Hi, I'm running a shorewall box with balancing over three ISPs and have two data transfers to customers via ftps. All went fine, but suddenly the ftp jobs didn't work any more. I discovered that sometimes the ftps control session left the firewall on ISP 1 and the data session on ISP 2. So the ftps server didn't accept the data session, because it originated from another IP than the control session (all traffic is masqueraded with the corresponding external addresses of the firewall). Unfortunately the initial port and the data port ranges aren't the same. I have the following rules:

ACCEPT dmz9 <customer1> tcp 22
ACCEPT dmz9 <customer1> tcp 5000:10000
ACCEPT dmz12 <customer2> tcp 990
ACCEPT dmz12 <customer2> tcp 45000:49999

Is there a "shorewall way" to solve this problem? In the meantime I pin the route to the ftps servers to one ISP on the network level (ip route add -host.....). But perhaps there is a better solution for this. In case the used ISP is down, I would have to manually switch the routes now.

Thank you for any hint,
Christian
Robert K Coffman Jr. -Info From Data Corp.
2009-Oct-20 13:50 UTC
Re: MultiISP balancing and ftps
> Is there a "shorewall way" to solve this problem?

I would start with http://www.shorewall.net/MultiISP.html. Sounds like the "track" option may solve this.

- Bob Coffman
On 10/20/2009 06:50 AM, Robert K Coffman Jr. -Info From Data Corp. wrote:
>> Is there a "shorewall way" to solve this problem?
>
> I would start with http://www.shorewall.net/MultiISP.html.
>
> Sounds like the "track" option may solve this.

I agree that this is another case where 'track' should help.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom wrote:
>>> Is there a "shorewall way" to solve this problem?
>>
>> I would start with http://www.shorewall.net/MultiISP.html.
>> Sounds like the "track" option may solve this.
>
> I agree that this is another case where 'track' should help.

I'm sorry, but I found no hint in the MultiISP documentation for solving my problem. All providers are configured with options "track,balance" and get a different MARK value. As I understood, the standard connection tracking is based on incoming traffic (perhaps better to say: externally initiated traffic). But with ftps I have two connections initiated by myself. Of course, I could insert a rule in tcrules pointing all traffic to one provider, but the result would be the same as my route pinning now: if the chosen provider is down, I have to manually change the routing rule.

So, the question is: when the first connection is established, how can I mark all further connections (from the origin of the connection or to the destination of the connection) to use the same provider, as long as the first connection stays established?

Regards,
Christian
Christian Vieser wrote:
> Tom wrote:
> >>> Is there a "shorewall way" to solve this problem?
> >>
> >> I would start with http://www.shorewall.net/MultiISP.html.
> >> Sounds like the "track" option may solve this.
> >
> > I agree that this is another case where 'track' should help.
>
> I'm sorry, but I found no hint in the MultiISP documentation for solving my
> problem. All providers are configured with options "track,balance" and get
> a different MARK value. As I understood, the standard connection tracking
> is based on incoming traffic (perhaps better to say: external initiated
> traffic).
> But with ftps I have two connections initiated by myself. Of course, I could
> insert a rule in tcrules pointing all traffic to one provider, but the result
> would be the same as my route pinning now: If the chosen provider is down,
> I have to manually change the routing rule.
>
> So, the question is: When the first connection is established, how can I
> mark all further connections (from the origin of the connection or to the
> destination of the connection) to use the same provider, as long as the
> first connection stays established?

Try using the 'SAME' MARK/CLASSIFY target in a tcrule that specifies the ftps client's address in the SOURCE column.

Note that this is yet one more reason to prefer sftp over ftps. Netfilter can't relate ftps control and data connections, so it can't transfer the control connection's mark to related data connections as it does with unencrypted ftp.

-Tom
Tom Eastep wrote:
> Christian Vieser wrote:
>> So, the question is: When the first connection is established, how can I
>> mark all further connections (from the origin of the connection or to the
>> destination of the connection) to use the same provider, as long as the
>> first connection stays established?
>
> Try using the 'SAME' MARK/CLASSIFY target in a tcrule that specifies the
> ftps client's address in the SOURCE column.

Note that SAME works slightly differently than what you asked -- so long as a connection matching the rule has sent a packet within the last five minutes, all other packets that match the rule will get the same mark.

-Tom
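As an added illustration (editor's example, not part of the thread and not the rules Christian later says he inserted): an /etc/shorewall/tcrules fragment of the kind Tom describes, built from the ports in the first post. The client addresses 10.9.0.5 (dmz9) and 10.12.0.5 (dmz12) are assumed for the example; <customer1> and <customer2> are the placeholders the original post uses for the customers' ftps servers.

```text
#MARK/CLASSIFY  SOURCE       DEST          PROTO  PORT(S)
# customer1: control on tcp/22, data on tcp/5000-10000 (ports from the first post).
# 10.9.0.5 is an assumed client address in dmz9; <customer1> is the post's placeholder.
SAME            10.9.0.5     <customer1>   tcp    22,5000:10000
# customer2: implicit ftps control on tcp/990, data on tcp/45000-49999.
# 10.12.0.5 is an assumed client address in dmz12; <customer2> is the post's placeholder.
SAME            10.12.0.5    <customer2>   tcp    990,45000:49999
```

Each line covers both the control port and the data range in one rule, so the data connections match the same rule as the control connection and inherit whichever provider mark the control connection was given; because the data connections match the rule too, every packet of the transfer refreshes the five-minute window Tom mentions, so a long transfer does not fall out of it. The mark has to be applied before the routing decision, i.e. in PREROUTING, which is where tcrules entries go unless MARK_IN_FORWARD_CHAIN is set to Yes in shorewall.conf. After `shorewall restart`, `shorewall show mangle` lists the generated rules so you can confirm the SAME entries are in place, and if the chosen provider goes down the balancing fails over as the MultiISP document describes, instead of needing the pinned route to be changed by hand.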
Tom Eastep wrote:
> Try using the 'SAME' MARK/CLASSIFY target in a tcrule that specifies the
> ftps client's address in the SOURCE column.

Hi Tom, thank you very much for pointing me in the right direction. Although I have been running firewalls for a while now, I have no experience with the abilities of tcrules. I have now inserted appropriate rules and will see if it works as expected.

> Note that this is yet one more reason to prefer sftp over ftps.

Yes, I know. But we have only little influence on the preferences of our customers...

Regards,
Christian