Hi all,

I am having an issue with a multiple ISP setup. I have followed the docs online and I think I have everything setup correctly but I can get the desired traffic to go out my secondary ISP.

A quick run down on what I am trying to accomplish. I want to send all sip/iax traffic out one ISP in the net zone and then send all other traffic out my secondary ISP in the dsl zone. Attached is my running config. I'm sure I am just missing some little thing in the packet marking or something.

What keeps happening is that I get martian packets on my secondary ISP interface. Here is what is reported from the logs.

Sep 19 22:56:43 pfars kernel: Shorewall:loc2all:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.94 DST=66.114.106.8 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1321 DF PROTO=TCP SPT=1112 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 19 22:56:43 pfars kernel: martian source 10.0.0.94 from 66.114.106.8, on dev eth0
Sep 19 22:56:43 pfars kernel: ll header: 00:60:08:39:56:93:00:02:3b:01:47:df:08:00

Says the packet is accepted but the response back generates a martian source.

Thanks in advance for any help.

Jon Scottorn
Systems Administrator
The Possibility Forge, Inc.
http://www.possibilityforge.com

jscottorn@possibilityforge.com wrote:
> Hi all,
>
> I am having an issue with a multiple ISP setup. I have followed the
> docs online and I think I have everything setup correctly but I can
> get the desired traffic to go out my secondary ISP.
>
> A quick run down on what I am trying to accomplish. I want to send all
> sip/iax traffic out one ISP in the net zone and then send all other
> traffic out my secondary ISP in the dsl zone.
> Attached is my running config.

Hi Jon,

You'll need to provide us with a dump as per http://www.shorewall.net/support.htm. A copy of your providers and tcrules configs wouldn't go astray, either.

Regards,
Paul

jscottorn@possibilityforge.com wrote:
> Hi all,
>
> I am having an issue with a multiple ISP setup. I have followed the
> docs online and I think I have everything setup correctly but I can
> get the desired traffic to go out my secondary ISP.

P.S. What on earth is a 'w1g1chdl'?!? :-)

Paul

> jscottorn@possibilityforge.com wrote:
>> Hi all,
>>
>> I am having an issue with a multiple ISP setup. I have followed the
>> docs online and I think I have everything setup correctly but I can
>> get the desired traffic to go out my secondary ISP.
>>
>> A quick run down on what I am trying to accomplish. I want to send all
>> sip/iax traffic out one ISP in the net zone and then send all other
>> traffic out my secondary ISP in the dsl zone.
>> Attached is my running config.
>
> Hi Jon,
>
> You'll need to provide us with a dump as per
> http://www.shorewall.net/support.htm. A copy of your providers and
> tcrules configs wouldn't go astray, either.
>

Sorry, Here is my dump, I did shorewall show before.

Here is what is in my providers file

#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
t1      1       1     main       w1g1chdl   65.88.235.145  loose
dsl1    2       2     main       eth0       71.4.72.129    loose

And my tcrules file:

#MARK   SOURCE  DEST       PROTO  PORT(S)          CLIENT PORT(S)
1       eth1    0.0.0.0/0  tcp    sip,iax,ssh
1       eth1    0.0.0.0/0  udp    sip,iax
#2      eth1    0.0.0.0/0  tcp    !sip,!iax,!ssh
#2      eth1    0.0.0.0/0  udp    !sip,!iax

I had to comment the second item out so I could have internet access again. I'm not sure if my ! statements work, but shorewall starts.

Thanks again for any advice.

Jon

> jscottorn@possibilityforge.com wrote:
>> Hi all,
>>
>> I am having an issue with a multiple ISP setup. I have followed the
>> docs online and I think I have everything setup correctly but I can
>> get the desired traffic to go out my secondary ISP.
>
> P.S. What on earth is a 'w1g1chdl'?!? :-)

That is my T1 Provider. It is a sangoma card and the provider uses chdlc.

> jscottorn@possibilityforge.com wrote:
>> Hi all,
>>
>> I am having an issue with a multiple ISP setup. I have followed the
>> docs online and I think I have everything setup correctly but I can
>> get the desired traffic to go out my secondary ISP.
>>
>> A quick run down on what I am trying to accomplish. I want to send all
>> sip/iax traffic out one ISP in the net zone and then send all other
>> traffic out my secondary ISP in the dsl zone.
>> Attached is my running config.
>
> Hi Jon,
>
> You'll need to provide us with a dump as per
> http://www.shorewall.net/support.htm. A copy of your providers and
> tcrules configs wouldn't go astray, either.
>

I sent it but was too big to get on the list so it is waiting to be approved.

jscottorn@possibilityforge.com wrote:
> ...
>> P.S. What on earth is a 'w1g1chdl'?!? :-)
> That is my T1 Provider. It is a sangoma card and the provider uses chdlc.

You learn something every day... :-)

Paul

jscottorn@possibilityforge.com wrote:
>> ...
>> You'll need to provide us with a dump as per
>> http://www.shorewall.net/support.htm. A copy of your providers and
>> tcrules configs wouldn't go astray, either.
>>
> I sent it but was too big to get on the list so it is waiting to be approved.

I've manually approved now. Did you compress it with bzip2? It was hard to work that out from the information I can see in the mailman admin interface.

Paul

jscottorn@possibilityforge.com wrote:
> ...
> Sorry, Here is my dump, I did shorewall show before.

> Here is what is in my providers file
>
> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
> t1      1       1     main       w1g1chdl   65.88.235.145  loose
> dsl1    2       2     main       eth0       71.4.72.129    loose

I haven't had a chance to look at your dump yet, but it is recommended to use track and balance, even though you don't want to do strict load balancing. See the notices marked "Important" in http://www.shorewall.net/MultiISP.html

Paul

Paul Gear wrote:
> jscottorn@possibilityforge.com wrote:
>> ...
>> Sorry, Here is my dump, I did shorewall show before.
>
>> Here is what is in my providers file
>>
>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
>> t1      1       1     main       w1g1chdl   65.88.235.145  loose
>> dsl1    2       2     main       eth0       71.4.72.129    loose
>
> I haven't had a chance to look at your dump yet, but it is recommended
> to use track and balance, even though you don't want to do strict load
> balancing. See the notices marked "Important" in
> http://www.shorewall.net/MultiISP.html

Those same notices also lead you to FAQs 57 and 58 -- Please read them...

I would also recommend using the COPY column appropriately (I suspect that it should specify just eth1).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> Paul Gear wrote:
>> jscottorn@possibilityforge.com wrote:
>>> ...
>>> Sorry, Here is my dump, I did shorewall show before.
>>
>>> Here is what is in my providers file
>>>
>>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
>>> t1      1       1     main       w1g1chdl   65.88.235.145  loose
>>> dsl1    2       2     main       eth0       71.4.72.129    loose
>>
>> I haven't had a chance to look at your dump yet, but it is recommended
>> to use track and balance, even though you don't want to do strict load
>> balancing. See the notices marked "Important" in
>> http://www.shorewall.net/MultiISP.html
>
> Those same notices also lead you to FAQs 57 and 58 -- Please read them...
>

I did the suggested items by adding the track and balance and that worked but now it is sending all traffic out my second ISP and none out the first.

When I issue a shorewall restart I get these warnings. Don't know if I need to worry about them or not.

Processing /etc/shorewall/providers...
/usr/share/shorewall/firewall: line 1393: 20000 + (1 - 1) * 256 + $rulenum : syntax error: operand expected (error token is "$rulenum ")
Provider t1 1 1 main w1g1chdl 65.88.235.145 track,balance eth0 Added
/usr/share/shorewall/firewall: line 1393: 20000 + (2 - 1) * 256 + $rulenum : syntax error: operand expected (error token is "$rulenum ")
Provider dsl1 2 2 main eth1 71.4.72.129 track,balance eth0 Added
Default route nexthop via 65.88.235.145 dev w1g1chdl weight 1 nexthop via 71.4.72.129 dev eth1 weight 1 Added.

> I would also recommend using the COPY column appropriately (I suspect that
> it should specify just eth1).
>

I tried this as well and all data still just goes out my second ISP as well.

What I want to do is hopefully send all SIP/IAX traffic out my primary ISP and all other traffic out my secondary ISP.

Is there anything else I can try to get this to work?

Thanks for the advice.

Jon

jscottorn@possibilityforge.com wrote:
>> Paul Gear wrote:
>>> jscottorn@possibilityforge.com wrote:
>>>> ...
>>>> Sorry, Here is my dump, I did shorewall show before.
>>>> Here is what is in my providers file
>>>>
>>>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
>>>> t1      1       1     main       w1g1chdl   65.88.235.145  loose
>>>> dsl1    2       2     main       eth0       71.4.72.129    loose
>>> I haven't had a chance to look at your dump yet, but it is recommended
>>> to use track and balance, even though you don't want to do strict load
>>> balancing. See the notices marked "Important" in
>>> http://www.shorewall.net/MultiISP.html
>> Those same notices also lead you to FAQs 57 and 58 -- Please read them...
>>
> I did the suggested items by adding the track and balance and that worked
> but now it is sending all traffic out my second ISP and none out the
> first.
>
> When I issue a shorewall restart I get these warnings. Don't know if I
> need to worry about them or not.
>
> Processing /etc/shorewall/providers...
> /usr/share/shorewall/firewall: line 1393: 20000 + (1 - 1) * 256 + $rulenum : syntax error: operand expected (error token is "$rulenum ")
> Provider t1 1 1 main w1g1chdl 65.88.235.145 track,balance eth0 Added
> /usr/share/shorewall/firewall: line 1393: 20000 + (2 - 1) * 256 + $rulenum : syntax error: operand expected (error token is "$rulenum ")
> Provider dsl1 2 2 main eth1 71.4.72.129 track,balance eth0 Added
> Default route nexthop via 65.88.235.145 dev w1g1chdl weight 1 nexthop via 71.4.72.129 dev eth1 weight 1 Added.
>

John -- please see http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt

There is a fix available for this problem.

-Tom

> jscottorn@possibilityforge.com wrote:
>>> Paul Gear wrote:
>>>> jscottorn@possibilityforge.com wrote:
>>>>> ...
>>>>> Sorry, Here is my dump, I did shorewall show before.
>>>>> Here is what is in my providers file
>>>>>
>>>>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
>>>>> t1      1       1     main       w1g1chdl   65.88.235.145  loose
>>>>> dsl1    2       2     main       eth0       71.4.72.129    loose
>>>> I haven't had a chance to look at your dump yet, but it is recommended
>>>> to use track and balance, even though you don't want to do strict load
>>>> balancing. See the notices marked "Important" in
>>>> http://www.shorewall.net/MultiISP.html
>>> Those same notices also lead you to FAQs 57 and 58 -- Please read
>>> them...
>>>
>> I did the suggested items by adding the track and balance and that worked
>> but now it is sending all traffic out my second ISP and none out the
>> first.
>>
>> When I issue a shorewall restart I get these warnings. Don't know if I
>> need to worry about them or not.
>>
>> Processing /etc/shorewall/providers...
>> /usr/share/shorewall/firewall: line 1393: 20000 + (1 - 1) * 256 + $rulenum : syntax error: operand expected (error token is "$rulenum ")
>> Provider t1 1 1 main w1g1chdl 65.88.235.145 track,balance eth0 Added
>> /usr/share/shorewall/firewall: line 1393: 20000 + (2 - 1) * 256 + $rulenum : syntax error: operand expected (error token is "$rulenum ")
>> Provider dsl1 2 2 main eth1 71.4.72.129 track,balance eth0 Added
>> Default route nexthop via 65.88.235.145 dev w1g1chdl weight 1 nexthop via 71.4.72.129 dev eth1 weight 1 Added.
>>
>
> John -- please see
> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt
>
> There is a fix available for this problem.
>

Where do I find this, Is it out of CVS or something?

Replace /usr/share/shorewall/firewall with the 'firewall' file from the 'errata' sub-directory.

and will it also fix my issue of sending all my data out my secondary ISP?

Thanks,
Jon

jscottorn@possibilityforge.com wrote:
>>>
>> John -- please see
>> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt
>>
>> There is a fix available for this problem.
>>
>
> Where do I find this, Is it out of CVS or something?

You find the 'errata' sub-directory in the same directory as the 'known_problems.txt' file that you are reading (namely http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/)

> Replace /usr/share/shorewall/firewall with the 'firewall' file from the
> 'errata' sub-directory.
>
> and will it also fix my issue of sending all my data out my secondary ISP?

That will depend on your marking rules -- you haven't shown those two us since you (presumably) followed the instructions in FAQ 58.

-Tom

> jscottorn@possibilityforge.com wrote:
>
>>>>
>>> John -- please see
>>> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt
>>>
>>> There is a fix available for this problem.
>>>
>>
>> Where do I find this, Is it out of CVS or something?
>
> You find the 'errata' sub-directory in the same directory as the
> 'known_problems.txt' file that you are reading (namely
> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/)
>
>> Replace /usr/share/shorewall/firewall with the 'firewall' file from the
>> 'errata' sub-directory.
>>
>> and will it also fix my issue of sending all my data out my secondary
>> ISP?
>
> That will depend on your marking rules -- you haven't shown those two us
> since you (presumably) followed the instructions in FAQ 58.
>

Sorry, I have now replaced the firewall. That fixed the warnings on shorewall restart.

I am still having the same issue though. Everything is being sent out my secondary ISP.

Here is my providers file

#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
t1      1       1     main       w1g1chdl   65.88.235.145  track,balance  eth0
dsl1    2       2     main       eth1       71.4.72.129    track,balance  eth0

Here is my tcrules file:

#MARK   SOURCE  DEST       PROTO  PORT(S)          CLIENT PORT(S)
1       eth0    0.0.0.0/0  tcp    sip,iax,ssh
1       eth0    0.0.0.0/0  udp    sip,iax
2       eth0    0.0.0.0/0  tcp    !sip,!iax,!ssh

Thanks,
Jon

Tom Eastep wrote:
> ...you haven't shown those two us...

I sure hope that those of you for whom English is a second language don't copy the grammar and spelling in my posts :-)

Should have been:

...you haven't shown those *to* us...

-Tom

jscottorn@possibilityforge.com wrote:
>> jscottorn@possibilityforge.com wrote:
>>
>>>> John -- please see
>>>> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt
>>>>
>>>> There is a fix available for this problem.
>>>>
>>> Where do I find this, Is it out of CVS or something?
>> You find the 'errata' sub-directory in the same directory as the
>> 'known_problems.txt' file that you are reading (namely
>> http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/)
>>
>>> Replace /usr/share/shorewall/firewall with the 'firewall' file from the
>>> 'errata' sub-directory.
>>>
>>> and will it also fix my issue of sending all my data out my secondary
>>> ISP?
>> That will depend on your marking rules -- you haven't shown those two us
>> since you (presumably) followed the instructions in FAQ 58.
>>
>
> Sorry, I have now replaced the firewall. That fixed the warnings on
> shorewall restart.
>
> I am still having the same issue though. Everything is being sent out my
> secondary ISP.
>
> Here is my providers file
>
> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
> t1      1       1     main       w1g1chdl   65.88.235.145  track,balance  eth0
> dsl1    2       2     main       eth1       71.4.72.129    track,balance  eth0
>
> Here is my tcrules file:
>
> #MARK   SOURCE  DEST       PROTO  PORT(S)          CLIENT PORT(S)
> 1       eth0    0.0.0.0/0  tcp    sip,iax,ssh
> 1       eth0    0.0.0.0/0  udp    sip,iax
> 2       eth0    0.0.0.0/0  tcp    !sip,!iax,!ssh

All tcp traffic is getting mark value 2. The only traffic getting mark value 1 is UDP sip,iax.

As pointed out in the tcrules documentation, the LAST rule that matches determines the mark value. Consequently the answer to FAQ 58 specifically says that you must put the default mark first! (and I would leave off the protocol).

-Tom

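The last-match-wins ordering described in the reply above, as an added example that is not part of the original thread and is not Shorewall code: a small Python model of tcrules evaluation applied to the rules as posted and to the reordering Tom recommends. Assumptions: the port numbers for sip, iax and ssh are the usual /etc/services values, the `!sip,!iax,!ssh` rule is modelled as matching all TCP (following Tom's reading), and Rule, final_mark and shadowed_rules are hypothetical names.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumed service-name to port mapping (usual /etc/services values).
SERVICES = {"sip": 5060, "iax": 4569, "ssh": 22}


def svc(*names: str) -> FrozenSet[int]:
    return frozenset(SERVICES[n] for n in names)


@dataclass(frozen=True)
class Rule:
    """One tcrules line, reduced to MARK, PROTO and destination PORT(S)."""
    mark: int
    proto: Optional[str] = None             # None means any protocol
    ports: Optional[FrozenSet[int]] = None  # None means any port

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        return self.ports is None or dport in self.ports

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        proto_ok = self.proto is None or self.proto == other.proto
        ports_ok = self.ports is None or (
            other.ports is not None and other.ports <= self.ports)
        return proto_ok and ports_ok


def final_mark(rules: List[Rule], proto: str, dport: int) -> int:
    """All rules are traversed; the last one that matches sets the mark."""
    mark = 0  # 0 = packet left unmarked
    for rule in rules:
        if rule.matches(proto, dport):
            mark = rule.mark
    return mark


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (earlier, later) index pairs where the later rule re-marks
    every packet the earlier rule matched, making the earlier one dead."""
    return [(i, j)
            for i, early in enumerate(rules)
            for j in range(i + 1, len(rules))
            if rules[j].covers(early) and rules[j].mark != early.mark]


# Rules in the order posted in the thread (negated port list modelled as
# "all TCP", per the reply's statement that all tcp traffic gets mark 2).
AS_POSTED = [
    Rule(1, "tcp", svc("sip", "iax", "ssh")),
    Rule(1, "udp", svc("sip", "iax")),
    Rule(2, "tcp"),
]

# Reordered as the reply recommends: default mark first, no protocol.
REORDERED = [
    Rule(2),
    Rule(1, "tcp", svc("sip", "iax", "ssh")),
    Rule(1, "udp", svc("sip", "iax")),
]

# Constructed sample packets: (protocol, destination port).
SAMPLES = [("tcp", 22), ("udp", 5060), ("udp", 4569), ("tcp", 110), ("udp", 53)]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "- shadowed rule pairs:", shadowed_rules(rules))
        for proto, dport in SAMPLES:
            print(f"  {proto}/{dport}: mark {final_mark(rules, proto, dport)}")
```
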