On Mon, 26 Jul 2021 19:38:42 +0100
Norman and Audrey Henderson <norm.aud...@gmail.com> wrote:

> The interfaces of course require a gateway since they are not
> point-to-point.

You missed the point. Interface scripts must not add a gateway when you
do multi-isp. If you down/up an interface and the scripting adds a gateway,
then running shorewall reload actually needs to remove the gateway from the
main routing table. So you should not configure a gateway when using multi-isp.

So rule #1 - do not configure gateway.

> Today I disabled foolsm so I am sure those scripts are not doing
> anything. I cannot guess what other system component could be
> reacting to a change in interface status and creating a default route
> in table main - unless there is some misconfiguration in shorewall,
> but I don't see any evidence of that.

foolsm logs all its actions - if you suspect foolsm is changing your
interface status, you can see it in syslog.

> I have off.d and routable.d scripts in networkd-dispatcher, which end
> with shorewall reload. So as far as I am aware, any changes to
> interfaces would be caught by those scripts and shorewall reload will
> be run after the interface changes state.
> 
> Today I noted on the firewall running shorewall that (1) periodically
> a default route for the flaky interface, I believe actually totally
> down all day, would appear in table main (2) as a result the firewall
> could not ping out (unless specifying another interface) and no-one
> else on the network had outside access either (3) shorewall reload
> removes the offending default route and then everything works again.

If you have a gateway configured in interface scripting and you down/up
the interface, the gateway gets added to the main routing table. With
multi-isp you must not set the gateway from an interface script; the
correct place to configure it is in /etc/shorewall/providers.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
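
A check for the symptom discussed in this message, added here as an example and not part of the original e-mail or of Shorewall: it scans the output of `ip -4 route show table main` for default routes that leave through a provider interface. The function name, interface names and addresses are constructed, and it assumes, as the thread describes, that table main should hold no default route via a provider interface.

```shell
#!/bin/sh
# Added example (not from the thread). Flags default routes in table main
# that point out a multi-ISP provider interface, i.e. a gateway that
# interface scripting installed outside /etc/shorewall/providers.

# stray_defaults "<ip route output>" "<provider ifaces, space separated>"
# Prints "<iface> <gateway>" for each offending route ("-" if no gateway).
stray_defaults() {
    routes=$1
    providers=$2
    printf '%s\n' "$routes" | awk -v provs="$providers" '
        BEGIN {
            n = split(provs, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        # A default entry may be one line or a multipath block whose
        # "nexthop" lines follow it; track that we are inside one.
        $1 == "default" { indef = 1 }
        $1 != "default" && $1 != "nexthop" { indef = 0 }
        indef {
            dev = ""; via = "-"
            for (i = 1; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") via = $(i + 1)
            }
            if (dev in want) print dev, via
        }
    '
}

# Constructed sample of table main: eth0 and eth1 are the assumed provider
# interfaces, and eth1 has picked up a default route from its interface script.
SAMPLE_MAIN='default via 192.0.2.1 dev eth1 proto dhcp src 192.0.2.10 metric 100
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.10
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1'

found=$(stray_defaults "$SAMPLE_MAIN" "eth0 eth1")
if [ -n "$found" ]; then
    echo "default route(s) in table main via provider interface:"
    echo "$found"
fi
```

On a live firewall, pass `"$(ip -4 route show table main)"` as the first argument and the provider interfaces as the second.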
