I upgraded our 2 sites with 2 ISPs to Shorewall 4.5.2.4.

I'm going to try lsm.

If the ISP is static, do I still need to set it as optional in the interfaces file?

If rules are set to force traffic to a specific provider and that provider is down, will that traffic go to another provider?

John

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 05/10/2012 12:09 PM, John McMonagle wrote:
> I upgraded our 2 sites with 2 ISPs to Shorewall 4.5.2.4.
>
> I'm going to try lsm.
>
> If the ISP is static, do I still need to set it as optional in the interfaces
> file?

Sure -- just because it has a static IP address doesn't mean that it's going to be usable 100% of the time.

> If rules are set to force traffic to a specific provider and that provider is
> down, will that traffic go to another provider?

Existing connections out of the down provider will usually die. New connections will be sent through the remaining provider.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Thursday, May 10, 2012 02:36:56 pm Tom Eastep wrote:
> On 05/10/2012 12:09 PM, John McMonagle wrote:
> > I upgraded our 2 sites with 2 ISPs to Shorewall 4.5.2.4.
> >
> > I'm going to try lsm.
> >
> > If the ISP is static, do I still need to set it as optional in the interfaces
> > file?
>
> Sure -- just because it has a static IP address doesn't mean that it's
> going to be usable 100% of the time.
>
> > If rules are set to force traffic to a specific provider and that
> > provider is down, will that traffic go to another provider?
>
> Existing connections out of the down provider will usually die. New
> connections will be sent through the remaining provider.
>
> -Tom

Thanks Tom

I had a short time yesterday to test.
Attached is a tar of /etc/shorewall and /etc/lsm.

Showed some signs of life :-)

I expected issues, so I put the new stuff in /etc/shorewall/lsm and
started as shorewall /etc/shorewall/lsm.

I pulled the ethernet to the cable modem (Time Warner, eth2, provider ISP2).
Ran
    watch ip route show table balance
and
    watch cat /var/lib/shorewall/eth2.status
in windows.

On pulling:
balance table changed and other ISP2 routes went away.
eth2.status did not change.
Got down email from lsm.

On plugging back in:
routing tables did not change.
eth2.status did not change.
Got up email from lsm.

Obviously missed something :-(

Do you see anything or have suggestions on how to debug?

Thanks
John
On 05/11/2012 11:52 AM, John McMonagle wrote:
> On Thursday, May 10, 2012 02:36:56 pm Tom Eastep wrote:
>> On 05/10/2012 12:09 PM, John McMonagle wrote:
>>> I upgraded our 2 sites with 2 ISPs to Shorewall 4.5.2.4.
>>>
>>> I'm going to try lsm.
>>>
>>> If the ISP is static, do I still need to set it as optional in the interfaces
>>> file?
>>
>> Sure -- just because it has a static IP address doesn't mean that it's
>> going to be usable 100% of the time.
>>
>>> If rules are set to force traffic to a specific provider and that
>>> provider is down, will that traffic go to another provider?
>>
>> Existing connections out of the down provider will usually die. New
>> connections will be sent through the remaining provider.
>>
>> -Tom
> Thanks Tom
>
> I had a short time yesterday to test.
> Attached is a tar of /etc/shorewall and /etc/lsm.
>
> Showed some signs of life :-)
>
> I expected issues, so I put the new stuff in /etc/shorewall/lsm and
> started as shorewall /etc/shorewall/lsm.
>
> I pulled the ethernet to the cable modem (Time Warner, eth2, provider ISP2).
> Ran
>     watch ip route show table balance
> and
>     watch cat /var/lib/shorewall/eth2.status
> in windows.
>
> On pulling:
> balance table changed and other ISP2 routes went away.
> eth2.status did not change.
> Got down email from lsm.
>
> On plugging back in:
> routing tables did not change.
> eth2.status did not change.
> Got up email from lsm.
>
> Obviously missed something :-(
>
> Do you see anything or have suggestions on how to debug?
>

- Set STARTUP_LOG=/var/log/shorewall-init.log
- Set LOG_VERBOSITY=1

Look at the log while testing to see what is going on.

-Tom
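The symptom John reports is that the two signals a provider failover leaves behind, the routing table and the per-interface status file, disagreed. The script below is an added example for this thread, not code from the Shorewall project or from any poster. It compares the two signals for one provider and names the mismatch instead of leaving it to two `watch` windows. It assumes (the thread does not confirm this) that /var/lib/shorewall/<iface>.status holds 0 while the provider is usable and a non-zero value once it has been disabled, and that the provider's route in the balance table carries `dev <iface>`. The interface names, addresses and routing-table lines in the demo are constructed.

```shell
#!/bin/sh
# Added example; not from the Shorewall project or from the thread.
# Cross-checks a provider's Shorewall status file against a dump of the
# routing table and names the combined state, so "routes gone, .status
# unchanged" is reported as an inconsistency rather than spotted by eye.
#
# Assumptions (not confirmed by the thread):
#   - <iface>.status contains 0 while usable, non-zero once disabled
#   - the provider's route in the table contains "dev <iface>"

# provider_state IFACE STATUS_FILE ROUTE_DUMP
# Prints one word: consistent-up, consistent-down, route-missing-status-up,
# route-present-status-down or status-file-missing.
provider_state() {
    iface=$1
    status_file=$2
    route_dump=$3

    if [ -r "$status_file" ]; then
        status=$(cat "$status_file")
    else
        status=missing
    fi

    # -w keeps "dev eth2" from matching "dev eth20".
    if grep -qw "dev $iface" "$route_dump"; then
        in_table=yes
    else
        in_table=no
    fi

    case "$status:$in_table" in
        0:yes)     echo consistent-up ;;
        0:no)      echo route-missing-status-up ;;   # the symptom in the thread
        missing:*) echo status-file-missing ;;
        *:yes)     echo route-present-status-down ;;
        *:no)      echo consistent-down ;;
    esac
}

# watch_provider IFACE [STATUS_FILE] [TABLE]
# On a real box: polls the status file and the routing table every 2 s and
# prints a timestamped line only when the combined state changes.
watch_provider() {
    iface=$1
    status_file=${2:-/var/lib/shorewall/$1.status}
    table=${3:-balance}
    last=
    while :; do
        dump=$(mktemp)
        ip route show table "$table" > "$dump" 2>/dev/null
        now=$(provider_state "$iface" "$status_file" "$dump")
        rm -f "$dump"
        if [ "$now" != "$last" ]; then
            echo "$(date '+%H:%M:%S') $iface: $now"
            last=$now
        fi
        sleep 2
    done
}

# Offline demonstration with constructed data; touches no real interface.
demo() {
    tmp=$(mktemp -d)
    # Constructed balance table with both providers present.
    cat > "$tmp/balance.both" <<'EOF'
default
    nexthop via 192.0.2.1 dev eth1 weight 1
    nexthop via 198.51.100.1 dev eth2 weight 1
EOF
    # Constructed balance table after Shorewall dropped the eth2 nexthop.
    cat > "$tmp/balance.eth1only" <<'EOF'
default via 192.0.2.1 dev eth1
EOF
    echo 0 > "$tmp/eth2.status"
    echo "before unplug: $(provider_state eth2 "$tmp/eth2.status" "$tmp/balance.both")"
    echo "after unplug:  $(provider_state eth2 "$tmp/eth2.status" "$tmp/balance.eth1only")"
    echo 1 > "$tmp/eth2.status"
    echo "after disable: $(provider_state eth2 "$tmp/eth2.status" "$tmp/balance.eth1only")"
    rm -rf "$tmp"
}

demo
```

On a live firewall, source the file and run `watch_provider eth2` in one terminal while pulling the cable; a transition to route-missing-status-up while the down email arrives is exactly the state John describes, and a stuck status file will then show up as a line that never changes back.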
On 05/11/2012 02:04 PM, Tom Eastep wrote:
> On 05/11/2012 11:52 AM, John McMonagle wrote:
>> eth2.status did not change.
>> Got up email from lsm.
>>
>> Obviously missed something :-(
>>
>> Do you see anything or have suggestions on how to debug?
>>
>
> - Set STARTUP_LOG=/var/log/shorewall-init.log
> - Set LOG_VERBOSITY=1
>
> Look at the log while testing to see what is going on.
>

I've discovered that the 'disable' command is not altering the .status file. Patch attached.

    patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch

-Tom
On Saturday 12 May 2012 09:47:50 Tom Eastep wrote:
> On 05/11/2012 02:04 PM, Tom Eastep wrote:
> > On 05/11/2012 11:52 AM, John McMonagle wrote:
> >> eth2.status did not change.
> >> Got up email from lsm.
> >>
> >> Obviously missed something :-(
> >>
> >> Do you see anything or have suggestions on how to debug?
> >
> > - Set STARTUP_LOG=/var/log/shorewall-init.log
> > - Set LOG_VERBOSITY=1
> >
> > Look at the log while testing to see what is going on.
>
> I've discovered that the 'disable' command is not altering the .status
> file. Patch attached.
>
> patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
>
> -Tom

Thanks Tom

It may be a week before I can try it.
It's not the sort of thing I want to try remotely.

John
On 5/12/12 10:12 AM, John McMonagle wrote:
> On Saturday 12 May 2012 09:47:50 Tom Eastep wrote:
>> On 05/11/2012 02:04 PM, Tom Eastep wrote:
>>> On 05/11/2012 11:52 AM, John McMonagle wrote:
>>>> eth2.status did not change.
>>>> Got up email from lsm.
>>>>
>>>> Obviously missed something :-(
>>>>
>>>> Do you see anything or have suggestions on how to debug?
>>>
>>> - Set STARTUP_LOG=/var/log/shorewall-init.log
>>> - Set LOG_VERBOSITY=1
>>>
>>> Look at the log while testing to see what is going on.
>>
>> I've discovered that the 'disable' command is not altering the .status
>> file. Patch attached.
>>
>> patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
>>
>> -Tom
>
> Thanks Tom
>
> It may be a week before I can try it.
> It's not the sort of thing I want to try remotely.

You'll want this patch also.

    patch /usr/share/shorewall/lib.core < ISUSABLE.patch

-Tom
On 5/13/12 12:09 PM, Tom Eastep wrote:
>
> You'll want this patch also.
>
> patch /usr/share/shorewall/lib.core < ISUSABLE.patch
>

And to those of you who read patches, in my tree I've promoted the $COMMAND tests to the initial 'if ...; then'. Obviously should have done so in the original patch.

-Tom
On Sunday 13 May 2012 02:09:56 pm Tom Eastep wrote:
> On 5/12/12 10:12 AM, John McMonagle wrote:
> > On Saturday 12 May 2012 09:47:50 Tom Eastep wrote:
> >> On 05/11/2012 02:04 PM, Tom Eastep wrote:
> >>> On 05/11/2012 11:52 AM, John McMonagle wrote:
> >>>> eth2.status did not change.
> >>>> Got up email from lsm.
> >>>>
> >>>> Obviously missed something :-(
> >>>>
> >>>> Do you see anything or have suggestions on how to debug?
> >>>
> >>> - Set STARTUP_LOG=/var/log/shorewall-init.log
> >>> - Set LOG_VERBOSITY=1
> >>>
> >>> Look at the log while testing to see what is going on.
> >>
> >> I've discovered that the 'disable' command is not altering the .status
> >> file. Patch attached.
> >>
> >> patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> >>
> >> -Tom
> >
> > Thanks Tom
> >
> > It may be a week before I can try it.
> > It's not the sort of thing I want to try remotely.
>
> You'll want this patch also.
>
> patch /usr/share/shorewall/lib.core < ISUSABLE.patch
>
> -Tom

Tom

Seems to work.
The provider is removed about 20 seconds after failure.
It returns a bit over 3 minutes after being plugged back in.
Seems a bit long. Is that intentional?

Thanks again.
John
On 05/14/2012 03:23 PM, John McMonagle wrote:
> Tom
>
> Seems to work.
> The provider is removed about 20 seconds after failure.
> It returns a bit over 3 minutes after being plugged back in.
> Seems a bit long. Is that intentional?

You need to adjust your LSM parameters. The default LSM settings are to fail fast and recover slowly.

-Tom
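The fail/recover timing Tom refers to lives in lsm.conf, not in Shorewall. The fragment below is an added example for this thread; it is not taken from the thread, from John's attached configuration, or from the lsm distribution. The key names are the ones lsm's configuration file uses: a connection is declared down when packet loss over lsm's sampling window exceeds max_packet_loss (percent) or max_successive_pkts_lost replies in a row are missed, and declared up again only once loss has fallen below min_packet_loss and min_successive_pkts_recvd consecutive replies have arrived. The numeric values, the interface, the probe address (a documentation address standing in for the ISP gateway or a reliable host beyond it) and the eventscript path are assumed choices for this illustration, not lsm's defaults.

```conf
# Added example, not from the thread or from lsm. Values are assumed choices
# for quicker recovery, not lsm's shipped defaults; keep the eventscript your
# Shorewall installation provides.
defaults {
  name=defaults
  checkip=127.0.0.1
  eventscript=/etc/lsm/script
  interval_ms=1000
  timeout_ms=1000
  max_packet_loss=20
  max_successive_pkts_lost=7
  min_packet_loss=10
  min_successive_pkts_recvd=15
  warn_email=root
}

connection {
  name=ISP2
  device=eth2
  checkip=198.51.100.1
  ttl=2
}
```

With a 1 s probe interval, max_successive_pkts_lost=7 means an unplugged cable is noticed within roughly ten seconds, while min_successive_pkts_recvd=15 brings the link back after about fifteen clean replies rather than after the loss percentage has drained out of a long window. Lowering the recovery thresholds too far risks flapping on a lossy link; each flap re-runs the event script and so rewrites routing tables and, on a setup like Mike's, would tear down and re-establish any tunnel tied to the provider.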
On 5/14/12 3:28 PM, Tom Eastep wrote:
> On 05/14/2012 03:23 PM, John McMonagle wrote:
>
>> Tom
>>
>> Seems to work.
>> The provider is removed about 20 seconds after failure.
>> It returns a bit over 3 minutes after being plugged back in.
>> Seems a bit long. Is that intentional?
>
> You need to adjust your LSM parameters. The default LSM settings are to
> fail fast and recover slowly.

And here is another patch you should apply.

-Tom
On 5/14/12 5:32 PM, Tom Eastep wrote:
> On 5/14/12 3:28 PM, Tom Eastep wrote:
>> On 05/14/2012 03:23 PM, John McMonagle wrote:
>>
>>> Tom
>>>
>>> Seems to work.
>>> The provider is removed about 20 seconds after failure.
>>> It returns a bit over 3 minutes after being plugged back in.
>>> Seems a bit long. Is that intentional?
>>
>> You need to adjust your LSM parameters. The default LSM settings are to
>> fail fast and recover slowly.
>
> And here is another patch you should apply.

But you must apply this first.

-Tom
> > > >> Tom
> > > >>
> > > >> Seems to work.
> > > >> The provider is removed about 20 seconds after failure.
> > > >> It returns a bit over 3 minutes after being plugged back in.
> > > >> Seems a bit long. Is that intentional?
> > >
> > > You need to adjust your LSM parameters. The default LSM settings are to
> > > fail fast and recover slowly.
> >
> > And here is another patch you should apply.
> >
> > -Tom
> > --

Hi Tom,

Sounds like I am doing exactly what John is implementing, using 4.5.3. So I thought I would try these patches, but I get this when running patch:

Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
(Stripping trailing CRs from patch.)
patching file /usr/share/shorewall/Shorewall/Providers
Hunk #1 FAILED at 881.
1 out of 1 hunk FAILED -- saving rejects to file /usr/share/shorewall/Shorewall/Providers.rej
Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
(Stripping trailing CRs from patch.)
patching file /usr/share/shorewall/Shorewall/Providers
Hunk #1 FAILED at 881.
1 out of 1 hunk FAILED -- saving rejects to file /usr/share/shorewall/Shorewall/Providers.rej

Mike
On 5/14/12 8:10 PM, Mike Lander wrote:
> Sounds like I am doing exactly what John is implementing, using 4.5.3. So I
> thought I would try these patches, but I get this when running patch:
>
> Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> (Stripping trailing CRs from patch.)
> patching file /usr/share/shorewall/Shorewall/Providers
> Hunk #1 FAILED at 881.
> 1 out of 1 hunk FAILED -- saving rejects to file
> /usr/share/shorewall/Shorewall/Providers.rej
> Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> (Stripping trailing CRs from patch.)
> patching file /usr/share/shorewall/Shorewall/Providers
> Hunk #1 FAILED at 881.
> 1 out of 1 hunk FAILED -- saving rejects to file
> /usr/share/shorewall/Shorewall/Providers.rej
>

Hi Mike,

Wait until later in the week then, when I release 4.5.3.1.

-Tom
-------- Original Message --------
> From: "Tom Eastep" <teastep@shorewall.net>
> Sent: Monday, May 14, 2012 8:39 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Multi isp lsm question
>
> On 5/14/12 8:10 PM, Mike Lander wrote:
> > Sounds like I am doing exactly what John is implementing, using 4.5.3. So I
> > thought I would try these patches, but I get this when running patch:
> >
> > Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> > (Stripping trailing CRs from patch.)
> > patching file /usr/share/shorewall/Shorewall/Providers
> > Hunk #1 FAILED at 881.
> > 1 out of 1 hunk FAILED -- saving rejects to file
> > /usr/share/shorewall/Shorewall/Providers.rej
> > Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> > (Stripping trailing CRs from patch.)
> > patching file /usr/share/shorewall/Shorewall/Providers
> > Hunk #1 FAILED at 881.
> > 1 out of 1 hunk FAILED -- saving rejects to file
> > /usr/share/shorewall/Shorewall/Providers.rej
> >
>
> Hi Mike,
>
> Wait until later in the week then, when I release 4.5.3.1.
>
> -Tom
> --

Awesome, sounds good. I have not had a failover running with Shorewall for years, but am trying a new setup on a 10 Mbit by 100 Mbit firewall. Don't need load balancing with that. This setup is similar to yours, with the exception of no public servers. Hence, use Comcast for all traffic, else use failover.
Good to hear from you; been a while.

Thank you,
Mike
> > On 5/14/12 8:10 PM, Mike Lander wrote:
> > > Sounds like I am doing exactly what John is implementing, using 4.5.3. So I
> > > thought I would try these patches, but I get this when running patch:
> > >
> > > Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> > > (Stripping trailing CRs from patch.)
> > > patching file /usr/share/shorewall/Shorewall/Providers
> > > Hunk #1 FAILED at 881.
> > > 1 out of 1 hunk FAILED -- saving rejects to file
> > > /usr/share/shorewall/Shorewall/Providers.rej
> > > Gate:~ # patch /usr/share/shorewall/Shorewall/Providers < STATUS.patch
> > > (Stripping trailing CRs from patch.)
> > > patching file /usr/share/shorewall/Shorewall/Providers
> > > Hunk #1 FAILED at 881.
> > > 1 out of 1 hunk FAILED -- saving rejects to file
> > > /usr/share/shorewall/Shorewall/Providers.rej
> > >
> >
> > Hi Mike,
> >
> > Wait until later in the week then, when I release 4.5.3.1.
> >
> > -Tom
> > --
> Awesome, sounds good. I have not had a failover running with Shorewall for years,
> but am trying a new setup on a 10 Mbit by 100 Mbit firewall. Don't need load
> balancing with that. This setup is similar to yours, with the exception of no
> public servers. Hence, use Comcast for all traffic, else use failover.
> Good to hear from you; been a while.
>
> Thank you,
> Mike
>

While on this subject, would it be too much trouble to ask about bringing up an ipsec.conf with the failover as well? I would assume this would be more in the lsm scripting, right?

In my case:
eth0 backup ISP -- eth1 Comcast main ISP
Using Comcast eth1 with IPsec. eth1 goes down. lsm detects, sends status to Shorewall. Routes are switched to use eth0; Comcast is flushed.
My question: bring up the IPsec backup like:
    ipsec up Backup tunnel
Resume normal operations until Comcast eth1 is back up?

Mike