active = tenet_route
        time.sleep(60)


loop()
=========================================

Regards
Johann
--
Johann Spies                       Phone: 021-808 4036
Information Technology, Universiteit van Stellenbosch

     "I have been young, and now am old; yet I have not seen the
      righteous forsaken, nor his children begging bread."
                                             Psalms 37:25
Dear Johann,

Thanks for the script. Will try the same.

Regards,
- sree

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Johann Spies
Sent: Friday, July 15, 2005 6:23 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
Thanks for the reply...

I have read the article and understand the process. Is it this involved if I have two internal subnets, 192.168.1.0 and 192.168.2.0, and want the 1.0 subnet to use ISP 1 and the 2.0 subnet to use ISP 2? Each ISP has a specific use and the internal subnets will never use the other ISP.

Bryan Staggs

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Cristian Rodriguez
Sent: Thursday, July 14, 2005 2:15 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
> Thanks for the reply...
> I have read the article and understand the process. Is it this involved
> if I have two internal subnets, 192.168.1.0 and 192.168.2.0 and want the
> 1.0 subnet to use ISP 1 and the 2.0 subnet to use ISP 2?

Just a little....

> Each ISP has a specific use and the internal subnets will never use the
> other ISP.

Are both 192.168.1.0 and 192.168.2.0 on the same NIC? If they're separate, use the copy column of the providers file to state which LAN belongs with which ISP, i.e.:

    two   2   2   main   eth1   detect   track   eth2
    one   1   1   main   eth0   detect   track   eth3

Providers are on eth0 & eth1 and LANs are eth2 & eth3. The routing tables for each provider will only have their routes and whatever routes are attached to the interface stated in the copy column.

Jerry
Hello, I have Linux with the VPN connected OK; my VPN interface is tun0, but I created the following rules in my rules file:

    ACCEPT  fw    net   tcp  53,22,80,123,5000,25,110,443
    ACCEPT  fw    tun0  tcp  22
    ACCEPT  all   all   tcp  22,443,110,22,137,138,53
    ACCEPT  tun0  fw    tcp  22
    ACCEPT  tun0  loc   tcp  22
    ACCEPT  loc   tun0  tcp  22

But when I try to connect with the VPN I have the following error:

    Aug 2 13:08:28 fw kernel: Shorewall:INPUT:REJECT:IN=tun0 OUT= MAC= SRC=192.168.0.5 DST=192.168.10.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62091 DF PROTO=TCP SPT=55292 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

How do I allow the SSH?

tks
I forgot the tun0 in the interfaces file.

Sorry all.

----- Original Message -----
From: "Marcelo Leão Caffaro" <leao@employer.com.br>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, August 02, 2005 1:09 PM
Subject: [Shorewall-users] REJECT?
Is tun0 an interface name or a zone name? It's hard to tell since you didn't include all the config files.

Jerry
Marcelo Leão Caffaro wrote:
> I forgot the tun0 in interfaces file.
>
> sorry all

It is also risky to name a zone with the same name as an interface -- I cannot guarantee that odd things won't happen when that is done.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Jerry,

Thanks for getting back. I have 4 NICs in the system, one for each ISP and one for each subnet.

    eth0 = ISP1
    eth1 = ISP2
    eth2 = lan1
    eth3 = lan2

Please let me know if I have missed anything. Here are my config files that I will be testing:

Providers:
    ISP1  1  1  main  eth0  detect  track  eth2
    ISP2  2  2  main  eth1  detect  track  eth3

Interfaces:
    Net1  eth0  detect  -
    Net2  eth1  detect  -

Policy:
    Net1  net2  DROP
    Net2  net1  DROP

Masq:
    eth0  eth2  71.22.x.x
    eth1  eth3  68.34.x.x

Thanks again...

Respectfully,
Bryan Staggs

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday, August 02, 2005 10:19 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
Looks ok to me, I'd like to see a shorewall status when it's up.

Jerry

If this doesn't work as is, since you're not balancing across both ISPs, you may have to use the tcrules file to mark the outbound traffic. Example:

    1:P  192.168.1.0/24  0.0.0.0/0  all  -  -  -
    2:P  192.168.2.0/24  0.0.0.0/0  all  -  -  -

Check the local LAN to ISP relationship. The other question: do lan1 and lan2 need to communicate? If so, the above rules would need to be tweaked; replace 0.0.0.0/0 with !<otherlan/24>.

I'd like to know what worked for you. This is like having 2 boxes in one.

Jerry
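An added illustration (my own code, not Shorewall's and not from the thread) of the policy routing that the providers rows and the 1:P / 2:P tcrules marks above boil down to: one routing table per ISP, a fwmark rule and a source-subnet rule selecting it, and the "!<otherlan/24>" exception expressed as a higher-priority rule to the main table. The gateway addresses, rule priorities and the column names are my assumptions; `render()` only prints the equivalent `ip` commands, it does not run them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Provider:
    """One row of /etc/shorewall/providers, reduced to the columns used here."""
    name: str
    number: int        # NUMBER: id of the routing table created for this ISP
    mark: int          # MARK: fwmark that selects that table
    interface: str     # INTERFACE: the ISP-facing NIC
    gateway: str       # GATEWAY ("detect" in the thread; a constructed address here)
    copy_if: str       # COPY: LAN NIC whose routes are copied into the table
    lan: str           # the subnet behind that LAN NIC (not a providers column)


@dataclass
class Rule:
    """One entry of the routing policy database (what `ip rule` lists)."""
    priority: int
    table: str
    src: Optional[str] = None      # "from" selector, CIDR
    dst: Optional[str] = None      # "to" selector, CIDR
    fwmark: Optional[int] = None   # "fwmark" selector


def build_rules(providers, lans_talk_to_each_other=False):
    """Rules that bind each LAN to its own ISP table, lowest priority value first."""
    rules = []
    if lans_talk_to_each_other:
        # Jerry's "!<otherlan/24>" tweak: LAN-to-LAN traffic must be looked up in
        # the main table (which holds the connected routes for both LAN NICs)
        # before the per-LAN rules can push it out through an ISP.
        for p in providers:
            for q in providers:
                if p is not q:
                    rules.append(Rule(100, "main", src=p.lan, dst=q.lan))
    for p in providers:
        # Connection-marked packets (replies to connections that came in via
        # this ISP, the "track" option) use its table ...
        rules.append(Rule(1000 + p.number, str(p.number), fwmark=p.mark))
        # ... and so does everything originating from the LAN paired with it,
        # which is what the 1:P / 2:P tcrules marks achieve.
        rules.append(Rule(2000 + p.number, str(p.number), src=p.lan))
    return sorted(rules, key=lambda r: r.priority)


def select_table(rules, src, dst, fwmark=0):
    """Pick the routing table the way the kernel does: first matching rule wins."""
    for r in rules:
        if r.src and ip_address(src) not in ip_network(r.src):
            continue
        if r.dst and ip_address(dst) not in ip_network(r.dst):
            continue
        if r.fwmark is not None and r.fwmark != fwmark:
            continue
        return r.table
    return "main"   # the implicit catch-all rule at priority 32766


def render(providers, rules):
    """The iproute2 commands that would install this setup (returned, not executed)."""
    cmds = []
    for p in providers:
        cmds.append(f"ip route add {p.lan} dev {p.copy_if} table {p.number}")
        cmds.append(f"ip route add default via {p.gateway} dev {p.interface} table {p.number}")
    for r in rules:
        parts = ["ip", "rule", "add"]
        if r.src:
            parts += ["from", r.src]
        if r.dst:
            parts += ["to", r.dst]
        if r.fwmark is not None:
            parts += ["fwmark", str(r.fwmark)]
        parts += ["table", r.table, "priority", str(r.priority)]
        cmds.append(" ".join(parts))
    return cmds


# Constructed sample mirroring the thread's layout; gateways are documentation addresses.
PROVIDERS = [
    Provider("ISP1", 1, 1, "eth0", "198.51.100.1", "eth2", "192.168.1.0/24"),
    Provider("ISP2", 2, 2, "eth1", "203.0.113.1", "eth3", "192.168.2.0/24"),
]

if __name__ == "__main__":
    for talk in (False, True):
        rules = build_rules(PROVIDERS, lans_talk_to_each_other=talk)
        print("LAN1 -> LAN2 uses table:", select_table(rules, "192.168.1.5", "192.168.2.7"))
    print("\n".join(render(PROVIDERS, build_rules(PROVIDERS, True))))
```

Without the exception, LAN1-to-LAN2 traffic is sent to table 1, whose only routes are LAN1 and ISP1's default, so it would leave through eth0 instead of eth3.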
Marcelo Leão Caffaro wrote:
> Hello, i have the linux with vpn connected ok, my vpn interface is tun0,
> but i create the following rule in my rules file:
> ACCEPT all all tcp 22,443,110,22,137,138,53

I would also strongly recommend you:

1. Don't use all2all rules (especially for services like SMB)
2. Include all zone2zone combinations in your policy file, so you get more meaningful log messages on rejected packets.

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
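An added example (my own code, not from the thread or from Shorewall) that parses the kernel log format quoted in Marcelo's message and turns Paul's second point into a triage check: a packet logged from a builtin chain such as INPUT matched no zone pair, which is what an interface missing from the interfaces file or an uncovered zone pair looks like. The sample lines beyond the first are constructed, and the "builtin chains are all upper case" test is a heuristic of mine.

```python
import re
from collections import Counter

# Constructed sample log: the first line is the one quoted in the thread; the other
# two are invented in the same format (203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LOG = """\
Aug 2 13:08:28 fw kernel: Shorewall:INPUT:REJECT:IN=tun0 OUT= MAC= SRC=192.168.0.5 DST=192.168.10.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62091 DF PROTO=TCP SPT=55292 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 2 13:09:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 2 13:09:02 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth2 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.50 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=UDP SPT=3456 DPT=53 LEN=32
"""

# The log prefix is "Shorewall:<chain>:<disposition>:" followed by the kernel's
# KEY=VALUE fields; bare tokens such as DF and SYN are flags.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    chain = m.group("chain")
    # A chain named after a zone pair (net2fw, loc2net) means a policy or rule for
    # that pair fired; a builtin chain (INPUT, FORWARD, OUTPUT) means the packet
    # matched no zone pair at all. Heuristic: builtin chains are all upper case.
    zone_pair = None if chain.isupper() else chain
    return {
        "chain": chain,
        "disposition": m.group("disposition"),
        "zone_pair": zone_pair,
        "in": fields.get("IN") or None,      # "OUT=" with no value becomes None
        "out": fields.get("OUT") or None,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": fields.get("SYN") is True,
    }


def parse_log(text):
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def explain(rec):
    """One-line triage hint for a logged packet."""
    if rec["disposition"] == "ACCEPT":
        return "accepted"
    if rec["zone_pair"] is None:
        return (f"{rec['disposition']} in builtin chain {rec['chain']}: the packet arriving on "
                f"{rec['in']} matched no zone pair. Check that {rec['in']} is listed in "
                f"/etc/shorewall/interfaces and that the policy file covers its zone.")
    return (f"{rec['disposition']} by the {rec['zone_pair']} policy/rules "
            f"({rec['proto']} dport {rec['dport']} from {rec['src']})")


def summarize(records):
    """Count non-accepted packets per (inbound interface, protocol, destination port)."""
    return Counter((r["in"], r["proto"], r["dport"])
                   for r in records if r["disposition"] != "ACCEPT")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(explain(r))
    print(summarize(recs))
```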
Jerry,

**The attached file is a .zip with a .txt extension so I can forward.**

I think I am very close on this. Everything looks good with the exception of forwarded traffic getting rejected from the internet to internal IPs and not being able to get to the internet from the inside. I am getting FORWARD:REJECT SRC=eth0 DES=eth0. I think I might need to have routeback in interfaces, is this correct? The other issue is that outbound traffic is either getting dropped or rejected. I have attached my config files to look at. I have also commented out lines for NET2 since I needed the firewall operational during the day. I will give it another go tonight.

Thanks again....

Respectfully,
Bryan Staggs

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday, August 02, 2005 7:26 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
Jerry,

I'm not sure if you received my last email since it had an attachment. I have half of it working as of right now. On ISP1/LOC1, internal users can browse the web, and the servers I currently have can be accessed just fine from the outside. The issue is on ISP2 and LOC2: traffic is not getting routed out or forwarded to the internal systems. If I run a tcpdump on eth1 (ISP2) and one on eth3 (LOC2) and try to browse the web from an internal system, I see the traffic hit eth3 and then go out eth1. I then see responses come back on eth1, but they are never routed back through eth3. Likewise, I can access the firewall just fine from an external system but can't get to systems on the LOC2 subnet. The odd thing is that if I change the default route from the ISP1 gw to the ISP2 gw, everything works fine with ISP2/LOC2 but ISP1/LOC1 starts having the same problem. I tried the routeback on both of the interfaces, but no luck. I know it is just a routing issue, but I can't seem to put my finger on it. Any help on getting this figured out would be greatly appreciated.

Thanks again for all the help.

Respectfully,
Bryan Staggs
Bryan: Need a shorewall status, just to see where your at. On a hunch in providers, add balance as an option for both. making coffee Jerry ----- Original Message ----- From: "Bryan K. Staggs" <bryan.staggs@lcgis.com> To: <shorewall-users@lists.sourceforge.net> Sent: Thursday, August 04, 2005 01:09 Subject: RE: [Shorewall-users] Dual internet connections Jerry, I''m not sure if you received my last email since it had an attachment. I have half of it working as of right now. On ISP1/LOC1, internal users can browse the web, and the servers I currently have can be accessed just fine from the outside. The issue is on ISP2 and LOC2, traffic is not getting routed out or forwarded to the internal systems. If I run a tcpdump on eth1(ISP2) and one on eth3(LOC2) and try to browse the web from an internal system, I see the traffic hit eth3 and then out eth1. I then see responses come back on eth1, but are never routed back through eth3. Likewise, I can access the firewall just fine from an external system but can''t get to systems on the LOC2 subnet. The odd thing is that if I change the default route from the ISP1 gw to the ISP2 gw everything works fine with ISP2/LOC2 but ISP1/LOC1 start having the same problem. I tried the routeback on both of the interfaces, but no luck. I know it is just a routing issue, but I can''t seem to put my finger on it any hale on getting this figured out would be greatly appreciated. Thanks again for all the help. Respectfully, Bryan Staggs This transmission (including any attachments) may contain confidential information, privileged material, or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. 
-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday, August 02, 2005 7:26 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
in the zip:

#ISP1 1 1 - eth0 162.xx.xx.1 track -
#ISP2 2 2 - eth1 70.xxx.xxx.225 track

Why is this different from what you said you'd run below?

Jerry

----- Original Message -----
From: "Bryan K. Staggs" <bryan.staggs@lcgis.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, August 03, 2005 10:58
Subject: RE: [Shorewall-users] Dual internet connections

Jerry,

**The attached file is a .zip with a .txt extension so I can forward.**

I think I am very close on this. Everything looks good with the exception of forwarded traffic getting rejected from the internet to internal IPs and not being able to get to the internet from the inside. I am getting

FORWARD:REJECT SRC=eth0 DES=eth0

I think I might need to have routeback in interfaces, is this correct? The other issue is that outbound traffic is either getting dropped or rejected. I have attached my config files to look at. I have also commented out lines for NET2 since I needed the firewall operational during the day. I will give it another go tonight.

Thanks again....

Respectfully,
Bryan Staggs

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday, August 02, 2005 7:26 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
Jerry,

My mistake. I had changed this to see if I could get it working; it is as it appears below. As requested, I have attached a shorewall status.

Respectfully,
Bryan Staggs

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Thursday, August 04, 2005 8:10 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual internet connections
Jerry,

I just wanted to follow up with you. I added balance and it all started working just fine. I initially did not enable this as I didn't want to balance between the ISPs. But, after you mentioned it I began to ponder the obvious. When I configure the providers, if I "DUPLICATE" "main" and only "COPY" the interface I want routed out the NET1 interface, LOC1 in this case, LOC2 will never be routed out NET1 and vice versa since there aren't entries in the alternate routing tables. I think I am correct on this, but if not, oh well, it's working... Finally.

I have also attached my most recent shorewall status if you are interested in looking at it. Thanks again for all of your input and guidance.

Here is my current "working" setup:

Interfaces:
NET1 eth0 detect norfc1918,arp_filter,routefilter,logmartians,blacklist,tcpflags,nosmurfs
NET2 eth1 detect norfc1918,arp_filter,routefilter,logmartians,blacklist,tcpflags,nosmurfs
LOC1 eth2 detect dhcp
LOC2 eth3 detect dhcp

Providers:
ISP1 1 1 main eth0 162.xx.xx.xx track,balance eth2
ISP2 2 2 main eth1 70.xx.xx.xx track,balance eth3

TcRules:
1:P eth2 0.0.0.0/0 all
2:P eth3 0.0.0.0/0 all
3:P $FW 0.0.0.0/0 all

Zones:
NET1 InternetDSL Internet DSL
NET2 InternetCABLE Internet Cable Modem
LOC1 Internal81 Internal Network 192.168.1.0
LOC2 Internal80 Internal Network 192.168.0.1

Policy:
fw NET1 ACCEPT
fw NET2 ACCEPT
LOC1 NET1 ACCEPT
LOC2 NET2 ACCEPT
NET1 all DROP info
NET2 all DROP info
all all REJECT info

Respectfully,
Bryan Staggs
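The behaviour the thread circles around (LAN traffic marked by tcrules selecting a per-ISP routing table, replies to a tracked connection going back out the same ISP, and the routefilter option on the two internet interfaces) comes down to Linux policy routing: a list of ip rules tried in priority order, each pointing at a routing table. The following is an added illustration written for this thread, not Shorewall's code and not taken from any of the posters: a small model of those rules and tables, mirroring the eth0/eth1/eth2/eth3 layout above. The addresses are constructed RFC 5737 test ranges, the table names and rule priorities are made up, and the two "from <ISP prefix>" rules are an assumption of the model rather than something the thread shows.

```python
"""Toy model of the Linux policy routing behind a two-ISP / two-LAN firewall.
Added illustration for this thread, not Shorewall's own code: it reproduces the
effect of the tcrules marks (1:P eth2, 2:P eth3), of the per-provider routing
tables the providers file builds, and of a strict reverse-path check like the
'routefilter' option. Addresses are constructed (RFC 5737 ranges), not the
posters' real ones; the 'from <ISP prefix>' rules are an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                             # egress interface (next hop omitted)

@dataclass
class Rule:
    priority: int
    table: str
    fwmark: Optional[int] = None         # match packet mark (tcrules / conntrack)
    src: Optional[ipaddress.IPv4Network] = None   # match source prefix

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    mark: int = 0
    iif: str = "lo"                      # ingress interface; "lo" = local origin

def lookup_table(table, dst):
    """Longest-prefix match inside one routing table."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def route(pkt, rules, tables):
    """Walk rules by priority; a rule whose table has no route for the destination
    is skipped and the next rule is tried, as the kernel does (an explicit
    'unreachable'/'throw' route would end the walk; not modelled)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fwmark is not None and pkt.mark != rule.fwmark:
            continue
        if rule.src is not None and pkt.src not in rule.src:
            continue
        hit = lookup_table(tables[rule.table], pkt.dst)
        if hit is not None:
            return rule.table, hit
    return None, None

def egress_dev(pkt, rules, tables):
    _, hit = route(pkt, rules, tables)
    return hit.dev if hit else None

def passes_rp_filter(pkt, rules, tables):
    """Strict reverse-path check: route the reversed flow and require that it
    would leave by the interface the packet arrived on."""
    reverse = Packet(src=pkt.dst, dst=pkt.src, mark=pkt.mark)
    return egress_dev(reverse, rules, tables) == pkt.iif

# Constructed topology mirroring eth0=ISP1, eth1=ISP2, eth2=LAN1, eth3=LAN2.
N, A = ipaddress.ip_network, ipaddress.ip_address
LAN1, LAN2 = N("192.168.1.0/24"), N("192.168.0.0/24")
ISP1_NET, ISP2_NET = N("198.51.100.0/24"), N("203.0.113.0/24")
FW_ISP2_ADDR = A("203.0.113.5")          # firewall's own address on eth1
ANY = N("0.0.0.0/0")
RULES = [
    Rule(100, "ISP1", fwmark=1),         # tcrules 1:P eth2 -> table ISP1
    Rule(101, "ISP2", fwmark=2),         # tcrules 2:P eth3 -> table ISP2
    Rule(200, "ISP1", src=ISP1_NET),     # assumption: packets sourced from ISP1 address
    Rule(201, "ISP2", src=ISP2_NET),     # assumption: packets sourced from ISP2 address
    Rule(32766, "main"),
]

def build_tables(copy_lan_routes):
    """Each provider table holds the ISP's link route plus a default via that ISP.
    With copy_lan_routes the LAN behind each ISP is copied in as well, which is
    what the COPY column (eth2 / eth3) of the providers file asks for."""
    isp1 = [Route(ISP1_NET, "eth0"), Route(ANY, "eth0")]
    isp2 = [Route(ISP2_NET, "eth1"), Route(ANY, "eth1")]
    if copy_lan_routes:
        isp1.append(Route(LAN1, "eth2"))
        isp2.append(Route(LAN2, "eth3"))
    main = [Route(ISP1_NET, "eth0"), Route(ISP2_NET, "eth1"), Route(LAN1, "eth2"),
            Route(LAN2, "eth3"), Route(ANY, "eth0")]      # DSL is the system default
    return {"main": main, "ISP1": isp1, "ISP2": isp2}

def demo():
    net, h1, h2 = A("192.0.2.10"), A("192.168.1.20"), A("192.168.0.20")
    full, bare = build_tables(True), build_tables(False)
    return {
        # marked LAN traffic leaves by its own ISP; unmarked LAN2 follows the main default
        "lan1_marked": egress_dev(Packet(h1, net, mark=1, iif="eth2"), RULES, full),
        "lan2_marked": egress_dev(Packet(h2, net, mark=2, iif="eth3"), RULES, full),
        "lan2_unmarked": egress_dev(Packet(h2, net, mark=0, iif="eth3"), RULES, full),
        # reply to a LAN2 host with the conntrack mark restored, arriving on eth1:
        # it reaches eth3 only if LAN2's route was copied into the ISP2 table
        "reply_copied": egress_dev(Packet(net, h2, mark=2, iif="eth1"), RULES, full),
        "reply_not_copied": egress_dev(Packet(net, h2, mark=2, iif="eth1"), RULES, bare),
        # routefilter: a real inbound connection to the cable address passes,
        # a packet from the cable ISP claiming a LAN1 source address does not
        "inbound_ok": passes_rp_filter(Packet(net, FW_ISP2_ADDR, iif="eth1"), RULES, full),
        "spoofed_lan1": passes_rp_filter(Packet(A("192.168.1.5"), h2, iif="eth1"), RULES, full),
    }
```

Calling `demo()` returns the egress interface for each case. The two `reply_*` cases are the point to take from the thread: a provider table that ends in a default route answers "eth1" for any destination it does not know, so a reply for a LAN2 host that is steered into the ISP2 table by the restored mark only reaches eth3 if that LAN's route is present in the table. The `spoofed_lan1` case shows what `routefilter` buys on the internet-facing interfaces: a packet arriving from an ISP with an internal source address fails the reverse lookup and is dropped. On a real box the same questions can be put to the kernel with `ip route get <dst> from <src> iif <dev>`, which is the quickest way to confirm which table and interface a given flow will actually use.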
Thank you very much for the feedback.

> I just wanted to follow up with you. I added balance and it all started
> working just fine. I initially did not enable this as I didn't want to
> balance between the ISP. But, after you mentioned it I began to ponder
> the obvious. When I configure the providers, if I "DUPLICATE" "main" and
> only "COPY" the interface I want routed out the NET1 interface, LOC1 in
> this case, LOC2 will never be routed out NET1 and vice versa since there
> aren't entries in the alternate routing tables. I think I am correct on
> this, but if not, oh well, it's working... Finally.

That is the way it's intended to work. I'm running a patched version; the difference is the ordering of the "ip rules" that are created. I was able to create this without "balance". Should be part of the 2.4.3 release, might want to try it and see if you get the same behavior.

> I have also attached my most recent shorewall status if you are
> interested in looking at it.

Thanks again.

Jerry
Jerry Vonau wrote:
> Thank you very much for the feedback.
>
> That is the way it's intended to work. I'm running a patched version, the
> difference is the ordering of the "ip rules" that are created, I was able to
> create this without "balance". Should be part of the 2.4.3 release, might
> want to try it, and see if you get the same behavior.

The code that Jerry is talking about is available in the SHOREWALL_2_4 branch in CVS. You will want:

shorewall - Place in /sbin
firewall
functions - Place both in /usr/share/shorewall

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key