Shorewall users - Jan 2006 - Multiple ISPs: How to force $FW traffic to a specific ISP (reprise)

Hi!
I have reprise try to resolve this problem, suspended from 17 dec 2005

I have try to apply the suggest of Jerry (see above).

The problem still exist.

See attach shorewall config, dump and tcpdump when I check to exit whit
SSH from firewall...

In the masq file is reported the last my attempt in order to resolve my
problem, however I have test also the example reported in MultiISP.html,
but none is changed

Many thanks to All 
 
>                                Da: 
> Jerry Vonau <jvonau@shaw.ca>
>                        Rispondi-a: 
> shorewall-users@lists.sourceforge.net
>                                 A: 
> shorewall-users@lists.sourceforge.net
>                           Oggetto: 
> Re: [Shorewall-users] Multiple
> ISPs: How to force
> traffic       generated from FW to
> a specific ISP
>                              Data: 
> Sat, 17 Dec 2005 11:26:25 -0600
> (18:26 CET)
> 
> 
> ----- Original Message ----- 
> > All config files and debug files is into attachment tar file.
> > 
> > > Thanks,
> > Thanks you Tom!
> > 
> >From the dump that you posted:
> Chain tcout (1 references)
>  pkts bytes target     prot opt in     out     source
> destination         
>     1    60 MARK       tcp  --  *      *       0.0.0.0/0           !
> 192.168.0.0/16      tcp dpt:22 MARK set 0x5 
>     7   420 MARK       tcp  --  *      *       0.0.0.0/0           !
> 192.168.0.0/16      tcp dpt:25 MARK set 0x5 
> 
> Chain eth1_masq (1 references)
>  pkts bytes target     prot opt in     out     source
> destination         
>     7   420 SNAT       all  --  *      *       192.168.0.2
> 0.0.0.0/0           to:80.18.151.125 
>    10   677 SNAT       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           to:80.18.151.125 
>     0     0 SNAT       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           to:80.18.151.125 
> 
> Note the 7 pkts, 420 bytes that are common to both chains, there
> should be 8 pkts, 480 bytes for 
> the eth1_masq chain if the ssh client used 192.168.0.2 as a source
> address, and leaves me 
> wondering what the source address the ssh clinet is actually using. 
> 
> With tcrules the last match gets to mark the packet, so to help debug
> this could you try these tcrules:
> 
> 5 $FW:    !192.168.0.0/16 tcp 22
> 5 $FW:192.168.1.254  !192.168.0.0/16 tcp 22
> 5 $FW:172.16.1.1  !192.168.0.0/16 tcp 22
> 5 $FW:80.18.151.125  !192.168.0.0/16 tcp 22
> 5 $FW:192.168.0.2  !192.168.0.0/16 tcp 22
> 
> 5 $FW:  !192.168.0.0/16 tcp 25
> 5 $FW:192.168.1.254  !192.168.0.0/16 tcp 25
> 5 $FW:172.16.1.1  !192.168.0.0/16 tcp 25
> 5 $FW:80.18.151.125 !192.168.0.0/16 tcp 25
> 5 $FW:192.168.0.2  !192.168.0.0/16 tcp 25
> 
> The first rule should catch anything not below it, the second/third
> rules should catch 
> anything that comes from the loc/dmz interfaces, and the forth/fifth
> rules should catch
> anything from your isp''s interfaces.
> 
> "shorewall restart", then "shorewall reset" and retest,
then sumit a
> "shorewall dump" again.
>  
> Jerry
> 
> 
-- 
Dario Lesca <d.lesca@solinos.it>
-- 
Dario Lesca <d.lesca@solinos.it>

Dario Lesca wrote:
> Hi!
> I have reprise try to resolve this problem, suspended from 17 dec 2005
> 
> I have try to apply the suggest of Jerry (see above).
> 
> The problem still exist.
> 
> See attach shorewall config, dump and tcpdump when I check to exit whit
> SSH from firewall...
> 
> In the masq file is reported the last my attempt in order to resolve my
> problem, however I have test also the example reported in MultiISP.html,
> but none is changed
>
In the prior dump that was submitted there was a masq rule:
$NET_IF  192.168.0.2	80.18.151.125
It''s not in your config anymore?

Why bother with this workaround for ssh, just use the -b flag with the 
source address to be used.

from man ssh:

  -b bind_address
              Use bind_address on the local machine as the source 
address 	     of the connection.  Only useful on systems with more 
than 		             one address.


This has been referred to as "binding the client application to a single 
source address" on this list. Your mail client *might* (should?) have a 
similar option.


Jerry


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Il giorno mar, 17/01/2006 alle 20.57 -0600, Jerry Vonau ha scritto:
> In the prior dump that was submitted there was a masq rule:
> $NET_IF  192.168.0.2	80.18.151.125
> It''s not in your config anymore?
this is no the same thing?
$NET_IT 0.0.0.0/0 80.18.151.125
> 
> Why bother with this workaround for ssh, just use the -b flag with the 
> source address to be used.
If I use -b 80.18.151.125 the ssh work.
If I use -b 192.168.0.2 not work

and not for all application is possible to specific a bind ip
> This has been referred to as "binding the client application to a
single
> source address" on this list. Your mail client *might* (should?) have
a
> similar option.
I use a mail server (qmail) and I not bind it to a specific IP ... I
would have?

this is my IP configurations
[root@payprox ~]# ip a
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:46:46:76:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::20c:46ff:fe46:761d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:d8:0c:d6:43 brd ff:ff:ff:ff:ff:ff
    inet 80.18.151.125/29 brd 80.18.151.127 scope global eth1
    inet 80.18.151.122/29 brd 80.18.151.127 scope global secondary
eth1:1
    inet 80.18.151.123/29 brd 80.18.151.127 scope global secondary
eth1:2
    inet6 fe80::211:d8ff:fe0c:d643/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:2e:20:35:6e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 brd 172.16.1.255 scope global eth2
    inet6 fe80::20e:2eff:fe20:356e/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:48:54:01:18:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth3
    inet6 fe80::248:54ff:fe01:1860/64 scope link
       valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
13: tun3: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1255 qdisc pfifo_fast
qlen 500
    link/[65534]
    inet 192.168.1.253 peer 192.168.3.250/32 scope global tun3
14: tun2: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast
qlen 500
    link/[65534]
    inet 192.168.1.249 peer 192.168.1.250/32 scope global tun2
[root@payprox ~]# ip r
80.18.151.121 dev eth2  scope link
192.168.1.250 dev tun2  proto kernel  scope link  src 192.168.1.249
192.168.3.250 dev tun3  proto kernel  scope link  src 192.168.1.253
80.18.151.124 dev eth2  scope link
80.18.151.120/29 dev eth1  proto kernel  scope link  src 80.18.151.125
192.168.3.0/24 via 192.168.3.250 dev tun3
192.168.2.0/24 via 192.168.1.250 dev tun2
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.2
172.16.1.0/24 dev eth2  proto kernel  scope link  src 172.16.1.1
default
        nexthop via 80.18.151.126  dev eth1 weight 1
        nexthop via 192.168.0.1  dev eth3 weight 10

other useful information:

FC3
[root@payprox tmp]# tc -V
tc utility, iproute2-ss040831
[root@payprox tmp]# iptables -V
iptables v1.2.11
[root@payprox tmp]# uname -rv
2.6.12-1.1378_FC3smp #1 SMP Wed Sep 14 04:52:36 EDT 2005

and this is my last shorewall config:

(see attach)

I have also test the "Child from KoRn" suggest, but none is changed:
pleas, someone can help me?

Many thanks to all.

-- 
Dario Lesca <d.lesca@solinos.it>

Dario Lesca wrote:
> Il giorno mar, 17/01/2006 alle 20.57 -0600, Jerry Vonau ha scritto:
> 
> 
>>In the prior dump that was submitted there was a masq rule:
>>$NET_IF  192.168.0.2	80.18.151.125
>>It''s not in your config anymore?
> 
> 
> this is no the same thing?
> $NET_IT 0.0.0.0/0 80.18.151.125
> 
You''d think that it was, but it''s not really...

In your current masq file your using this:
$NET_IF			$DMZ_IF 	80.18.151.125

that results in these rules:

0     0 SNAT       all  --  *      *       80.18.151.121 
0.0.0.0/0           to:80.18.151.125
0     0 SNAT       all  --  *      *       80.18.151.124 
0.0.0.0/0           to:80.18.151.125

That really defeats the purpose of proxyarp, you could be changing a 
public ip address, to the firewall''s ip address.
>>Why bother with this workaround for ssh, just use the -b flag with the 
>>source address to be used.
> 
> 
> If I use -b 80.18.151.125 the ssh work.
> If I use -b 192.168.0.2 not work
> 
Was that with the masq rule below in place?
$NET_IF			192.168.0.2	80.18.151.125

> and not for all application is possible to specific a bind ip
> 
> 
Then you better get this working... ;)

<snip>
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:d8:0c:d6:43 brd ff:ff:ff:ff:ff:ff
>     inet 80.18.151.125/29 brd 80.18.151.127 scope global eth1
>     inet 80.18.151.122/29 brd 80.18.151.127 scope global secondary
> eth1:1
>     inet 80.18.151.123/29 brd 80.18.151.127 scope global secondary
> eth1:2
>     inet6 fe80::211:d8ff:fe0c:d643/64 scope link
>        valid_lft forever preferred_lft forever
$DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is not 
in the params file, copy & paste error again?

.122 above shows up in the dump that you posted, so I''ll assume that 
both of the variables above are .122.

 From your current dump:
Chain tcout (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     1    60 MARK       tcp  --  *      *       0.0.0.0/0 
!192.168.0.0/16      tcp dpt:22 MARK set 0x5
     0     0 MARK       tcp  --  *      *       192.168.1.254 
!192.168.0.0/16      tcp dpt:22 MARK set 0x5
     0     0 MARK       tcp  --  *      *       172.16.1.1 
!192.168.0.0/16      tcp dpt:22 MARK set 0x5
     0     0 MARK       tcp  --  *      *       80.18.151.125 
!192.168.0.0/16      tcp dpt:22 MARK set 0x5
     1    60 MARK       tcp  --  *      *       192.168.0.2 
!192.168.0.0/16      tcp dpt:22 MARK set 0x5

The first rule marked a packet that didn''t have a source address that 
was defined below it. To help debug this further could you add these to 
tcrules:
5 $FW:80.18.151.122	!192.168.0.0/16 tcp 22,25
5 $FW:80.18.151.123	!192.168.0.0/16 tcp 22,25
5 $FW:192.168.1.249 	!192.168.0.0/16 tcp 22,25
5 $FW:192.168.1.253	!192.168.0.0/16 tcp 22,25

That should cover every src address that is shown in "ip route ls"

reset, restart, retest. Just trying to get a handle on what source 
address is being used without the -b flag.

Jerry


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Il giorno gio, 19/01/2006 alle 19.54 -0600, Jerry Vonau ha scritto:
> $DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is
not
> in the params file, copy & paste error again?
Yes, sorry.
> The first rule marked a packet that didn''t have a source address
that
> was defined below it. To help debug this further could you add these to 
> tcrules:
> 5 $FW:80.18.151.122	!192.168.0.0/16 tcp 22,25
> 5 $FW:80.18.151.123	!192.168.0.0/16 tcp 22,25
> 5 $FW:192.168.1.249 	!192.168.0.0/16 tcp 22,25
> 5 $FW:192.168.1.253	!192.168.0.0/16 tcp 22,25
> 
> That should cover every src address that is shown in "ip route
ls"
> 
> reset, restart, retest. Just trying to get a handle on what source 
> address is being used without the -b flag.
Not work. :-(

If I telnet out on port 25
[root@payprox ~]# telnet 82.186.161.26 25 &
I exit on eth1 (80.18.151.125) and connect to 82.186.161.26
then the external host connect to me on 80.18.151.125, but the telnet is
bind to 192.168.0.2

[root@payprox ~]# netstat -natp|grep telnet
tcp 0 1 192.168.0.2:48129 82.186.161.26:25   SYN_SENT    27960/telnet

and the connection not work.

Attach there is the last config files and dump....
please help me.

Many thanks

-- 
Dario Lesca <d.lesca@solinos.it>

Dario Lesca wrote:
> Il giorno gio, 19/01/2006 alle 19.54 -0600, Jerry Vonau ha scritto:
> 
> 
>>$DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is
not
>>in the params file, copy & paste error again?
> 
> Yes, sorry.
> 
> 
>>The first rule marked a packet that didn''t have a source
address that
>>was defined below it. To help debug this further could you add these to 
>>tcrules:
>>5 $FW:80.18.151.122	!192.168.0.0/16 tcp 22,25
>>5 $FW:80.18.151.123	!192.168.0.0/16 tcp 22,25
>>5 $FW:192.168.1.249 	!192.168.0.0/16 tcp 22,25
>>5 $FW:192.168.1.253	!192.168.0.0/16 tcp 22,25
>>
>>That should cover every src address that is shown in "ip route
ls"
>>
>>reset, restart, retest. Just trying to get a handle on what source 
>>address is being used without the -b flag.
> 
> 
> Not work. :-(
> 
> If I telnet out on port 25
> [root@payprox ~]# telnet 82.186.161.26 25 &
> I exit on eth1 (80.18.151.125) and connect to 82.186.161.26
> then the external host connect to me on 80.18.151.125, but the telnet is
> bind to 192.168.0.2
> 
> [root@payprox ~]# netstat -natp|grep telnet
> tcp 0 1 192.168.0.2:48129 82.186.161.26:25   SYN_SENT    27960/telnet
> 
> and the connection not work.
> 
> Attach there is the last config files and dump....
> please help me.
Could you humor me, in your policy file add to the top of the list:
fw	net	ACCEPT	info

thanks
Jerry






-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Dario Lesca wrote:
> Il giorno gio, 19/01/2006 alle 19.54 -0600, Jerry Vonau ha scritto:
> 
> 
>>$DNS_LEPAGHE_IT & $MAIL_LEPAGHE_IT are in the rules file but that is
not
>>in the params file, copy & paste error again?
> 
> Yes, sorry.
> 
> 
>>The first rule marked a packet that didn''t have a source
address that
>>was defined below it. To help debug this further could you add these to 
>>tcrules:
>>5 $FW:80.18.151.122	!192.168.0.0/16 tcp 22,25
>>5 $FW:80.18.151.123	!192.168.0.0/16 tcp 22,25
>>5 $FW:192.168.1.249 	!192.168.0.0/16 tcp 22,25
>>5 $FW:192.168.1.253	!192.168.0.0/16 tcp 22,25
>>
>>That should cover every src address that is shown in "ip route
ls"
>>
>>reset, restart, retest. Just trying to get a handle on what source 
>>address is being used without the -b flag.
> 
> 
> Not work. :-(
> 
> If I telnet out on port 25
> [root@payprox ~]# telnet 82.186.161.26 25 &
> I exit on eth1 (80.18.151.125) and connect to 82.186.161.26
> then the external host connect to me on 80.18.151.125, but the telnet is
> bind to 192.168.0.2
> 
> [root@payprox ~]# netstat -natp|grep telnet
> tcp 0 1 192.168.0.2:48129 82.186.161.26:25   SYN_SENT    27960/telnet
> 
> and the connection not work.
> 
----
  1    60 MARK       tcp  --  *      *       192.168.0.2 
!192.168.0.0/16      tcp dpt:22 MARK set 0x5

----

Chain eth1_masq (1 references)
  pkts bytes target     prot opt in     out     source 
destination
     2   147 SNAT       all  --  *      *       192.168.1.0/24 
0.0.0.0/0           to:80.18.151.125
  <snip>
     1    60 SNAT       all  --  *      *       192.168.0.2 
0.0.0.0/0           to:80.18.151.125
----

So the outbound is tagged, and masq''d.


Shoot, from your dump:
----
tcp      6 15 SYN_RECV src=192.168.0.2 dst=82.186.161.26 sport=52183 
dport=22 packets=1 bytes=60 src=82.186.161.26 dst=80.18.151.125 sport=22 
dport=52183 packets=6 bytes=360 mark=1 use=1
----
and the config files:

FASTACCEPT=No

----
guess you didn''t read the warning from the webpage:

---quote---

RESTRICTION: If you specify FASTACCEPT=Yes in 
/etc/shorewall/shorewall.conf then the ESTABLISHED and RELATED sections 
must be empty.
Caution

Unless you understand Netfilter well enough to be comfortable with the 
difference between ESTABLISHED, RELATED, INVALID and NEW connection 
tracking states, you should omit the ESTABLISHED and RELATED sections 
and place all of your rules in the NEW section.

---/quote---

I''ll invert the meaning for you, if you have fastaccept=no then you
must
have entries in the ESTABLISHED and RELATED sections. To put things in 
perspective, *I* have not played with those features yet.... Go ahead, 
you can tell me how it works, OK?

Lets try setting that to yes and try again.

Jerry



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Il giorno mer, 01/02/2006 alle 10.03 -0600, Jerry Vonau ha
scritto:
> Could you humor me, in your policy file add to the top of the list:
> fw	net	ACCEPT	info
kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth3 SRC=192.168.0.2
DST=82.186.161.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10101 DF PROTO=TCP
SPT=35691 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

If the traffic is generate from a local IP (192.168.0.2) of the local
eth3 interface, it is possible to redirect it on another interface
(eth1) and masquerate it whit another IP (80.18.151.125) ??

How to do this?

I still have my initial problem.

-- 
Dario Lesca <d.lesca@solinos.it>



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Il giorno mer, 01/02/2006 alle 16.47 -0600, Jerry Vonau ha scritto:
> I''ll invert the meaning for you, if you have fastaccept=no then
you must
> have entries in the ESTABLISHED and RELATED sections. To put things in 
> perspective, *I* have not played with those features yet.... Go ahead, 
> you can tell me how it works, OK?
> 
> Lets try setting that to yes and try again.
> 
Not work, the problem still the same: the local traffic generated from
local application bind to a local IP of eth3 is not send and mask to
another interface (eth1) 

Attach is a new dump and new shorewall config (I have simplify some
things into tcrules).

Some other suggest?

Many thanks!


-- 
Dario Lesca <d.lesca@solinos.it>

On Sunday 12 February 2006 14:10, Dario Lesca wrote:
> Il giorno mer, 01/02/2006 alle 10.03 -0600, Jerry Vonau ha scritto:
> > Could you humor me, in your policy file add to the top of the list:
> > fw	net	ACCEPT	info
>
> kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth3 SRC=192.168.0.2
> DST=82.186.161.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10101 DF PROTO=TCP
> SPT=35691 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
You cant'' use Shorewall logging to determine which interface this
traffic
actually goes out of. You must use tcpdump.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Dario Lesca wrote:
> Il giorno mer, 01/02/2006 alle 16.47 -0600, Jerry Vonau ha scritto:
> 
> 
>>I''ll invert the meaning for you, if you have fastaccept=no then
you must
>>have entries in the ESTABLISHED and RELATED sections. To put things in 
>>perspective, *I* have not played with those features yet.... Go ahead, 
>>you can tell me how it works, OK?
>>
>>Lets try setting that to yes and try again.
>>
> 
> Not work, the problem still the same: the local traffic generated from
> local application bind to a local IP of eth3 is not send and mask to
> another interface (eth1) 
> 
> Attach is a new dump and new shorewall config (I have simplify some
> things into tcrules).
> 
> Some other suggest?
> 
> Many thanks!
> 
> 
Well lets think out loud abit here... You have:

 >1    60 MARK       tcp  --  *      *       192.168.0.0/24 
 >82.186.161.24/29    tcp dpt:22 MARK set 0x5

 >1    60 SNAT       all  --  *      *       192.168.0.0/24 
 >0.0.0.0/0           to:80.18.151.125


 >Feb 12 23:14:23 fw2net:ACCEPT:IN= OUT=eth3 SRC=192.168.0.2 
 >DST=82.186.161.26 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3449 DF 
PROTO=TCP >SPT=50564 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

This all looks fine but this:

 >tcp      6 37 SYN_RECV src=192.168.0.2 dst=82.186.161.26 sport=50564 
 >dport=22 packets=1 bytes=60 src=82.186.161.26 dst=80.18.151.125 
 >sport=22 dport=50564 packets=5 bytes=300 mark=1 use=1

Judging from the source port the connection looks to be masq''d, and the
replies are there, but using "mark 1" and no "assured". Lets
not fight
with it and try using "1" as the mark in tcrules. IF that works for
you,
then you can remove the "FwOut" from the providers file. I''m
not using
the "routefilter" or "tcpflags" in the interfaces file, that
is the only
other thing I can think of at this time.


Jerry











-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Il giorno dom, 12/02/2006 alle 18.21 -0600, Jerry Vonau ha scritto:
> Judging from the source port the connection looks to be masq''d,
and the
> replies are there, but using "mark 1" and no "assured".
Lets not fight
> with it and try using "1" as the mark in tcrules. IF that works
for you,
> then you can remove the "FwOut" from the providers file.
I''m not using
> the "routefilter" or "tcpflags" in the interfaces file,
that is the only
> other thing I can think of at this time.
Still not work.

I have remove the routefilter and tcpflag, I have remove FwOut and use
mark 1 but none is changed:

If I use "ssh -b so.me.fw.ip -v remote" work for all IP except the
192.168.0.2! this is the only fw-ip witch not work.

Someone can explain me why?

I do not know what I can to try for resolve this problem.

please give me some suggest...

Attached there are the last fwconf and fwdump log.

Many thanks

-- 
Dario Lesca <d.lesca@solinos.it>

Dario Lesca wrote:
> Il giorno dom, 12/02/2006 alle 18.21 -0600, Jerry Vonau ha scritto:
> 
> 
>>Judging from the source port the connection looks to be masq''d,
and the
>>replies are there, but using "mark 1" and no
"assured". Lets not fight
>>with it and try using "1" as the mark in tcrules. IF that
works for you,
>>then you can remove the "FwOut" from the providers file.
I''m not using
>>the "routefilter" or "tcpflags" in the interfaces
file, that is the only
>>other thing I can think of at this time.
> 
> 
> Still not work.
> 
> I have remove the routefilter and tcpflag, I have remove FwOut and use
> mark 1 but none is changed:
> 
> If I use "ssh -b so.me.fw.ip -v remote" work for all IP except
the
> 192.168.0.2! this is the only fw-ip witch not work.
> 
> Someone can explain me why?
> 
> I do not know what I can to try for resolve this problem.
> 
> please give me some suggest...
> 
> Attached there are the last fwconf and fwdump log.
> 
> Many thanks
> 
Looks like just removing "routefilter" is not enough by itself, you
need
to reset the /proc entries by hand, or a network restart might fix it.

Can you try:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter

Hope this works, I''m out of ideas.

Jerry


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642