From: Vikas K. <vkh...@im...> - 2005-09-27 07:47:44
Hi,

I have set up a box with shorewall and squid working as a transparent proxy. The setup is:

eth0 : local network
eth1 : ISP 1
eth2 : ISP 2

I am currently using eth0 and eth1 and it is working fine. Now I want to use the second ISP configured on eth2 and load balance the bandwidth. I had tried to configure multiple ISPs using entries in the providers file, but at that time it did not work. Please guide me to configure multiple ISPs in a step by step method.

Thanks in advance..
Vikas
From: Jerry V. <jv...@sh...> - 2005-09-27 13:10:41
> I am currently using eth0 and eth1 and it is working fine. now I want to use
> the second ISP configured on eth2 and load balance the bandwidth. I had tried
> to configure multiple isp using entries in providers file but at that time it
> did not work.

Can you post the config files that you tried, and where does the squid box live, on the firewall?

Jerry
From: Vikas K. <vkh...@im...> - 2005-09-27 13:18:50
Yes, squid is on the firewall itself. I had put two lines in the providers file:

ISP1 1 1 main eth1 gateway address track,balance
ISP2 2 2 main eth2 gateway address track,balance

Do I need to modify some other files?

--Vikas
From: Eduardo F. <du...@ic...> - 2005-09-27 13:25:01
Vikas wrote on 27/09/2005 10:13:28:
> yes, squid is on the firewall itself,
> I had put two lines in provider file
> ISP1 1 1 main eth1 gateway address track,balance
> ISP2 2 2 main eth2 gateway address track,balance
>
> do I need to modify some other files.

How is squid configured? Is there a tcp_outgoing_address directive?
From: Vikas K. <vkh...@im...> - 2005-09-27 13:30:43
> How is squid configured? Is there a tcp_outgoing_address directive?

I need to configure multiple ISPs first. Squid is stopped. What files do I need to modify??

Regards,
Vikas
From: Jerry V. <jv...@sh...> - 2005-09-27 13:37:09
> yes, squid is on the firewall itself,
> I had put two lines in provider file
> ISP1 1 1 main eth1 gateway address track,balance
> ISP2 2 2 main eth2 gateway address track,balance
>
> do I need to modify some other files.

Maybe, let's start here, with this:

ISP1 1 1 main eth1 <gateway address> track,balance eth0
ISP2 2 2 main eth2 <gateway address> track,balance eth0

Jerry
From: Vikas K. <vkh...@im...> - 2005-09-27 14:17:57
> Maybe, lets start here, with this:
>
> ISP1 1 1 main eth1 <gateway address> track,balance eth0
> ISP2 2 2 main eth2 <gateway address> track,balance eth0

It seems I was missing the eth0 option in the COPY section. Now at least this machine is routing packets. How can I check if it is actually load balancing the links? Also, one of the links is an E1 and the second is 512 kbps. I want to set priority for the links. Can I set balance=4 for eth1 and balance=1 for eth2?

I really appreciate your help.
Vikas
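Checking whether the kernel really balances, as Vikas asks above: this is an added example, not code from the thread or from Shorewall. It reads the main routing table (where a providers file with `balance` on both links leaves a multipath default route) and reports each next hop's share of new flows. The interface names follow the thread; the gateway addresses, the 4:1 weights and the sample route listing are constructed.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: confirm what the kernel actually
# installed for the balanced default route and how the load is split.
# Interface names follow the thread (eth1 = ISP 1, eth2 = ISP 2); the sample
# route listing below is constructed, with documentation-prefix gateways.

# Print "dev weight" for each nexthop of the default route read from stdin
# (the output of `ip route show table main`). A single-nexthop default
# route is reported with weight 1, since it carries everything.
default_nexthops() {
    awk '
        /^default via/ {                       # plain, unbalanced default route
            for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1), 1
            next
        }
        /^default/ { inmp = 1; next }          # start of a multipath block
        inmp && /nexthop/ {
            dev = ""; w = 1
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev = $(i+1)
                if ($i == "weight") w   = $(i+1)
            }
            if (dev != "") print dev, w
            next
        }
        { inmp = 0 }                           # any other route ends the block
    '
}

# Turn "dev weight" lines into "dev percent" lines: the share of new flows
# the kernel will steer out of each link, in the order listed.
balance_share() {
    default_nexthops | awk '
        { dev[NR] = $1; w[NR] = $2; total += $2 }
        END { for (i = 1; i <= NR; i++) printf "%s %d\n", dev[i], 100 * w[i] / total }
    '
}

# Constructed sample: what a providers file with track,balance on both
# links typically leaves in the main table (the 4:1 weights are illustrative).
SAMPLE_ROUTES='192.168.96.0/21 dev eth0  proto kernel  scope link  src 192.168.100.17
default
    nexthop via 192.0.2.1 dev eth1 weight 4
    nexthop via 198.51.100.1 dev eth2 weight 1'

case "${1:-}" in
    live)   ip route show table main | balance_share ;;
    sample) printf '%s\n' "$SAMPLE_ROUTES" | balance_share ;;
esac
```

Run it as `sh balance-check.sh live` on the firewall (the file name is arbitrary) and compare with `ip rule show`, which lists the fwmark rules that `track` adds for each provider table. On the kernels of this period the next hop is chosen once per destination when the route-cache entry is created, so a single long download stays on one link; the percentages only hold across many destinations. `ip route show cache` shows which gateway each destination was assigned.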
From: Tom E. <te...@sh...> - 2005-09-27 15:36:59
Vikas Khandelwal wrote:
> It seems I was missing eth0 option in the copy section.

I've updated the example in the providers file to include an interface in the COPY column. The documentation and example at http://www.shorewall.net/Shorewall_and_Routing.html had already been updated in that way.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
From: Vikas K. <vkh...@im...> - 2005-09-29 10:53:44
I am not able to run a transparent proxy (squid) in a two ISP setup using shorewall. Please inform me what configuration is required for this setup.

Thanks,
Vikas
From: Jerry V. <jv...@sh...> - 2005-09-29 13:33:42
> I am not able to run transparent proxy (squid) in a two ISP setup using
> shorewall.
> Please inform what configuration is required for this setup.

http://www.shorewall.net/Shorewall_Squid_Usage.html

If you continue to have issues, can you post what you tried, where the proxy is and a "shorewall status" as described at: http://www.shorewall.net/support.htm. I'll have a better idea of what your network layout is like.

Jerry
From: Vikas K. <vkh...@im...> - 2005-09-30 05:55:20
Attachments:
status.tar
Hi Jerry,

I have attached the output of shorewall status. Is there any way I can configure these links as failover links so that the other ISP is used if one of the ISPs is not available?

Thanks for your help.
Vikas
From: Tom E. <te...@sh...> - 2005-09-30 14:04:15
Vikas Khandelwal wrote:
> Hi Jerry,
> I have attached the output of shorewall status.
> Is there any way I can configure these links as failover link so that
> the other ISP is used if one of the ISP is not available?

From http://www.shorewall.net/Shorewall_and_Routing.html ...

------------------------------------------------------------------------
What an Entry in the Providers File Does NOT Do

Given that Shorewall is simply a tool to configure Netfilter and does not run continuously in your system, entries in the providers file do not provide any automatic failover in the event of failure of one of your Internet connections.
------------------------------------------------------------------------

-Tom
From: John H. <jh...@no...> - 2005-09-30 14:15:16
I have tested and found that on a ping fail to an ISP gateway I can make a change in the tcrules file to mark all packets to the working ISP, then restart Shorewall, then test later and change it back to both. This keeps the outbound working.

I question if this is a good idea. I have yet to put it in production. Any suggestions?

--john
From: Tom E. <te...@sh...> - 2005-09-30 14:24:13
John Hill wrote:
> I have tested and found that on a ping fail to an isp gateway I can make a
> change in the tcrules file to mark all packets to the working ISP. Then
> restart Shorewall. Then test later and change it back to both. This keeps
> the outbound working.
> I question if this is a good idea. I have yet to put it in production.
> Any suggestions.

To just reload the tcrules file, all that is needed is "shorewall refresh" -- you probably also want to "ip route flush cache" to purge all of the cached routes through the down interface.

The best solution of course is to run a routing daemon but that requires the cooperation of the ISPs involved which generally increases your cost. What you propose is the "poor man's substitute" for the best solution.

-Tom
From: John H. <jh...@no...> - 2005-09-30 14:55:07
> The best solution of course is to run a routing daemon but that requires
> the cooperation of the ISPs involved which generally increases your cost.

It's funny telcos seem to offer the least options. BVP4 is out of the question. Alas, 'I am a poor man!' :-)

--john
From: Tom E. <te...@sh...> - 2005-09-30 16:29:20
John Hill wrote:
>
> It's funny telcos seem to offer the least options. BVP4 is out of the
> question.

I suspect you meant *BGP4* -- BVP4 appears to be a "Broadcast Video Processor" which is undoubtedly difficult to get from your Telco :-)

-Tom
From: John H. <jh...@no...> - 2005-09-30 16:49:47
> I suspect you meant *BGP4* -- BVP4 appears to be a "Broadcast Video
> Processor" which is undoubtedly difficult to get from your Telco :-)

Right again! BVP is the vertical ERP provider at work. Sorry! I've been working on BVP problems all morning. I can't use video anyway; the hand gestures I would be sending them would be less than professional! :-)

--john
From: Aaron O'H. <aj...@hu...> - 2005-09-30 19:30:57
John,

Would you mind sharing your script(s) that implement what you've mentioned for fail-over?

-- Aaron

On Fri, 2005-30-09 at 09:14 -0500, John Hill wrote:
> I have tested and found that on a ping fail to an isp gateway I can make a
> change in the tcrules file to mark all packets to the working ISP. Then
> restart Shorewall. Then test later and change it back to both. This keeps
> the outbound working.
From: John H. <jh...@no...> - 2005-09-30 20:11:41
> Would u mind sharing your script(s) that implement what u've mentioned
> for fail-over?

Sure, let me clean them up and I'll post them. I need to add a few things and explain what I'm doing.

--john
From: Jerry V. <jv...@sh...> - 2005-10-02 17:25:42
> I have tested and found that on a ping fail to an isp gateway I can make a
> change in the tcrules file to mark all packets to the working ISP. Then
> restart Shorewall. Then test later and change it back to both. This keeps
> the outbound working.
> I question if this is a good idea. I have yet to put it in production.
> Any suggestions.
>
> --john

John:

I *think* all you would need to do is delete, then re-add the fwmark to the working provider's lookup table, then flush the cache. I'd be interested in working with you off list to see what we could come up with. Email me off list if you're interested.

For the failover issue, there are some proc settings that you can play with. http://mailman.ds9a.nl/pipermail/lartc/2002q4/005274.html and the reply is about the best info I could find regarding these settings. If anybody knows of some better documentation of these settings, I'd love to hear from you.

FWIW, I tried changing some of the settings in /proc/sys/net/ipv4/route:

echo 1 > gc_interval
echo 1 > gc_timeout
echo 1 > gc_elasticity
echo 2 > max_delay
echo 1 > min_delay

Just before the test below, I unplugged the NIC that had the higher weighted value for the gateway. This appears to speed up the trying of the alternate gateway.

PING mail.gt.ca (216.18.99.22) 56(84) bytes of data.
From 10.50.0.1 icmp_seq=1 Destination Host Unreachable
From 10.50.0.1 icmp_seq=2 Destination Host Unreachable
From 10.50.0.1 icmp_seq=3 Destination Host Unreachable
From 10.50.0.1 icmp_seq=5 Destination Host Unreachable
From 10.50.0.1 icmp_seq=6 Destination Host Unreachable
From 10.50.0.1 icmp_seq=7 Destination Host Unreachable
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=8 ttl=56 time=57.7 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=9 ttl=56 time=58.4 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=10 ttl=56 time=59.3 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=11 ttl=56 time=59.6 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=12 ttl=56 time=54.9 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=13 ttl=56 time=56.0 ms

Before this, it seemed to take 'forever' to try the alternate gateway. This is not by any means conclusive, just me playing around and my observations. If you find that changing these settings works for you, I'd like to hear, off list, about what you tried. Use at your own risk, you've been warned.

Jerry
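A minimal implementation of what John describes and Tom and Jerry refine above: an added example, not John's scripts (which he had not yet posted) and not part of Shorewall. It pings each gateway out of its own interface and, only when a link changes state, replaces the default route with the surviving links and flushes the route cache. Interface names follow the thread; the gateway addresses are documentation-prefix placeholders, the 4:1 weights are Vikas's E1/512 kbps wish, and STATE_FILE, PROBE and EXEC are this script's own knobs.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a "poor man's" failover probe in
# the spirit of John's approach, with Tom's "ip route flush cache" step.
# Each ISP gateway is pinged out of its own interface; when a link's state
# changes, the default route is replaced with whatever is still up.
# Interface names follow the thread; gateway addresses are placeholders
# (documentation prefixes), and the 4:1 weights are Vikas's E1/512k wish.

ISP1_IF=eth1; ISP1_GW=192.0.2.1;     ISP1_WEIGHT=4
ISP2_IF=eth2; ISP2_GW=198.51.100.1;  ISP2_WEIGHT=1
STATE_FILE=${STATE_FILE:-/var/run/isp-failover.state}

# Probe a gateway through one interface: three echoes, two-second timeout.
# PROBE and EXEC can be overridden (e.g. PROBE=fake EXEC=echo) to dry-run.
ping_probe() { ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1; }
PROBE=${PROBE:-ping_probe}
EXEC=${EXEC:-}

log() { logger -t isp-failover "$*" 2>/dev/null || echo "isp-failover: $*" >&2; }

# Print the route command for the given link states (1 = up, 0 = down).
# Prints nothing when both are down: there is nothing sensible to install,
# and the last known-good route is more useful than no route at all.
decide_route() {
    if [ "$1" = 1 ] && [ "$2" = 1 ]; then
        echo "ip route replace default scope global" \
             "nexthop via $ISP1_GW dev $ISP1_IF weight $ISP1_WEIGHT" \
             "nexthop via $ISP2_GW dev $ISP2_IF weight $ISP2_WEIGHT"
    elif [ "$1" = 1 ]; then
        echo "ip route replace default via $ISP1_GW dev $ISP1_IF"
    elif [ "$2" = 1 ]; then
        echo "ip route replace default via $ISP2_GW dev $ISP2_IF"
    fi
}

# One probe cycle (run it from cron). The routing table is only touched
# when the state differs from the last run, so the route cache is not
# flushed every minute for no reason.
run_once() {
    $PROBE "$ISP1_IF" "$ISP1_GW" && up1=1 || up1=0
    $PROBE "$ISP2_IF" "$ISP2_GW" && up2=1 || up2=0
    state="$up1$up2"
    if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$state" ]; then
        return 0
    fi
    cmd=$(decide_route "$up1" "$up2")
    if [ -z "$cmd" ]; then
        log "both gateways unreachable, leaving routes alone"
        return 1
    fi
    log "link state $state, running: $cmd"
    $EXEC $cmd && $EXEC ip route flush cache && echo "$state" > "$STATE_FILE"
}

case "${1:-}" in
    check) run_once ;;
esac
```

Run it as `sh isp-failover.sh check` from cron every minute (the file name is arbitrary). Caveats a practitioner would want: pinging the gateway proves only the first hop, so probe a host beyond it if the ISP's gateway stays up while its upstream is dead; `shorewall restart` reinstalls the balanced route, so remove the state file when you restart; and connections already NATed out of the dead link die regardless, because their source address no longer works. It rewrites the main-table default route rather than editing tcrules; Jerry's delete-and-re-add of the fwmark rule is the alternative that leaves the balanced route in place.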
From: Tom E. <te...@sh...> - 2005-10-02 18:40:13
Vikas Khandelwal wrote:
> I have attached the output of shorewall status.

Vikas:

From your "shorewall status":

Sep 30 10:31:01 rfc1918:DROP:IN=eth2 OUT= SRC=192.168.100.192 DST=255.255.255.255 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=31892 PROTO=UDP SPT=1807 DPT=14010 LEN=84
Sep 30 10:31:01 rfc1918:DROP:IN=eth1 OUT= SRC=192.168.100.192 DST=255.255.255.255 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=31892 PROTO=UDP SPT=1807 DPT=14010 LEN=84

This indicates that traffic from 192.168.100.192 is appearing on both eth1 and eth2. Yet:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:20:49:42:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.17/21 brd 192.168.103.255 scope global eth0
    inet6 fe80::213:20ff:fe49:4262/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:95:f2:cc:e5 brd ff:ff:ff:ff:ff:ff
    inet 202.56.224.94/29 brd 202.56.224.95 scope global eth1
    inet6 fe80::211:95ff:fef2:cce5/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:95:f2:cc:e2 brd ff:ff:ff:ff:ff:ff
    inet 203.129.192.78/28 brd 203.129.192.79 scope global eth2
    inet6 fe80::211:95ff:fef2:cce2/64 scope link
       valid_lft forever preferred_lft forever

This indicates that 192.168.96.0/21 is attached to eth0!!!!

Do you have eth0, eth1 and eth2 all connected to the same switch? If not, what is the explanation for the traffic being logged?

-Tom
From: Vikas K. <vkh...@im...> - 2005-10-03 12:37:04
Hi Tom,

Yes, all NICs are connected to the same switch. Currently I am using this box in a testing environment only.

--Vikas
From: Tom E. <te...@sh...> - 2005-10-03 14:03:40
Vikas Khandelwal wrote:
> Hi Tom,
> Yes, all NIC are connected on the same switch. currently using this box
> in testing environment only.

The following is included in MANY articles within the Shorewall documentation (this one is from the Troubleshooting Guide which you should have read carefully before posting a problem report):

---------------------------------------------------------------------------
Many times when people have problems with Shorewall, the problem is actually an ill-conceived network setup. Here are several popular snafus:

...

- Multiple interfaces connected to the same HUB or Switch. Given the way that the Linux kernel responds to ARP "who-has" requests, this type of setup does NOT work the way that you expect it to. If you are running Shorewall version 1.4.7 or later, you can test using this kind of configuration if you specify the arp_filter option in /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly recommended against.
---------------------------------------------------------------------------

That won't stop the broadcast packets from being logged due to 'norfc1918' (you might want to remove those options temporarily) but it will stop many other confusing problems.

-Tom
From: Jerry V. <jv...@sh...> - 2005-10-01 06:20:07
> Hi Jerry,
> I have attached the output of shorewall status.
> Is there any way I can configure these links as failover link so that the
> other ISP is used if one of the ISP is not available?
>
> Thanks for your help.
> Vikas

Is it just me or is this status corrupt? It appears that some of the info is missing.

Jerry