Displaying 20 results from an estimated 1000 matches similar to: "BGP + shorewall on multiISP env."
2002 Jun 07
1
zebra bgp and shorewall
Hi,
I plan to implement a redundant Internet connection using BGP on 2
different Linux Routers. The routing daemon software I will be using is
Zebra (zebra.org).
I'm wondering if I should have my Linux firewall behind the 2 BGP routers,
or could I keep the shorewall on both BGP routers?
Has anyone had any experience with this?
Any help is much appreciated.
Thanks,
Sam
2004 Aug 31
0
HTB.init for zebra BGP
Hi,
I have successfully shaped bandwidth using htb.init using IP addresses, but
when I try to shape zebra BGP using their IP address and BGP port it can't
match the class for BGP and always gets the default class.
Here's my htb.init script in the bridge:
#eth0-2:50.bgp
RATE=128kbit
RULE=192.168.192.163
RULE=192.168.199.22
RULE=*:179
#eth1-2:50.bgp
RATE=128kbit
2012 Mar 07
2
RTNETLINK answers: File exists when adding providers
When I attempt to start shorewall (version 4.0.15) I get an RTNETLINK error
(see below).
/var/log/shorewall-init.log
[...]
21:02:18 Creating Interface Chains...
21:02:19 Adding Providers...
RTNETLINK answers: File exists
ERROR: Command "ip route add table 1 129.116.XXX.0/24 dev eth2 proto kernel scope link src 129.116.XXX.30" Failed
21:02:25 Shorewall-generated routing tables and
2012 Feb 11
6
"ERROR: Invalid action" for FTP
OS: Debian Lenny (kernel 2.6.26-2-686)
Shorewall: 4.0.15 (installed from Debian repository)
I have an FTP server behind Debian system I am using for a firewall and I am wanting to use Shorewall on it (the Debian firewall). Following the instructions for configuring FTP (at <http://www.shorewall.net/FTP.html>), I have the following rule in my /etc/shorewall/rules file:
FTP(DNAT) net
2012 Feb 24
7
how to compare shorewall config versus live iptables rules?
Greetings,
I'm new to Shorewall but not to working with Iptables. Shorewall is the
simplest firewall front end I have found thus far. I'm currently trying
to build a Cfengine policy to maintain Shorewall configurations. My
main problem at the moment is confirming that the running iptables
rules match what Shorewall originally built.
If I understand Shorewall correctly the
2012 Feb 09
1
Re: How add two o more MAC Address in one
Hi Tom
I use Shorewall version 3.4.8; what would it be for me in these rules?
> As I can have more than two MAC addresses to apply a rule
> in shorewall, I have the following to block port 443:
>
>
> REJECT loc:~00-11-22-33-44-55 net tcp 443
>
>
> I try this
>
>
> REJECT loc:~00-11-22-33-44-55,~AA-BB-CC-DD-EE-FF net tcp 443
That
2012 Feb 29
2
shorewall-init missing critical file?
I am currently using Fedora 16 with the distribution provided
shorewall-*-4.4.23.3-6.fc16 packages. shorewall-init seems to be missing
a critical file. /lib/systemd/system/shorewall-init.service attempts to
call /sbin/shorewall-init, but, /sbin/shorewall-init does not exist. I
thought maybe it was a packaging error, so, downloaded the original
source, (i.e., shorewall-init-4.4.23.3.tar.bz2), still
2012 Feb 26
6
Continuous pings going through a full DROP policy
For a same configuration in which the default policy is drop and only
one connection is accepted in rules, continuous pinging to devices
will stop squarely in 4.0.15 as soon as a very basic firewall is
enabled whereas in 4.4.26.1, pinging will still continue after the
firewall is enabled.
All tests are done with proper reboot of the unit3 where the firewall
is applied:
unit1 <---> eth4
2002 Feb 14
1
Zebra, Routing ...
Before I start, I don't want to do ECMP or simple bonding ...
I have multiple Internet connections available to multiple boxes on one
of my networks.
Box A connects to ISPs 1, 2 and 3
Box B connects to ISPs 1 and 4
Boxes A and B are both connected to each other and the rest of the
network.
1) I would like to set up some dynamic routing in such a way that any
given outgoing packet from
2012 Mar 14
7
Block port 443 (https) to Facebook.com
Hi, in shorewall version 3.4.8 used this rule to block access to Facebook
through port 443 (https):
/shorewall/rules:
REJECT loc net:69.171.224.12,69.171.224.0/19,69.63.176.0/20,66.220.144.0/20 tcp 443
What I did was block the public IP network segment to fit through https.
Now I use this same rule in version 4.4 and I works already.
Has anything changed in this
2013 Jun 21
1
MultiISP.html documentation improvements
Hi all
I have been working with Shorewall connected to two ISPs lately, and I would
like to suggest a couple of improvements to the MultiISP.html documentation
page.
I followed the examples in that page (but the legacy setup and the
USE_DEFAULT_RT one), but I had problems with locally (by the firewall)
generated packets: I wanted them to go out using only one ISP, but if I use
a tcrules rule to
2008 Apr 27
3
f/oss routing solution?
I'm looking for an open source router solution, and someone from the list
recently recommended zebra (www.zebra.org). I haven't yet identified all my
needs, but I'm guessing that it will do all my routing needs for a, say,
class C set of IP addresses, particularly if I ever have to do anything
BGP-related.
Anyone have any pointers before I delve in? Or possibly a recommendation
for
2006 Apr 30
1
PPPoe, Bgp
Referring to PPPoE, I have the next problem:
I asked my ISP if I can buy a class of real IPs to be routed by them.
They said elegantly it can't be done.
I want opinions.
I am using an ADSL connection through a Speedtouch 510 configured in bridge.
About BGP:
I asked someone if I can peer 2 different locations on 2 different IPs
using private ASN number and he said yes, and what I don't
2006 Oct 13
1
Re: Tc rules Help with multiISP + squid& squidguard...
In policy
$FW Net ACCEPT
Dump.rar join
THX
-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Thursday, October 12, 2006 21:22
To: Shorewall Users
Subject: Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard...
Joffrey FLEURICE wrote:
>
>
>
2006 Oct 13
0
Re: Tc rules Help with multiISP + squid& squidguard...
In policy :
-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Thursday, October 12, 2006 21:22
To: Shorewall Users
Subject: Re: [Shorewall-users] Tc rules Help with multiISP + squid& squidguard...
Joffrey FLEURICE wrote:
>
>
> All works, but no surf with
2010 Aug 05
1
Correct way to use quagga and shorewall
Hi,
I've set up quagga on a shorewall firewall server.
The only purpose for this is to use BGP to connect to a "peering platform" supplied by our data centre supplier.
There are some very large ISP's (and other various providers including google) on this peering platform and connecting to it will speed up access to/from our services and hosted servers.
The physical
2012 Feb 19
3
Shore wall and multi ISPs and ip addresses
Hi All!
I only ever have complex setups.
Customer site has a dedicated leased line from their ISP terminating on a
Cisco router. Router is configured with the first usable address on a /28
network - 196.x.y.73. The linux firewall is configured with the remaining 5
ip's, 196.x.y.74 to 196.x.y.78 and 79 as the broadcast. Sounds normal but here
is the twist. The primary or first ip
2005 Sep 01
4
Using zebra
Hello
Anyone used Zebra routing daemon and created virtual routers
before? Is it possible to run OSPF/BGP on each virtual server and get
them to talk to each other?
I'm new to Xen and I need to know... I will be trying this out in the
coming days and I want to know about any pitfalls to avoid.
--
Nonchalantly yours
GobbledeGeek
[Every thing but Gobbledegook.. !!]
2007 Jun 05
3
Multipath routing
Hello!
I have trouble with multipath routing. Those options are enabled in kernel:
[*] IP: policy routing
[*] IP: equal cost multipath
[*] IP: equal cost multipath with caching support (EXPERIMENTAL)
<*> MULTIPATH: round robin algorithm
But issuing:
ip r a 1.2.3.0/23 scope global equalize nexthop via 80.245.176.11 \
dev eth0 weight 1 nexthop via 80.245.176.13 dev eth0
2012 Jun 13
3
Default Route disappear
Hi
I have a default route to 192.168.1.1 as soon as I start shorewall the
default route disappears. What do I need to do to have it not disappear?
Kind Regards
My network setup
/etc/network/interfaces:
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.17
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255