From: Tom E. <te...@sh...> - 2015-02-18 18:55:26
On 2/16/2015 2:45 PM, sho...@io... wrote:
>> From: Tom Eastep [mailto:te...@sh...]
>> Sent: Monday, 16 February 2015 19:00
>>
>> On 2/15/2015 3:27 PM, sho...@io... wrote:
>>> Hello,
>>>
>>> I'm updating some shorewall firewalls from CentOS6 to CentOS7. They
>>> have multiple internet providers.
>>> With CentOS6 kernel, routes were cached, and the same target was
>>> always reached via the same internet provider and the same IP. In
>>> linux-3.6, routing cache was removed, and I'm facing problems in
>>> CentOS7 accessing services which track where a client is coming from.
>>> The routing cache solution was sub-optimal, since all the sources were
>>> going to use the same provider to access the same host, but it did
>>> work. I worked around the problem by statically defining which
>>> provider to use to access the problematic services, changing the
>>> provider when needed (see LSM 0.178 and 0.179). But again this solution
>>> is not optimal.
>>> So, is it possible in Shorewall to make sure that the same triplet
>>> (source ip, dest ip, dest port) will always go with the same provider?
>>>
>>
>> Have you looked at the SAME action in the mangle/tcrules file?
>
> Unfortunately no; I'll do it now.
> But I fear 300 seconds timeout can be too low. Take for example an
> application like a webmail: one can easily return to it after an hour or so,
> and it could be annoying if it requires a new authentication almost every
> time. I think it should not be much difficult to add an argument to SAME
> representing the timeout, if I find it is really needed.
>
> Anyway, it could be nice to have the ability to assign addresses/ports to
> ipsets in mangle, like we do to mark packets (low priority, kind feature
> request).

Both features will be in 4.6.7 Beta 1.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
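The exchange above hinges on how an idle timeout interacts with "sticky" provider selection: once the affinity entry for a (source ip, dest ip, dest port) triplet expires, the next connection may be assigned a different provider, and a service that tracks client source addresses sees a new client. The following Python model, added here as an illustration and not Shorewall's own code, shows the webmail case the poster describes. It assumes an entry is keyed on the triplet, is refreshed by every matching packet (an idle timeout), and that a triplet with no live entry is assigned the next provider round-robin; the `ProviderAffinity` class, the `webmail_scenario` function and the 192.0.2.x/198.51.100.x addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (source ip, dest ip, dest port), the triplet the thread asks to keep on one provider
Triplet = Tuple[str, str, int]


@dataclass
class ProviderAffinity:
    """Simplified model of sticky provider selection with an idle timeout.

    This is an illustration of the idea behind a SAME-style rule, not a
    reimplementation of Shorewall. Assumptions: each entry carries a
    last-seen time, every hit refreshes it, and a triplet without a live
    entry is assigned the next provider round-robin.
    """
    providers: List[str]
    timeout: float = 300.0          # seconds of idleness before an entry is dropped
    table: Dict[Triplet, Tuple[str, float]] = field(default_factory=dict)
    expired: int = 0                # how many times a stale entry was replaced
    _next: int = 0                  # round-robin cursor for new assignments

    def select(self, src: str, dst: str, dport: int, now: float) -> str:
        """Return the provider for this triplet at time `now`, refreshing or creating its entry."""
        key = (src, dst, dport)
        entry = self.table.get(key)
        if entry is not None:
            provider, last_seen = entry
            if now - last_seen <= self.timeout:
                self.table[key] = (provider, now)   # still live: refresh and keep the provider
                return provider
            self.expired += 1                       # idle too long: the affinity is lost
        provider = self.providers[self._next % len(self.providers)]
        self._next += 1
        self.table[key] = (provider, now)
        return provider


def webmail_scenario(timeout: float) -> List[str]:
    """Constructed session: login, a click two minutes later, then a return after an hour.

    Returns the provider chosen for each of the three connections.
    """
    aff = ProviderAffinity(["isp1", "isp2"], timeout)
    events = [0.0, 120.0, 3720.0]
    return [aff.select("192.0.2.10", "198.51.100.20", 443, t) for t in events]


if __name__ == "__main__":
    # With the 300 s default the third connection leaves via a different provider;
    # with a two-hour timeout the whole session stays on isp1.
    print("timeout=300 :", webmail_scenario(300))
    print("timeout=7200:", webmail_scenario(7200))
```

The point of the model is the third connection: with a 300-second idle timeout the entry created at login has been gone for almost an hour by the time the user returns, so the round-robin fallback hands the triplet to the other provider and the server sees a new source address. Raising the timeout past the longest idle gap you expect (here two hours) keeps the session on one provider, which is exactly the knob the poster asked for.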