> No it's not good -- it is just working now until the next failure.
> Please forward your lsm.conf file and the output of 'shorewall show
> routing' with both providers up.
>
> -Tom
Yes, I knew it was not good to go (still scratching my head).
lsm 0.130-1
lsm.conf
#
# (C) 2009 Mika Ilmaranta <[email protected]>
#
# License: GPLv2
#
#
# Debug level: 0 .. 8 are normal, 9 gives lots of stuff and 100 doesn't
# bother to detach
#
#debug=10
debug=9
#debug=8
#
# Defaults for the connection entries
#
defaults {
name=defaults
checkip=127.0.0.1
eventscript=/etc/lsm/script
notifyscript=
max_packet_loss=15
max_successive_pkts_lost=7
min_packet_loss=5
min_successive_pkts_rcvd=10
interval_ms=1000
timeout_ms=1000
[email protected]
check_arp=0
sourceip=
# if using ping probes for monitoring only then defaults should
# not define a default device for packets to autodiscover their path
# to destination
# device=eth0
# use system default ttl
ttl=0
# assume initial up state at lsm startup (1 = up, 0 = down, 2 = unknown (default))
# status=1
}
#
# Some example connections are found in lsm.conf.sample
#
include /etc/lsm/shorewall.conf
#EOF
lsm script
#!/bin/sh
#
# (C) 2009 Mika Ilmaranta <[email protected]>
# (C) 2009 Tom Eastep <[email protected]>
#
# License: GPLv2
#
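# lsm event script: mails a status report for the connection whose state
# changed, then enables or disables the matching Shorewall provider.
#
# Positional arguments, in the order this script reads them:
#   $1 new state      $2 connection name   $3 checkip    $4 device
#   $5 warn_email     $6..$9 packet counters             $10..$12 consecutive
#   counters          $13 average rtt
STATE=${1}
NAME=${2}
CHECKIP=${3}
DEVICE=${4}
WARN_EMAIL=${5}
REPLIED=${6}
WAITING=${7}
TIMEOUT=${8}
REPLY_LATE=${9}
CONS_RCVD=${10}
CONS_WAIT=${11}
CONS_MISS=${12}
AVG_RTT=${13}

# Choose the Shorewall-lite paths when its lib.base is installed, otherwise
# the full Shorewall paths.
if [ -f /usr/share/shorewall-lite/lib.base ]; then
  VARDIR=/var/lib/shorewall-lite
  STATEDIR=/etc/shorewall-lite
else
  VARDIR=/var/lib/shorewall
  STATEDIR=/etc/shorewall
fi

# The optional vardir file is sourced into this shell (it may override
# VARDIR), so it executes with this script's privileges; keep it writable
# only by the administrator.
[ -f "${STATEDIR}/vardir" ] && . "${STATEDIR}/vardir"

# Send the report only when a recipient was passed. The address is quoted so
# it reaches mail as exactly one argument.
# NOTE(review): assumes warn_email holds a single address; confirm if a list
# of recipients is configured.
if [ -n "${WARN_EMAIL}" ]; then
  mail -s "${NAME} ${STATE}, DEV ${DEVICE}" "${WARN_EMAIL}" <<EOM
Hi,
Connection ${NAME} is now ${STATE}.
Following parameters were passed:
newstate = ${STATE}
name = ${NAME}
checkip = ${CHECKIP}
device = ${DEVICE}
warn_email = ${WARN_EMAIL}
Packet counters:
replied = ${REPLIED} packets replied
waiting = ${WAITING} packets waiting for reply
timeout = ${TIMEOUT} packets that have timed out (= packet loss)
reply_late = ${REPLY_LATE} packets that received a reply after timeout
cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence
cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
cons_miss = ${CONS_MISS} consecutive packets that have timed out
avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out
packets have rtt = 0 when calculating this
Your LSM Daemon
EOM
fi

# Any state other than the literal "up" (including an empty one) takes the
# disable branch. All expansions are quoted so an empty or unusual value
# cannot split into extra words or break the test.
if [ "${STATE}" = up ]; then
  # Uncomment the next line if you are running Shorewall 4.4.x or earlier:
  # echo 0 > "${VARDIR}/${DEVICE}.status"
  "${VARDIR}/firewall" enable "${DEVICE}"
else
  # Uncomment the next line if you are running Shorewall 4.4.x or earlier:
  # echo 1 > "${VARDIR}/${DEVICE}.status"
  "${VARDIR}/firewall" disable "${DEVICE}"
fi

# Append the resulting routing state to the lsm log for later diagnosis.
/sbin/shorewall show routing >> /var/log/lsm

# Always report success to the caller, whatever the commands above returned.
exit 0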
#EOF
shorewall show routing
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from all to 192.168.100.0/24 lookup main
1000: from all to 10.199.7.0/24 lookup main
10000: from all fwmark 0x100/0xff00 lookup rea
10001: from all fwmark 0x200/0xff00 lookup com
20000: from 205.134.193.138 lookup rea
20000: from 50.78.47.90 lookup com
32765: from all lookup balance
32767: from all lookup default
Table balance:
default via 50.78.47.94 dev eth1
Table com:
50.78.47.94 dev eth1 scope link src 50.78.47.90
default via 50.78.47.94 dev eth1 src 50.78.47.90
Table default:
205.134.193.137 dev eth0 scope link
default via 205.134.193.137 dev eth0 src 205.134.193.138 metric 1
Table local:
local 50.78.47.90 dev eth1 proto kernel scope host src 50.78.47.90
local 205.134.193.138 dev eth0 proto kernel scope host src 205.134.193.138
local 172.16.2.1 dev tun0 proto kernel scope host src 172.16.2.1
local 172.16.100.1 dev tun2 proto kernel scope host src 172.16.100.1
local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 10.20.227.1 dev vlan10 proto kernel scope host src 10.20.227.1
local 10.19.227.20 dev eth3 proto kernel scope host src 10.19.227.20
broadcast 50.78.47.95 dev eth1 proto kernel scope link src 50.78.47.90
broadcast 50.78.47.88 dev eth1 proto kernel scope link src 50.78.47.90
broadcast 205.134.193.143 dev eth0 proto kernel scope link src 205.134.193.138
broadcast 205.134.193.136 dev eth0 proto kernel scope link src 205.134.193.138
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.20.227.255 dev vlan10 proto kernel scope link src 10.20.227.1
broadcast 10.20.227.0 dev vlan10 proto kernel scope link src 10.20.227.1
broadcast 10.19.227.255 dev eth3 proto kernel scope link src 10.19.227.20
broadcast 10.19.227.0 dev eth3 proto kernel scope link src 10.19.227.20
Table main:
50.78.47.94 dev eth1 scope link src 50.78.47.90
205.134.193.137 dev eth0 scope link src 205.134.193.138
172.16.2.2 dev tun0 proto kernel scope link src 172.16.2.1
172.16.100.2 dev tun2 proto kernel scope link src 172.16.100.1
50.78.47.88/29 dev eth1 proto kernel scope link src 50.78.47.90
205.134.193.136/29 dev eth0 proto kernel scope link src 205.134.193.138
192.168.100.0/24 via 172.16.2.2 dev tun0
10.4.138.0/24 via 10.19.227.254 dev eth3
10.20.227.0/24 dev vlan10 proto kernel scope link src 10.20.227.1
10.199.7.0/24 via 172.16.100.2 dev tun2
10.194.244.0/24 via 10.19.227.254 dev eth3
10.192.139.0/24 via 10.19.227.254 dev eth3
10.19.227.0/24 dev eth3 proto kernel scope link src 10.19.227.20
10.143.99.0/24 via 10.19.227.254 dev eth3
10.10.182.0/24 via 10.19.227.254 dev eth3
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
Table rea:
205.134.193.137 dev eth0 scope link src 205.134.193.138
default via 205.134.193.137 dev eth0 src 205.134.193.138
Gate:~ #