Tom Eastep wrote:

>> 1. man shorewall-rtrules->PRIORITY: The explanation of this column makes
>> a reference to "ISP interface rules" in the context of priority numbers
>> 26000-26999: "...After ISP interface rules but before 'default' rule".
>> What is that, exactly? Could you clarify this definition please? Is this
>> the 'main' routing table?
>>
>
> I should reword that. 'ISP interface rules' are generated when 'loose'
> is not specified. Those rules cause traffic originating on the firewall
> to be routed to providers based on the source address. In other words,
> if the packet's SOURCE address is associated with a provider interface,
> then the packet should be routed out of that interface.
>

OK, so I've got that right then, since I started my rules using numbers 26000+, though I have a few rules based on destination addresses - they start first though, followed up by my "general" rules based on the eth0 primary address (didn't know that I could use "&interface" instead), as well as a separate rule involving the interface name (i.e. ip rule add oif eth0) and that is pretty much it.

>> 2. The same man page->SOURCE: "Beginning with Shorewall 4.5.0, you may
>> specify &interface in this column to indicate that the source is the
>> primary IP address of the named interface". Again, what does that mean?
>> With "&interface", if used, I am "indicating" an interface, not a
>> "primary IP address", so how does that work then?
>>
>
> See http://www.shorewall.net/configuration_file_basics.htm#AddressVariables.
>

Nice, thanks - never knew that before and used a separate "params" variable for this.

>> 3. How do I add a "default" route in "routes"?
>>
>
> You don't -- Shorewall generates the default routes based on the
> provider GATEWAY (specified or detected).
>

Got it now, thanks.

>> 4. Similar to 3 above: how do I add, say "10.1.7.0/24 dev eth0 proto
>> kernel scope link src 10.1.7.7 table dmz7" in routes (needed when a
>> device is brought up, but that route is normally placed in 'main' by the
>> OS)? The reason I ask this is because I have a rule based on this
>> interface source address (i.e. "ip rule add from 10.1.7.7 table dmz7")
>> so I need to have this rule in my dmz7 table, not 'main'.
>>
>
> #PROVIDER DEST GATEWAY DEVICE
> dmz7 10.1.7.0/24 - eth0
>
> Shorewall will choose the primary IP address of eth0 as the route
> source. It shouldn't be difficult to add a SOURCE column if that is
> needed, but I won't do that until 4.5.17.
>

I already tried that - the above translates to "10.1.7.0/24 dev eth0 scope link table dmz7" so I am not sure it is the same (if it doesn't make any difference - all's well!).

As an aside: If/When the device goes down (eth0 in my case) are all of these routes restored (by shorewall-init?) when that device is brought up again?

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
