I have been using shorewall for a number of years, but I haven't really tried to use packet marking or multiple ISPs before.

I have a project to build a firewall system with 2 ISP links. The target is to set up shorewall with 2 ISP links, with VRRP for failover to another shorewall box. However, I want to get the basics working first (i.e. with 1 shorewall firewall).

Having followed the multiple ISP doc, I believe there's something missing when putting the pieces together. Here's my network lab using VMware:

I got 3 Vyatta routers to simulate the internet:

    R1 --- R2 --- R3

R1 pretends to be the isp1 router, R3 pretends to be the isp2 router, and R2 is a router for testing the traffic (i.e. ping, etc). All Vyatta routers can see each other and no firewall is enabled.

    R1: 203.202.13.1/24 (link to shore eth1), 203.202.140.1/24 (link to R2)
    R2: 203.202.140.2/24 (link to R1), 203.18.34.2/24 (link to R3)
    R3: 203.18.34.3/24 (link to R2), 203.18.30.3/24 (link to shore eth0)

I built a shorewall system with eth0 linked to R3 and eth1 linked to R1 for WAN. I have dmz (eth2) and loc (eth3). So far I can make only loc traffic work.

The default gateway of shorewall points to R3 (via eth0); this is in /etc/sysconfig/network.

My shorewall settings:

:shorewall.conf: change: enable=yes

:zones:
    fw   firewall
    net  ipv4
    loc  ipv4
    dmz  ipv4

:interfaces:
    net  eth0  detect  tcpflags,nosmurfs,routefilter,logmartians
    net  eth1  detect  tcpflags,nosmurfs,routefilter,logmartians
    dmz  eth2  detect  tcpflags,nosmurfs,routefilter,logmartians
    loc  eth3  detect  tcpflags,nosmurfs,routefilter,logmartians

:tcrules:
    1:P  192.168.77.224/27  0.0.0.0/0  icmp  echo-reply
    1    $FW                0.0.0.0/0  icmp  echo-reply

:policies:
    fw   all  ACCEPT
    loc  net  ACCEPT
    loc  dmz  ACCEPT
    loc  fw   ACCEPT
    loc  all  REJECT  info
    dmz  net  ACCEPT
    dmz  loc  REJECT  info
    dmz  fw   REJECT  info
    dmz  all  REJECT  info
    net  net  REJECT  info
    net  all  REJECT  info
    all  all  REJECT  info

:masq:
    eth0  0.0.0.0/0  203.18.30.251
    eth1  0.0.0.0/0  203.202.13.251

:providers:
    I2N  1  1  main  eth0  203.18.30.3   track,balance  eth3
    AC3  2  2  main  eth1  203.202.13.1  track,balance  eth3

With the above settings, I can ping R2 from a loc host and have no problem redirecting the traffic with mark 1 or 2 to control the ping traffic using I2N or AC3 (verified with tcpdump).

The problem: I tried to create another tcrules entry to allow dmz ping using AC3. So I added this in tcrules:

    1:P  10.10.10.0/24  0.0.0.0/0  icmp  echo-reply
    1    $FW            0.0.0.0/0  icmp  echo-reply

Still, I can't ping anything from dmz to the net. Using tcpdump, I can see the packets from dmz ARE GOING to I2N (mark 1), but they're not masqueraded (the source address is still 10.10.10.20, the dmz host). I've tried many things and I still can't get it masqueraded.

Anyone knows how to fix this? Thank you.

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
On 9/15/10 5:47 PM, Lito Kusnadi wrote:
> I build a shorewall system with eth0 links to R3, eth1 links to R1
> for WAN. I have dmz (eth2) and loc (eth3). So far I can make only
> loc traffic works.

One thing that jumps out immediately is that you have not included eth2 in the COPY column in /etc/shorewall/providers. So it is not surprising that you can't get the DMZ to work.

> The default gateway of shorewall points to R3 (via eth0); this is in
> /etc/sysconfig/network.

Totally immaterial.

> My shorewall settings:

It is difficult to impossible to understand what is going on from the config files; see http://www.shorewall.net/support.htm#Guidelines.

To make things worse, your mailer doesn't break long lines so each paragraph is a single line. Trying to reply and keep the quoting correct is a tedious task.

> :tcrules:
> 1:P 192.168.77.224/27 0.0.0.0/0 icmp echo-reply
> 1 $FW 0.0.0.0/0 icmp echo-reply

Both of those are meaningless. You don't want to route the replies through a provider other than the one that the echo-request came in on.

> With above setting, I can ping R2 from loc host and have no problem
> redirecting the traffic with marking 1 or 2 to control the ping
> traffic using I2N or AC3 (verified with tcpdump)

See above.

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Hi Tom,

Thank you for your reply. Sorry for the text wrapping, as I'm using web mail. I have attached the gz format of the shorewall dump.

To clarify the objective: I want to redirect traffic from dmz (eth2) to use the AC3 (eth1) link and redirect traffic from loc (eth3) to use the I2N (eth0) link.

I've changed the providers file as follows (tried with "track" only and "track,balance"):

    I2N  1  1  main  eth0  203.18.30.3   track,balance  eth3
    AC3  2  2  main  eth1  203.202.13.1  track,balance  eth2

Now the interesting problem:

a. From a host in the loc zone, I can ping dmz and the net (with limitations). According to the providers file, all eth3 traffic must use eth0; but this is not the case when I am trying to ping 203.18.34.2 (R2). But if I ping the other side of R2 (203.202.140.2), it is working! Using tcpdump, I can see why 203.18.34.2 doesn't work:
   - because the source address isn't NATted when leaving the WAN interface
   - because it is using eth1 (which goes against what the providers file states: the traffic must go through eth0)

b. From a host in the dmz zone, I can't ping anything. Again, tcpdump shows the traffic is using the incorrect WAN link (different from the providers file) and isn't NATted when leaving the WAN interface.

You mentioned the entry I put in tcrules isn't relevant. My understanding is that tcrules marks the packets, and using the marking, I should be able to tell shorewall to route the packets to the right WAN link using the mark number. If this is gone, how can I control such an event? The tcrules I attached are to test ping.

Also, for masquerading in a dual-link scenario, it is all controlled by the masq file, correct? So it is similar to a simple 2 or 3 interface setup of shorewall.

Many thanks.

--- On Thu, 16/9/10, Tom Eastep <teastep@shorewall.net> wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] help for newbie on shorewall multiple isp
> To: shorewall-users@lists.sourceforge.net
> Received: Thursday, 16 September, 2010, 2:26 AM
On 9/15/10 10:01 PM, Lito Kusnadi wrote:
> I've changed provider file as follow (tried with "track" only and
> "track,balance"):
> I2N 1 1 main eth0 203.18.30.3 track,balance eth3
> AC3 2 2 main eth1 203.202.13.1 track,balance eth2

Please put 'eth2,eth3' in both providers.

> Now the interesting problem:
>
> a. from host in loc zone, I can ping dmz and the net (with limitation).
>
> According to the provider file, all eth3 traffic must use eth0;

No -- The providers file NEVER determines where traffic is to go. What you have done is made it so ONLY eth3 traffic can use eth0. The DUPLICATE and COPY columns in the providers file only determine those routes that are copied to the provider routing tables.

You want 'track,balance' on both providers. In /etc/shorewall/route_rules:

    eth3  -  I2N  1000
    eth2  -  AC3  1000

Now, traffic arriving on eth3 will be routed to the I2N provider and traffic arriving on eth2 will be routed to the AC3 provider. If either provider is down (assuming that you have 'optional' on eth0 and eth1 in your interfaces file), then all traffic will use the remaining provider.

-Tom
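A small config check for the two mistakes Tom points out in this exchange: an internal interface steered by route_rules but missing from a provider's COPY column, and a provider without 'track,balance'. This is an added example written for this thread, not Shorewall's own tooling; the providers and route_rules contents are constructed from the ones posted above, and the column positions assume the Shorewall 4.4 providers layout (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY).

```python
"""Lint a Shorewall multi-ISP configuration for the mistakes discussed in
this thread.  Added example for this thread, not Shorewall's own tooling;
the file contents below are constructed from the ones posted above."""

# /etc/shorewall/providers columns (Shorewall 4.4 layout, assumed):
#   NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# /etc/shorewall/route_rules columns:
#   SOURCE DEST PROVIDER PRIORITY


def parse_table(text):
    """Split a Shorewall table into rows of whitespace-separated columns,
    dropping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def column(cols, index):
    """Return a column as a set of comma-separated values; '-' or a missing
    column means 'empty' in Shorewall's table syntax."""
    if len(cols) <= index or cols[index] == "-":
        return set()
    return set(cols[index].split(","))


def looks_like_interface(source):
    """route_rules SOURCE may be an interface, an address/network, or
    'interface:address'; only bare interface names matter for COPY."""
    return "/" not in source and ":" not in source and not source[0].isdigit()


def lint_multi_isp(providers_text, route_rules_text):
    """Return a list of findings (an empty list means the config is clean)."""
    findings = []
    providers = {}
    for cols in parse_table(providers_text):
        name = cols[0]
        options = column(cols, 6)
        providers[name] = {"interface": cols[4], "copy": column(cols, 7)}
        # Tom's advice in this thread: 'track,balance' on both providers.
        for opt in ("track", "balance"):
            if opt not in options:
                findings.append(f"provider {name}: missing '{opt}' option")

    # Every internal interface steered by route_rules must be copied into
    # every provider table; otherwise that table has no route back to the
    # interface, which is why the DMZ could not be reached via either link.
    steered = set()
    for cols in parse_table(route_rules_text):
        source, provider = cols[0], cols[2]
        if provider not in providers:
            findings.append(f"route_rules: unknown provider {provider}")
        elif source != "-" and looks_like_interface(source):
            steered.add(source)
    for name, prov in providers.items():
        for iface in sorted(steered - prov["copy"]):
            findings.append(f"provider {name}: COPY column lacks {iface}")
    return findings


# Constructed from the thread: the posted (broken) providers file, the
# 'track' only variant Lito tried, the corrected one, and Tom's route_rules.
BROKEN_PROVIDERS = """
I2N 1 1 main eth0 203.18.30.3  track,balance eth3
AC3 2 2 main eth1 203.202.13.1 track,balance eth2
"""
TRACK_ONLY_PROVIDERS = """
I2N 1 1 main eth0 203.18.30.3  track eth2,eth3
AC3 2 2 main eth1 203.202.13.1 track eth2,eth3
"""
FIXED_PROVIDERS = """
I2N 1 1 main eth0 203.18.30.3  track,balance eth2,eth3
AC3 2 2 main eth1 203.202.13.1 track,balance eth2,eth3
"""
ROUTE_RULES = """
eth3 - I2N 1000
eth2 - AC3 1000
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROVIDERS),
                        ("track only", TRACK_ONLY_PROVIDERS),
                        ("fixed", FIXED_PROVIDERS)):
        print(label, lint_multi_isp(text, ROUTE_RULES) or "clean")
```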
Thanks Tom, I got it working.

Question about link failover, just thinking if the requirement scope can be expanded :)

Currently, I am telling shorewall to redirect dmz and loc traffic inside route_rules. And you mentioned that if I am using optional on both WAN interfaces, if both go down I can use the third WAN link (if I have one). But if I only have 2 WAN links, does it mean the "optional" setting in the interfaces file is supposed to do the failover? Or do I still need something like what you mentioned in the docs (i.e. lsm)?

Many thanks.

--- On Thu, 16/9/10, Tom Eastep <teastep@shorewall.net> wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] help for newbie on shorewall multiple isp
> To: shorewall-users@lists.sourceforge.net
> Received: Thursday, 16 September, 2010, 2:32 PM
On 9/16/10 6:45 PM, Lito Kusnadi wrote:
> Currently, I am telling shorewall to redirect dmz and loc traffic
> inside route_rules. And you mentioned that if I am using optional in
> both wan interfaces, if both goes down I can use the third wan link
> (if I have one).

I didn't say that.

> But if I only have 2 wan links, does it mean the "optional" setting
> in interfaces file suppose to do the failover?

No.

> Or I still need something like what you mentioned in the docs (i.e.
> lsm)?

Yes.

-Tom
I tried to use lsm; it seems there's an issue with the restore when the failed link is up. Then I got this warning when trying to check shorewall:

    WARNING: Interface eth1 is not usable -- Provider AC3 (2) not Added

I am trying to revert everything back to a simple 2 ISP setting without failover, with the config I confirmed working. Currently, shorewall check keeps giving me:

    WARNING: Interface eth1 is not usable -- Provider AC3 (2) not Added

I have checked that eth1 is up and I am able to ping the gateway of eth1. There's a note about this message in the shorewall 4.4.x release, but is it a bug or does something need to be done to make eth1 usable? I've tried to stop, clear, and reset shorewall, but haven't tried to reboot the entire machine. Preferably I'd like to know what is going on without rebooting the machine.

Attached is the shorewall dump taken after applying 2 ISP without failover (lsm).

Thanks Tom.

--- On Fri, 17/9/10, Tom Eastep <teastep@shorewall.net> wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] help for newbie on shorewall multiple isp
> To: shorewall-users@lists.sourceforge.net
> Received: Friday, 17 September, 2010, 3:00 AM
On 9/16/10 7:59 PM, Lito Kusnadi wrote:
> I tried to use lsm, seems there's issue with the restore when the failed
> link is up. Then I got this warning when trying to check shorewall:
> WARNING: Interface eth1 is not usable -- Provider AC3 (2) not Added
>
> I am trying to revert everything back to a simple 2 isp setting without
> failover with the config I confirmed working.
>
> Currently, shorewall check keeps giving me:
> WARNING: Interface eth1 is not usable -- Provider AC3 (2) not Added
>
> I have checked eth1 is up and I am able to ping the gateway of eth1.
> There's a note about this message in shorewal 4.4x release, but is it a
> bug or something needs to be done to make eth1 usable?
>
> I've tried to stop, clear, and reset shorewall; but haven't tried to
> reboot the entire machine. Preferrable to know what is going on without
> rebooting the machine.
>
> attached is the shorewall dump taken after applying 2isp without
> failover (lsm).

Lito -- this is *NOT PLUG AND PLAY*. You need to understand the software before you try to use it.

The problem is probably that there is a file named /var/lib/shorewall/xxx.status that contains '1'. Delete the file and re-read all of the documentation carefully. It takes several hours to understand these products and get them configured successfully.

-Tom
On 9/16/10 8:06 PM, Tom Eastep wrote:
> The problem is probably that there is a file named
> /var/lib/shorewall/xxx.status that contains '1'. Delete the file and
> re-read all of the documentation carefully. It takes several hours to
> understand these products and get them configured successfully.

And you also need to understand what the various pieces do:

- /etc/shorewall/isusable
- /etc/shorewall/lib.private
- /etc/lsm/*

Read the scripts.

-Tom
I have read what you suggested in regards to lsm, and so far my scenario is very similar to your example. I only need to adjust the link details in lib.private.

With the lsm I got (v0.53, compiled as an rpm using CentOS), I can see lsm triggers the script (/etc/lsm/script) when a link is down. When the link recovers, lsm doesn't trigger the script. Even though the formula in the lsm readme file says it can detect the link is up when certain conditions happen, it doesn't. In the end, the only way to restore the ethx.status of the failed link (make it "0") is to fail the other link. As a result, I only have 1 link at all times after the first failure happens.

I know this is not the lsm mailing list, but I just want to find out any feedback from people who've done this.

Thank you.

--- On Fri, 17/9/10, Tom Eastep <teastep@shorewall.net> wrote:
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] help for newbie on shorewall multiple isp
> To: shorewall-users@lists.sourceforge.net
> Received: Friday, 17 September, 2010, 4:19 AM
On 9/16/10 10:22 PM, Lito Kusnadi wrote:
> The lsm I got v0.53 compiled as rpm using centos, i can see lsm triggers
> the script (/etc/lsm/script) when a link is down. When the link
> recovers, lsm doesn't trigger the script.
>
> Even the formula in lsm readme file says it can detect the link is up
> when certain conditions happens. But it doesn't. At the end, the only
> way to restore the ethx.status of the failed link (make it "0") is to
> fail the other link. As a result, I only have 1 link at all time after
> the first failure happens.

This sounds like a routing problem when the link comes back up. Look at your main routing table to see what route is required to be able to ping the link's 'checkip'. It must not be a default route since that route will not exist (or will be masked by an earlier route) when the interface comes back up.

-Tom
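The check Tom asks for above, worked through on a constructed copy of the lab's main routing table: find the longest-prefix route that carries a probe to a 'checkip' and flag the case where only the default route matches, since that route is gone (or shadowed) while the monitored link is down. This is an added example, not part of lsm or Shorewall; the gateway and firewall addresses come from the thread, the eth2/eth3 addresses are assumed, and the function works on text in the format of `ip route show` rather than talking to the kernel.

```python
"""Decide whether an lsm checkip is reached by a link-specific route.
Added example for this thread, not lsm's or Shorewall's own code; the
routing table below is constructed from the lab addresses posted above."""

import ipaddress


def parse_routes(ip_route_output):
    """Parse lines in the format of `ip route show` into
    (network, device, gateway_or_None) tuples."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dest:
            dest += "/32"          # host route
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev, via))
    return routes


def route_for(routes, address):
    """Longest-prefix match, as the kernel does for the main table."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def checkip_route_ok(ip_route_output, checkip, link_dev):
    """True when checkip is reached by a specific (non-default) route that
    leaves via link_dev.  Such a route survives the link going down and
    coming back, so lsm's probes keep leaving through the link it monitors;
    a match on the default route only means the probe follows whichever
    link currently holds the default, which is Tom's failure case."""
    best = route_for(parse_routes(ip_route_output), checkip)
    if best is None:
        return False
    net, dev, _via = best
    return net.prefixlen > 0 and dev == link_dev


# Constructed main table: both WAN links up, default via I2N (eth0).
# 203.18.30.251 / 203.202.13.251 are the masq addresses from the thread;
# the eth2/eth3 addresses are assumed.
MAIN_TABLE = """
default via 203.18.30.3 dev eth0
203.18.30.0/24 dev eth0 proto kernel scope link src 203.18.30.251
203.202.13.0/24 dev eth1 proto kernel scope link src 203.202.13.251
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.1
192.168.77.224/27 dev eth3 proto kernel scope link src 192.168.77.225
"""
# A host route pinning a far-side checkip (R2) to the AC3 link.
HOST_ROUTE = "203.202.140.2 via 203.202.13.1 dev eth1\n"

if __name__ == "__main__":
    # AC3's own gateway is covered by the eth1 connected route: fine.
    print(checkip_route_ok(MAIN_TABLE, "203.202.13.1", "eth1"))
    # R2's far side only matches the default route via eth0: not fine.
    print(checkip_route_ok(MAIN_TABLE, "203.202.140.2", "eth1"))
    # With an explicit host route via eth1 the probe is pinned: fine.
    print(checkip_route_ok(MAIN_TABLE + HOST_ROUTE, "203.202.140.2", "eth1"))
```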