Hi Angela, thanks for the answer.
I am installing the firewall and I decided to test with one ISP first.
I have this in my rtrules
#SOURCE DEST PROVIDER PRIORITY MASK
eth1 - ANTEL 1000
ppp0 - ADSL 1000
Is that what you have? Did you find something wrong in my lsm conf?
Thanks
On Thu, Mar 26, 2015 at 4:26 PM, Angela Williams <[email protected]> wrote:
> Hi
>
> On 26/03/2015 20:52, Nico Pagliaro wrote:
> > Hi, I am trying to have LSM working but I can't.
> > I can't get my .status files to change after I disconnect the UTP cable
> >
> > Shorewall 4.6.7 / centos 6
> >
> > I followed this doc in http://shorewall.net/MultiISP.html#lsm but it doesn't work
> > (I have changed a line that I think is wrong in the doc:
> >
> > /usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
> >
> > for this
> >
> > /usr/sbin/lsm *-c* /etc/lsm/lsm.conf >> /var/log/lsm
> >
> > Well, here is my conf:
> >
> > eth0=LAN
> >
> > eth1=ISP1 (Static IP)
> >
> > eth2=ISP2 (dynamic IP)
> >
> >
> > */etc/shorewall/params*
> >
> > ANTEL=eth1
> >
> > ADSL=ppp0
> >
> > */etc/shorewall/isusable*
> >
> >
> > local status=0
> > #
> > # Read the status file (if any) created by /etc/lsm/script
> > #
> > [ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
> >
> > return $status
> >
> >
> >
> > */etc/shorewall/lib.private*
> >
> > start_lsm() {
> > #
> > # Kill any existing lsm process(es)
> > #
> > killall lsm 2> /dev/null
> > #
> > # Create the Shorewall-specific part of the LSM configuration. This file is
> > # included by /etc/lsm/lsm.conf
> > #
> > # Avvanta has a static gateway while Comcast's is dynamic
> > #
> > cat <<EOF > /etc/lsm/shorewall.conf
> > connection {
> > name=ANTEL
> > checkip=201.217.149.169
> > device=$ANTEL
> > ttl=2
> > }
> >
> > EOF
> > #
> > # Since LSM assumes that interfaces start in the 'up' state, remove any
> > # existing status files that might have an interface in the down state
> > #
> > rm -f /var/lib/shorewall/*.status
> > #
> > # Run LSM -- by default, it forks into the background
> > #
> > /usr/sbin/lsm -c /etc/lsm/lsm.conf >> /var/log/lsm
> >
> > }
> >
> > */etc/shorewall/started*
> >
> > if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
> > start_lsm
> > fi
> >
> >
> > */etc/shorewall/restored*
> > if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
> > start_lsm
> > fi
> >
> >
> > */etc/lsm/lsm.conf*
> > debug=9
> >
> > #
> > # Defaults for the connection entries
> > #
> > #
> > # Defaults for the connection entries
> > #
> > defaults {
> > name=defaults
> > checkip=127.0.0.1
> > eventscript=/etc/lsm/script
> > max_packet_loss=20
> > max_successive_pkts_lost=7
> > min_packet_loss=5
> > min_successive_pkts_rcvd=10
> > interval_ms=2000
> > timeout_ms=2000
> > [email protected]
> > check_arp=0
> > sourceip=
> > ttl=0
> > }
> >
> > include /etc/lsm/shorewall.conf
> >
> > */etc/lsm/script*
> >
> > STATE=${1}
> > NAME=${2}
> > CHECKIP=${3}
> > DEVICE=${4}
> > WARN_EMAIL=${5}
> > REPLIED=${6}
> > WAITING=${7}
> > TIMEOUT=${8}
> > REPLY_LATE=${9}
> > CONS_RCVD=${10}
> > CONS_WAIT=${11}
> > CONS_MISS=${12}
> > AVG_RTT=${13}
> >
> > if [ -f /usr/share/shorewall-lite/lib.base ]; then
> > VARDIR=/var/lib/shorewall-lite
> > STATEDIR=/etc/shorewall-lite
> > TOOL=/sbin/shorewall-lite
> > else
> > VARDIR=/var/lib/shorewall
> > STATEDIR=/etc/shorewall
> > TOOL=/usr/sbin/shorewall
> > fi
> >
> > [ -f ${STATEDIR}/vardir ] && . ${STATEDIR}/vardir
> >
> > cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
> >
> > Hi,
> > Connection ${NAME} is now ${STATE}.
> >
> > Following parameters were passed:
> > newstate = ${STATE}
> > name = ${NAME}
> > checkip = ${CHECKIP}
> > device = ${DEVICE}
> > warn_email = ${WARN_EMAIL}
> >
> > Packet counters:
> > replied = ${REPLIED} packets replied
> > waiting = ${WAITING} packets waiting for reply
> > timeout = ${TIMEOUT} packets that have timed out (= packet loss)
> > reply_late = ${REPLY_LATE} packets that received a reply after timeout
> > cons_rcvd = ${CONS_RCVD} consecutively received replies in sequence
> > cons_wait = ${CONS_WAIT} consecutive packets waiting for reply
> > cons_miss = ${CONS_MISS} consecutive packets that have timed out
> > avg_rtt = ${AVG_RTT} average rtt, notice that waiting and timed out
> > packets have rtt = 0 when calculating this
> >
> > Your LSM Daemon
> >
> > EOM
> >
> > # Uncomment the next two lines if you are running Shorewall 4.4.x or earlier
> >
> > # [ ${STATE} = up ] && state=0 || state=1
> > # echo $state > ${VARDIR}/${DEVICE}.status
> >
> > $TOOL restart -f >> /var/log/lsm 2>&1
> >
> > $TOOL show routing >> /var/log/lsm
> >
> > exit 0
> >
> > #EOF
> >
> > */etc/shorewall/providers*
> > #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
> > ANTEL 1 1 - eth1 201.217.149.169 track,loose,balance=100
> > ADSL 2 2 - ppp0 detect track,loose,balance=1
> >
> >
> > *WHEN SHOREWALL STOPPED*
> >
> > *ll /var/lib/shorewall/*
> >
> > total 120
> > -rw-------. 1 root root 4 Mar 26 13:55 eth1_weight
> > -rwx------. 1 root root 87764 Mar 26 13:55 firewall
> > -rw-r--r--. 1 root root 88 Mar 25 11:48 lsm.conf
> > -rw-------. 1 root root 162 Mar 26 13:55 marks
> > -rw-------. 1 root root 226 Mar 26 13:55 policies
> > -rw-------. 1 root root 2 Mar 26 13:55 ppp0_weight
> > -rw-------. 1 root root 29 Mar 26 13:55 restarted
> > -rw-------. 1 root root 39 Mar 26 14:27 state
> > -rw-------. 1 root root 75 Mar 26 13:55 zones
> >
> > *ps ax | grep lsm*
> >
> > 5122 pts/0 S+ 0:00 grep lsm
> >
> >
> > *service shorewall start*
> > ps ax | grep lsm
> > 5499 ? Rs 0:03 /usr/sbin/lsm -c /etc/lsm/lsm.conf
> > 5506 pts/0 S+ 0:00 grep lsm
> >
> >
> > ll /var/lib/shorewall/
> >
> > -rw-------. 1 root root 38 Mar 26 14:31 default_route
> > -rw-------. 1 root root 2 Mar 26 14:31 eth1.status
> > -rw-------. 1 root root 4 Mar 26 14:31 eth1_weight
> > -rwx------. 1 root root 87764 Mar 26 14:31 firewall
> > -rw-r--r--. 1 root root 88 Mar 25 11:48 lsm.conf
> > -rw-------. 1 root root 162 Mar 26 14:31 marks
> > -rw-------. 1 root root 0 Mar 26 14:31 nat
> > -rw-------. 1 root root 226 Mar 26 14:31 policies
> > -rw-------. 1 root root 2 Mar 26 14:31 ppp0.status
> > -rw-------. 1 root root 2 Mar 26 14:31 ppp0_weight
> > -rw-------. 1 root root 0 Mar 26 14:31 proxyarp
> > -rw-------. 1 root root 29 Mar 26 14:31 restarted
> > -rw-------. 1 root root 60 Mar 26 14:31 state
> > -rw-------. 1 root root 271 Mar 26 14:31 undo_ADSL_routing
> > -rw-------. 1 root root 271 Mar 26 14:31 undo_ANTEL_routing
> > -rw-------. 1 root root 68 Mar 26 14:31 undo_balance_routing
> > -rw-------. 1 root root 0 Mar 26 14:31 undo_default_routing
> > -rw-------. 1 root root 134 Mar 26 14:31 undo_main_routing
> > -rw-------. 1 root root 75 Mar 26 14:31 zones
> >
> >
> >
> > The ISP1 cable is disconnected but when I do
> >
> > cat /var/lib/shorewall/eth1.status
> > 0
> >
> > Is this correct?
> > Thomas can you give me a hand on this?
> >
>
> It appears that you are only monitoring the ANTEL link and not the ADSL
> as well!!
>
> My setups monitor each internet connection and not just to the first hop
> but to two or more stable servers. I use fixed routing to force the
> packets the right way. Not elegant but it works!
>
>
>
> Ang
>
> --
> Angela Williams
> angierfw at gmail dot com
> Linux/Networking Hacker
> Blog http://angierfw.wordpress.com
>
> Smile! Yahshua Loves You!
>
>
>
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
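
Added example, not part of the original thread: Angela's reply notes that only the ANTEL link has an LSM connection block. The check below lists every provider in a Shorewall providers file that has no matching connection block in the LSM configuration; the file contents are constructed samples modeled on the quoted configuration, and the function names are hypothetical.

```shell
# Added example: report Shorewall providers that LSM is not monitoring.
# Assumes NAME is column 1 of the providers file and that LSM uses
# "connection { name=... }" blocks as in the thread. Function names are made up.

provider_names() {            # column 1 of every non-comment, non-empty line
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

lsm_connection_names() {      # name= of each connection block; skips defaults
    awk '
        /^[ \t]*connection[ \t]*[{]/ { in_conn = 1; next }
        /^[ \t]*[}]/                 { in_conn = 0; next }
        in_conn && /^[ \t]*name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }
    ' "$1"
}

unmonitored_providers() {     # $1 = providers file, $2 = LSM config
    monitored=$(lsm_connection_names "$2")
    for p in $(provider_names "$1"); do
        printf '%s\n' "$monitored" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

demo() {                      # constructed sample files modeled on the thread
    dir=$(mktemp -d) || return 1
    cat > "$dir/providers" <<'EOF'
#NAME  NUMBER MARK DUPLICATE INTERFACE GATEWAY         OPTIONS
ANTEL  1      1    -         eth1      201.217.149.169 track,loose,balance=100
ADSL   2      2    -         ppp0      detect          track,loose,balance=1
EOF
    cat > "$dir/shorewall.conf" <<'EOF'
defaults {
    name=defaults
}
connection {
    name=ANTEL
    checkip=201.217.149.169
    device=eth1
}
EOF
    unmonitored_providers "$dir/providers" "$dir/shorewall.conf"
    rm -rf "$dir"
}

demo
```

Run against the real files, the two arguments would be /etc/shorewall/providers and the generated /etc/lsm/shorewall.conf.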