On Wed, 2007-12-05 at 09:07 -0800, Tom Eastep wrote:
>
> I always forget there is another factor here.
>
> Let's suppose you have the following:
>
>        ISP1         ISP2
>         |            |
>      --------------------
>      |                  |
>      |     Firewall     |-- DMZ
>      |                  |
>      ---------------------
>               |
>              LOC
>
> If you mark traffic from LOC in PREROUTING based on protocol and port,
> then that traffic will be routed based on whether it will go to ISP1 or
> ISP2. But suppose that it goes to the DMZ! So you need to include the
> route to the DMZ in the routing tables for both ISP1 and ISP2. That is
> independent of whether you use 'track' or not.
Note that you could also add a routing rule in the 1000-1999 range, sending traffic to the DMZ address range through the main table (254). I do that here with my DMZ which has one system (206.124.146.177):

#SOURCE   DEST              PROVIDER   PRIORITY
-         206.124.146.177   254        1000

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
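Added illustration (not from the list post or from Shorewall itself): a small model of Linux policy routing, i.e. rules walked by ascending priority with a longest-prefix lookup in each table, showing why LOC-to-DMZ traffic that carries an ISP fwmark is sent out the ISP unless the DMZ route is present in the ISP tables or a priority-1000 rule sends it through main (254) first. The table contents, the mark values, the mark-rule priority 10000 and the LOC subnet are assumptions; only the DMZ host 206.124.146.177, table 254 and priority 1000 come from the post.

```python
import ipaddress

# Constructed example: a tiny model of "ip rule" + "ip route" lookups.
DMZ_HOST = ipaddress.ip_network("206.124.146.177/32")  # from the post

# Routing tables: table id -> [(prefix, next hop)]. Assumed contents: the
# ISP tables hold only a default route, main (254) holds the local links.
TABLES = {
    "ISP1": [("0.0.0.0/0", "via ISP1")],
    "ISP2": [("0.0.0.0/0", "via ISP2")],
    254: [("206.124.146.177/32", "dev dmz"),
          ("192.168.1.0/24", "dev loc"),      # assumed LOC subnet
          ("0.0.0.0/0", "via ISP1")],
}

def lookup_table(table, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    best = None
    for prefix, hop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def route(rules, dst, fwmark=0):
    """Walk rules by priority; the first table that yields a route wins.
    A table with no matching route falls through to the next rule."""
    dst = ipaddress.ip_address(dst)
    for _priority, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector(dst, fwmark):
            hop = lookup_table(table, dst)
            if hop is not None:
                return table, hop
    return None, "unreachable"

# Assumed mark rules: mark 1 -> ISP1, mark 2 -> ISP2 at priority 10000;
# main is consulted last at the kernel default priority 32766.
MARK_RULES = [
    (10000, lambda d, m: m == 1, "ISP1"),
    (10000, lambda d, m: m == 2, "ISP2"),
    (32766, lambda d, m: True, 254),
]
# The rule from the post: DEST 206.124.146.177 PROVIDER 254 PRIORITY 1000.
DMZ_RULE = (1000, lambda d, m: d in DMZ_HOST, 254)

def without_fix(dst, fwmark):
    return route(MARK_RULES, dst, fwmark)

def with_fix(dst, fwmark):
    return route(MARK_RULES + [DMZ_RULE], dst, fwmark)

if __name__ == "__main__":
    print(without_fix("206.124.146.177", 2))  # ('ISP2', 'via ISP2') - leaves via ISP2
    print(with_fix("206.124.146.177", 2))     # (254, 'dev dmz')
```

The first call shows the problem the post describes: the marked packet matches the ISP2 default route before main is ever consulted, so it never reaches the DMZ interface.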
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
