Hello, I don't know if this makes any sense, as I haven't read the configuration dump, so I'm exposing myself to the most deserved flames.

I just saw that the rule is in "tcfor" and the IP is local, so shouldn't it be in "tcout"? It shouldn't pass through the forward table then, just the output. If the firewall is routing traffic (thus forwarding and using tcfor) it would only have the local IP as source if you're doing some kind of NAT; in any other case the src IP should be the localnet's or the remote's, but not the firewall's. And even in that case I'd have to check, because I don't know if mangling goes before natting or the other way around. (To know whether you have to do NAT or not you already need to know the output iface, so you should pass forwarding before natting and do natting on postrouting... in which case your forwarding rule shouldn't work even if natting. Does that make any sense?)

So my guess is that you should mark using the iface name and not the IP address (for forwarding), or $FW if marking output traffic. Or both, for triple care. But marking for me was a bit more complex than that, as I was mixing shaping and different providers (highmarks, routemarks, tcmarks, ormarks, andmarks, setmarks, ...). I can't remember the details, so it could be more complex in this case too. I think the "tcfor" and the "ifconfig" lines with that rule posted... do not fit too well.

Hope it helps, and please no flames if I'm lost and wrong. I'm a sensitive guy and could commit suicide at any time.

Best regards,
Jorge

Jorge Daza García-Blanes [EMAIL PROTECTED] - GPG id: 5D7ACDEF

P.S.: Tom, why should it have the local IP as dest IP? Because that should happen if you receive the traffic, but then marks would only be useful as connmarks and not as tcmarks, wouldn't they?

On 29/12/2006, at 18:53, Tom Eastep wrote:

> Ismael Milach da Silveira wrote:
>> odd... I did it again, and it showed some traffic now.
>>
>> ##############################################
>> [EMAIL PROTECTED] doctor]$ /sbin/ifconfig
>> eth0      Link encap:Ethernet  HWaddr 00:02:55:58:5E:C6
>>           inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:38643181 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:38547925 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:991136881 (945.2 Mb)  TX bytes:197020047 (187.8 Mb)
>>           Interrupt:27 Base address:0x2000
>>
>> [EMAIL PROTECTED] doctor]$ wget www.doctornet.com.br/matrix.zip
>> --15:04:21--  http://www.doctornet.com.br/matrix.zip
>>            => `matrix.zip.2'
>> Resolving www.doctornet.com.br... done.
>> Connecting to www.doctornet.com.br[201.3.160.245]:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 199,947,030 [application/zip]
>
> Wait a minute -- traffic leaving the firewall through interface eth1 should
> never have source IP 192.168.200.1 -- it will have destination address
> 192.168.200.1. So your marking rules are screwed up....
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
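The chain-traversal argument in the message above (a mark rule in mangle FORWARD with the firewall's own address as SOURCE never fires, because the firewall's own traffic only passes OUTPUT and forwarded traffic still carries the LAN host's address until nat POSTROUTING rewrites it) is easy to check with a small model. The following is an added example, not code from the thread or from Shorewall; the addresses, interface names and the simplified SNAT step are constructed, and the reply path ignores de-NAT.

```python
"""Toy model of how a packet traverses the Netfilter mangle hooks, to show
why a Shorewall mark rule in "tcfor" (mangle FORWARD) with SOURCE set to the
firewall's own address never fires: locally generated traffic skips FORWARD
entirely, and forwarded traffic still carries the LAN host's source address
in FORWARD because SNAT only happens later, in nat POSTROUTING.
Added example, not Shorewall code; all addresses and interfaces are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

FW_SYMBOL = "$FW"                 # Shorewall's name for the firewall itself
# Constructed topology: eth0 is the LAN side, eth1 the upstream side.
IFACE_ADDR = {"eth0": "192.168.200.1", "eth1": "203.0.113.10"}
MASQUERADE_OUT = {"eth1"}         # constructed: forwarded traffic leaving eth1 is SNATed


@dataclass
class Packet:
    src: str
    dst: str
    in_if: Optional[str]          # None when the firewall itself generated the packet
    out_if: str
    mark: int = 0


@dataclass
class MarkRule:
    mark: int
    chain: str                    # PREROUTING, FORWARD, OUTPUT or POSTROUTING
    source: str                   # IP address, interface name, or "$FW"


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def rule_matches(rule: MarkRule, pkt: Packet) -> bool:
    """SOURCE semantics: $FW = locally generated, an address = packet source,
    anything else = the interface the packet arrived on."""
    if rule.source == FW_SYMBOL:
        return pkt.in_if is None
    if _is_ip(rule.source):
        return pkt.src == rule.source
    return pkt.in_if == rule.source


def mangle_hooks(pkt: Packet) -> List[str]:
    """Hook order: locally generated traffic sees OUTPUT then POSTROUTING;
    forwarded traffic sees PREROUTING, FORWARD, POSTROUTING and never OUTPUT."""
    if pkt.in_if is None:
        return ["OUTPUT", "POSTROUTING"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def process(rules: List[MarkRule], pkt: Packet) -> Packet:
    """Walk the mangle hooks applying MARK rules (a later match overwrites an
    earlier mark, like MARK --set-mark), then apply SNAT last, as nat
    POSTROUTING does, so no mangle rule ever sees the rewritten source."""
    for hook in mangle_hooks(pkt):
        for rule in rules:
            if rule.chain == hook and rule_matches(rule, pkt):
                pkt.mark = rule.mark
    if pkt.in_if is not None and pkt.out_if in MASQUERADE_OUT:
        pkt.src = IFACE_ADDR[pkt.out_if]    # constructed SNAT step (simplified)
    return pkt


def demo() -> dict:
    """Compare a FORWARD rule keyed on the firewall's LAN address with marking
    by $FW for output traffic and by interface name for forwarded traffic."""
    broken = [MarkRule(1, "FORWARD", "192.168.200.1")]   # rule of the kind discussed
    fixed = [MarkRule(1, "OUTPUT", FW_SYMBOL),            # firewall's own traffic
             MarkRule(1, "FORWARD", "eth0")]              # traffic arriving from the LAN

    def local_download():   # wget run on the firewall itself, leaving via eth1
        return Packet("203.0.113.10", "201.3.160.245", None, "eth1")

    def lan_download():     # a LAN host's request being forwarded and masqueraded
        return Packet("192.168.200.50", "201.3.160.245", "eth0", "eth1")

    def reply_to_lan():     # the reply coming back in on eth1 towards the LAN host
        return Packet("201.3.160.245", "192.168.200.50", "eth1", "eth0")

    return {
        "broken_local": process(broken, local_download()).mark,   # 0: FORWARD not traversed
        "broken_lan": process(broken, lan_download()).mark,       # 0: src is the LAN host
        "fixed_local": process(fixed, local_download()).mark,     # 1: $FW in OUTPUT
        "fixed_lan": process(fixed, lan_download()).mark,         # 1: eth0 in FORWARD
        "fixed_reply": process(fixed, reply_to_lan()).mark,       # 0: arrived on eth1
        "lan_src_after_nat": process(fixed, lan_download()).src,  # 203.0.113.10
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `lan_src_after_nat` entry is the point about ordering: the LAN host's address is only replaced after every mangle hook has run, so whether or not NAT is in play, a rule keyed on the firewall's address in FORWARD has nothing to match.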
