Hi,

I'm currently (happily) using shorewall 2.0.17, and have been on the 2.0.x versions for a while (prior to that the 1.4.x versions). I just recently started looking at upgrading to the latest shorewall 2.4.x series, and checking out the "Upgrade issues" area of the shorewall website to see what's involved in the upgrade. I use RPM versions of shorewall.

Anyway, I was pleasantly surprised to see the latest 2.4.2 supports multiple ISPs. I have been looking for a solution such as this for ages, as I have multiple broadband links which I'd like to utilise together.

Is anyone using this feature with any success?

If one of the links goes down, does it "just work" and continue using the other link for all traffic? (or is a network restart required due to the routing table entries shorewall places in there?)

Thanks.

Michael.
> Is anyone using this feature with any success?

For my case, yes. I was able to use this feature, but in a different situation than yours. I divided certain ports among multiple ISP links and it works beautifully.

> If one of the links go down, does it "just work" and
> continue using the other link for all traffic? (or is
> a network restart required due to the routing table
> entries shorewall places in there?)

I've never tried this before, but I think it can be done. Maybe you can set the "balance" option in the providers file.

-- 
Regards,
Wong Chee Chun
Network Engineer
Softmy Co. Ltd (http://www.softmy.com)
Michael Mansour wrote:

> Anyway, I was pleasantly surprised to see the latest
> 2.4.2 supports multiple ISP's. I have been looking for
> a solution such as this for ages, as I have multiple
> broadband links which I'd like to utilise together.
>
> Is anyone using this feature with any success?

Yes, and it's working fine :-)

> If one of the links go down, does it "just work" and
> continue using the other link for all traffic?

No. Shorewall can't do that.

-- 
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
Cristian Rodriguez wrote:

> Michael Mansour wrote:
>
>> If one of the links go down, does it "just work" and
>> continue using the other link for all traffic?
>
> No. Shorewall can't do that.

Cristian is correct. One must remember that Shorewall doesn't run continuously in the system -- it only runs when you or the system (cron, for example) asks it to. It therefore cannot react automatically to events such as the failure of an internet connection.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> One must remember that Shorewall doesn't run continuously in the system
> -- it only runs when you or the system (cron, for example) asks it to.
> It therefore cannot react automatically to events such as the failure of
> an internet connection.

Hello,

Running this kind of setup here, the only thing you can do is add a script in the "ip-down.d" to do whatever you need to in case you lose one of the lines.

Manuel
Tom Eastep wrote:

> One must remember that Shorewall doesn't run continuously in the system
> -- it only runs when you or the system (cron, for example) asks it to.
> It therefore cannot react automatically to events such as the failure of
> an internet connection.

In theory, it seems like you could use a monitoring daemon to watch for events that indicate that a link has failed. ifplugd can react to link state failures (cables unplugged, for instance), and I don't think it would be too hard to write a shell script that continuously pings an upstream router, and executes an arbitrary command if a certain number of pings fail. That command could be 'shorewall clear' or 'shorewall stop', followed by a 'shorewall start' using an alternate set of config files that set the system up to deal with the failed link (all traffic uses the other link).

I have a somewhat more primitive version of this running on my shorewall machines, but all it does is alert the administrator to the problem. I haven't had time to implement and test anything more interesting.

So, Tom, if someone were to give you proof-of-concept scripts that can detect and handle simple failure conditions like this, do you have any ideas about how they could be integrated into shorewall? It's a little outside the realm of what shorewall has traditionally been, I guess, but it would be a heck of a nice feature.

-Ryan
On Monday 12 September 2005 14:01, Ryan B. Lynch wrote:

> Tom Eastep wrote:
>
>> One must remember that Shorewall doesn't run continuously in the system
>> -- it only runs when you or the system (cron, for example) asks it to.
>> It therefore cannot react automatically to events such as the failure of
>> an internet connection.
>
> In theory, it seems like you could use a monitoring daemon to watch for
> events that indicate that a link has failed.

Routing daemons have been doing this for years -- unfortunately, most Shorewall users with two or more Internet connections are using consumer-grade (or SOHO) Internet services which don't offer routing protocol support.

> ifplugd can react to link
> state failures (cables unplugged, for instance), and I don't think it
> would be too hard to write a shell script that continuously pings an
> upstream router, and executes an arbitrary command if a certain number
> of pings fail. That command could be 'shorewall clear' or 'shorewall
> stop', followed by a 'shorewall start' using an alternate set of config
> files that set the system up to deal with the failed link (all traffic
> uses the other link).

or "shorewall restore <alternate saved config>"

> I have a somewhat more primitive version of this running on my shorewall
> machines, but all it does is alert the administrator to the problem. I
> haven't had time to implement and test anything more interesting.
>
> So, Tom, if someone were to give you proof-of-concept scripts that can
> detect and handle simple failure conditions like this, do you have any
> ideas about how they could be integrated into shorewall? It's a little
> outside the realm of what shorewall has traditionally been, I guess, but
> it would be a heck of a nice feature.

I believe that Open Source works best when people who have both a need for a solution and the talent to create the solution volunteer their time and effort to create, document and support that solution.

In that spirit, I think that a daemon that does auto-failover would be an excellent companion/add-on for Shorewall but I am reluctant to make it an integral part of Shorewall.

a) I could test such a solution only through simulation. I did that with the multi-ISP support and I spent more time working around problems with my test environment than I did fixing real problems in the code.

b) Currently, Shorewall is strictly a configuration tool. Problems that occur some time after "shorewall [re]start" are clearly not Shorewall problems. Once Shorewall includes a daemon that can alter the system's networking configuration, any connection problem encountered at any time by Shorewall users will be a potential 'Shorewall problem'. That would increase the support load.

c) Ongoing maintenance, documentation and support account for the bulk of software cost. So being handed a 'proof of concept' script to integrate and maintain isn't such a bargain in the long run.

On the other hand, I think that Shorewall includes all of the necessary hooks today to allow a daemon like what you describe to work seamlessly with it (and if not, I'm happy to add what is missing). If the daemon supports user exits (like Shorewall extension scripts), the daemon could be used with other firewall solutions besides Shorewall.

As always, I'm happy to include links from the Shorewall site to other sites that offer Shorewall-friendly tools.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
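The ping-then-restore watchdog that Ryan sketches and Tom refines ("shorewall restore <alternate saved config>") written out as a working script. This is an added example, not Shorewall's own code and not something any participant in the thread posted. Everything below the first comment block is an assumption chosen for the example: the provider names isp1/isp2, the three saved-state names (created beforehand with "shorewall save <name>"), the interface names and the RFC 5737 placeholder gateway addresses. The script keeps a consecutive-failure counter per link so a single lost echo does not trigger a failover, and it only issues a restore when the wanted state differs from the one already loaded, so a healthy router is never restarted by its own watchdog.

```shell
#!/bin/sh
# linkwatch.sh: poll two upstream gateways and swap Shorewall's saved state
# when one stops answering. Added example, not part of Shorewall.
#
# Assumptions (hypothetical, chosen for this example, not from the thread):
#   - providers "isp1" and "isp2" exist in /etc/shorewall/providers
#   - three saved states were created beforehand with
#       shorewall save both       (normal, balanced configuration)
#       shorewall save isp1only   (all traffic via ISP 1)
#       shorewall save isp2only   (all traffic via ISP 2)
#   - interface names and gateway addresses below are placeholders

ISP1_IF=${ISP1_IF:-eth1}; ISP1_GW=${ISP1_GW:-192.0.2.1}      # TEST-NET-1 placeholder
ISP2_IF=${ISP2_IF:-eth2}; ISP2_GW=${ISP2_GW:-198.51.100.1}   # TEST-NET-2 placeholder
INTERVAL=${INTERVAL:-10}     # seconds between probe rounds
THRESHOLD=${THRESHOLD:-3}    # consecutive failures before a link counts as down
RESTORE_CMD=${RESTORE_CMD:-"shorewall restore"}   # overridable for dry runs

# One probe of a gateway through a specific interface: a single ICMP echo
# with a 2 second wait (iputils ping). -I pins the source interface so a
# reply that happens to arrive via the other ISP cannot mask a dead link.
probe_gateway() {
    ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# Feed one probe result into a consecutive-failure counter.
#   $1 = current count, remaining args = probe command to run.
# Prints the new count: 0 on success, count+1 on failure. A single good
# reply resets the counter, so only sustained loss reaches the threshold.
update_failures() {
    count=$1; shift
    if "$@"; then
        echo 0
    else
        echo $((count + 1))
    fi
}

# Map the two failure counters to the saved state that should be active.
#   $1 = isp1 failures, $2 = isp2 failures, $3 = threshold
# With both links down there is nothing better than the balanced state, and
# staying on "both" means whichever link recovers first carries traffic.
select_config() {
    if [ "$1" -ge "$3" ] && [ "$2" -lt "$3" ]; then
        echo isp2only
    elif [ "$2" -ge "$3" ] && [ "$1" -lt "$3" ]; then
        echo isp1only
    else
        echo both
    fi
}

# Restore a saved state only when it differs from what is already loaded.
#   $1 = currently loaded state, $2 = wanted state
# Returns 0 if a restore was issued and succeeded, 1 if nothing changed.
apply_state() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    $RESTORE_CMD "$2"
}

watchdog_loop() {
    f1=0; f2=0; state=both
    while :; do
        f1=$(update_failures "$f1" probe_gateway "$ISP1_IF" "$ISP1_GW")
        f2=$(update_failures "$f2" probe_gateway "$ISP2_IF" "$ISP2_GW")
        want=$(select_config "$f1" "$f2" "$THRESHOLD")
        if apply_state "$state" "$want"; then
            logger -t linkwatch "isp1 fail=$f1 isp2 fail=$f2: restored '$want'"
            state=$want
        fi
        sleep "$INTERVAL"
    done
}

# Only start polling when invoked as "linkwatch.sh run", so the functions
# above can be sourced and exercised without touching the firewall.
if [ "${1:-}" = run ]; then
    watchdog_loop
fi
```

Two points worth keeping in mind before running something like this as root from an init script: the probe target is a policy decision (an attacker who can make one gateway stop answering echo, or an ISP that rate-limits ICMP, can force the router onto the other link), which is why the threshold exists, and the saved states must already be present or "shorewall restore" will fail and the script will retry every INTERVAL seconds. Set RESTORE_CMD="echo restore" to dry-run the decision logic without changing the firewall.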