On 11/05/12 15:31, Tom Eastep wrote:
> Beta 1 is now available for testing.
>
> Problems Corrected:
>
> 1)  Previously, nested conditionals did not work correctly in all
>       cases. In particular:
>
>       ?IF $FALSE
>           ?IF $FALSE
>              foo
>              bar
>           ?ENDIF
>           baz
>           bop
>       ?ENDIF
>
>       In this case, the lines 'baz' and 'bop' were incorrectly included
>       when they should have been omitted.
>
> New Features:
>
> 1)  The TPROXY tcrules action introduced in Shorewall 4.4.7 was
>       incomplete and required additional logic to be added in the 'start'
>       or 'started' extension scripts.
>
>       In this release, the TPROXY implementation has been changed and an
>       additional DIVERT action has been created. Because the new TPROXY
>       has a different set of parameters than the prior one, the tcrules
>       file now supports two formats:
>
>       FORMAT 1 - (default, deprecated)
>
>           The TPROXY action allows three arguments, the first of which
>           ('mark') is required.
>
>       FORMAT 2
>
>               The TPROXY action has two optional arguments:
>
>           port -- the port on which the proxy is listening. While
>                   this argument is optional, it will normally be
>                   supplied.
>
>           ip address -- The address on which the proxy is listening.
>
>       The format is specified by a line like this:
>
>               FORMAT {1|2}
>
>       The Sample configurations have been updated to use FORMAT 2.
>
>       The format-2 tcrules file also supports the DIVERT action. The
>       DIVERT action directs matching packets to the local system if there
>       is a transparent socket in the local system that matches the
>       destination of the packet.
>
>       Finally, the providers file supports a new 'tproxy' option. When
>       'tproxy' is specified:
>
>       - It must be the only OPTION given
>       - The MARK, DUPLICATE and GATEWAY columns must be empty.
>
>       The 'tproxy' option causes a reserved mark value to be associated
>       with the provider and for its associated routing rule to have
>       priority 1.
>
>       Here is the TPROXY configuration at shorewall.net:
>
>       tcrules:
>
>         FORMAT 2
>         #ACTION                       SOURCE  DEST    PROTO   DEST    SOURCE
>         #                                                     PORT(S) PORT(S)
>         ...
>         DIVERT                        eth1    -       tcp     -       80
>         DIVERT                        eth0    -       tcp     -       80
>         TPROXY(3129,172.20.1.254)     eth2    -       tcp     80
>
>         Note: eth1 and eth0 are Internet interfaces and eth2 connects to      
>           the local LAN.
>
>       providers:
>
>         #NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY        OPTIONS
>         ...
>         Squid  3          -    -          lo       -          tproxy
>
>       /etc/squid3/squid.conf:
>
>           ...
>       http_port 172.20.1.254:3129 tproxy
>           ...
>
> Thank you for testing,
> -Tom
Hi all, hi Tom

I am using 2 providers in the same ethernet (realm). In that case, is
it OK to set the following?

  tcrules:

        FORMAT 2
        #ACTION                 SOURCE                  DEST    PROTO   DEST    SOURCE
        #                                                               PORT(S) PORT(S)
        ...
        DIVERT                  eth4:192.168.150.199    -       tcp     -       80
        DIVERT                  eth4:192.168.150.200    -       tcp     -       80
        DIVERT                  eth6                    -       tcp     -       80
        TPROXY(3129,x.x.x.x)    eth2                    -       tcp     80

/etc/shorewall/providers

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE               GATEWAY          OPTIONS                          COPY
cyber2  2       2       main            eth4:192.168.150.99     192.168.150.199  track,loose,balance=10,mtu=1492
cyber3  3       3       main            eth4:192.168.150.99     192.168.150.200  track,loose,balance=8,mtu=1492
silica  4       4       main            eth6                    186.0.x.x        track,balance=2,mtu=1500


Thanks for the great work, Tom. I had a few nightmare nights with TPROXY
before, trying to make it work.

Ricardo.
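
The rules stated in the quoted release notes (the 'tproxy' provider constraints and the per-FORMAT TPROXY/DIVERT usage) can be checked mechanically before a restart. The sketch below is an added example, not part of either message and not Shorewall code; the function names `check_providers` and `check_tcrules` and the sample lines are hypothetical, and treating DIVERT as FORMAT 2 only is a reading of the notes.

```python
import re

def check_providers(text):
    """Return (provider, problem) pairs for entries that break the 'tproxy' rules."""
    problems = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        opts = cols[6].split(",") if len(cols) >= 7 else []
        if "tproxy" not in opts:  # also skips comments, blanks and "..." lines
            continue
        if opts != ["tproxy"]:
            problems.append((cols[0], "tproxy must be the only OPTION"))
        # "-" marks an empty column, as in the sample from the release notes
        for col, idx in (("MARK", 2), ("DUPLICATE", 3), ("GATEWAY", 5)):
            if cols[idx] != "-":
                problems.append((cols[0], col + " must be empty"))
    return problems

def check_tcrules(text):
    """Return (line number, problem) pairs for TPROXY/DIVERT misuse per FORMAT."""
    fmt, problems = 1, []  # FORMAT 1 is the default
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split() or [""]
        if cols[0] == "FORMAT" and len(cols) > 1:
            fmt = int(cols[1])
        m = re.fullmatch(r"TPROXY(?:\((.*)\))?", cols[0])
        if m:
            args = m.group(1).split(",") if m.group(1) else []
            if fmt == 2 and len(args) > 2:
                problems.append((n, "FORMAT 2 TPROXY takes only port and ip address"))
            elif fmt == 1 and not (1 <= len(args) <= 3 and args[0]):
                problems.append((n, "FORMAT 1 TPROXY requires a mark, three arguments at most"))
        elif cols[0] == "DIVERT" and fmt != 2:  # assumption: DIVERT is FORMAT 2 only
            problems.append((n, "DIVERT needs FORMAT 2"))
    return problems

# Constructed sample input (not taken from a real system).
PROVIDERS = """\
#NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid  3      -    -         lo        -       tproxy
Bad    4      4    main      lo        -       tproxy,track
"""
TCRULES = """\
DIVERT                      eth0 - tcp - 80
FORMAT 2
DIVERT                      eth0 - tcp - 80
TPROXY(3129,172.20.1.254)   eth2 - tcp 80
TPROXY(1,3129,172.20.1.254) eth2 - tcp 80
"""
```

On the constructed samples, `check_providers(PROVIDERS)` flags only the `Bad` entry, and `check_tcrules(TCRULES)` flags line 1 (DIVERT before `FORMAT 2`) and line 5 (a format-1 style TPROXY in a format-2 file).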





