Shorewall 4.4 is running on a gateway machine with 2 providers, and also running squid and pppd. I have two related problems. One is that I've never been able to get "balance,track" working for both interfaces, and thus can't use "routefilter" for both. The 2nd problem is web access from the Shorewall machine itself.
The two external interfaces are eth0 (T1) and ppp0. PPP0 is a DSL modem in bridging mode. It needs "TCPMSS clamp to PMTU". I wasn't able to get it working with the "balance" option on both interfaces. So we have providers:"balance" only on the DSL and interfaces:"routefilter" only on eth0. Apparently this causes PPP0 to be the default route, which seems to also cause all packets to get their MSS set.

If I add balance and routefilter where they're missing, I get lots of these:

    Sep 29 11:02:45 charcoal kernel: [319681.436182] martian source 206.80.216.107 from 69.63.184.142, on dev ppp0

masq looks like:

    lo      0.0.0.0/0       127.0.0.1       tcp     3128
    ppp0    0.0.0.0/0
    eth0    0.0.0.0/0       detect

The 2nd problem is squid. I *was* able to get locally-generated HTTP requests working, but only using a kludge:

rules:

    ACCEPT      loc:lo  all
    REDIRECT    fw      3128    tcp     www     -       !192.168.1.254  -       !proxy

interfaces:

    loc     lo      detect  routefilter,logmartians,tcpflags,nosmurfs

As far as I know, lo shouldn't need to be listed in any file. If I don't add interfaces:"lo", then I can't add it to "masq", and packets redirected to 3128 have the (dynamic) source address of the ppp0 interface (due to default route?). That's of course not found in squid.conf, so it rejects the request.

Does anyone have any suggestions for either problem?

Justin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users