On Wed, 2007-12-05 at 08:11 -0800, Tom Eastep wrote:
> On Wed, 2007-12-05 at 16:41 +0100, Erwin Van de Velde wrote:
> > Hi all,
> >
> > I am trying to configure a firewall with 2 ISPs, difference between them is
> > the strictness of the firewall. Some zones have to route via ISP1, some via
> > ISP2.
> > What do I need to put in the providers file? More in particular, what does
> > DUPLICATE do exactly and what should I put there?
>
> Adding an entry to /etc/shorewall/providers creates a routing table.
> Now, a routing table is useless unless it is populated with routes.
> Shorewall will always add a default route via the GATEWAY to the table
> but you need additional routes if you specify the 'track' option. That
> is because when 'track' is specified, traffic entering the INTERFACE is
> routed using the provider's table.
>
> I regret having designed the facility in this way and I'm thinking of
> providing an option to change it in Shorewall 4.2. But in the meantime,
> when 'track' is given, you normally will want to copy the routes to your
> local networks into the provider's routing table. To do that, you enter
> 'main' in the DUPLICATE column and you list your local interfaces in the
> COPY column. That way, traffic entering a tracked interface can be
> routed to the local networks.
I always forget there is another factor here.
Let's suppose you have the following:
     ISP1                 ISP2
      |                    |
    ---------------------------
    |                         |
    |        Firewall         |-- DMZ
    |                         |
    ---------------------------
               |
              LOC
If you mark traffic from LOC in PREROUTING based on protocol and port,
then that traffic will be routed based on whether it will go to ISP1 or
ISP2. But suppose that it goes to the DMZ! So you need to include the
route to the DMZ in the routing tables for both ISP1 and ISP2. That is
independent of whether you use 'track' or not.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
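The advice above boils down to a property a practitioner can verify after restarting Shorewall: every provider table (ISP1, ISP2) must carry a route to every local network (LOC and DMZ), not just a default route. The script below is an added example, not from the original thread or from Shorewall itself; it checks that property against the output of `ip route show table <name>`, here replaced by constructed samples, and the interface names and addresses are assumptions.

```shell
#!/bin/sh
# Added example: check that each provider routing table has a route to every
# local network, which is what DUPLICATE=main plus COPY=<local interfaces>
# should produce. Interface names and addresses below are assumptions.

# Constructed sample: table ISP1 after 'main' was duplicated with the LOC
# (eth1) and DMZ (eth2) interfaces listed in COPY.
ISP1_ROUTES='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1'

# Constructed sample: table ISP2 built with an empty COPY column, so it only
# holds the default route Shorewall always adds via the GATEWAY.
ISP2_ROUTES='default via 198.51.100.1 dev eth3'

# Local networks that every provider table must be able to reach.
LOCAL_NETS='192.168.1.0/24 10.0.0.0/24'

# missing_routes "<table output>" "<nets>": prints each net that has no
# route (exact prefix match on the first field) in the table.
missing_routes() {
    routes=$1
    for net in $2; do
        printf '%s\n' "$routes" | awk -v n="$net" '$1 == n { f = 1 } END { exit !f }' \
            || printf '%s\n' "$net"
    done
}

# check_table NAME "<table output>": returns 0 when every local network is
# routed in that table, 1 otherwise.
check_table() {
    missing=$(missing_routes "$2" "$LOCAL_NETS")
    if [ -n "$missing" ]; then
        printf 'table %s is missing routes to: %s\n' "$1" "$(printf '%s' "$missing" | tr '\n' ' ')"
        return 1
    fi
    printf 'table %s routes all local networks\n' "$1"
    return 0
}

# With the samples above, ISP1 passes and ISP2 fails: traffic marked for
# ISP2 but destined for LOC or DMZ would follow ISP2's default route.
check_table ISP1 "$ISP1_ROUTES"
check_table ISP2 "$ISP2_ROUTES" \
    || echo "fix: put 'main' in DUPLICATE and the LOC/DMZ interfaces in COPY for ISP2"
```

On a live firewall, run `check_table ISP1 "$(ip route show table ISP1)"` for each provider name from /etc/shorewall/providers.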
