Shorewall users - Jan 2010 - Shorewall 4.4.6 and Multiple ISP with 2 routed subnets

Hello,

 

I have 2 ISP uplinks (zones: inet1 and inet2), each with a fixed IP on the
outside and a routed subnet (/25 and /26) on the inside. So, behind the firewall
i have 2 networksegments (lan1 and lan2) with public IP-addresses. The segments
are completely isolated from eachother: hosts in zone "lan1" connect
only to "inet1" and hosts in zone "lan2" only connect to
"inet2".

 

Because the segements don''t have to switch ISP, loadbalancing is not
used.

 

Now I have the folowing files:

 

interfaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
inet1      eth0               detect              tcpflags,routeback

lan1       eth1               detect              tcpflags,routeback
inet2      eth2               detect              tcpflags,routeback

lan2       eth3               detect              tcpflags,routeback

 

 

masq:

# INTERFACE     SUBNET          ADDRESS
eth0            $ETH0_IP        217.100.100.10
eth2            $ETH2_IP        217.132.100.100


eth0    eth1
eth2    eth3


 

params:

ETH0_IP=$(find_first_interface_address eth2)
ETH2_IP=$(find_first_interface_address eth0)


 

providers:

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY          
OPTIONS         COPY
ISP1      1           1          main               eth0               
217.100.100.254  track,balance   eth1
ISP2      2           2          main               eth2               
213.132.100.254  track,balance   eth3


 

route_rules:

#SOURCE             DEST                  PROVIDER     PRIORITY

eth0                    -                       ISP1            1000
eth2                    -                       ISP2            1000


 

tcfilters:

#INTERFACE:     SOURCE          DEST            PROTO   DEST    SOURCE   TOS    
LENGTH
#CLASS                                                  PORT(S) PORT(S)
1:P            eth1            0.0.0.0/0       all
2:P            eth3            0.0.0.0/0       all



tcrules:

#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST   
LENGTH  TOS   CONNBYTES

1:P       eth1               0.0.0.0/0       all
2:P       eth3               0.0.0.0/0       all


 

zones:

#ZONE   TYPE            OPTIONS

fw         firewall
inet1      ipv4
lan1       ipv4
inet2      ipv4
lan2       ipv4


I know how to use the files ''policy'' and
''rules'', so i haven''t published these above.

 

When I start shorewall I get the folowing error:

"ERROR: Undefined INTERFACE number (1) : /etc/shorewall/tcfilters"

 

What goes wrong?

 

Thanks!

 
 		 	   		  
_________________________________________________________________
Een netbook met Windows 7? Hier vind je alles dat je moet weten.
www.windows.nl/netbook

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

Graphical overview attached
 
 		 	   		  
_________________________________________________________________
Het laatste nieuws, shownieuws en voetbalnieuws op MSN.nl
http://nl.msn.com/


------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

I don''t know if it has anything to do with your error but the below 
looks wrong.

- Bob Coffman

On 1/21/2010 4:28 AM, M@rk Lombaard wrote:
> params:
> ETH0_IP=$(find_first_interface_address eth2)
> ETH2_IP=$(find_first_interface_address eth0)
------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

What should it be then?

 

I can clear the ''params'' file, but what should I put in
''masq'' instead of the variables?

 
 		 	   		  
_________________________________________________________________
Download gratis emoticons voor Messenger
http://www.rulive.nl/aspx/emoticons.aspx

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

M@rk Lombaard wrote:
> tcfilters:
> #INTERFACE:     SOURCE          DEST            PROTO   DEST    SOURCE  
> TOS            LENGTH
> #CLASS                                                  PORT(S) PORT(S)
> 1:P            eth1            0.0.0.0/0       all
> 2:P            eth3            0.0.0.0/0       all
You have put what appear to be tcrules entries in the tcfilters file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

On Thu, 2010-01-21 at 10:40 +0100, M@rk Lombaard wrote:
> Graphical overview attached
And what, pray tell, are we supposed to do with that?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev

On Sat, 2010-01-23 at 19:29 -0800, Tom Eastep wrote:
> On Thu, 2010-01-21 at 10:40 +0100, M@rk Lombaard wrote:
> > Graphical overview attached
> 
> And what, pray tell, are we supposed to do with that?
Please disregard -- I just realized that Mark''s post was sent two days
ago and just arrived tonight.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world''s best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security''s most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev