On Wed, 2007-01-31 at 13:12 -0800, Tom Eastep wrote: > Brian J. Murrell wrote: > > I'm just starting to experiment with multi-isp configuration and at the > > part of the doc (http://www.shorewall.net/MultiISP.html) that specifies: > > > > Regardless of whether you have masqueraded hosts or not, YOU > > MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq: > > > > #INTERFACE SUBNET ADDRESS > > eth0 130.252.99.27 206.124.146.176 > > eth1 206.124.146.176 130.252.99.27 > > > > If this is a MUST requirement for all multi-isp set ups, then can > > shorewall not figure this out for itself and install it without the user > > having to specify it? > > Not really. > > a) Shorewall couldn't determine where to put them in the masq file and the > file is order-sensitive.
OK. That brings up a question then: where should they go normally? It seems that they are just a safety check that a locally generated packet has the right source address for the interface it's bound for. Does order really matter in this case? Given the configuration at hand at http://www.shorewall.net/MultiISP.html: #INTERFACE SUBNET ADDRESS eth0 eth2 206.124.146.176 eth1 eth2 130.252.99.27 and the need to add: eth0 130.252.99.27 206.124.146.176 eth1 206.124.146.176 130.252.99.27 It doesn't seem to matter what order those go in since they don't overlap at all. > b) Shorewall could redundantly add them, not realizing that the same traffic > is adequately covered by other masq rules such as: > > eth0 0.0.0.0/0 206.124.146.177 #The different ADDRESS is > #intentional If the "don't use the other known interface source addresses" rules were put right at the end, would that not suffice? i.e: * if no other masq rules match and * the source address for the destined interface is known to be for another outbound interface * then masq it to the right address In any case, I am sure you understand the issues better than I, so if my logic above is still flawed, I will just accept that it cannot be made automatic. I have some thoughts on dealing with dead ISPs and multi-ISP configurations. Shall I start a thread about it or are you really not interested in Shorewall dealing with this situation? b. -- My other computer is your Microsoft Windows server. Brian J. Murrell
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
