Hello! I've been running Shorewall for a few years now, and it's performed well.
I have a non-trivial setup, though, and it is rough around the edges when trying to deal with it. In particular, I have a dual WAN. One is a cable modem (DHCP), and the other is a DSL modem (PPPoE). What's more, the cable modem is a single IP address that often changes, while the DSL modem is a static IP address *range*. There is a "main" address that the PPP connection sets up, but it also accepts several other nearby addresses. I have this running right now with aliases for the ppp0 device.

I've studied this document: http://shorewall.net/MultiISP.html

There are 3 main problems I have:

1) If the router is rebooted while either the cable or the DSL is down, Shorewall won't come up. It requires *both* interfaces to be fully active before Shorewall will start. If either is down, my firewall is DOA, requiring manual intervention. I was hoping to set up a dual WAN setup for redundancy and safety, and unfortunately instead, this makes it *more* brittle.

2) Shorewall is a one-shot deal: it exists just to configure the kernel's firewall settings. There's no active monitor that can stay around and take care of things if either the cable or the DSL goes down. I've written a script that repeatedly pings both the cable and DSL connection, and attempts to give the command "ip route replace", with appropriate arguments, as needed. I'm wondering if there's a more Shorewall-friendly way to do this? I've run into trouble before, when I mess with the routing table and Shorewall doesn't expect this.

3) If the PPP modem goes down, the ppp0 device disappears entirely. That's unfortunate. Is there a way to make it behave like the eth* devices, where they are allowed to be in "down" state and still exist as an active device within the kernel? The reason this is a requirement is that the kernel will drop all routing and firewall rules associated with a device when it disappears! So, if ppp0 disappears, it will later come back up... completely bare, as it will have no more firewall or router rules! I need to manually restart Shorewall whenever this happens. It's really unfortunate that the developers of PPP in Linux chose to make the device disappear, instead of just keeping it around in a "down" state.

Because I have a *range* of IP addresses coming to me via PPP, I can't activate the built-in PPPoE protocol termination feature of the modem. If I do this, then the modem takes over the IP addresses, and only gives me a single IP address from it.

I'm running Shorewall 4.2.10 on Debian. Is it worth upgrading to 4.4?

What Shorewall output should I provide here, that might assist in asking for help?

Thanks!
Josh

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
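The monitor script described in problem 2, written out as an added example that is not part of the original post and not Josh's script: it probes each WAN link with a ping bound to that interface, computes the default route only from the observed link states, and touches the routing table only when the decision changes, so it does not keep fighting the routes Shorewall installed. It also handles the ppp0 disappearance from problem 3 by checking whether the device exists before probing it and reloading Shorewall when ppp0 reappears (the manual restart the post says is needed). Interface names (eth1, ppp0), the gateway and probe addresses, and the poll interval are assumptions and placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): minimal dual-WAN watchdog.
# Assumed layout: cable link on eth1 with a DHCP-assigned gateway, DSL link
# on ppp0 (point-to-point, so its default route needs no gateway address).
# Addresses below are constructed placeholders from the RFC 5737 test ranges.
CABLE_IF="eth1"
CABLE_GW="203.0.113.1"      # placeholder: the cable modem's current gateway
DSL_IF="ppp0"
PROBE_HOST="198.51.100.10"  # placeholder: a host you are allowed to ping
INTERVAL=10                 # seconds between probe rounds

# link_exists IFACE: true if the kernel currently has a device by that name.
# ppp0 vanishes entirely when the PPP session drops, so this must be checked
# before trying to send anything out of it.
link_exists() {
    ip link show dev "$1" >/dev/null 2>&1
}

# probe_link IFACE: true if one ping sent out of IFACE gets a reply.
# -I binds the probe to the interface so the reply has to use that path.
probe_link() {
    ping -c 1 -W 2 -I "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# choose_route CABLE_STATE DSL_STATE (each "up" or "down"): print the
# "ip route replace" command that should be in effect, or "none" when no
# link is usable. Pure function: it never touches the kernel, so the
# policy can be tested without a live WAN. Cable is preferred when both
# links answer; DSL is the fallback.
choose_route() {
    cable="$1"
    dsl="$2"
    if [ "$cable" = up ]; then
        echo "ip route replace default via $CABLE_GW dev $CABLE_IF"
    elif [ "$dsl" = up ]; then
        echo "ip route replace default dev $DSL_IF"
    else
        echo "none"
    fi
}

# watchdog: poll forever, applying a route change only on a state change.
watchdog() {
    last=""
    had_dsl=0
    while :; do
        if link_exists "$DSL_IF"; then dsl_present=1; else dsl_present=0; fi

        # ppp0 came back after having been gone: the kernel dropped every rule
        # tied to the old device, so reload the firewall as the post describes.
        if [ "$dsl_present" = 1 ] && [ "$had_dsl" = 0 ] && [ -n "$last" ]; then
            shorewall restart
        fi
        had_dsl=$dsl_present

        if probe_link "$CABLE_IF"; then cable=up; else cable=down; fi
        if [ "$dsl_present" = 1 ] && probe_link "$DSL_IF"; then dsl=up; else dsl=down; fi

        cmd=$(choose_route "$cable" "$dsl")
        if [ "$cmd" != "$last" ]; then
            logger -t wanwatch "cable=$cable dsl=$dsl -> $cmd"
            [ "$cmd" = none ] || $cmd   # apply only when the decision changed
            last=$cmd
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when invoked as "wanwatch.sh run", so the functions can be
# sourced and exercised without starting the monitor.
[ "${1:-}" = run ] && watchdog
```

Running it as `sh wanwatch.sh run` from an init script or a supervisor keeps it resident, which is the piece Shorewall itself does not provide. The route-only-on-change rule is what keeps it from colliding with Shorewall: the table is rewritten at most once per link transition rather than every poll.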
