Re: [Shorewall-users] mangle and network mask

2017-09-30 Thread Vieri Di Paola via Shorewall-users
From: Tom Eastep > > I just released 5.1.7.2 which correctly handles your rule. I've seen the release notice. Once again, thank you very much, Tom. Vieri --

Re: [Shorewall-users] mangle and network mask

2017-09-30 Thread Tom Eastep
On 09/29/2017 01:57 PM, Tom Eastep wrote: > On 09/29/2017 01:54 PM, Vieri Di Paola via Shorewall-users wrote: >> >> >> From: Tom Eastep >>> >>> It is the *next to the last* rule that is causing the problem. >> >> >> OK, so my problem is that

Re: [Shorewall-users] mangle and network mask

2017-09-30 Thread Vieri Di Paola via Shorewall-users
From: Bill Shirley > Two observations Thanks for that, Bill. I allow DNS queries only from dedicated DNS servers on the LAN. I don't REDIRECT. Any client misbehaving DNS-wise won't be able to lookup IP addresses. Point

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Bill Shirley
Two observations: 1) there are some PC viruses that change the DNS server addresses on the PC     so that they can intercept a lookup and return their own reply. So, when you     go to www.my-bank.com you actually are pointed to a malicious server.     In my rules, I redirect all DNS queries to

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Tom Eastep
On 09/29/2017 01:54 PM, Vieri Di Paola via Shorewall-users wrote: > > > From: Tom Eastep >> >> It is the *next to the last* rule that is causing the problem. > > > OK, so my problem is that I wrote the following in my mangle file: > >

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Vieri Di Paola via Shorewall-users
From: Tom Eastep > > It is the *next to the last* rule that is causing the problem. OK, so my problem is that I wrote the following in my mangle file: MARK(1-3):P 0.0.0.0/0 0.0.0.0/0 tcp,udp 53 and it translated

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Norman Henderson
Hi Vieri, Here are all of my files (I think) relevant to routing, with any real addresses changed: providers: #NAME NUMBER MARKDUPLICATE INTERFACE GATEWAY OPTIONS COPY uni01 1 - - usb0192.168.1.1 fallback=50 uni02 2 -

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Tom Eastep
On 09/29/2017 07:35 AM, Vieri Di Paola via Shorewall-users wrote: > > > From: Tom Eastep >> >> Remember that MARK is not a terminating target -- so the *last* MARK > >> rule to match the packet is the one that assigns the mark. > > I was

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Vieri Di Paola via Shorewall-users
From: Norman Henderson > > MARK(25)10.0.69.2 - tcp smtp > MARK(25)- 10.0.69.2 tcp smtp > > 10.0.69.2 - cem09 128025 Could you please share the

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Vieri Di Paola via Shorewall-users
From: Tom Eastep > > Remember that MARK is not a terminating target -- so the *last* MARK > rule to match the packet is the one that assigns the mark. I was aware of that when I wrote the rules. My providers file is: ISP11 1

Re: [Shorewall-users] mangle and network mask

2017-09-29 Thread Tom Eastep
On 09/27/2017 06:00 AM, Vieri Di Paola via Shorewall-users wrote: > Hi again, > > It seems that I'm getting mixed results. According to the dump I'm posting in > the link below, shouldn't a host accessing 193.104.0.136 on port 443 go out > provider marked as 3? > > The dump was taken while

Re: [Shorewall-users] mangle and network mask

2017-09-28 Thread Norman Henderson
Interesting - I may have a similar issue with the following (partial) mangle file - there is other content in the file but nothing related to this address: MARK(25)10.0.69.2 - tcp smtp MARK(25)- 10.0.69.2 tcp smtp MARK(80)

Re: [Shorewall-users] mangle and network mask

2017-09-27 Thread Vieri Di Paola via Shorewall-users
Hi again, It seems that I'm getting mixed results. According to the dump I'm posting in the link below, shouldn't a host accessing 193.104.0.136 on port 443 go out provider marked as 3? The dump was taken while trying to open https site at 193.104.0.136 from 10.215.144.48.

Re: [Shorewall-users] mangle and network mask

2017-09-27 Thread Vieri Di Paola via Shorewall-users
Sorry for the noise, but it doesn't seem to be related to what I put in mangle's PROTO column. When I use this address in SOURCE (192.168.210.0/23) traffic is not sent out provider 4. Using either 192.168.210.0/24,192.168.211.0/24 or 192.168.210.1-192.168.211.254 does send traffic out

Re: [Shorewall-users] mangle and network mask

2017-09-27 Thread Vieri Di Paola via Shorewall-users
Actually, it's not a netmask issue. After another test, I noticed that this fails (better yet, it doesn't do what I want): MARK(4):P 192.168.210.0/23,192.168.212.0/24 0.0.0.0/0 all whereas this other is what I want: MARK(4):P 192.168.210.0/23,192.168.212.0/24 0.0.0.0/0 What's the