Tom wrote:

> I should add however that this is not a particularly easy feature to
> use in general, which could be why Rich thought that it wasn't working.
> You have to set it up MultiISP with one 'Provider' for each maclan
> interface and then use policy routing to direct traffic out of a
> particular interface.
Thanks for this info. In an attempt to avoid having to use the multi-ISP stuff, I tried an experiment this evening in which I set up Xen on my firewall and created a domU to handle one of my external IP addresses. The domU was bridged (using two separate bridges, of course) to both the internal and external interfaces of the dom0, and Shorewall was used both on the dom0 and the domU. I tried setting up one machine in my local net with the domU (instead of the dom0) as its default Internet gateway.

I ran into some bizarre interactions between the two firewalls, however. When I did outbound connections from the domU to the Internet, the external IP address of the domU was affected by lines in the "masq" file on the dom0. And if I set up a machine in my local network to use the domU as its default router, connections from that local machine through the domU to the Internet didn't work. (I did a "shorewall dump" on the domU and looked at the output, and the Conntrack Table showed TCP connections with SYN_SENT and marked as [UNREPLIED] -- apparently meaning that the reply packets were being blocked or mangled.) I'm guessing that the dom0's Shorewall rules did something to mess up traffic coming back into the domU from the outside.

I also noted that I couldn't connect in either direction between the domU's external IP address and any of the external IP addresses of my dom0 ("Destination Host Unreachable" errors when I tried "ping") -- but even when I fixed that problem by adding some specific host routes, the domU still would not function as a gateway.

If there's some straightforward thing I could/should do (presumably in the dom0's rules) to make the domU's traffic pass totally untouched through the dom0, I imagine I might be able to make this work. If I can get this to work, it seems appealing, in large part because the rules in each separate Shorewall configuration would only need to worry about one external IP address (and the corresponding internal host or hosts).
Or maybe this all means that the multi-ISP method, for all its complex strangeness, would still be simpler than using Xen and a bunch of domUs.

--
Rich Wales === Palo Alto, CA, USA === [EMAIL PROTECTED]
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
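For comparison with the domU approach, this is what Tom's "one Provider per interface plus policy routing" setup looks like in Shorewall's own configuration files. It is an added example, not from this thread or from the Shorewall project: the interface names (mac0, mac1 for the two per-address external interfaces, eth1 for the LAN), the addresses and the two pinned LAN hosts are assumptions, and the column layout follows the providers/mangle/masq files of Shorewall 4.6 and later rather than the tcrules file in use when this message was written.

```text
# /etc/shorewall/providers  (one Provider per external interface; both
# share the single ISP gateway; 'track' makes replies to connections
# that arrived on one interface leave via that same interface, which is
# the symptom the [UNREPLIED] conntrack entries above point at)
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS  COPY
ipA    1       0x1   main       mac0       198.51.100.1  track    eth1
ipB    2       0x2   main       mac1       198.51.100.1  track    eth1

# /etc/shorewall/mangle  (policy routing: pin each LAN host to one
# provider by marking its packets in PREROUTING, hence the ':P')
#ACTION     SOURCE         DEST       PROTO  DPORT  SPORT  USER  TEST
MARK(1):P   192.168.1.10   0.0.0.0/0
MARK(2):P   192.168.1.20   0.0.0.0/0

# /etc/shorewall/masq  (SNAT each provider's outbound traffic to that
# interface's own external address, so the source address a host is
# seen with is decided by the mark, not by a single catch-all masq line)
#INTERFACE  SOURCE          ADDRESS
mac0        192.168.1.0/24  198.51.100.10
mac1        192.168.1.0/24  198.51.100.11
```

Unmarked LAN traffic still follows the main routing table, so the catch-all default route keeps working for hosts that are not pinned; `shorewall show routing` displays the per-provider tables and rules the compiler generated, which is the quickest check that the marks and tables line up.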