--- On Tue, 9/18/12, Tom Eastep <[email protected]> wrote:
> > Maybe I'm saying something completely absurd and wrong > so please bear with me. > > Since both the client and server are right behind > shorewall routers at both ends, would it make sense to > block/drop ICMP altogether in order to avoid error messages > and break connections? > > Let's back up a little. How do you plan to detect link > failures and what > will you do when a failure is detected? I would do something like: http://www.shorewall.net/MultiISP.html#LinkMonitor ('fallback' provider) I was thinking of detecting link failures with anything else but pings. Maybe issuing 'arp -d <ip_addr_to_monitor> ; arp <ip_addr_to_monitor>'. If arp doesn't resolve a MAC address (should be able to in my network example) then I'm assuming that the 'net1' link is dead. Vieri ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
