Shorewall users - Dec 2005 - $FW own trafic - tcrules ain't MARKing

Hi all.
I need a hint pls!

I got a basic configuration, with 3 interfaces

PPP0 = ISP1
ETH2 = ISP2
ETH0 = LAN

In the /etc/shorewall/providers heres what I got:

#NAME       NUMBER      MARK    DUPLICATE       INTERFACE       GATEWAY      
    OPTIONS         COPY
ISP1          1           1       main           ppp0            detect      
    loose           none
ISP2          2           2       main           eth2            detect      
    loose           none

And in my /etc/shorewall/tcrules I made a simple rule to test two things:

- If I can direct diffent traffic from ETH0 to eighter ISP1 ou ISP2
- If the FW own traffic ALWAYS pass trough ISP2

Heres my tcrules:

#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
#                                                       PORT(S)
1      $FW             0.0.0.0/0                   #Packet FROM fw MARK 1, 
for ISP1
2:P    eth0            0.0.0.0/0                   #Packet FROM eth0 MARK 2, 
for ISP2 in PREROUTING (nat)
1:P    eth0            0.0.0.0/0       tcp     555 #TEST TCP 555 TROUGH ISP1
2:P    eth0            0.0.0.0/0       tcp     777 #TEST TCP 777 TROUGH ISP2





What I did, ONLY to validate that I could direct diffent traffic from ETH0 
to eighter ISP1 ou ISP2, I modified my /etc/shorewall/rules file to get LOG 
events on TCP 555 and TCP 666.

DROP:info lan1:10.10.10.2     all   tcp   555
DROP:info lan1:10.10.10.2     all   tcp   777



Then I did a "tail -f /var/log/messages" and wath my first test like
so:

[Test from ehto (10.10.10.2) to ISP1 = Works perfect]
Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0xC0 TTL=255 ID=0 DF 
PROTO=TCP SPT=7766 DPT=555 LEN=54
Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF 
PROTO=TCP SPT=7766 DPT=555 LEN=54
Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF 
PROTO=TCP SPT=7766 DPT=555 LEN=54

[Test from ehto (10.10.10.2) to ISP2 = Works perfect]
Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=43027 
DF PROTO=TCP SPT=32984 DPT=777 LEN=37
Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=43027 
DF PROTO=TCP SPT=32984 DPT=777 LEN=37
Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=43027 
DF PROTO=TCP SPT=32984 DPT=777 LEN=37


Then I did my second test, witch is to make sure the FW tafic goes out 
trough ISP1.
My problem is that it dosent !  It always goes trough ISP2, nomather what.  
(BTW ISP2 provides the Default Gateway)


My impression is that the $FW variable in the tcrules is simply ignored.
Even worst, all trafic ORIGINATING from the FW itself aint affected by the 
TC stuff.

Heres part of a "shorewall dump"

Traffic Control

Device eth0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 3058128 bytes 4081 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

Device eth1:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 196553 bytes 1296 pkt (dropped 0, overlimits 0 requeues 1)
rate 0bit 0pps backlog 0b 0p requeues 1

Device eth2:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 2898 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

Device ppp0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 166931 bytes 1198 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

Traffic Filters

Device eth0:

Device eth1:

Device eth2:

Device ppp0:



Instead of $FW I tried 127.0.0.0.  not better.
I strongly beleive the FW originating traffic aint affected at all by all 
the TC rules, and is simply
routed trough the default gateway, witch is provided by ISP2.


PLS help me, any tips would be appresheated.

Thx alot for your help !

SiO




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Child from KoRn wrote:
> Hi all.
> I need a hint pls!
> 
> I got a basic configuration, with 3 interfaces
> 
> PPP0 = ISP1
> ETH2 = ISP2
> ETH0 = LAN
> 
> In the /etc/shorewall/providers heres what I got:
> 
> #NAME       NUMBER      MARK    DUPLICATE       INTERFACE       
> GATEWAY         OPTIONS         COPY
> ISP1          1           1       main           ppp0            
> detect         loose           none
> ISP2          2           2       main           eth2            
> detect         loose           none
>
You need to have "balance" as an option, to set the multi-hop gateway.
In order to see this gateway you need to use "ip" as in "ip route
ls",
ifconfig and route are a bit dated and don''t really show the whole 
picture. "loose" is a bad idea to use here, and you need to state
the local lan(s) in the "copy from" column, not none.
> And in my /etc/shorewall/tcrules I made a simple rule to test two things:
> 
> - If I can direct diffent traffic from ETH0 to eighter ISP1 ou ISP2
> - If the FW own traffic ALWAYS pass trough ISP2
> 
> Heres my tcrules:
> 
> #MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    
> TEST
> #                                                       PORT(S)
> 1      $FW             0.0.0.0/0                   #Packet FROM fw MARK 
> 1, for ISP1
> 2:P    eth0            0.0.0.0/0                   #Packet FROM eth0 
> MARK 2, for ISP2 in PREROUTING (nat)
> 1:P    eth0            0.0.0.0/0       tcp     555 #TEST TCP 555 TROUGH 
> ISP1
> 2:P    eth0            0.0.0.0/0       tcp     777 #TEST TCP 777 TROUGH 
> ISP2
> 
> 
> 
> 
> 
> What I did, ONLY to validate that I could direct diffent traffic from 
> ETH0 to eighter ISP1 ou ISP2, I modified my /etc/shorewall/rules file to 
> get LOG events on TCP 555 and TCP 666.
> 
> DROP:info lan1:10.10.10.2     all   tcp   555
> DROP:info lan1:10.10.10.2     all   tcp   777
> 
> 
> 
> Then I did a "tail -f /var/log/messages" and wath my first test
like so:
> 
> [Test from ehto (10.10.10.2) to ISP1 = Works perfect]
> Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
> SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0xC0 TTL=255 ID=0 
> DF PROTO=TCP SPT=7766 DPT=555 LEN=54
> Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
> SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0 
> DF PROTO=TCP SPT=7766 DPT=555 LEN=54
> Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
> SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=1 
> DF PROTO=TCP SPT=7766 DPT=555 LEN=54
> 
> [Test from ehto (10.10.10.2) to ISP2 = Works perfect]
> Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
> SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64 
> ID=43027 DF PROTO=TCP SPT=32984 DPT=777 LEN=37
> Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
> SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64 
> ID=43027 DF PROTO=TCP SPT=32984 DPT=777 LEN=37
> Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
> SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64 
> ID=43027 DF PROTO=TCP SPT=32984 DPT=777 LEN=37
> 
> 
> Then I did my second test, witch is to make sure the FW tafic goes out 
> trough ISP1.
> My problem is that it dosent !  It always goes trough ISP2, nomather 
> what.  (BTW ISP2 provides the Default Gateway)
> 
>
> My impression is that the $FW variable in the tcrules is simply ignored.
> Even worst, all trafic ORIGINATING from the FW itself aint affected by 
> the TC stuff.
>
When your setup is correct, (read use balance) the firewall should
''see''
the second gateway and begin to use it. You may need additional masq 
rules, to change the source address to work with the preferred gateway.
> Heres part of a "shorewall dump"
> 
Part of a "shorewall dump" is not that helpful, if you don''t
know what
is needed from it.

Jerry


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Hi and Thx for the reply.

I just want to clear things up a little.

You say:
>You need to have "balance" as an option, to set the multi-hop
gateway.
If I understand, even if BALANCE is there as an option, it wont BALANCE 
between my two ISP if I specify a rule in my TCRULES that directs specific 
traffic towards a peticular ISP.

Example: (my two ISP are BALANCE)

tcrules

1      $FW             0.0.0.0/0                   #Packet FROM fw MARK 1, 
for ISP1
2:P    eth0            0.0.0.0/0     tcp   777 #TEST TCP 777 TROUGH ISP2

So am I right to say that in this case, (Balance option ON on both 
providers), my FW trafic would ALWAYS go to ISP1 cause it has been mark with 
1.  TCP 777 from eth0 would alway go to ISP2 cause it was mark2 ?

Then I guess that all othe trafic not mentioned in the tcrules (ex: TCP 80 
from eth0) would be BALANCE between the 2 ISP, right ?
>In order to see this gateway you need to use "ip" as in "ip
route ls"
Thanks for that !

And last thing:
>you need to state the local lan(s) in the "copy from" column, not
none.
This is usefull for the balance, if I intend to balance between the two 
ISPs.
But if I include all possible traffic in the TCRULES so that every type of 
traffic is eighter to ISP1 or ISP2 (no balancing), is this COPY field still 
important ?

Thx alot for your help !
You guys are great !
Ive been using shorewall for about 3 years now, and I just joined the 
mailing list.
Its very nice.  I dont wanna abuse of it tough, but lately with this setup I 
got stuck.  And trust me I dont write you guys before I did everything I 
could.  I spent14 hours yesterday on this sigle problem.

Once again thanx alot ! All try this tonight and give you a feedback !

Have a nice day !
And HAPPY NEW YEAR to you !!

SiO



>
>Child from KoRn wrote:
>>Hi all.
>>I need a hint pls!
>>
>>I got a basic configuration, with 3 interfaces
>>
>>PPP0 = ISP1
>>ETH2 = ISP2
>>ETH0 = LAN
>>
>>In the /etc/shorewall/providers heres what I got:
>>
>>#NAME       NUMBER      MARK    DUPLICATE       INTERFACE       GATEWAY
>>      OPTIONS         COPY
>>ISP1          1           1       main           ppp0            detect
>>      loose           none
>>ISP2          2           2       main           eth2            detect
>>      loose           none
>>
>
>You need to have "balance" as an option, to set the multi-hop
gateway. In
>order to see this gateway you need to use "ip" as in "ip
route ls",
>ifconfig and route are a bit dated and don''t really show the whole
picture.
>"loose" is a bad idea to use here, and you need to state
>the local lan(s) in the "copy from" column, not none.
>
>>And in my /etc/shorewall/tcrules I made a simple rule to test two
things:
>>
>>- If I can direct diffent traffic from ETH0 to eighter ISP1 ou ISP2
>>- If the FW own traffic ALWAYS pass trough ISP2
>>
>>Heres my tcrules:
>>
>>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    
>>TEST
>>#                                                       PORT(S)
>>1      $FW             0.0.0.0/0                   #Packet FROM fw MARK
1,
>>for ISP1
>>2:P    eth0            0.0.0.0/0                   #Packet FROM eth0
MARK
>>2, for ISP2 in PREROUTING (nat)
>>1:P    eth0            0.0.0.0/0       tcp     555 #TEST TCP 555 TROUGH 
>>ISP1
>>2:P    eth0            0.0.0.0/0       tcp     777 #TEST TCP 777 TROUGH 
>>ISP2
>>
>>
>>
>>
>>
>>What I did, ONLY to validate that I could direct diffent traffic from
ETH0
>>to eighter ISP1 ou ISP2, I modified my /etc/shorewall/rules file to get 
>>LOG events on TCP 555 and TCP 666.
>>
>>DROP:info lan1:10.10.10.2     all   tcp   555
>>DROP:info lan1:10.10.10.2     all   tcp   777
>>
>>
>>
>>Then I did a "tail -f /var/log/messages" and wath my first
test like so:
>>
>>[Test from ehto (10.10.10.2) to ISP1 = Works perfect]
>>Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
>>SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0xC0 TTL=255 ID=0
DF
>>PROTO=TCP SPT=7766 DPT=555 LEN=54
>>Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
>>SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=0
DF
>>PROTO=TCP SPT=7766 DPT=555 LEN=54
>>Dec 31 05:56:49 MyComp kernel: Shorewall:all2isp1:DROP:IN= OUT=ppp0 
>>SRC=10.10.10.2 DST=142.126.22.1 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=1
DF
>>PROTO=TCP SPT=7766 DPT=555 LEN=54
>>
>>[Test from ehto (10.10.10.2) to ISP2 = Works perfect]
>>Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
>>SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64
ID=43027
>>DF PROTO=TCP SPT=32984 DPT=777 LEN=37
>>Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
>>SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64
ID=43027
>>DF PROTO=TCP SPT=32984 DPT=777 LEN=37
>>Dec 31 04:03:32 abrams kernel: Shorewall:all2isp2:DROP:IN= OUT=eth2 
>>SRC=10.10.10.2 DST=206.47.244.42 LEN=57 TOS=0x00 PREC=0x00 TTL=64
ID=43027
>>DF PROTO=TCP SPT=32984 DPT=777 LEN=37
>>
>>
>>Then I did my second test, witch is to make sure the FW tafic goes out 
>>trough ISP1.
>>My problem is that it dosent !  It always goes trough ISP2, nomather
what.
>>  (BTW ISP2 provides the Default Gateway)
>>
>>
>>My impression is that the $FW variable in the tcrules is simply ignored.
>>Even worst, all trafic ORIGINATING from the FW itself aint affected by
the
>>TC stuff.
>>
>
>When your setup is correct, (read use balance) the firewall should
''see''
>the second gateway and begin to use it. You may need additional masq rules, 
>to change the source address to work with the preferred gateway.
>
>>Heres part of a "shorewall dump"
>>
>
>Part of a "shorewall dump" is not that helpful, if you
don''t know what is
>needed from it.
>
>Jerry
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: Splunk Inc. Do you grep through log 
>files
>for problems?  Stop!  Download the new AJAX search engine that makes
>searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/shorewall-users



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Child from KoRn wrote:
> 
> Hi and Thx for the reply.
> 
> I just want to clear things up a little.
> 
> You say:
> 
>> You need to have "balance" as an option, to set the multi-hop
gateway.
> 
> 
> If I understand, even if BALANCE is there as an option, it wont BALANCE 
> between my two ISP if I specify a rule in my TCRULES that directs 
> specific traffic towards a peticular ISP.
> 
> Example: (my two ISP are BALANCE)
> 
> tcrules
> 
> 1      $FW             0.0.0.0/0                   #Packet FROM fw MARK 
Think you need to state a proto/port here, ''all'' maybe?
> 1, for ISP1
> 2:P    eth0            0.0.0.0/0     tcp   777 #TEST TCP 777 TROUGH ISP2
>
> So am I right to say that in this case, (Balance option ON on both 
> providers), my FW trafic would ALWAYS go to ISP1 cause it has been mark 
> with 1.  TCP 777 from eth0 would alway go to ISP2 cause it was mark2 ?
> 
> Then I guess that all othe trafic not mentioned in the tcrules (ex: TCP 
> 80 from eth0) would be BALANCE between the 2 ISP, right ?
> 
That should be the case, once you have the marking working. The one snag 
with forcing traffic from the firewall into a provider''s table is the 
client program may still bind to an incorrect ip address for the 
outbound connection, that source address would then need to be masq''ed,
with something like:
ethX(or pppX)	<incorrect-ip>  <correct-pub-ip>
in the masq file.
>> In order to see this gateway you need to use "ip" as in
"ip route ls"
> 
> 
> Thanks for that !
> 
> And last thing:
> 
>> you need to state the local lan(s) in the "copy from" column,
not none.
> 
> 
> This is usefull for the balance, if I intend to balance between the two 
> ISPs.
> But if I include all possible traffic in the TCRULES so that every type 
> of traffic is eighter to ISP1 or ISP2 (no balancing), is this COPY field 
> still important ?
> 
More so if your using ''track'' as an option with inbound
DNAT''ed
connections. I''ve never tried to setup ''balance" without
including the
local lan in the copy column, based on other examples on the internet 
that deal with 2 isp support.

Jerry


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

hi all.

Thx Jerry for your nmputs, but I still have the same problems.
Again, all traffic from eth0 can be MARK and steered to eighter ISP1 or ISP2 
without a problem.
If there is no entry to do so in tcrules, il just BALANCEs between ISP1 and 
ISP2. Works well.
I also MASQ all traffic from eth0 to ppp0(ISP1).  Works great.

The problem is only for the traffic originating from the firewall itself 
($FW).

I did some modifications to my files.  (now I have 2 Gateways in the ip 
route ls)


Providers:
#NAME    NUMBER      MARK    DUPLICATE       INTERFACE       GATEWAY         
OPTIONS      COPY
ISP1     1          1         main           ppp0           detect         
balance,track   eth0
ISP2     2          2        main           eth2           detect          
balance,track   eth0


Tcrules:
#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
#                                                       PORT(S)
1       $FW             0.0.0.0/0        all        #Packet FROM fw MARK 1, 
to ISP1
2:P     eth0            0.0.0.0/0        all        #Packet FROM eth0 MARK 
2, to ISP2

Masq:
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) 
IPSEC
eth2                         eth0


Ip route ls:
XX.230.323.84 dev ppp0  proto kernel  scope link  src XX.68.89.5
XXX.200.89.0/24 dev eth2  proto kernel  scope link  src XX.200.89.15
10.10.10.0/24 dev eth0  proto kernel  scope link  src 10.1.1.7
XX.254.0.0/16 dev eth2  scope link
default
        nexthop via XX.230.197.84  dev ppp0 weight 1
        nexthop via XXX.200.89.1  dev eth2 weight 1


Shorewall Restart:
Setting up Traffic Control Rules...
   TC Rule "1 fw 0.0.0.0/0 all    " added
   TC Rule "2:P eth0 0.0.0.0/0 all    " added


Pls, do you have any Ideas ?

In shorewall.conf, what should MARK_IN_FORWARD_CHAIN set at ?  Mine is YES.


I would like to use the shorewall show ??? but witch ones could I use.
The Mangle one looks good, but I would need a briefing on how to interpret 
what I see.

Thanks alot.
Hope you can still help !

SiO
>From: Jerry Vonau <jvonau@shaw.ca>
>Reply-To: shorewall-users@lists.sourceforge.net
>To: shorewall-users@lists.sourceforge.net
>Subject: Re: [Shorewall-users] $FW own trafic - tcrules ain''t
MARKing
>Date: Sat, 31 Dec 2005 15:33:16 -0600
>
>Child from KoRn wrote:
>>
>>Hi and Thx for the reply.
>>
>>I just want to clear things up a little.
>>
>>You say:
>>
>>>You need to have "balance" as an option, to set the
multi-hop gateway.
>>
>>
>>If I understand, even if BALANCE is there as an option, it wont BALANCE 
>>between my two ISP if I specify a rule in my TCRULES that directs
specific
>>traffic towards a peticular ISP.
>>
>>Example: (my two ISP are BALANCE)
>>
>>tcrules
>>
>>1      $FW             0.0.0.0/0                   #Packet FROM fw MARK
>
>Think you need to state a proto/port here, ''all'' maybe?
>
>>1, for ISP1
>>2:P    eth0            0.0.0.0/0     tcp   777 #TEST TCP 777 TROUGH ISP2
>>
>>So am I right to say that in this case, (Balance option ON on both 
>>providers), my FW trafic would ALWAYS go to ISP1 cause it has been mark 
>>with 1.  TCP 777 from eth0 would alway go to ISP2 cause it was mark2 ?
>>
>>Then I guess that all othe trafic not mentioned in the tcrules (ex: TCP
80
>>from eth0) would be BALANCE between the 2 ISP, right ?
>>
>
>That should be the case, once you have the marking working. The one snag 
>with forcing traffic from the firewall into a provider''s table is
the
>client program may still bind to an incorrect ip address for the outbound 
>connection, that source address would then need to be masq''ed, with
>something like:
>ethX(or pppX)	<incorrect-ip>  <correct-pub-ip>
>in the masq file.
>
>>>In order to see this gateway you need to use "ip" as in
"ip route ls"
>>
>>
>>Thanks for that !
>>
>>And last thing:
>>
>>>you need to state the local lan(s) in the "copy from"
column, not none.
>>
>>
>>This is usefull for the balance, if I intend to balance between the two 
>>ISPs.
>>But if I include all possible traffic in the TCRULES so that every type
of
>>traffic is eighter to ISP1 or ISP2 (no balancing), is this COPY field 
>>still important ?
>>
>
>More so if your using ''track'' as an option with inbound
DNAT''ed
>connections. I''ve never tried to setup ''balance"
without including the
>local lan in the copy column, based on other examples on the internet that 
>deal with 2 isp support.
>
>Jerry
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: Splunk Inc. Do you grep through log 
>files
>for problems?  Stop!  Download the new AJAX search engine that makes
>searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/shorewall-users



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click