Hello all,

after reading all the Shorewall documentation about multi-ISP and routing some questions remain.

I have a Shorewall system running connected to two ISPs. Up to now I use static routes, defined in the Linux system, and a default route pointing to one of the interfaces. I don't use the "balance" option in /etc/shorewall/providers (yes, and don't use the "routefilter" option on interfaces).

Now we will extend our bandwidth with a third ISP line. What I now want is load balancing on two of the interfaces and some dedicated traffic on the third. As I understood the documentation, all I have to do for this is to add the "balance" option to the desired provider lines and to delete the single default route in Linux (since it is inserted by Shorewall anyway for each provider line). Am I right up to here? Did I forget anything?

So, what's the difference between defining routing on Linux ("route add -net....") and using /etc/shorewall/route_rules? Is there any advantage to using one or the other?

Thanks for your advice,
Christian

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On Mon, Mar 10, 2008 at 02:44:30PM +0100, Christian Vieser wrote:
> So, what's the difference between defining routing on Linux ("route add
> -net....") and using /etc/shorewall/route_rules? Is there any advantage
> to use the one or other?

Shorewall has a somewhat crude form of routing automation to solve one specific problem that happens to occur fairly often. If you want to do exactly that, it's probably easier. If you want to do anything else, you're going to have to define your own routing table (and you probably want to be using 'ip route' rather than 'route').
Christian Vieser wrote:
> Hello all,
>
> after reading all the Shorewall documentation about multi-ISP and
> routing some questions remain.
>
> I have a Shorewall system running connected to two ISPs. Up to now I use
> static routes, defined in the Linux system, and a default route pointing
> to one of the interfaces. I don't use the "balance" option in
> /etc/shorewall/providers (yes, and don't use the "routefilter" option on
> interfaces).
>
> Now we will extend our bandwidth with a third ISP line. What I now want
> is load balancing on two of the interfaces and some dedicated traffic on
> the third. As I understood the documentation, all I have to do for this
> is to add the "balance" option to the desired provider lines and to
> delete the single default route in Linux (since it is inserted by
> Shorewall anyway for each provider line). Am I right up to here?

No. The default route added by Shorewall is in the provider's routing table, not in the main routing table. It is necessary if you are going to use that table for anything.

In this case, you probably don't want to specify 'balance' on the third line that you want to use for special purposes. That way, it won't get added as one of the options in the main table's default route.

> Did I forget anything?

You then need to add either tcrules or route_rules to direct the desired traffic to the third line.

> So, what's the difference between defining routing on Linux ("route add
> -net....") and using /etc/shorewall/route_rules? Is there any advantage
> to use the one or other?

They do totally different things. "route add" (which is deprecated in favor of "ip route add") adds an entry to a routing table. Entries in /etc/shorewall/route_rules add routing rules -- the two are different things. Routing rules determine which routing table(s) is (are) used to route a packet. Routing table entries determine the actual routing.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi!!!!

I have the next question. I have some IPs with full access with this rule:

ACCEPT lan:IP1,IP2,IP3 wan all - -

How do I block some destination ports!?

thx
Rodrigo Cortes wrote:
> Hi!!!!
>
> I have the next question. I have some IPs with full access with this rule:
>
> ACCEPT lan:IP1,IP2,IP3 wan all - -
>
> How do I block some destination ports!?

Precede that rule with:

REJECT lan:IP1,IP2,IP3 wan tcp p1,p2,...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hehe, okidoki. I thought it was something more complex >_>

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, 11 March 2008 17:15
To: Shorewall Users
Subject: Re: [Shorewall-users] full access but...
On Tue, Mar 11, 2008 at 05:10:34PM -0300, Rodrigo Cortes wrote:
> Hi!!!!
>
> I have the next question. I have some IPs with full access with this rule:
>
> ACCEPT lan:IP1,IP2,IP3 wan all - -
>
> How do I block some destination ports!?
>

You are going about this the hard way. However, a rule like this *BEFORE* the rule you list would work:

REJECT:info lan:IP1 wan all a,b,c

That would block IP1 from sending out traffic on ports a, b and c.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
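Both answers above hinge on the same property of /etc/shorewall/rules: lines are tried in file order and the first match wins, so a REJECT placed after the broad ACCEPT is dead. The following is an added example written for this thread, not Shorewall's own parser. It handles only the ACTION, SOURCE, DEST, PROTO and DEST PORT(S) columns that appear in the thread; the addresses 10.0.0.11-13 (standing in for IP1, IP2, IP3), the mail ports and the DROP fallback policy are constructed assumptions.

```python
"""First-match evaluation of /etc/shorewall/rules lines, showing why the REJECT
line has to precede the broad ACCEPT.

Added example for this thread, not Shorewall's own parser: it understands only
the ACTION, SOURCE, DEST, PROTO and DEST PORT(S) columns used above, and the
addresses, ports and policy are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    src_hosts: tuple   # () means the whole zone
    dst_zone: str
    proto: str         # 'all' or a protocol name such as 'tcp'
    dports: tuple      # () means any port; else (lo, hi) pairs


def parse_ports(spec):
    """'25,465:466' -> ((25, 25), (465, 466)); '-' -> ()."""
    if spec in ("-", ""):
        return ()
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)


def parse_rule(line):
    fields = line.split()
    action = fields[0].split(":")[0]           # 'REJECT:info' -> 'REJECT'
    src_zone, _, hosts = fields[1].partition(":")
    src_hosts = tuple(ipaddress.ip_network(h, strict=False)
                      for h in hosts.split(",") if h)
    proto = fields[3].lower() if len(fields) > 3 else "all"
    ports = fields[4] if len(fields) > 4 else "-"
    return Rule(action, src_zone, src_hosts, fields[2], proto, parse_ports(ports))


def matches(rule, conn):
    """conn: dict with src_zone, dst_zone, src (address), proto, dport."""
    if (rule.src_zone, rule.dst_zone) != (conn["src_zone"], conn["dst_zone"]):
        return False
    src = ipaddress.ip_address(conn["src"])
    if rule.src_hosts and not any(src in n for n in rule.src_hosts):
        return False
    if rule.proto != "all" and rule.proto != conn["proto"]:
        return False
    if rule.dports and not any(lo <= conn["dport"] <= hi for lo, hi in rule.dports):
        return False
    return True


def first_match(rules, conn, policy="DROP"):
    """Rules are tried in file order; the first hit wins. Nothing hit ->
    the zone pair's policy (assumed DROP here) applies."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return policy


# Constructed sample lines; 10.0.0.11-13 stand in for IP1,IP2,IP3.
ACCEPT_ALL = "ACCEPT lan:10.0.0.11,10.0.0.12,10.0.0.13 wan all - -"
BLOCK_MAIL = "REJECT:info lan:10.0.0.11,10.0.0.12,10.0.0.13 wan tcp 25,465,587"


def decide(lines, conn):
    """Parse the given rules lines in order and return the winning action."""
    return first_match([parse_rule(ln) for ln in lines], conn)


SMTP = {"src_zone": "lan", "dst_zone": "wan", "src": "10.0.0.11",
        "proto": "tcp", "dport": 25}

if __name__ == "__main__":
    print("REJECT first:", decide([BLOCK_MAIL, ACCEPT_ALL], SMTP))  # REJECT
    print("ACCEPT first:", decide([ACCEPT_ALL, BLOCK_MAIL], SMTP))  # ACCEPT
```

Swapping the two lines flips the verdict for outbound SMTP from the listed hosts, while HTTPS, UDP traffic and hosts not named in either line are unaffected by the order; that is the whole reason both replies say "precede" and "BEFORE".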
Tom Eastep wrote:
>
>> So, what's the difference between defining routing on Linux ("route add
>> -net....") and using /etc/shorewall/route_rules? Is there any advantage
>> to use the one or other?
>
> They do totally different things. "route add" (which is deprecated in favor
> of "ip route add") adds an entry to a routing table. Entries in
> /etc/shorewall/route_rules add routing rules -- the two are different
> things. Routing rules determine which routing table(s) is (are) used to route
> a packet. Routing table entries determine the actual routing.
>

Tom,

thank you for clarifying this. I'm sorry, I grew up with HP-UX and the use of the command "ip" instead of "ifconfig" and "route" is still somewhat odd to me.

So, let me recapitulate this. On startup, Shorewall copies the appropriate entries from the main routing table to new routing tables, one for each provider, and inserts a default route into every one of them, pointing to each provider's gateway. These routing tables can be listed with the command "ip route list table X", where X is the number of the provider in /etc/shorewall/providers.

Entries in /etc/shorewall/route_rules determine to which provider packets are routed (in case packets aren't already marked due to connection tracking), using that provider's routing table. The resulting ruleset can be listed with the command "ip rule ls".

I hope I got it right now.

Regards,
Christian
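Tom's distinction (rules choose a table, table entries do the routing) and Christian's recap of what Shorewall builds per provider can be made concrete with a small model of the kernel's policy-routing lookup. The block below is an added example for this thread, not Shorewall's code or the kernel's: the interface names, addresses, provider table names and rule priorities are constructed assumptions, and the fwmark rules stand in for the connection-tracking marks Christian mentions. It goes slightly beyond the thread by also showing why Shorewall copies the main table's routes into each provider table: a route_rules entry sends LAN-to-LAN traffic of the dedicated subnet to the ISP3 table too, and only the copied LAN route keeps it off the ISP3 default route.

```python
"""Toy model of the Linux policy-routing lookup that Shorewall multi-ISP drives.

Added example for this thread, not code from Shorewall or the kernel. Provider
names, interface names, gateways and rule priorities below are constructed
sample data, not taken from any real configuration.
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    """One routing-table entry: destination prefix -> next hop(s)."""
    prefix: IPv4Net
    nexthops: tuple        # one (dev, gateway) pair, or several for multipath


@dataclass(frozen=True)
class Rule:
    """One 'ip rule' entry: selector -> which table to consult."""
    priority: int
    table: str
    src: IPv4Net = None
    dst: IPv4Net = None
    fwmark: int = None


def net(s):
    return ipaddress.ip_network(s, strict=False)


def lookup(table, dst):
    """Longest-prefix match inside ONE table; None means 'no route here'."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def provider_table(main, dev, gateway):
    """What the recap describes per provider: copy the main table's
    non-default routes, then add that provider's own default route."""
    copied = [r for r in main if r.prefix.prefixlen > 0]
    return copied + [Route(net("0.0.0.0/0"), ((dev, gateway),))]


def route(rules, tables, dst, src, fwmark=0):
    """Walk rules by ascending priority; the first table holding a matching
    route decides. A rule whose table has no route simply falls through."""
    dst, src = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.fwmark is not None and fwmark != rule.fwmark:
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit.nexthops
    return None


# Constructed topology: eth0 = LAN, eth1/eth2 = balanced ISPs, eth3 = dedicated ISP.
LAN = net("10.0.0.0/23")
main = [
    Route(LAN, (("eth0", None),)),
    Route(net("192.0.2.0/24"), (("eth1", None),)),
    Route(net("198.51.100.0/24"), (("eth2", None),)),
    Route(net("203.0.113.0/24"), (("eth3", None),)),
    # 'balance' on ISP1 and ISP2 only: the main table's default is multipath.
    Route(net("0.0.0.0/0"), (("eth1", "192.0.2.1"), ("eth2", "198.51.100.1"))),
]
tables = {
    "main": main,
    "isp1": provider_table(main, "eth1", "192.0.2.1"),
    "isp2": provider_table(main, "eth2", "198.51.100.1"),
    "isp3": provider_table(main, "eth3", "203.0.113.1"),
}
# Priorities are assumed for illustration; Shorewall picks its own values.
rules = [
    Rule(1000, "isp1", fwmark=1),     # connection already bound to ISP1
    Rule(1000, "isp2", fwmark=2),
    Rule(1000, "isp3", fwmark=3),
    Rule(20000, "isp3", src=net("10.0.0.0/24")),  # route_rules: this subnet uses ISP3
    Rule(32766, "main"),
]

if __name__ == "__main__":
    print(route(rules, tables, "8.8.8.8", "10.0.0.5"))        # dedicated subnet -> ISP3
    print(route(rules, tables, "8.8.8.8", "10.0.1.5"))        # rest of LAN -> balanced
    print(route(rules, tables, "10.0.1.7", "10.0.0.5"))       # LAN-to-LAN stays on eth0
    print(route(rules, tables, "8.8.8.8", "10.0.1.5", fwmark=2))  # marked flow -> ISP2
```

The third call is the one worth studying: the route_rules entry does send the 10.0.0.0/24 packet to the ISP3 table, but because that table carries a copy of the LAN route, the lookup still picks eth0. Without the copy, the only match would be the ISP3 default route and local traffic would leave via the provider. On a real box the equivalents are `ip rule ls` for the rule list and `ip route list table <N>` for each provider table.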