On 20/09/2009 11:13, JoSH Lehan wrote:
> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up.  It requires *both* interfaces to be fully
> active before Shorewall will start.  If either is down, my firewall is
> DOA, requiring manual intervention.
>
> I was hoping to set up a dual WAN setup for redundancy and safety, and
> unfortunately instead, this makes it *more* brittle.
>
> 2) Shorewall is a one-shot deal: it exists just to configure the
> kernel's firewall settings.  There's no active monitor that can stay
> around and take care of things if either the cable or the DSL goes down.
> I've written a script that repeatedly pings both the cable and DSL
> connection, and attempts to give the command "ip route replace", with
> appropriate arguments, as needed.
>
> I'm wondering if there's a more Shorewall-friendly way to do this?  I've
> run into trouble before, when I mess with the routing table and
> Shorewall doesn't expect this.

If your DSL link goes down, your ppp0 device disappears, and the scripts 
in /etc/ppp/ip-down.d/ are executed so you can take the appropriate 
measures.


> 3) If the PPP modem goes down, the ppp0 device disappears entirely.
> That's unfortunate.  Is there a way to make it behave like the eth*
> devices, where they are allowed to be in "down" state and still exist as an
> active device within the kernel?
>
> The reason this is a requirement, is that the kernel will drop all
> routing and firewall rules associated with a device, when it disappears!
> So, if ppp0 disappears, it will later come back up... completely bare,
> as it will have no more firewall or router rules!  I need to manually
> restart Shorewall whenever this happens.
>
> It's really unfortunate that the developers of PPP in Linux chose to
> make the device disappear, instead of just keeping it around in a "down"
> state.  Because I have a *range* of IP addresses coming to me via PPP, I
> can't activate the built-in PPPoE protocol termination feature of the
> modem.  If I do this, then the modem takes over the IP addresses, and
> only gives me a single IP address from it.

Are you sure your modem can't take on its WAN side the 1st public IP
address, and then attribute on the LAN side one of the public IP
addresses from the public range?
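As an added example (not code from this thread or from the Shorewall project), here is the kind of hook the ip-down.d suggestion above leads to: on a PPP state change it picks a default route for whichever links are still up with `ip route replace`, then restarts Shorewall so ppp0 is not left bare when it returns. The interface names, the cable gateway address, the /sys operstate check and the DRY_RUN switch are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: drop a copy in /etc/ppp/ip-down.d/ and /etc/ppp/ip-up.d/.
# Assumed (constructed) names: cable on eth1 via 203.0.113.1, DSL on ppp0.
CABLE_IF=${CABLE_IF:-eth1}
CABLE_GW=${CABLE_GW:-203.0.113.1}
DSL_IF=${DSL_IF:-ppp0}
DRY_RUN=${DRY_RUN:-1}   # 1 = only echo the commands (safe to run offline)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# link_up IFACE -> 0 if the device exists and is up, 1 otherwise.
# A ppp device that has disappeared has no /sys entry at all, which is
# exactly the failure mode described in the thread.
link_up() {
  [ -e "/sys/class/net/$1/operstate" ] || return 1
  read -r st < "/sys/class/net/$1/operstate"
  [ "$st" = "up" ] || [ "$st" = "unknown" ]   # ppp devices report "unknown"
}

# choose_default CABLE_UP DSL_UP -> prints the ip(8) command to install.
# Both up: multipath default; one up: that link only; none: remove default.
choose_default() {
  case "$1$2" in
    11) echo "ip route replace default scope global nexthop via $CABLE_GW dev $CABLE_IF weight 1 nexthop dev $DSL_IF weight 1" ;;
    10) echo "ip route replace default via $CABLE_GW dev $CABLE_IF" ;;
    01) echo "ip route replace default dev $DSL_IF" ;;
    *)  echo "ip route del default" ;;
  esac
}

# Hook body: pppd runs the ip-up.d/ip-down.d scripts with $1 = interface.
# The kernel drops the routes and Shorewall's rules tied to ppp0 when it
# vanishes, so reinstall the default route and reload Shorewall afterwards.
on_ppp_state_change() {
  cable=0; dsl=0
  link_up "$CABLE_IF" && cable=1
  link_up "$DSL_IF" && dsl=1
  run $(choose_default "$cable" "$dsl")
  run shorewall restart
}

# Only act when invoked by pppd (script name ip-up*/ip-down*), so sourcing
# the file for the helper functions has no side effects.
case "${0##*/}" in
  ip-down*|ip-up*) on_ppp_state_change ;;
esac
```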

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users