Shorewall 4.4 is running on a gateway machine with 2 providers, and also running squid and pppd. I have two related problems. One is that I've never been able to get "balance,track" working for both interfaces, thus can't use "routefilter" for both. 2nd problem is web access from the shorewall machine itself.

Two external interfaces are eth0 T1 and ppp0. PPP0 is a DSL modem in bridging mode. It needs "TCPMSS clamp to PMTU". I wasn't able to get it working with the "balance" option on both interfaces. So we have providers:"balance" only on the dsl and interfaces:"routefilter" only on eth0. Apparently this causes PPP0 to be the default route, which seems to also cause all packets to get their MSS set.

If I add balance and routefilter where they're missing, I get lots of these:

Sep 29 11:02:45 charcoal kernel: [319681.436182] martian source 206.80.216.107 from 69.63.184.142, on dev ppp0

masq looks like:
lo	0.0.0.0/0	127.0.0.1	tcp	3128
ppp0	0.0.0.0/0
eth0	0.0.0.0/0	detect

2nd problem is squid. I *was* able to get locally-generated HTTP requests working, but only using a kludge:

rules:
ACCEPT		loc:lo	all
REDIRECT	fw	3128	tcp	www	-	!192.168.1.254	-	!proxy

interfaces:
loc	lo	detect	routefilter,logmartians,tcpflags,nosmurfs

As far as I know, lo shouldn't need to be listed in any file.

If I don't add interfaces:"lo", then I can't add it to "masq", and packets redirected to 3128 have the (dynamic) source address of the ppp0 interface (due to default route?). That's of course not found in squid.conf, so it rejects the request.

Does anyone have any suggestions for either problem?

Justin

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf
Justin T Pryzby wrote:
> Shorewall 4.4 is running on a gateway machine with 2 providers, and
> also running squid and pppd. I have two related problems. One is
> that I've never been able to get "balance,track" working for both
> interfaces, thus can't use "routefilter" for both. 2nd problem is web
> access from the shorewall machine itself.
>
> Two external interfaces are eth0 T1 and ppp0. PPP0 is a DSL modem in
> bridging mode. It needs "TCPMSS clamp to PMTU". I wasn't able to get
> it working with the "balance" option on both interfaces. So we have
> providers:"balance" only on the dsl and interfaces:"routefilter" only
> on eth0. Apparently this causes PPP0 to be the default route, which
> seems to also cause all packets to get their MSS set.

That is all very unclear.

> If I add balance and routefilter where they're missing, I get lots of
> these:
>
> Sep 29 11:02:45 charcoal kernel: [319681.436182] martian source 206.80.216.107 from 69.63.184.142, on dev ppp0

Then you are doing something wrong.

> masq looks like:
> lo 0.0.0.0/0 127.0.0.1 tcp 3128

What in the world is that for?

> ppp0 0.0.0.0/0
> eth0 0.0.0.0/0 detect
>
> 2nd problem is squid. I *was* able to get locally-generated HTTP
> requests working, but only using a kludge:
>
> rules:
> ACCEPT loc:lo all
> REDIRECT fw 3128 tcp www - !192.168.1.254 - !proxy
>
> interfaces:
> loc lo detect routefilter,logmartians,tcpflags,nosmurfs
>
> As far as I know, lo shouldn't need to be listed in any file.
>
> If I don't add interfaces:"lo", then I can't add it to "masq", and
> packets redirected to 3128 have the (dynamic) source address of the
> ppp0 interface (due to default route?). That's of course not found in
> squid.conf, so it rejects the request.
>
> Does anyone have any suggestions for either problem?

No -- but if you configure Shorewall the way that you think should work (without all of the workarounds) then submit the output of "shorewall dump" collected as described at http://www.shorewall.net/support.htm#Guidelines, we will try to help.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Wed, Sep 30, 2009 at 11:29:23AM -0700, Tom Eastep wrote:
> Justin T Pryzby wrote:
> > Shorewall 4.4 is running on a gateway machine with 2 providers, and
> > also running squid and pppd. I have two related problems. One is
> > that I've never been able to get "balance,track" working for both
> > interfaces, thus can't use "routefilter" for both. 2nd problem is web
> > access from the shorewall machine itself.
>
> > masq looks like:
> > lo 0.0.0.0/0 127.0.0.1 tcp 3128
>
> What in the world is that for?

That's the only way I've been able to get local HTTP access working. Without it, squid denies requests with PPP0 source address which is not included in the ACL allow list (since it's dynamic).

I made changes to put our configuration the way it's supposed to work. The shorewall dump is attached. I got the following:

Sep 30 12:08:39 charcoal kernel: [410035.138906] martian source 206.80.216.107 from 209.46.18.85, on dev ppp0
Sep 30 12:08:46 charcoal kernel: [410042.416678] martian source 206.80.216.107 from 64.4.32.7, on dev ppp0
Sep 30 12:08:52 charcoal kernel: [410048.016960] martian source 206.80.216.107 from 74.205.114.154, on dev ppp0
Sep 30 12:08:52 charcoal kernel: [410048.567794] martian source 206.80.216.107 from 63.245.221.10, on dev ppp0
Sep 30 12:08:55 charcoal kernel: [410050.617160] martian source 206.80.216.107 from 209.167.231.15, on dev ppp0
Sep 30 12:08:58 charcoal kernel: [410054.307034] martian source 206.80.216.107 from 174.129.210.177, on dev ppp0

The differences between the intended configuration and the kludgy configuration are:

--- interfaces	2009-09-30 12:10:08.000000000 -0700
+++ ../cur/interfaces	2009-09-30 12:27:32.000000000 -0700
@@ -2 +2 @@
-net eth0 detect routefilter,logmartians,tcpflags,nosmurfs,norfc1918,blacklist
+net eth0 detect logmartians,tcpflags,nosmurfs,norfc1918,blacklist # routefilter,
--- masq	2009-09-30 12:30:09.000000000 -0700
+++ ../cur/masq	2009-09-30 12:27:32.000000000 -0700
@@ -3,0 +4 @@
+lo 0.0.0.0/0 127.0.0.1 tcp 3128
--- providers	2009-09-30 12:10:17.000000000 -0700
+++ ../cur/providers	2009-09-30 12:27:32.000000000 -0700
@@ -9,2 +9,2 @@
-dsl 2 0x200 - ppp0 - track,balance -
-t1 1 0x100 - eth0 206.80.216.105 track,balance -
+dsl 2 0x200 main ppp0 - track,balance eth1
+t1 1 0x100 main eth0 206.80.216.105 track eth1
--- route_rules	2009-09-30 12:30:36.000000000 -0700
+++ ../cur/route_rules	2009-09-30 12:27:32.000000000 -0700
@@ -7,0 +8 @@
+- 10.1.0.0/24 main 1000
--- shorewall.conf	2009-09-30 12:14:41.000000000 -0700
+++ ../cur/shorewall.conf	2009-09-30 12:27:32.000000000 -0700
@@ -184 +184 @@
-USE_DEFAULT_RT=Yes
+USE_DEFAULT_RT=No

Justin
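Review bot: the diff direction is the reverse of how the message reads; `---` is the intended configuration and `+++ ../cur/...` is the running kludge, so in the interfaces hunk `-net eth0 detect routefilter,...` is the intended line and the `+` line with the trailing `# routefilter,` comment is the workaround. The hunk shows only the eth0 entry, yet every logged martian is on ppp0, so the ppp0 entry, whose routefilter and logmartians state decides whether those packets are filtered, belongs in the diff or quoted next to it for the comparison to mean anything.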
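Review bot: `+lo 0.0.0.0/0 127.0.0.1 tcp 3128` in the masq hunk exists only on the kludge side and SNATs the traffic that was REDIRECTed to port 3128 on lo to 127.0.0.1, so Squid sees a loopback source instead of the dynamic ppp0 address. That is a netfilter workaround for a Squid ACL decision, and it is also what forces lo to be listed in interfaces; the message should say so explicitly, because the intended configuration drops this line without saying what replaces it on the Squid side.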
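Review bot: the providers hunk changes three columns at once (DUPLICATE `-` to `main`, COPY `-` to `eth1`, and `balance` removed from t1) and is coupled to the USE_DEFAULT_RT flip in the last hunk, so the diff cannot show which of these makes the martians go away; changing one at a time and re-reading the log would isolate it. Note also that with `balance` on dsl only, ppp0 is the sole balanced default route, which is exactly the "PPP0 becomes the default route" observation from the first message; only the `-` side (balance on both) actually balances.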
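Review bot: `+- 10.1.0.0/24 main 1000` in the route_rules hunk exists only on the kludge side, which runs with USE_DEFAULT_RT=No. With USE_DEFAULT_RT=Yes Shorewall consults the main table before the provider tables, so the rule would be redundant on the intended side; a one-line comment to that effect would confirm that both configurations route 10.1.0.0/24 the same way and that the rule is not part of the difference being debugged.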
Justin T Pryzby wrote:
> On Wed, Sep 30, 2009 at 11:29:23AM -0700, Tom Eastep wrote:
>> Justin T Pryzby wrote:
>>> Shorewall 4.4 is running on a gateway machine with 2 providers, and
>>> also running squid and pppd. I have two related problems. One is
>>> that I've never been able to get "balance,track" working for both
>>> interfaces, thus can't use "routefilter" for both. 2nd problem is web
>>> access from the shorewall machine itself.
>
>>> masq looks like:
>>> lo 0.0.0.0/0 127.0.0.1 tcp 3128
>> What in the world is that for?
> That's the only way I've been able to get local HTTP access working.
> Without it, squid denies requests with PPP0 source address which is
> not included in the ACL allow list (since it's dynamic).

So it isn't that you can't make local web access work -- you rather can't make it work with Squid because of your use of ACLs. Why are you using Squid for web access from the firewall itself? Surely, the only web access that occurs from the firewall is for package updates which likely won't benefit from the local caching Squid provides.

> I made changes to put our configuration the way it's supposed to work.
> The shorewall dump is attached. I got the following:
>
> Sep 30 12:08:39 charcoal kernel: [410035.138906] martian source 206.80.216.107 from 209.46.18.85, on dev ppp0
> Sep 30 12:08:46 charcoal kernel: [410042.416678] martian source 206.80.216.107 from 64.4.32.7, on dev ppp0
> Sep 30 12:08:52 charcoal kernel: [410048.016960] martian source 206.80.216.107 from 74.205.114.154, on dev ppp0
> Sep 30 12:08:52 charcoal kernel: [410048.567794] martian source 206.80.216.107 from 63.245.221.10, on dev ppp0
> Sep 30 12:08:55 charcoal kernel: [410050.617160] martian source 206.80.216.107 from 209.167.231.15, on dev ppp0
> Sep 30 12:08:58 charcoal kernel: [410054.307034] martian source 206.80.216.107 from 174.129.210.177, on dev ppp0

Route filtering seems to be broken with this configuration -- the default route that Shorewall is creating is correct.

default
	nexthop dev ppp0 weight 1
	nexthop via 206.80.216.105 dev eth0 weight 1

I suggest that you leave 'balance' on that provider but turn off route filtering on ppp0 (in /etc/shorewall/interfaces, include "routefilter=0").

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
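The martian lines in this thread come from the kernel's reverse-path check, and on a gateway with two uplinks they can mean either asymmetric routing (the case here) or real source spoofing, which is what the check exists to catch; turning routefilter off on an interface, as suggested above, is only safe once you know which of the two you are looking at. The triage script below is an added example written for this page, not Shorewall code and not anything Justin or Tom posted. It parses kernel "martian source" lines, explains each one by whether the source is a bogon and whether the destination is one of the gateway's own addresses on the ingress interface or on another interface, and then lists the interfaces whose martians are all explained by routing, which are the candidates for routefilter=0. The six ppp0 lines are the ones from the thread; the eth0 line and the "ll header" line are constructed, and the address inventory (206.80.216.107 treated as a second address on eth0, a TEST-NET placeholder 203.0.113.7 for the dynamic ppp0 address) is an assumption, since the thread never says where 206.80.216.107 lives.

```python
"""Triage kernel "martian source" messages from a multi-provider gateway.

Added example, not Shorewall code. Strict reverse-path filtering
(rp_filter=1, Shorewall's "routefilter") discards, and with log_martians
logs, a packet whose source would not be routed back out of the interface
it arrived on. On a gateway with two uplinks that fires on legitimate
replies as well as on spoofed packets, so the two cases are separated here.
"""
import ipaddress
import re
from collections import Counter

# Kernel format: "martian source <dst> from <src>, on dev <ifname>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), on dev (?P<dev>\S+)"
)

# Source ranges that have no business arriving from an upstream provider.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# ASSUMED address inventory. The thread gives 206.80.216.105 as the T1
# gateway address and never says where 206.80.216.107 lives; it is treated
# here as a second address on eth0. ppp0's address is dynamic, so a
# TEST-NET placeholder stands in for it.
LOCAL_ADDRS = {
    "eth0": {"206.80.216.105", "206.80.216.107"},
    "ppp0": {"203.0.113.7"},
}

# The six ppp0 lines are the ones posted in the thread; the eth0 line and
# the "ll header" line are constructed to exercise the other branches.
SAMPLE_LOG = """\
Sep 30 12:08:39 charcoal kernel: [410035.138906] martian source 206.80.216.107 from 209.46.18.85, on dev ppp0
Sep 30 12:08:46 charcoal kernel: [410042.416678] martian source 206.80.216.107 from 64.4.32.7, on dev ppp0
Sep 30 12:08:52 charcoal kernel: [410048.016960] martian source 206.80.216.107 from 74.205.114.154, on dev ppp0
Sep 30 12:08:52 charcoal kernel: [410048.567794] martian source 206.80.216.107 from 63.245.221.10, on dev ppp0
Sep 30 12:08:55 charcoal kernel: [410050.617160] martian source 206.80.216.107 from 209.167.231.15, on dev ppp0
Sep 30 12:08:58 charcoal kernel: [410054.307034] martian source 206.80.216.107 from 174.129.210.177, on dev ppp0
Sep 30 12:09:03 charcoal kernel: [410059.000000] martian source 206.80.216.105 from 10.3.3.3, on dev eth0
Sep 30 12:09:03 charcoal kernel: [410059.100000] ll header: 00:11:22:33:44:55
"""


def parse_martian(line):
    """Return {"dst", "src", "dev"} for a martian line, None for any other line."""
    m = MARTIAN_RE.search(line)
    return m.groupdict() if m else None


def classify(entry, local_addrs=LOCAL_ADDRS):
    """Explain one martian.

    bogon-source     : source is in a range that must never come from upstream;
                       this is the case rp_filter exists for.
    asymmetric-route : destination is our own address on a *different*
                       interface; a reply to traffic sent out one provider came
                       back in through the other (this thread).
    route-mismatch   : destination is our address on the ingress interface, but
                       the reverse route to the source leaves elsewhere (for
                       example, the default route sits on the other provider).
    not-local-dst    : destination is not ours at all: forwarded traffic or spoof.
    """
    src = ipaddress.ip_address(entry["src"])
    if any(src in net for net in BOGON_NETS):
        return "bogon-source"
    owner = next((dev for dev, addrs in local_addrs.items()
                  if entry["dst"] in addrs), None)
    if owner is None:
        return "not-local-dst"
    return "asymmetric-route" if owner != entry["dev"] else "route-mismatch"


def triage(log_text, local_addrs=LOCAL_ADDRS):
    """Count martians per (ingress interface, explanation)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_martian(line)
        if entry:
            counts[(entry["dev"], classify(entry, local_addrs))] += 1
    return counts


def routing_only_devices(counts):
    """Interfaces whose martians are all explained by routing.

    These are where routefilter=0 on that interface gives nothing away; an
    interface that also logged bogon or non-local destinations is kept out of
    the set on purpose, because there the filter is doing its real job.
    """
    by_dev = {}
    for dev, cls in counts:
        by_dev.setdefault(dev, set()).add(cls)
    return {dev for dev, classes in by_dev.items()
            if classes <= {"asymmetric-route", "route-mismatch"}}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (dev, cls), n in sorted(result.items()):
        print(f"{dev:5} {cls:17} {n}")
    print("routefilter=0 candidates:", sorted(routing_only_devices(result)))
```

Run against the sample it reports six asymmetric-route martians on ppp0 and one bogon on eth0, and names only ppp0 as a candidate for relaxing the filter; feed it the real syslog and the real `ip addr` inventory and the eth0 bogon case is the one that should keep you from turning routefilter off everywhere just to make the log quiet.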