On 01/04/2013 09:23 AM, f q wrote:
> I installed and configured shorewall-init (PRODUCTS="shorewall",
> IFUPDOWN=1, etc), in the "stable" repository (4.4.11.6-1). This had
> no effect on the process previously described. I assume a more recent
> version of shorewall / shorewall-init would help going forward.
>
> I'll be pursuing that, on another OS, as soon as I can get it up and running.
>
> On 1/3/13, Tom Eastep <[email protected]> wrote:
>> On 01/03/2013 12:51 PM, f q wrote:
>>> "If you used 'balance' for tun0 and 'fallback' for eth0, that wouldn't
>>> happen. Note that you must also set 'routefilter=0' on both interfaces
>>> in /etc/shorewall/interfaces, if you chose to take that approach."
>>>
>>> #providers
>>>
>>> #NAME      NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS
>>> loc        1      1    -         eth0      192.168.0.1 track,fallback=1
>>> iPredator  2      2    -         tun0      -           track,balance=2
>>>
>>> #interfaces
>>>
>>> #ZONE INTERFACE BROADCAST OPTIONS
>>> net   eth0      detect    dhcp,tcpflags,nosmurfs,routefilter=0,logmartians,required
>>> vpn   tun0      detect    optional,routefilter=0
>>>
>>> I completed the above steps, which caused some odd behavior:
>>>
>>> 1) When already connected to OpenVPN, the VPN functioned as expected
>>> 2) When disconnecting from the VPN, traffic was routed through eth0
>>> through my default connection (seemingly ignoring all the work with
>>> providers / tcrules / etc)
>>> 3) When reconnecting to the OpenVPN my traffic continued through my
>>> default connection, ignoring the VPN entirely!
>>> 4) Disconnecting from the VPN, applying the firewall and reconnecting
>>> now allows no traffic to exit my firewall at all!
>>> 5) Disconnecting from the VPN when in state (4), will allow traffic,
>>> but then only through my default connection.
>>>
>>> Reverting to previous, semi-working configuration.
>>
>> You'll never get any of this to work right until you install
>> shorewall-init.

But 4.5.11.6 Shorewall-init is pretty broken...

Roberto Sanchez maintains a Squeeze repo that has Shorewall 4.5.5.x (the
version going into Wheezy). It is linked from the Shorewall Download page.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
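
A check for the condition in the advice quoted at the top of the thread (providers using 'balance' or 'fallback' need 'routefilter=0' on their interfaces), as an added example that is not part of the thread or of Shorewall itself. It assumes the column layouts shown in the quoted files and treats only an explicit routefilter=0 as satisfying the advice; the function names and the second interfaces sample are constructed for illustration.

```python
def parse_rows(text):
    """Split a Shorewall-style file into whitespace-separated rows, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def options(field):
    """Turn 'track,balance=2' into {'track': None, 'balance': '2'}."""
    opts = {}
    for item in field.split(","):
        if item and item != "-":
            key, _, value = item.partition("=")
            opts[key] = value or None
    return opts

def check_routefilter(providers_text, interfaces_text):
    """Return (provider, interface) pairs that use balance/fallback without routefilter=0."""
    iface_opts = {}
    for row in parse_rows(interfaces_text):
        # Columns as quoted in the thread: ZONE INTERFACE BROADCAST OPTIONS
        iface_opts[row[1]] = options(row[3]) if len(row) > 3 else {}
    problems = []
    for row in parse_rows(providers_text):
        # Columns as quoted: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
        if len(row) < 7:
            continue
        name, iface, popts = row[0], row[4], options(row[6])
        if not ({"balance", "fallback"} & popts.keys()):
            continue
        # Assumption: a missing option is treated as "not set to 0".
        if iface_opts.get(iface, {}).get("routefilter") != "0":
            problems.append((name, iface))
    return problems

# The two files as quoted in the thread.
PROVIDERS = """\
loc        1 1 - eth0 192.168.0.1 track,fallback=1
iPredator  2 2 - tun0 -           track,balance=2
"""
INTERFACES = """\
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter=0,logmartians,required
vpn tun0 detect optional,routefilter=0
"""
# Constructed variant: tun0 without routefilter=0.
INTERFACES_MISSING = INTERFACES.replace("optional,routefilter=0", "optional")
```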
