Hi Charles,

You've piqued my interest with the 'redundant Internet connections' idea! My goal this holiday was to research the concept, especially with respect to incorporating FreeS/WAN into the equation. I had pretty much decided that the most likely way of doing this successfully would be with a second box between the LRP/FreeS/WAN box and the Internet connections - functioning as a router only, no masq'ing or firewalling going on. I have a hard time getting my head around how the ipsec and eth interfaces work together when it comes to the routing - probably it's not that tough, but I haven't seen an explanation that works for me! Adding more complexity to the gateway would cause a cerebral vascular airlock, I'm sure.
I had also toyed with the idea of using two dynamic DNS domains (or maybe one - haven't thought it through yet), one for each of the two Internet connections, and somehow add this to the VPN info... if one domain went dead, run a script to start a tunnel with the second. Like I said, it's all just ideas so far (and uneducated ones to boot ;-) but I'm very interested to see what you work out. If I can be of any use, let me know.

Brock

> Message: 2
> From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Fri, 21 Dec 2001 16:32:27 -0600
> Subject: [Leaf-user] Advanced firewall tricks
>
> For those of you who don't subscribe to Sys Admin, there are a couple of interesting articles in the latest issue (Jan 2002) that are somewhat applicable to LEAF.
>
> In "Halted Firewalls", Mike Murray discusses the interesting fact that you can shut down the Linux kernel (i.e. "halt"), but kernel processes will keep running. Having the kernel running without any user processes is not generally very useful, but if you don't explicitly bring down Ethernet interfaces and flush the ipchains rules, your system will still route, firewall, and forward packets. Without any user processes running, there's no swap space (LEAF systems don't typically have any swap anyhow), and dynamic connections using dhclient, PPPoE, and similar won't work, but it's still kind of a neat concept. It's pretty hard to hack into (or remotely administer) a system with no running processes.
>
> Even more interesting is "Redundant Internet Connections Using Linux" by Seann Herdejurgen. He describes a simple method for bandwidth sharing between two interfaces, a topic that surfaces occasionally on this list. While not quite a complete solution, the equal-weight default routing looks like it would work for masqueraded firewalls. I'll have to test the masquerading code on 2.2 and see if it properly divides requests between multiple external interfaces, and correctly mangles the source IP for both interfaces. Anyone try this already and know if it works? If the masquerading works properly with multiple external NICs, it's a (fairly) straightforward matter to integrate this support into the firewall scripts, duplicating the public rules for more than one interface. The hard part is making some scripts to properly route traffic if one of the links goes down... since typically the Ethernet link between the firewall and the cable/DSL modem is always up, periodic pings or some other link test needs to happen to swap routing tables around if a link fails.
>
> Anyone know if SeaWall or any of the other firewall scripts will handle multiple external interfaces?
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
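The "hard part" Charles describes at the end of the quoted message (a periodic link test that swaps the routing around when one external link dies, even though the Ethernet link to the modem stays up) can be sketched as a small monitor script. The following is an added example written for this page, not code from the thread, from LEAF or from the Sys Admin article. It assumes iproute2 and a kernel built with multipath routing, so that the equal-weight default route the article is said to describe can be written as one `ip route replace default ... nexthop ... weight 1` command; the interface names, gateway addresses and probe hosts are placeholders from the documentation ranges, not addresses taken from the thread. Each external link gets its own probe host, pinned to that link with a /32 host route, so a ping to that host really exercises that link rather than whichever nexthop the multipath default happens to pick.

```sh
#!/bin/sh
# Link monitor for a firewall with two external interfaces.
# Added example, not from the thread or from LEAF. Assumes iproute2 plus a
# kernel with multipath routing (CONFIG_IP_ROUTE_MULTIPATH). All addresses and
# interface names below are illustrative placeholders.
#
# LINKS: one "iface:gateway:probe" triple per external link. The probe host is
# pinned to its link with a host route, so pinging it tests that link alone.
LINKS="eth1:192.0.2.1:203.0.113.9 eth2:198.51.100.1:203.0.113.10"
INTERVAL="${INTERVAL:-30}"   # seconds between checks
PING="${PING:-ping}"         # probe command; overridable (e.g. for testing)
DRY_RUN="${DRY_RUN:-0}"      # 1 = print the ip commands instead of running them

# run_ip ARGS...: run "ip ARGS" or, in dry-run mode, just echo it.
run_ip() {
    if [ "$DRY_RUN" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# probe_link IFACE GW PROBE: pin PROBE to GW on IFACE, then ping it once.
# Pinging the modem/gateway itself is not enough, since that hop usually
# answers even when the upstream side of the link is dead.
probe_link() {
    run_ip route replace "$3/32" via "$2" dev "$1" >/dev/null
    "$PING" -c 1 "$3" >/dev/null 2>&1
}

# up_links: print the "iface:gw" pairs whose probe host answered, space separated.
up_links() {
    up=""
    for link in $LINKS; do
        iface=${link%%:*}; rest=${link#*:}
        gw=${rest%%:*};    probe=${rest#*:}
        if probe_link "$iface" "$gw" "$probe"; then
            up="${up:+$up }$iface:$gw"
        fi
    done
    echo "$up"
}

# route_cmd "iface:gw ...": print the ip arguments for the given live links.
# Two or more links -> equal-weight multipath default route; exactly one ->
# plain default via that link; none -> print nothing and fail, so the caller
# keeps whatever route it had rather than deleting the default route.
route_cmd() {
    set -- $1
    case $# in
    0) return 1 ;;
    1) echo "route replace default via ${1#*:} dev ${1%%:*}" ;;
    *) cmd="route replace default scope global"
       for l in "$@"; do
           cmd="$cmd nexthop via ${l#*:} dev ${l%%:*} weight 1"
       done
       echo "$cmd" ;;
    esac
}

# monitor: loop forever, re-applying the default route only when the set of
# live links changes. The route cache is flushed afterwards so established
# flows are re-evaluated against the new default route.
monitor() {
    last=""
    while :; do
        live=$(up_links)
        if [ "$live" != "$last" ]; then
            if cmd=$(route_cmd "$live"); then
                run_ip $cmd
                run_ip route flush cache
                last=$live
            else
                echo "all external links down; keeping previous route" >&2
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "linkmon.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in run) monitor ;; esac
```

Run it as `DRY_RUN=1 sh linkmon.sh run` first to see which `ip route` commands it would issue. Note what this does not cover: masquerading. Whether the 2.2 masquerading code picks the right source address when the multipath route sends successive connections out different interfaces is exactly the question Charles leaves open, and a route monitor like this one does nothing to answer it; if an existing masqueraded connection is moved to the other link by a route change, its source address no longer matches and it will simply die.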
