Brian J. Murrell wrote:
>
> Given the configuration at hand at
> http://www.shorewall.net/MultiISP.html:
>
> #INTERFACE SUBNET ADDRESS
> eth0 eth2 206.124.146.176
> eth1 eth2 130.252.99.27
>
> and the need to add:
>
> eth0 130.252.99.27 206.124.146.176
> eth1 206.124.146.176 130.252.99.27
>
> It doesn't seem to matter what order those go in since they don't
> overlap at all.
So you don't believe it matters whether you put your frequently-matched
rules before the ones that are not matched very often? Shorewall
certainly can't tell which rules are going to be matched more heavily.

>
>> b) Shorewall could redundantly add them, not realizing that the same traffic
>> is adequately covered by other masq rules such as:
>>
>> eth0 0.0.0.0/0 206.124.146.177 #The different ADDRESS is
>> #intentional
>
> If the "don't use the other known interface source addresses" rules were
> put right at the end, would that not suffice? i.e:
> * if no other masq rules match and
> * the source address for the destined interface is known to be for
> another outbound interface
> * then masq it to the right address

It would suffice -- but again, it still takes CPU cycles to add the
rules and it still consumes CPU cycles at run-time to send packets
through these rules -- if they are redundant, then those CPU cycles are
basically wasted.

>
> In any case, I am sure you understand the issues better than I, so if my
> logic above is still flawed, I will just accept that it cannot be made
> automatic.

It isn't a case of whether it can be made automatic -- of course it can.
The question is rather "Is making it automatic the right thing to do?".
I'm not convinced that it is.

>
> I have some thoughts on dealing with dead ISPs and multi-ISP
> configurations. Shall I start a thread about it or are you really not
> interested in Shorewall dealing with this situation?

Sure -- start a thread. It might be best though to start the thread on
the development list rather than on the users list.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
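The shadowing problem the two of them are arguing about (a cross-interface masq rule appended after a catch-all `0.0.0.0/0` rule on the same interface is never reached, so it is dead weight) can be checked mechanically. The following is an added example, not Shorewall code and not part of the thread: it parses the three-column INTERFACE SUBNET ADDRESS layout quoted above, resolves an interface name in the SUBNET column through an assumed mapping (`IFACE_NETS`, a constructed value), and applies first-match semantics to find rules that an earlier rule already fully covers.

```python
import ipaddress

# Constructed sample in the three-column layout quoted in the thread.
# Real Shorewall masq files carry more columns and syntax (exclusions,
# interface:destination, ranges); this parser handles only this subset.
MASQ_SAMPLE = """\
#INTERFACE SUBNET          ADDRESS
eth0       0.0.0.0/0       206.124.146.177   # The different ADDRESS is intentional
eth0       eth2            206.124.146.176
eth1       eth2            130.252.99.27
eth0       130.252.99.27   206.124.146.176
eth1       206.124.146.176 130.252.99.27
"""

# An interface name in SUBNET stands for the networks behind that interface.
# This mapping is an assumption for the example; the thread does not give it.
IFACE_NETS = {"eth2": ["192.168.1.0/24"]}


def parse_masq(text):
    """Return [(interface, [networks], address)] in file order, comments stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface, subnet, address = line.split()[:3]
        nets = [ipaddress.ip_network(n) for n in IFACE_NETS.get(subnet, [subnet])]
        rules.append((iface, nets, address))
    return rules


def snat_address(rules, iface, src):
    """First match wins, as in a netfilter chain: the ADDRESS a packet from
    `src` leaving `iface` is rewritten to, or None if no masq rule matches."""
    ip = ipaddress.ip_address(src)
    for riface, nets, address in rules:
        if riface == iface and any(ip in n for n in nets):
            return address
    return None


def shadowed(rules):
    """Indices of rules that can never match: an earlier rule on the same
    interface already covers every source they could match. The ADDRESS
    column is irrelevant here; a dead rule is dead whatever it would SNAT to."""
    dead = []
    for i, (iface, nets, _) in enumerate(rules):
        for eiface, enets, _ in rules[:i]:
            if eiface == iface and all(any(n.subnet_of(e) for e in enets) for n in nets):
                dead.append(i)
                break
    return dead
```

With the sample above, both eth0 rules after the catch-all are reported dead, and a packet from 130.252.99.27 on eth0 gets 206.124.146.177 rather than the 206.124.146.176 the appended rule intended.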
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
