I have a rather complex configuration (thanks Tom for the great flexibility of Shorewall!) with three ISP connections, two separate LAN zones, a DMZ and a vpn zone (OpenVPN server for road warriors running on the firewall).
Initially I tried to force the use of one of the ISPs for specific protocols and/or source addresses in the loc zone, with limited success (maybe something wrong in my configuration files).

Today I revised the configuration, following the "Complete Working Example" of Tom's network in early 2009 (http://www.shorewall.net/MultiISP.html#Complete), but I can't find the tcrules file in the example and I'm not sure that mine is correct.

Specifically, I need a confirmation about the MARK field in providers: in the example it's above 0xFF (so I assume HIGH_ROUTE_MARKS=Yes in shorewall.conf) and I can't understand from the documentation if I need to use 0x100, 0x200 and so on MARKs also in tcrules or not (in all the examples I found I always see 1, 2 and similar low values).

Anyway, I decided not to use HIGH_ROUTE_MARKS (like in the "fall 2008" example) so that the MARKs are always 1, 2 and 3, and I am using route_rules to force certain loc IP ranges to use provider 1, and tcrules (with MARK 1 without :P or other chain specifiers) to force specific protocols on provider 1. I have no specific need for shaping, so tcclasses is empty and tcdevices only specifies the out-bandwidth.

Before going into more details (contents of the configuration files and dumps) I would like to understand if what I did is reasonable.

Thanks for any help

Elio
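The consistency question raised above (provider MARK values versus the marks used in tcrules) can be checked mechanically. The following is an added example, not part of the original post or of Shorewall: a small lint over constructed sample files. It assumes the MARK ranges given in shorewall-providers(5), that every tcrules entry is a plain numeric routing mark (no shaping marks, since tcclasses is empty), and placeholder provider names, interfaces and addresses.

```python
"""Lint: every routing mark used in tcrules must match a provider MARK."""

# Constructed sample files in Shorewall's column layout; names, interfaces
# and addresses are placeholders, not the poster's configuration.
PROVIDERS = """\
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
isp1   1       1     main       eth0       detect   track,balance
isp2   2       2     main       eth1       detect   track,balance
isp3   3       3     main       eth2       detect   track,balance
"""
TCRULES = """\
#MARK  SOURCE         DEST       PROTO  DEST PORT(S)
1      192.0.2.0/24   0.0.0.0/0  tcp    25
0x100  192.0.2.0/24   0.0.0.0/0  tcp    443
"""

def rows(text):
    """Yield whitespace-split columns of non-comment, non-blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def mark_range_ok(mark, high_route_marks):
    """Provider MARK range (assumed from shorewall-providers(5))."""
    if high_route_marks:
        # Multiple of 256 between 0x100 and 0xFF00, low byte zero.
        return 0x100 <= mark <= 0xFF00 and mark & 0xFF == 0
    return 1 <= mark <= 255

def lint(providers, tcrules, high_route_marks=False):
    """Return a list of findings; an empty list means the files agree."""
    findings, marks = [], {}
    for cols in rows(providers):
        name, mark = cols[0], int(cols[2], 0)
        if not mark_range_ok(mark, high_route_marks):
            findings.append(f"provider {name}: MARK {mark:#x} out of range")
        marks[mark] = name
    for cols in rows(tcrules):
        value = int(cols[0].split(":")[0], 0)  # drop a :P / :F chain designator
        if value not in marks:
            findings.append(f"tcrules: mark {value:#x} matches no provider")
    return findings

if __name__ == "__main__":
    for finding in lint(PROVIDERS, TCRULES):
        print(finding)
```

A tcrules mark that matches no provider MARK selects no provider routing table, which is the failure the second sample rule is constructed to show.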
