Wilson A. Galafassi Jr.
2005-Oct-15 22:28 UTC
can't redirect udp traffic to other ISP in tcrules
Hello. I have 2 ISPs (eth1 and eth3) and I want to redirect all udp traffic with the port 11782 to ISP2 (mark2).

This is the traffic grabbed by tcpdump on the external interface:

19:21:15.527642 IP 195.215.8.153.50855 > 192.168.0.254.11728: UDP, length 115
19:21:15.564605 IP 192.168.0.254.11728 > 195.215.8.153.50855: UDP, length 87

My problem is: I can't redirect this traffic to mark2 (eth3). This traffic is generated by Skype. I want to redirect all Skype VoIP traffic to ISP2.

What is the problem?

Thanks
Wilson
Wilson A. Galafassi Jr. wrote:

> What is the problem?

Please forward the information requested at http://www.shorewall.net/support.htm

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Wilson A. Galafassi Jr.
2005-Oct-16 03:49 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Hello. I'm using the latest version of shorewall with fc4.

My ip route command says:

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
192.168.0.0/24 dev eth3 proto kernel scope link src 192.168.0.254
169.254.0.0/16 dev eth3 scope link
10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.254
10.0.0.0/8 dev eth2 proto kernel scope link src 10.1.1.253
default
    nexthop via 10.1.1.1 dev eth1 weight 1
    nexthop via 192.168.0.1 dev eth3 weight 1

I have 4 nics:

Eth0: local
Eth1: net adsl1
Eth2: dmz
Eth3: net adsl2

tcrules:

2 0.0.0.0/0 0.0.0.0/0 tcp 25
2 0.0.0.0/0 0.0.0.0/0 tcp 110
2 0.0.0.0/0 0.0.0.0/0 tcp 80

interfaces:

loc eth0 detect
net eth1 detect
dmz eth2 detect
net eth3 detect

providers:

ISP1 1 1 main eth1 10.1.1.1 track,balance eth0
ISP2 2 2 main eth3 192.168.0.1 track,balance eth0

masq:

eth1 eth0
eth1 eth2
eth3 eth0
eth3 eth2

My problem is: I want to create a rule to route all udp traffic on port 11728 to ISP2. How do I create that rule?

I have another question: is my ip route output ok? Is it correct to have this part:

nexthop via 10.1.1.1 dev eth1 weight 1
nexthop via 192.168.0.1 dev eth3 weight 1

Excuse my bad English... thanks for your help.

ps. I have read the faq and other files... but I'm still having problems.

Wilson
Cristian Rodriguez
2005-Oct-16 03:51 UTC
Re: can't redirect udp traffic to other ISP in tcrules
Wilson A. Galafassi Jr. wrote:

> Hello.
> I'm using the latest version of shorewall with fc4.

That's not a complete problem report.
Wilson A. Galafassi Jr. wrote:

Apparently English is difficult for you. I want you to:

a) shorewall restart
b) Try to use skype
c) "shorewall status > /tmp/trace"
d) Send us the /tmp/trace file (compressed).

-Tom
Wilson A. Galafassi Jr.
2005-Oct-16 04:31 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Tom.

Skype works fine for me. The problem is... sometimes the rule in tcrules (2 0.0.0.0/0 0.0.0.0/0 udp 11728) works... sometimes it doesn't work.

I'm sending trace.gz to you.

In tcpdump of eth1 (ISP1) I have this:

02:25:27.066970 IP 66.36.229.236.51253 > 10.1.1.254.11728: UDP, length 190
02:25:27.098482 IP 66.36.229.236.51253 > 10.1.1.254.2742: P 1198:1216(18) ack 1675 win 8514

Many thanks for your help and again excuse my difficulty writing.

Thanks
Wilson
Wilson A. Galafassi Jr.
2005-Oct-16 04:37 UTC
RE: can't redirect udp traffic to other ISP in tcrules
I'm using this script to create my routings.

    #!/bin/sh
    #----
    # System variables
    #----
    IP="/sbin/ip"
    #
    #----
    # LINK INTERFACES
    #----
    IF1='eth1'
    IF2='eth3'
    #
    #----
    # Declare the networks
    #----
    P1_NET='10.1.1.0/24'
    P2_NET='192.168.0.0/24'
    #
    #----
    # Declare the IPs
    #----
    IP1='10.1.1.254'
    IP2='192.168.0.254'
    #
    #----
    # Declare the gateway of each connection
    #----
    P1='10.1.1.1'
    P2='192.168.0.1'
    #
    #----
    # Per-link routing tables (ISP1 and ISP2 must be listed in /etc/iproute2/rt_tables)
    #----
    $IP route add $P1_NET dev $IF1 src $IP1 table ISP1
    $IP route add default via $P1 table ISP1
    $IP route add $P2_NET dev $IF2 src $IP2 table ISP2
    # the ISP2 table's default route has to use ISP2's gateway
    $IP route add default via $P2 table ISP2
    #
    #$IP route add $P1_NET dev $IF1 src $IP1
    #$IP route add $P2_NET dev $IF2 src $IP2
    #
    # Balanced default route in the main table
    $IP route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1
    #
    # Traffic sourced from each link's address is routed through that link's table
    $IP rule add from $IP1 table ISP1
    $IP rule add from $IP2 table ISP2
    #

I hope this helps to view my problem...

thanks
Wilson
Wilson A. Galafassi Jr. wrote:

> Tom.
>
> Skype works fine for me. The problem is... sometimes the rule in tcrules (2 0.0.0.0/0 0.0.0.0/0 udp 11728) works... sometimes it doesn't work.
> I'm sending trace.gz to you.
> In tcpdump of eth1 (ISP1) I have this:
> 02:25:27.066970 IP 66.36.229.236.51253 > 10.1.1.254.11728: UDP, length 190
> 02:25:27.098482 IP 66.36.229.236.51253 > 10.1.1.254.2742: P 1198:1216(18) ack 1675 win 8514
>
> Many thanks for your help and again excuse my difficulty writing.

Looks like you need to select by both source and destination ports. Here is a connection that was marked according to your rule:

udp 17 16 src=192.168.1.200 dst=217.77.17.31 sport=11728 dport=10077 packets=1 bytes=46 src=217.77.17.31 dst=192.168.0.254 sport=10077 dport=11728 packets=1 bytes=54 mark=2 use=1

------

Here is one that was not:

udp 17 16 src=192.168.1.200 dst=203.73.233.95 sport=11728 dport=2936 packets=1 bytes=46 src=203.73.233.95 dst=10.1.1.254 sport=2936 dport=11728 packets=1 bytes=54 mark=1 use=1

------

Note that sport=11728 but dport=2936 which means that this connection won't get marked. So it looks like you need to add:

2 0.0.0.0/0 0.0.0.0/0 udp - 11728

-Tom
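To show why a DPORT-only tcrules line misses a connection whose local side uses 11728 as its *source* port, here is an added example (not Shorewall's code and not from the thread) that models how the MARK/SOURCE/DEST/PROTO/DPORT/SPORT columns match against the original direction of a conntrack entry. It assumes the rule is evaluated against the original-direction tuple of the connection; the first conntrack entry is the unmarked one Tom quoted, the second is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Column layout of /etc/shorewall/tcrules as used in this thread:
#   MARK  SOURCE  DEST  PROTO  DPORT  SPORT      ('-' or an omitted column = any)


@dataclass(frozen=True)
class Flow:
    """Original direction of a connection: the packet that created it."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class TcRule:
    mark: int
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    proto: str              # 'udp', 'tcp' or 'all'
    dport: Optional[int]    # None when the column is '-' or absent
    sport: Optional[int]


def _port(col: str) -> Optional[int]:
    return None if col == "-" else int(col)


def parse_tcrule(line: str) -> TcRule:
    """Parse one tcrules line; trailing columns may be omitted (same as '-')."""
    mark, source, dest, proto, dport, sport = (line.split() + ["-"] * 6)[:6]
    return TcRule(int(mark),
                  ipaddress.ip_network(source, strict=False),
                  ipaddress.ip_network(dest, strict=False),
                  proto.lower(), _port(dport), _port(sport))


# The first src/dst/sport/dport group of a conntrack entry is the original
# direction; the second group (not needed here) is the reply direction.
_CT_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)")


def original_direction(conntrack_line: str) -> Flow:
    m = _CT_RE.match(conntrack_line.strip())
    if m is None:
        raise ValueError("unrecognised conntrack entry")
    return Flow(m["proto"].lower(), m["src"], m["dst"],
                int(m["sport"]), int(m["dport"]))


def rule_matches(rule: TcRule, flow: Flow) -> bool:
    """Every non-'-' column must match; DPORT and SPORT are independent tests."""
    return (rule.proto in ("all", flow.proto)
            and ipaddress.ip_address(flow.src) in rule.source
            and ipaddress.ip_address(flow.dst) in rule.dest
            and (rule.dport is None or rule.dport == flow.dport)
            and (rule.sport is None or rule.sport == flow.sport))


def mark_for(flow: Flow, rules: List[TcRule]) -> Optional[int]:
    """First matching line sets the mark; None means no tcrules line hit,
    so the connection just follows the balanced default route."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.mark
    return None


# Conntrack entry Tom quoted as NOT marked: the local Skype client used
# 11728 as its source port, so a DPORT-only rule never sees it.
UNMARKED_ENTRY = ("udp 17 16 src=192.168.1.200 dst=203.73.233.95 sport=11728 dport=2936 "
                  "packets=1 bytes=46 src=203.73.233.95 dst=10.1.1.254 sport=2936 "
                  "dport=11728 packets=1 bytes=54 mark=1 use=1")
# Constructed entry (not from the thread) where the local client connects
# TO port 11728, which the original DPORT rule does match.
CONSTRUCTED_ENTRY = ("udp 17 16 src=192.168.1.200 dst=203.73.233.95 sport=40000 dport=11728 "
                     "packets=1 bytes=46 src=203.73.233.95 dst=10.1.1.254 sport=11728 "
                     "dport=40000 packets=1 bytes=54 mark=2 use=1")

ORIGINAL_RULES = [parse_tcrule("2 0.0.0.0/0 0.0.0.0/0 udp 11728")]
# Tom's fix: a second line with DPORT '-' and SPORT 11728.
FIXED_RULES = ORIGINAL_RULES + [parse_tcrule("2 0.0.0.0/0 0.0.0.0/0 udp - 11728")]


def classify(entry: str, rules: List[TcRule]) -> Optional[int]:
    return mark_for(original_direction(entry), rules)


if __name__ == "__main__":
    for name, entry in (("sport=11728", UNMARKED_ENTRY), ("dport=11728", CONSTRUCTED_ENTRY)):
        print(name, "original rules:", classify(entry, ORIGINAL_RULES),
              "fixed rules:", classify(entry, FIXED_RULES))
```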
Wilson A. Galafassi Jr. wrote:

> I'm using this script to create my routings.

Shorewall will do that for you.

-Tom
Wilson A. Galafassi Jr.
2005-Oct-16 16:30 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Many thanks Tom, now it works perfectly.

I have another question: if one of the two adsl connections goes down, is it normal for all internet traffic to stop working, or only the traffic redirected by tcrules?

Thanks
Wilson
Wilson A. Galafassi Jr. wrote:

> Many thanks Tom
> Now it works perfectly.
>
> I have another question: if one of the two adsl connections goes down, is it normal for all internet traffic to stop working, or only the traffic redirected by tcrules?

There was a shell program posted on this recently by John Hill that monitors the connections and alters the configuration if one of them goes down. Jerry Vonau also posted some instructions for adjusting the kernel's routing parameters to make failure of one connection less painful.

-Tom
Wilson A. Galafassi Jr.
2005-Oct-16 19:25 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Many thanks again for your patience and support.

I have a "last" problem... hehe

I have eth2 (dmz) and this connects to 10.1.1.16 using a crossover cable. On 10.1.1.16 I have a webserver running at port 8080.

When I try to redirect incoming connections to 10.1.1.16 I get this message:

Oct 16 17:07:14 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=xxx.xxx.xxx.xxx DST=10.1.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=46296 DF PROTO=TCP SPT=50364 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0

I have created these rules:

ACCEPT net:xxx.xxx.xxx fw tcp 8080
DNAT net:xxx.xxx.xxx dmz:10.1.1.16 tcp 8080

Ps. I want to permit connections only from xxx.xxx.xxx.xxx

My file masq:

eth1 eth0
eth1 eth2
eth3 eth0
eth3 eth2

interfaces:

loc eth0 detect
net eth1 detect
dmz eth2 detect
net eth3 detect

My nat file is empty.

Very big thanks.
Wilson
----- Original Message -----
From: "Wilson A. Galafassi Jr." <linux@galafassi.com.br>
To: <shorewall-users@lists.sourceforge.net>
Sent: Sunday, October 16, 2005 14:25
Subject: RE: [Shorewall-users] can't redirect udp traffic to other ISP in tcrules

> Many thanks again for your patience and support.
>
> I have a "last" problem... hehe
>
> I have eth2 (dmz) and this connects to 10.1.1.16 using a crossover cable. On 10.1.1.16 I have a webserver running at port 8080.
>
> When I try to redirect incoming connections to 10.1.1.16 I get this message:
>
> Oct 16 17:07:14 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=xxx.xxx.xxx.xxx DST=10.1.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=46296 DF PROTO=TCP SPT=50364 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0

From your earlier status:

10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.254
10.0.0.0/8 dev eth2 proto kernel scope link src 10.1.1.253

Note that the in and out interfaces are the same in the above log snip; I think you may need to have a host route present to 10.1.1.16 on eth2.

You may also need to add eth2 to the providers file.

providers:

ISP1 1 1 main eth1 10.1.1.1 track,balance eth0,eth2
ISP2 2 2 main eth3 192.168.0.1 track,balance eth0

> I have created these rules:
> ACCEPT net:xxx.xxx.xxx fw tcp 8080
> DNAT net:xxx.xxx.xxx dmz:10.1.1.16 tcp 8080
>
> Ps. I want to permit connections only from xxx.xxx.xxx.xxx

If the web server is in the dmz, why do you have an accept rule for the firewall? Get rid of it.

> My file masq:
> eth1 eth0
> eth1 eth2
> eth3 eth0
> eth3 eth2
>
> interfaces:
> loc eth0 detect
> net eth1 detect
> dmz eth2 detect
> net eth3 detect
>
> My nat file is empty.

Jerry
Jerry Vonau wrote:

> From your earlier status:
>
> 10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.254
> 10.0.0.0/8 dev eth2 proto kernel scope link src 10.1.1.253
>
> Note that the in and out interfaces are the same in the above log snip; I think you may need to have a host route present to 10.1.1.16 on eth2.
>
> You may also need to add eth2 to the providers file.
>
> If the web server is in the dmz, why do you have an accept rule for the firewall? Get rid of it.

There's more here -- eth1 and eth2 are configured with exactly the same network! I suspect that what Wilson really wants is Proxy ARP (see http://www.shorewall.net/ProxyARP.htm and http://www.shorewall.net/shorewall_setup_guide.htm#ProxyARP). As you will see in the second article, using Proxy ARP allows you to use a simple ACCEPT rule:

ACCEPT net dmz tcp 8080

-Tom
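An added example (not from the thread, not Shorewall's code) that replays the `ip route` table Wilson posted earlier through a longest-prefix lookup: it shows why a packet for 10.1.1.16 leaves via eth1 (the IN=eth1 OUT=eth1 in the log), flags the duplicated 10.0.0.0/8 on two interfaces that Tom and Jerry point out, and shows that a /32 host route on eth2 changes the outcome. The host-route line is constructed to look like `ip route` output for the route Jerry suggested.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# `ip route` output Wilson posted earlier in the thread; the multipath
# default route prints its nexthops on indented continuation lines.
IP_ROUTE_SAMPLE = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
192.168.0.0/24 dev eth3 proto kernel scope link src 192.168.0.254
169.254.0.0/16 dev eth3 scope link
10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.254
10.0.0.0/8 dev eth2 proto kernel scope link src 10.1.1.253
default
\tnexthop via 10.1.1.1 dev eth1 weight 1
\tnexthop via 192.168.0.1 dev eth3 weight 1
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    devs: Tuple[str, ...]   # more than one entry for a multipath route


def parse_routes(text: str) -> List[Route]:
    """Join indented continuation lines onto their route, then parse."""
    entries: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    routes = []
    for entry in entries:
        target, _, rest = entry.partition(" ")
        prefix = ipaddress.ip_network("0.0.0.0/0" if target == "default" else target,
                                      strict=False)
        routes.append(Route(prefix, tuple(re.findall(r"\bdev (\S+)", rest))))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. Among routes with the same prefix length the
    first one listed wins, which is why 10.1.1.16 was sent back out eth1."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def duplicate_prefixes(routes: List[Route]) -> Dict[str, List[str]]:
    """Prefixes that appear as separate routes on different interfaces: the
    'same network on two NICs' situation in this thread."""
    by_prefix: Dict[ipaddress.IPv4Network, List[str]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).extend(r.devs)
    return {str(p): devs for p, devs in by_prefix.items()
            if len([r for r in routes if r.prefix == p]) > 1}


ROUTES = parse_routes(IP_ROUTE_SAMPLE)
# Constructed: the host route Wilson later added by hand
# ("route add -host 10.1.1.16 eth2"), as `ip route` would print it.
HOST_ROUTE = "10.1.1.16 dev eth2 scope link"


def egress_for_dmz_host(routes: List[Route]) -> Tuple[str, ...]:
    route = lookup(routes, "10.1.1.16")
    return route.devs if route else ()


if __name__ == "__main__":
    print("duplicated prefixes:", duplicate_prefixes(ROUTES))
    print("10.1.1.16 without host route ->", egress_for_dmz_host(ROUTES))
    print("10.1.1.16 with host route    ->", egress_for_dmz_host(parse_routes(HOST_ROUTE) + ROUTES))
```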
Wilson A. Galafassi Jr.
2005-Oct-16 20:34 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Thanks for your help.

When I insert eth2 in the providers file I get an error:

IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/service: line 68: 1883 Terminated env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

And shorewall doesn't start.
Cristian Rodriguez
2005-Oct-16 20:36 UTC
Re: can't redirect udp traffic to other ISP in tcrules
Wilson A. Galafassi Jr. wrote:

> Thanks for your help.
> When I insert eth2 in the providers file I get an error:
>
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/service: line 68: 1883 Terminated env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
>
> And shorewall doesn't start.

gee.. please show me _one_ place in the docs where we mention "service shorewall restart". Please use shorewall restart and post the error message.
Wilson A. Galafassi Jr.
2005-Oct-16 20:44 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Thanks to all.

Here is my network configuration:

Eth0: 10.1.1.254 (loc)
Eth1: 192.168.1.243 (net) ISP1
Eth2: 10.1.1.253 (dmz) -> connected to 10.1.1.16 (webserver port 8080) with a crossover cable
Eth3: 192.168.0.254 (net) ISP2

What I want is to port forward to 10.1.1.16 all requests from net (eth1) directed to port 8080. Only this.

I have created a route to 10.1.1.16: route add -host 10.1.1.16 eth2

thanks
Wilson A. Galafassi Jr. wrote:

> Thanks to all.
>
> Here is my network configuration:
>
> Eth0: 10.1.1.254 (loc)
> Eth1: 192.168.1.243 (net) ISP1
> Eth2: 10.1.1.253 (dmz) -> connected to 10.1.1.16 (webserver port 8080) with a crossover cable
> Eth3: 192.168.0.254 (net) ISP2
>
> What I want is to port forward to 10.1.1.16 all requests from net (eth1) directed to port 8080. Only this.
> I have created a route to 10.1.1.16: route add -host 10.1.1.16 eth2

Very silly configuration...

-Tom
----- Original Message -----
From: "Wilson A. Galafassi Jr." <linux@galafassi.com.br>
To: <shorewall-users@lists.sourceforge.net>
Sent: Sunday, October 16, 2005 15:44
Subject: RE: [Shorewall-users] can't redirect udp traffic to other ISP in tcrules

> Thanks to all.
>
> Here is my network configuration:
>
> Eth0: 10.1.1.254 (loc)
> Eth1: 192.168.1.243 (net) ISP1
> Eth2: 10.1.1.253 (dmz) -> connected to 10.1.1.16 (webserver port 8080) with a crossover cable
> Eth3: 192.168.0.254 (net) ISP2
>
> What I want is to port forward to 10.1.1.16 all requests from net (eth1) directed to port 8080. Only this.
> I have created a route to 10.1.1.16: route add -host 10.1.1.16 eth2
>
> thanks

OK, let's back up a second: when you do a "shorewall clear" can you ping this ip from the firewall? Just to have a clearer picture here... more below..

> > You may also need to add eth2 to the providers file.
> > providers:
> > ISP1 1 1 main eth1 10.1.1.1 track,balance eth0,eth2
> > ISP2 2 2 main eth3 192.168.0.1 track,balance eth0

In hindsight, that was bad advice, with eth1 and eth2 sharing the same network, sorry. Let's remove eth2 from here.

> There's more here -- eth1 and eth2 are configured with exactly the same network! I suspect that what Wilson really wants is Proxy ARP (see http://www.shorewall.net/ProxyARP.htm and http://www.shorewall.net/shorewall_setup_guide.htm#ProxyARP). As you will see in the second article, using Proxy ARP allows you to use a simple ACCEPT rule:
>
> ACCEPT net dmz tcp 8080
>
> -Tom

Do you want to use the same ip (10.1.1.254) from isp1 for dnat to the dmz? Or do you have a second ip to use? You didn't mention if your loc's clients need to access the dmz; if so, would that be using the private ip address, or public?

Tom is right about the 2 interfaces using the same network/netmask; that can cause issues before shorewall is involved. That is why I want to see if the above test fails. I'm just not fond of running the same network/netmask on two interfaces like you have. I reuse the same ip for both interfaces and a /32 for the mask on the second interface; not saying that is wrong, just different from what I do.

Hum... Just thinking... Well, you'd have to use proxyarp for the loc to dmz access; that will set a host route to it... which is run before the providers file, which then picks up the host route created by proxyarp... (Thanks Tom). You could then just deny traffic bound from loc to dmz if that is not wanted. Think I might have an idea. So let's clear up the above questions; please use "/sbin/shorewall <command>" and not service.

Jerry
Wilson A. Galafassi Jr.
2005-Oct-17 16:12 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Hello.

After I add to the providers file:

> You may also need to add eth2 to the providers file.
> providers:
> ISP1 1 1 main eth1 10.1.1.1 track,balance eth0,eth2
> ISP2 2 2 main eth3 192.168.0.1 track,balance eth0

Shorewall can't start. How can I send you debug info...?

Ps. I only successfully ping 10.1.1.16 if I create the route manually to the host.

Thanks
Wilson
----- Original Message -----
From: "Wilson A. Galafassi Jr." <linux@galafassi.com.br>
To: <shorewall-users@lists.sourceforge.net>
Sent: Monday, October 17, 2005 11:12
Subject: RE: [Shorewall-users] can't redirect udp traffic to other ISP in tcrules

> Hello.
>
> After I add to the providers file:
> > You may also need to add eth2 to the providers file.
> > providers:
> > ISP1 1 1 main eth1 10.1.1.1 track,balance eth0,eth2
> > ISP2 2 2 main eth3 192.168.0.1 track,balance eth0
>
> Shorewall can't start.
> How can I send you debug info...?

Remove eth2.

> Ps. I only successfully ping 10.1.1.16 if I create the route manually to the
> host.
>

You have a routing issue to solve.

Jerry
Wilson A. Galafassi Jr. wrote:
> Hello.
>
> After I add to the providers file:
>> You may also need to add eth2 to the providers file.
>> providers:
>> ISP1 1 1 main eth1 10.1.1.1 track,balance eth0,eth2
>> ISP2 2 2 main eth3 192.168.0.1 track,balance eth0
>
> Shorewall can't start.
> How can I send you debug info...?
>

One more time -- please read http://www.shorewall.net/support.htm -- it gives you explicit instructions for sending debugging information when Shorewall doesn't start.

-Tom
-- 
Tom Eastep                    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                     \ http://shorewall.net
Washington USA                 \ teastep@shorewall.net
PGP Public Key                 \ https://lists.shorewall.net/teastep.pgp.key
Wilson A. Galafassi Jr.
2005-Oct-17 16:31 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Is it because I have eth0 10.1.1.254 and eth2 10.1.1.253? Is it necessary to change the ip or use a subnet for eth2? How to solve this?

Thanks
wilson

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Monday, 17 October 2005 14:19
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] can't redirect udp traffic to other ISP in tcrules
----- Original Message -----
> Is it because I have eth0 10.1.1.254 and eth2 10.1.1.253?

More or less yes.. I try to avoid doing that at all costs, wastes an ip, but it should be workable, though not without issues that may crop up.

> Is it necessary to
> change the ip or use a subnet for eth2?

Maybe, but let's try something else first; I'm up for a bit of a challenge.

> How to solve this?

From the only status that I've seen so far, your provider table for that isp:

Table ISP1:
10.1.1.1 dev eth1 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.254
default via 10.1.1.1 dev eth1

There is no route to 10.1.1.16 on eth2; based on the netmask, the kernel will look to use eth1 then. Based on your confirmation that you can ping that ip address only with the host route in place, you need to have shorewall add that route for you. You could write your own start/stop addins, but let's see if this works first.

If you were to add an entry to the proxyarp file for 10.1.1.16 to appear to be on eth1 (it is part of that network also anyway), that would add the host route that the kernel needs to find 10.1.1.16 on eth2 in both the main routing table and the providers routing table. What I'm not sure about is if the arp entry that is created would have any ill effects.

proxyarp:
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
10.1.1.16       eth2            eth1            no              yes

You may still need to change the ip addresses on the interfaces involved, but let's give this a shot first. Remember to remove eth2 from the provider file, use /sbin/shorewall <command>, and please submit a status.

Jerry
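The routing problem Jerry and Tom are describing (the same 10.0.0.0/8 prefix on eth1 and eth2, so the kernel has no reason to send 10.1.1.16 out eth2, and the firewall logs a FORWARD with IN=eth1 OUT=eth1) can be checked mechanically. The following is an added example, not code from the thread or from Shorewall: it parses "ip route" style output, flags prefixes configured on more than one interface, does a longest-prefix lookup to show which interface a destination would be sent to and whether that choice is a tie, and scans a Shorewall log line for the same-interface hairpin. The route lines and the log line are constructed samples modelled on the ones posted in the thread (with a documentation source address in place of the masked one); the function names are my own.

```python
import ipaddress
import re

# Constructed sample of "ip route" output, modelled on the routes posted in
# the thread: 10.0.0.0/8 is configured on both eth1 and eth2.
SAMPLE_ROUTES = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
192.168.0.0/24 dev eth3 proto kernel scope link src 192.168.0.254
10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.254
10.0.0.0/8 dev eth2 proto kernel scope link src 10.1.1.253
default nexthop via 10.1.1.1 dev eth1 weight 1 nexthop via 192.168.0.1 dev eth3 weight 1
"""

# Constructed Shorewall log line in the format quoted in the thread
# (203.0.113.7 is a documentation address standing in for xxx.xxx.xxx.xxx).
SAMPLE_LOG = ("Oct 16 17:07:14 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth1 "
              "OUT=eth1 SRC=203.0.113.7 DST=10.1.1.16 LEN=60 PROTO=TCP SPT=50364 DPT=8080 SYN")


def parse_routes(text):
    """Return a list of (network, dev) tuples for the non-default routes.

    The multipath default route is skipped: the question here is which
    directly connected interface a 10.x destination is matched to.
    """
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("default"):
            continue
        m = re.match(r"(\S+)\s+dev\s+(\S+)", line)
        if not m:
            continue
        routes.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return routes


def duplicate_prefixes(routes):
    """Map each prefix that is configured on more than one interface to its
    interfaces, in the order the routes appear (the thread's 10.0.0.0/8 case)."""
    seen = {}
    for net, dev in routes:
        seen.setdefault(net, []).append(dev)
    return {str(net): devs for net, devs in seen.items() if len(set(devs)) > 1}


def lookup(routes, dst):
    """Longest-prefix match for dst.

    Returns (dev, ambiguous). ambiguous is True when several interfaces tie at
    the longest prefix, so the choice depends on route order, not on the address.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return (None, False)
    longest = max(net.prefixlen for net, _ in matches)
    ties = [dev for net, dev in matches if net.prefixlen == longest]
    return (ties[0], len(set(ties)) > 1)


def with_host_route(routes, host, dev):
    """Return a copy of routes with a /32 host route added, which is what the
    manual route (or the proxyarp entry) in the thread provides."""
    return routes + [(ipaddress.ip_network(host + "/32"), dev)]


def hairpin_forward(logline):
    """True when a FORWARD log entry has IN and OUT on the same interface,
    the symptom quoted in the thread."""
    m = re.search(r"IN=(\S+)\s+OUT=(\S+)", logline)
    return bool(m) and m.group(1) == m.group(2)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("duplicate prefixes:", duplicate_prefixes(routes))
    print("10.1.1.16 without host route:", lookup(routes, "10.1.1.16"))
    print("10.1.1.16 with host route:   ",
          lookup(with_host_route(routes, "10.1.1.16", "eth2"), "10.1.1.16"))
    print("hairpin in log line:", hairpin_forward(SAMPLE_LOG))
```

Run against a real box, replace SAMPLE_ROUTES with the output of "ip route" (and, for a provider table, "ip route show table ISP1"): a non-empty duplicate_prefixes result or an ambiguous lookup for a DMZ host is the condition that makes the /32 host route necessary, and hairpin_forward applied to the Shorewall log is a cheap way to spot when forwarding is being bounced back out the interface it came in on.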
Wilson A. Galafassi Jr.
2005-Oct-17 17:25 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Ok. Sorry.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Monday, 17 October 2005 14:30
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] can't redirect udp traffic to other ISP in tcrules
Jerry Vonau wrote:
>
> proxyarp:
> #ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
> 10.1.1.16       eth2            eth1            no              yes
>
> You may still need to change the ip addresses on the interfaces involved, but
> let's give this a shot first. Remember to remove eth2 from the provider file, use
> /sbin/shorewall <command>, and please submit a status.

Jerry -- I suspect that you will still need eth2 in the providers file to get the host route to 10.1.1.16 copied into the ISP's routing table. We need to get a trace from Wilson and find out why Shorewall is crashing with eth2 in the file.

-Tom
-- 
Tom Eastep                    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                     \ http://shorewall.net
Washington USA                 \ teastep@shorewall.net
PGP Public Key                 \ https://lists.shorewall.net/teastep.pgp.key
Wilson A. Galafassi Jr.
2005-Oct-18 21:50 UTC
RE: can't redirect udp traffic to other ISP in tcrules
Problem solved. I have changed my eth1 ip address and added eth2 to providers.

Thanks to all.
Wilson

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Monday, 17 October 2005 20:21
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] can't redirect udp traffic to other ISP in tcrules