I've been using Shorewall on an older box for 3 years and it has worked fabulously. But we've expanded to having 2 ISPs, so I'm building a new Fedora 6 firewall with Shorewall 3.4.2 and 4 NICs.
I'm having a problem with outgoing connections when I add the track option to my providers file. Here's my providers file:

# Shorewall version 3.4 - Providers File
#
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY       OPTIONS         COPY
ISP1    1       1       main        eth2        216.x.y.33    track,balance   ETH0
ISP2    2       2       main        eth3        136.x.y.1     balance         ETH0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

My interfaces are configured like this:

LAN  = ETH0 (10.0.0.0/24)
DMZ  = ETH1 (not used yet)
ISP1 = ETH2 (216.x.y.34/28)
ISP2 = ETH3 (136.x.y.2/25)

I have the following in my rules file to allow all pings and log them:

ACCEPT:info    all    all    icmp

I have nothing in my tcrules file.

The problem seems to be that if I use the track option in the providers file, I can't make any outgoing connections using that ISP. If I try to ping an external address that I know exists and the ping goes out ISP2 (ETH3), I get a reply back. If the ping goes out ISP1 (ETH2), the reply is stopped on its way back in and looks like it has been redirected back out ETH2 where it came from. Here are the entries from syslog showing this:

May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296

I suspect I have missed something in my configuration. I've studied http://www.shorewall.net/MultiISP.html pretty hard and have not found the answer. Any suggestions would be appreciated.
Thanks,
Grant Scheffert
Pantheon Computer Systems
507-835-2212

If all the human potential that's being directed towards creating and fighting spam went to science instead, we'd have a cure for cancer.
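An added example (mine, not the poster's and not Shorewall's own tooling): a small Python parser for Shorewall kernel log lines of the form quoted above that flags dropped packets which entered and were about to leave on the same WAN interface, and pairs each such ICMP echo reply with the outgoing request it answers. The WAN interface set and the sample log text are constructed from the post; it assumes the stock `Shorewall:chain:action:KEY=VALUE ...` log layout.

```python
import re

# Constructed sample: the three syslog lines quoted in the post above.
SAMPLE_LOG = """\
May 22 17:05:45 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth3 SRC=10.0.0.88 DST=12.12.12.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60171 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55040
May 22 17:05:59 outcast kernel: Shorewall:lan2inet:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.88 DST=12.12.12.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=60172 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=55296
May 22 17:05:59 outcast kernel: Shorewall:FORWARD:DROP:IN=eth2 OUT=eth2 SRC=12.12.12.3 DST=10.0.0.88 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=8952 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=55296
"""

# Shorewall log prefix: "Shorewall:<chain>:<action>:" followed by the netfilter KEY=VALUE fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict of chain, action and KEY=VALUE fields, or None for non-Shorewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        # ICMP lines carry ID twice: first the IP header id, then the echo identifier.
        if key == "ID" and "ID" in rec:
            key = "ICMP_ID"
        rec[key] = value
    return rec


def find_hairpin_drops(log_text, wan_ifaces):
    """Find DROPs where IN == OUT on a WAN interface (reply routed straight back out).

    For ICMP echo replies, also report which interface the matching echo request left on,
    matched by (peer address, echo identifier, sequence number).
    """
    requests_out = {}  # (dst, echo id, seq) -> interface the request went out on
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "8" and "OUT" in rec:
            requests_out[(rec["DST"], rec.get("ICMP_ID"), rec.get("SEQ"))] = rec["OUT"]
        if rec["action"] == "DROP" and rec.get("IN") in wan_ifaces and rec.get("IN") == rec.get("OUT"):
            key = (rec["SRC"], rec.get("ICMP_ID"), rec.get("SEQ"))
            findings.append({"iface": rec["IN"], "src": rec["SRC"], "dst": rec["DST"],
                             "request_went_out": requests_out.get(key)})
    return findings


if __name__ == "__main__":
    for f in find_hairpin_drops(SAMPLE_LOG, {"eth2", "eth3"}):
        print(f)
```

A hit whose `request_went_out` equals `iface` is the symptom in the post: the reply for a tracked connection arrives on the right provider interface but is routed back out the same way instead of to the LAN.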