Richard Houston
2006-Feb-23 21:39 UTC
forcing specific protocols through specific interface
Hi all

Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3 Ethernet cards. One connects to a high speed radio service (8 mbit, eth0), the second to a broadband cable provider (1.5 mbit, eth2) and the other into our dmz (eth1). I have the two external lines balanced, both set at default weight.

The issue I run into is that the cable provider's ip addresses have been added to several RBLs on the net, so if the mail server, situated in the dmz, tries to send mail to gov addresses the mail gets bounced.

What I would like to do is send all traffic for port 25 out on the 8 mbit eth0 line only. If it helps we can send all the traffic for a specific machine out via the 8 mbit eth0 interface, that works for me.

Thanks all and appreciate your help.

+------------------------------------+
Best regards,
-Richard Houston
-R.L.H. Consulting
-E-Mail rhouston@rlhc.net
-WWW http://www.rlhc.net
-Blog http://www.rlhc.net/blog/
Tom Eastep
2006-Feb-23 21:48 UTC
Re: forcing specific protocols through specific interface
On Thursday 23 February 2006 13:39, Richard Houston wrote:
> Hi all
>
> Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3
> Ethernet cards. One connects to a high speed radio service (8 mbit eth0)
> the second to a broadband cable provider (1.5 mbit eth2) and the other
> into our dmz (eth1). I have the two external lines balanced, both set at
> default weight.
>
> The issue I run into is that the cable provider's ip addresses have been
> added to several RBLs on the net so if the mail server, situated in the
> dmz, tries to send mail to gov addresses the mail gets bounced.
>
> What I would like to do is send all traffic for port 25 out on the 8 mbit
> eth0 line only. If it helps we can send all the traffic for a specific
> machine out via the 8 mbit eth0 interface, that works for me.
>
> Thanks all and appreciate your help.

The example in the Shorewall multiISP documentation describes *exactly* how to do this (it even uses tcp port 25 as the example application!!!)

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Richard Houston
2006-Feb-23 23:06 UTC
Re: forcing specific protocols through specific interface
> The example in the Shorewall multiISP documentation describes *exactly*
> how to do this (it even uses tcp port 25 as the example application!!!)
>
> -Tom

Thanks Tom, I have been working from that document and still having issues. Here is what I have:

IN TCRULES:

  2:P  10.10.10.0   0.0.0.0  tcp
  1:P  10.10.10.11  0.0.0.0  tcp  25

Now I still see port 25 traffic going out eth2, or 2:P in this case. 1:P is the eth1 line which I want to see it go out.

This is the content of my PROVIDERS file:

  tgo  1  1  main  eth0  64.201.181.177  track,balance  eth1
  shw  2  2  main  eth2  24.79.4.1       track,balance  eth1

And here is the result of my shorewall restart:

  Setting up Traffic Control Rules...
  TC Rule "2:P 10.10.10.0 0.0.0.0 tcp " added
  TC Rule "1:P 10.10.10.11 0.0.0.0 tcp 25 " added

Note: 10.10.10.10 is a proxy server so I want all of its traffic to go out via the slower eth2 line. We want the eth0 line to be free for inbound connections.

TC_ENABLED is set to TC_ENABLED. If I set it to yes it bombs with a "no tcstart found". Is this my issue? What should be in the tcstart file?

Thanks again for your help.

+------------------------------------+
Best regards,
-Richard Houston
-R.L.H. Consulting
-E-Mail rhouston@rlhc.net
-WWW http://www.rlhc.net
-Blog http://www.rlhc.net/blog/
Richard Houston wrote:
> ...
> I have been working from that document and still having issues. Here is
> what I have:
> ...
>
> TC_ENABLED is set to TC_ENABLED
> If I set it to yes it bombs with a "no tcstart found" Is this my issue?
> What should be in the tcstart file.

If you're using Shorewall's built-in TC, it should be set to "Internal".

Paul
Richard Houston
2006-Feb-24 00:45 UTC
Re: Re: forcing specific protocols through specific interface
Thanks for that. That is what it was set to be for but it did not work correctly. The mail and web traffic is balanced between the 2 Internet connected connection.

+------------------------------------+
Best regards,
-Richard Houston
-R.L.H. Consulting
-E-Mail rhouston@rlhc.net
-WWW http://www.rlhc.net
-Blog http://www.rlhc.net/blog/

> Richard Houston wrote:
>> ...
>> I have been working from that document and still having issues. Here is
>> what I have: ...
>>
>> TC_ENABLED is set to TC_ENABLED
>> If I set it to yes it bombs with a "no tcstart found" Is this my issue?
>> What should be in the tcstart file.
>
> If you're using Shorewall's built-in TC, it should be set to "Internal".
>
> Paul
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jerry Vonau
2006-Feb-24 01:17 UTC
Re: Re: forcing specific protocols through specific interface
Richard Houston wrote:
> Thanks for that. That is what it was set to be for but it did not work
> correctly. The mail and web traffic is balanced between the 2 Internet
> connected connection.

How is the masq file setup?

Jerry
Richard Houston wrote:
> Thanks for that. That is what it was set to be for but it did not work
> correctly. The mail and web traffic is balanced between the 2 Internet
> connected connection.

Well your problem is elsewhere, then. :-)

Paul
Tom Eastep
2006-Feb-24 01:37 UTC
Re: Re: forcing specific protocols through specific interface
On Thursday 23 February 2006 16:45, Richard Houston wrote:
> Thanks for that. That is what it was set to be for but it did not work
> correctly. The mail and web traffic is balanced between the 2 Internet
> connected connection.

We have very specific instructions for reporting problems so that we can solve them easily (see http://www.shorwall.net/support.htm). We need the information described in those instructions.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Richard Houston
2006-Feb-24 03:09 UTC
Re: Re: forcing specific protocols through specific interface
> Richard Houston wrote:
>> Thanks for that. That is what it was set to be for but it did not work
>> correctly. The mail and web traffic is balanced between the 2 Internet
>> connected connection.
>
> How is the masq file setup?
> Jerry

Here it is:

  #INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
  eth0        eth1
  eth2        eth1
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Michael Cozzi
2006-Feb-24 03:10 UTC
Re: forcing specific protocols through specific interface
Richard Houston wrote:
> Hi all
>
> Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3
> Ethernet cards. One connects to a high speed radio service (8 mbit eth0)
> the second to a broadband cable provider (1.5 mbit eth2) and the other
> into our dmz (eth1). I have the two external lines balanced, both set at
> default weight.
>
> The issue I run into is that the cable provider's ip addresses have been
> added to several RBLs on the net so if the mail server, situated in the
> dmz, tries to send mail to gov addresses the mail gets bounced.
>
> What I would like to do is send all traffic for port 25 out on the 8 mbit
> eth0 line only. If it helps we can send all the traffic for a specific
> machine out via the 8 mbit eth0 interface, that works for me.
>
> Thanks all and appreciate your help.

Richard,

I'm a pretty heavy duty sendmail admin who manages several large volume servers. My comments are unrelated to Shorewall (sorry).

While putting a protocol through a specific interface might work, it's a really messy way of avoiding an RBL listing. The best way of handling it would be to find out what RBLs are involved, and get whitelisted. There are *several problems* and *RFC transgressions* that can happen under the config you are proposing, and while you might be able to avoid them through being meticulous, the best route really is to get off the RBLs.

I would be surprised if the .gov servers you are referring to are using the really aggressive RBLs. If they are it will be more reliable long term to contact the administrators of the RBLs and go through the clearing process, and/or contact the postmasters of those servers for whitelisting.

I've had to "cleanup" IP ranges a bunch of times as clients have come and gone and my servers have moved around the country. It pays in spades to do the RBL work up front. And in your case, if the second connection gets blacklisted, you'll have to de-pollute the IP range anyway. And that process, depending on how bad things are (ISP/Number of listings), and whether your servers are configured correctly, can take weeks. Don't be without e-mail for weeks; deal with the RBL problem.

--
Michael Cozzi
cozzi@cozziconsulting.com
Richard Houston
2006-Feb-24 03:10 UTC
Re: Re: forcing specific protocols through specific interface
> Richard Houston wrote:
>> Thanks for that. That is what it was set to be for but it did not work
>> correctly. The mail and web traffic is balanced between the 2 Internet
>> connected connection.
>
> Well your problem is elsewhere, then. :-)
>
> Paul

K, any ideas where I can look for the issue?
Richard Houston
2006-Feb-24 03:11 UTC
Re: Re: forcing specific protocols through specific interface
> On Thursday 23 February 2006 16:45, Richard Houston wrote:
>> Thanks for that. That is what it was set to be for but it did not work
>> correctly. The mail and web traffic is balanced between the 2 Internet
>> connected connection.
>
> We have very specific instructions for reporting problems so that we can
> solve them easily (see http://www.shorwall.net/support.htm). We need the
> information described in those instructions.
>
> -Tom

Will do. Thanks!
Jerry Vonau
2006-Feb-24 03:29 UTC
Re: Re: forcing specific protocols through specific interface
Richard Houston wrote:
>> Richard Houston wrote:
>>> Thanks for that. That is what it was set to be for but it did not work
>>> correctly. The mail and web traffic is balanced between the 2 Internet
>>> connected connection.
>>
>> How is the masq file setup?
>> Jerry
>
> Here it is:
>
> #INTERFACE  SUBNET  ADDRESS  PROTO  PORT(S)  IPSEC
> eth0        eth1
> eth2        eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

You really should be doing SNAT here, that is done by using the third column, like in the examples on http://www.shorewall.net/MultiISP.html. The short story is that iproute and the masq code don't play nice together. From experience, you should not give it a chance to guess what source address to use for the outbound masq'd connections.

Jerry
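The three Shorewall files this thread keeps circling back to (providers, masq and tcrules, plus the TC_ENABLED setting Paul named), written out as an added example for this thread rather than copied from it or from the Shorewall documentation. It reuses the interface, provider and gateway values from Richard's posts and adds the SNAT column Jerry recommends; ETH0_PUBLIC_IP and ETH2_PUBLIC_IP are placeholders, since the firewall's own external addresses are not given anywhere in the thread.

```text
# /etc/shorewall/shorewall.conf
# Built-in traffic control; "yes" expects a user-supplied tcstart file.
TC_ENABLED=Internal

# /etc/shorewall/providers
# Mark 1 routes through tgo (eth0), mark 2 through shw (eth2).
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS        COPY
tgo    1       1     main       eth0       64.201.181.177  track,balance  eth1
shw    2       2     main       eth2       24.79.4.1       track,balance  eth1

# /etc/shorewall/masq
# Third column = SNAT to a fixed address instead of MASQUERADE, so a
# connection leaving eth0 always carries eth0's address and never
# the cable provider's (RBL-listed) address. Placeholder values below.
#INTERFACE  SUBNET  ADDRESS
eth0        eth1    ETH0_PUBLIC_IP
eth2        eth1    ETH2_PUBLIC_IP

# /etc/shorewall/tcrules
# ":P" marks in PREROUTING, i.e. before the routing decision for
# packets arriving from the DMZ. Rules are applied in order and a later
# match overrides an earlier mark, so the host-specific port-25 rule
# comes last. A SOURCE written without a /mask matches one host only;
# 10.10.10.0/24 is needed to cover the whole DMZ subnet.
#MARK  SOURCE          DEST       PROTO  PORT(S)
2:P    10.10.10.0/24   0.0.0.0/0  tcp
1:P    10.10.10.11     0.0.0.0/0  tcp    25
```

After `shorewall restart`, `ip rule` should show an entry matching fwmark 1 that looks up table tgo, and `shorewall show mangle` should list the MARK rule for tcp/25; if port-25 connections still leave via eth2, the mark is not being applied to them.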
Hello Michael.

I like your approach. Going head on at the problem, not working around it. But getting the cable connection whitelisted is a difficult process. Many RBLs have a listing on dynamic IP ranges (I would suspect that this is the case for Richard's cable connection) and they will not remove these listings.

I would expect the 8Mbit connection to have a more "permanent" status and therefore be a recommended solution, making it possible to get off the blacklists should that occur.

I would recommend getting a permanent IP/range registered to your organization on a non "dynamic CABLE/xDSL IP pool" for a critical mail system (if this isn't already the case on the 8Mbit connection). It's also recommended to get the proper reverse IP lookup on that mail server to match the hostname. Some servers may check to see if the mail server's reported hostname is equal to the official reverse lookup of the IP. Some have had this as a requirement, but have later removed it because of the number of "good" servers being rejected.

best regards,
Kristian.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Michael Cozzi
Sent: 24. februar 2006 04:10
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] forcing specific protocols through specific interface
Michael Cozzi
2006-Feb-24 17:00 UTC
Re: forcing specific protocols through specific interface
K wrote:
> Hello Michael.
>
> I like your approach. Going head on the problem, not working around it.
> But as for getting the cable connection white listed is a difficult process.
> Many RBL have a listing on dynamic IP ranges. (I would suspect that this is
> the case of Richard's cable connection) and they will not remove these
> listings.

K,

Yes it might be a challenge, but it seems easier than moving a mail server in production to a new IP range. If you work with the ISP, the RBL, and the problem servers you can fix it permanently. Some RBLs have become more sensitive to the dynamic IP listing since many Cable/Low tier providers are now handing out IP ranges and hosting servers. It's worth a try anyway. I've always been successful in these situations.

--
Michael Cozzi
cozzi@cozziconsulting.com