Re: [Shorewall-users] mangle and network mask
From: Tom Eastep
> I just released 5.1.7.2 which correctly handles your rule.

I've seen the release notice.

Once again, thank you very much, Tom.

Vieri

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] mangle and network mask
On 09/29/2017 01:57 PM, Tom Eastep wrote:
> On 09/29/2017 01:54 PM, Vieri Di Paola via Shorewall-users wrote:
>> From: Tom Eastep
>>> It is the *next to the last* rule that is causing the problem.
>>
>> OK, so my problem is that I wrote the following in my mangle file:
>>
>> MARK(1-3):P 0.0.0.0/0 0.0.0.0/0 tcp,udp 53
>>
>> and it translated to:
>>
>> Chain tcpre
>> [...]
>> 7784 6738K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 MARK xset 0x1/0xff
>> 7783 6764K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 1 MARK xset 0x2/0xff
>> 7783 6623K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 2 MARK xset 0x3/0xff
>>
>> I erroneously thought that I could "balance" DNS traffic among the first 3
>> providers.
>>
>> It can't be done here, right?
>
> It appears that the entry is not being translated correctly, as it is
> missing the protocols and port. So take it out for now.

I just released 5.1.7.2 which correctly handles your rule.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \___
Re: [Shorewall-users] mangle and network mask
From: Bill Shirley
> Two observations

Thanks for that, Bill.

I allow DNS queries only from dedicated DNS servers on the LAN. I don't REDIRECT. Any client misbehaving DNS-wise won't be able to look up IP addresses.

Point 2 taken.

Thanks again,

Vieri
Re: [Shorewall-users] mangle and network mask
Two observations:

1) There are some PC viruses that change the DNS server addresses on the PC so that they can intercept a lookup and return their own reply. So, when you go to www.my-bank.com you actually are pointed to a malicious server. In my rules, I redirect all DNS queries to my own server that is running on the firewall:

?SECTION NEW
# ==========================
# == Local Restrictions ====
# ==========================
?COMMENT domain
REDIRECT  lan  domain  tcp,udp  domain  # use this server for DNS
REDIRECT  dmz  domain  tcp,udp  domain  # use this server for DNS

This way I can ensure no query is hijacked. I implemented these rules when we found a PC that was getting its lease info (address, gateway, DNS servers, etc) from our own DHCP, but was using two unknown DNS servers.

2) With multiple ISPs, it is best to do the DNS lookup thru the same provider that the actual traffic will go. Many content delivery networks (CDN) will have multiple servers and the DNS query response will return an answer with the least hops. I know predicting the actual ISP for traffic may be a difficult task, but your efforts here would be better than random.

HTH,
Bill

On 9/29/2017 4:54 PM, Vieri Di Paola via Shorewall-users wrote:
> From: Tom Eastep
>> It is the *next to the last* rule that is causing the problem.
>
> OK, so my problem is that I wrote the following in my mangle file:
>
> MARK(1-3):P 0.0.0.0/0 0.0.0.0/0 tcp,udp 53
>
> and it translated to:
>
> Chain tcpre
> [...]
> 7784 6738K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 MARK xset 0x1/0xff
> 7783 6764K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 1 MARK xset 0x2/0xff
> 7783 6623K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 2 MARK xset 0x3/0xff
>
> I erroneously thought that I could "balance" DNS traffic among the first 3
> providers.
>
> It can't be done here, right?
Re: [Shorewall-users] mangle and network mask
On 09/29/2017 01:54 PM, Vieri Di Paola via Shorewall-users wrote:
> From: Tom Eastep
>> It is the *next to the last* rule that is causing the problem.
>
> OK, so my problem is that I wrote the following in my mangle file:
>
> MARK(1-3):P 0.0.0.0/0 0.0.0.0/0 tcp,udp 53
>
> and it translated to:
>
> Chain tcpre
> [...]
> 7784 6738K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 MARK xset 0x1/0xff
> 7783 6764K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 1 MARK xset 0x2/0xff
> 7783 6623K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 2 MARK xset 0x3/0xff
>
> I erroneously thought that I could "balance" DNS traffic among the first 3
> providers.
>
> It can't be done here, right?

It appears that the entry is not being translated correctly, as it is
missing the protocols and port. So take it out for now.

-Tom
Re: [Shorewall-users] mangle and network mask
From: Tom Eastep
> It is the *next to the last* rule that is causing the problem.

OK, so my problem is that I wrote the following in my mangle file:

MARK(1-3):P 0.0.0.0/0 0.0.0.0/0 tcp,udp 53

and it translated to:

Chain tcpre
[...]
7784 6738K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 MARK xset 0x1/0xff
7783 6764K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 1 MARK xset 0x2/0xff
7783 6623K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 2 MARK xset 0x3/0xff

I erroneously thought that I could "balance" DNS traffic among the first 3 providers.

It can't be done here, right?
Re: [Shorewall-users] mangle and network mask
Hi Vieri,

Here are all of my files (I think) relevant to routing, with any real addresses changed:

providers:

#NAME         NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS                      COPY
uni01         1       -     -          usb0       192.168.1.1      fallback=50
uni02         2       -     -          usb1       192.168.0.1      fallback=50
tvc01         3       -     -          vlan5      111.222.333.444  track,balance=1,persistent
aot01         4       -     -          ppp0       -                track,balance=1,persistent
cem50tun      5       -     -          tun1       10.20.0.145      fallback=150,persistent
cem50         6       -     -          vlan4      10.1.15.1        fallback=100
cem09         7       -     -          tun3       10.20.0.129      track
:qcem0509tvc  8       -     -          tun6       10.20.0.149      loose
cem0509uni    9       -     -          tun7       10.20.0.153      loose

mangle:

#ACTION    SOURCE        DEST              PROTO  DEST                  SOURCE   USER  TEST  LENGTH  TOS  CONNBYTES  HELPER  PROBABILITY  DSCP
#                                                 PORT(S)               PORT(S)
MARK(25)   10.0.69.2     -                 tcp    smtp
MARK(25)   -             10.0.69.2         tcp    smtp
MARK(25)   fwall         77.88.99.0/29     tcp    smtp
MARK(53)   -             -                 udp    53
MARK(53)   fwall         -                 udp    53
MARK(16)   10.0.69.20    -                 udp    sip,iax,1068,1:12000
MARK(16)   -             10.0.69.20        udp    sip,iax,1068,1:12000
MARK(16)   10.1.0.0/24   10.20.0.129       udp    sip,iax,1:12000
MARK(16)   10.20.0.129   10.1.0.0/24       udp    sip,iax,1:12000
MARK(16)   10.1.0.0/24   77.88.99.82       udp    sip,iax,1:12000
MARK(16)   77.88.99.82   10.1.0.0/24       udp    sip,iax,1:12000
MARK(16)   fwall         -                 udp    sip,iax,1:12000
MARK(16)   -             fwall             udp    sip,iax,1:12000
MARK(80)   10.0.69.2     -                 tcp    http,https
MARK(80)   10.0.69.2     -                 udp    http,https
MARK(80)   10.0.69.20    -                 tcp    http,https
MARK(80)   10.0.69.20    -                 udp    http,https
MARK(200)  10.1.10.248   -                 udp    openvpn,5000,5001
MARK(200)  fwall         77.88.99.0/29     udp    openvpn,5000,5001
MARK(200)  fwall         222.111.444.0/29  udp    openvpn,5000,5001
TOS(16)    -             -                 udp    iax
TOS(16)    -             -                 udp    -                     iax
TOS(16)    -             -                 udp    sip
TOS(16)    -             -                 udp    -                     sip
TOS(16)    10.0.69.20    -                 udp    -                     -        -     16
TOS(16)    -             10.0.69.20        udp    -                     -        -     16
DSCP(EF)   -             -                 udp    iax
DSCP(EF)   -             -                 udp    -                     iax
DSCP(EF)   -             -                 udp    sip
DSCP(EF)   -             -                 udp    -                     sip
DSCP(EF)   10.0.69.20    -                 udp    -                     -        -     16
DSCP(EF)   -             10.0.69.20        udp    -                     -        -     16

rtrules:

#SOURCE       DEST             PROVIDER  PRIORITY  MARK
-             10.20.200.0/25   cem09     1000
-             10.20.200.0/24   main      1001
-             10.20.0.0/23     main      1002
-             10.0.68.0/22     cem50     1012
-             10.1.8.0/21      cem50     1014
-             192.168.0.0/16   cem50     1018
-             192.168.33.0/24  cem50     1019
-             10.0.68.0/22     cem01maf  1022
-             10.1.10.0/24     cem01maf  1024
10.1.10.40    -                tvc01     1201
10.1.10.65    -                tvc01     1202
10.1.13.93    -                tvc01     1203
10.1.15.20    -                tvc01     1204
10.1.15.21    -                tvc01     1205
10.1.10.40    -                aot01     1211
10.1.10.65    -                aot01     1212
10.1.13.93    -                aot01     1213
10.1.15.20    -                aot01     1214
10.1.15.21    -                aot01     1215
10.1.10.248   -                aot01     1263      200
10.1.10.248   -                tvc01     1264      200
$FW           -                uni01     1271      200
$FW           -                uni02     1272      200
$FW           -                aot01     1273      200
$FW           -                tvc01     1274      200
#NH#20170228# Following rule is not catching "all" traffic in a TCP connection. Therefore...
10.0.69.2     -                cem09     1280      25
#NH#20170228# for now, directing all 10.0.69.2 packets via tun3.
10.0.69.2     -                cem09     1281
10.0.0.0/8    -                cem09     1290      16
10.1.0.0/24   -                uni01     21005
10.1.0.0/24   -                uni02     21006
10.1.8.0/21   -                aot01     21901
10.1.8.0/21   -                tvc01     21902
10.1.8.0/21   -                uni01     21903
Re: [Shorewall-users] mangle and network mask
On 09/29/2017 07:35 AM, Vieri Di Paola via Shorewall-users wrote:
> From: Tom Eastep
>> Remember that MARK is not a terminating target -- so the *last* MARK
>> rule to match the packet is the one that assigns the mark.
>
> I was aware of that when I wrote the rules.
>
> My providers file is:
>
> ISP1 1 1 - $IF_ISP1 $IF_ISP1_GW track,balance=3,persistent
> ISP2 2 2 - $IF_ISP2 $IF_ISP2_GW track,balance=2,persistent
> ISP3 3 3 - $IF_ISP3 $IF_ISP3_GW track,balance=1,persistent
> ISP4 4 4 - $IF_ISP4 $IF_ISP4_GW track,balance=1,persistent
>
> ...and the *last* line of my mangle file is:
>
> MARK(3):P - 193.104.0.136

It is the *next to the last* rule that is causing the problem.

>> Your statistical MARK rules are overwriting your intended mark values most of
>> the time.
>
> If by "statistical" you mean the marks produced by "balance" in the providers
> file then am I mistaken to think that the last mangle rule defined overwrites
> previous marks?
>
>> You need to populate the TEST column of your route marking rules to stop
>> this unintended overwriting of previously assigned marks.
>
> The TEST column in the mangle file?
> Not quite sure which value to use for a MARK rule on the last line of that
> file.

Again, it isn't the last rule that is the issue.

-Tom
Re: [Shorewall-users] mangle and network mask
From: Norman Henderson
> MARK(25) 10.0.69.2 - tcp smtp
> MARK(25) - 10.0.69.2 tcp smtp
>
> 10.0.69.2 - cem09 1280 25

Could you please share the relevant part of your providers file?

> rtrules 10.0.69.2 - cem09 1281

In my specific example I could very well use policy based routing in rtrules without marks. However, there are other cases where I need to use MARK.

Vieri
Re: [Shorewall-users] mangle and network mask
From: Tom Eastep
> Remember that MARK is not a terminating target -- so the *last* MARK
> rule to match the packet is the one that assigns the mark.

I was aware of that when I wrote the rules.

My providers file is:

ISP1 1 1 - $IF_ISP1 $IF_ISP1_GW track,balance=3,persistent
ISP2 2 2 - $IF_ISP2 $IF_ISP2_GW track,balance=2,persistent
ISP3 3 3 - $IF_ISP3 $IF_ISP3_GW track,balance=1,persistent
ISP4 4 4 - $IF_ISP4 $IF_ISP4_GW track,balance=1,persistent

...and the *last* line of my mangle file is:

MARK(3):P - 193.104.0.136

> Your statistical MARK rules are overwriting your intended mark values most of
> the time.

If by "statistical" you mean the marks produced by "balance" in the providers file then am I mistaken to think that the last mangle rule defined overwrites previous marks?

> You need to populate the TEST column of your route marking rules to stop
> this unintended overwriting of previously assigned marks.

The TEST column in the mangle file?
Not quite sure which value to use for a MARK rule on the last line of that file.

Vieri
Re: [Shorewall-users] mangle and network mask
On 09/27/2017 06:00 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi again,
>
> It seems that I'm getting mixed results. According to the dump I'm posting in
> the link below, shouldn't a host accessing 193.104.0.136 on port 443 go out
> provider marked as 3?
>
> The dump was taken while trying to open the https site at 193.104.0.136 from
> 10.215.144.48.
>
> https://drive.google.com/open?id=0B-tpkY1LkI67X0FzWnRMSFRYd1E
>
> I had mixed results. Sometimes traffic is going out provider 3, and at times
> it's going out another provider.
>
> So my previous posts are probably "wrong" in that the netmask has nothing to
> do with the issue I'm seeing.
>
> Even if I balance traffic in the providers file, I require traffic to
> 193.104.0.136 to *always* go out provider 3.

Remember that MARK is not a terminating target -- so the *last* MARK rule to match the packet is the one that assigns the mark. Your statistical MARK rules are overwriting your intended mark values most of the time. You need to populate the TEST column of your route marking rules to stop this unintended overwriting of previously assigned marks.

-Tom
Re: [Shorewall-users] mangle and network mask
Interesting - I may have a similar issue with the following (partial) mangle file - there is other content in the file but nothing related to this address:

MARK(25) 10.0.69.2 - tcp smtp
MARK(25) - 10.0.69.2 tcp smtp
MARK(80) 10.0.69.2 - tcp http,https
MARK(80) 10.0.69.2 - udp http,https

Either the mark (25) is not being consistently applied, or the rtrules entry that depends on it isn't always respecting the mark:

10.0.69.2 - cem09 1280 25

The result is that the tcp connection gets sent part on one provider and part on another, which of course doesn't work. When I noticed it I didn't have time to diagnose properly so I found a bypass (rtrules 10.0.69.2 - cem09 1281) that doesn't depend on the mark, but that isn't a good solution.

If I get time I will do another dump, but maybe your case will lead to a solution before that :)

- Norm

On Wed, Sep 27, 2017 at 2:00 PM, Vieri Di Paola via Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:
> Hi again,
>
> It seems that I'm getting mixed results. According to the dump I'm posting
> in the link below, shouldn't a host accessing 193.104.0.136 on port 443 go
> out provider marked as 3?
>
> The dump was taken while trying to open the https site at 193.104.0.136 from
> 10.215.144.48.
>
> https://drive.google.com/open?id=0B-tpkY1LkI67X0FzWnRMSFRYd1E
>
> I had mixed results. Sometimes traffic is going out provider 3, and at
> times it's going out another provider.
>
> So my previous posts are probably "wrong" in that the netmask has nothing
> to do with the issue I'm seeing.
>
> Even if I balance traffic in the providers file, I require traffic to
> 193.104.0.136 to *always* go out provider 3.
>
> Regards,
>
> Vieri
Re: [Shorewall-users] mangle and network mask
Hi again,

It seems that I'm getting mixed results. According to the dump I'm posting in the link below, shouldn't a host accessing 193.104.0.136 on port 443 go out provider marked as 3?

The dump was taken while trying to open the https site at 193.104.0.136 from 10.215.144.48.

https://drive.google.com/open?id=0B-tpkY1LkI67X0FzWnRMSFRYd1E

I had mixed results. Sometimes traffic is going out provider 3, and at times it's going out another provider.

So my previous posts are probably "wrong" in that the netmask has nothing to do with the issue I'm seeing.

Even if I balance traffic in the providers file, I require traffic to 193.104.0.136 to *always* go out provider 3.

Regards,

Vieri
Re: [Shorewall-users] mangle and network mask
Sorry for the noise, but it doesn't seem to be related to what I put in mangle's PROTO column.

When I use this address in SOURCE (192.168.210.0/23) traffic is not sent out provider 4.

Using either 192.168.210.0/24,192.168.211.0/24 or 192.168.210.1-192.168.211.254 does send traffic out provider 4.
Re: [Shorewall-users] mangle and network mask
Actually, it's not a netmask issue.

After another test, I noticed that this fails (better yet, it doesn't do what I want):

MARK(4):P 192.168.210.0/23,192.168.212.0/24 0.0.0.0/0 all

whereas this other one is what I want:

MARK(4):P 192.168.210.0/23,192.168.212.0/24 0.0.0.0/0

What's the difference?