Tom,

Yes indeed, I figured that out last night. I changed my configuration as follows (after reading more docs):
tcrules:

  1  $FW        0.0.0.0/0  udp   4569
  1  $FW        0.0.0.0/0  tcp   4569
  1  $FW        0.0.0.0/0  udp   5060
  1  $FW        0.0.0.0/0  tcp   5060
  2  0.0.0.0/0  0.0.0.0/0  icmp  echo-request
  2  0.0.0.0/0  0.0.0.0/0  icmp  echo-reply
  3  0.0.0.0/0  0.0.0.0/0  tcp   20
  3  0.0.0.0/0  0.0.0.0/0  tcp   21
  3  0.0.0.0/0  0.0.0.0/0  tcp   22

Which results in a shorewall show mangle:

Chain tcout (1 references)
 pkts bytes target prot opt in out source    destination
 4431 1015K MARK   udp  --  *  *   0.0.0.0/0 0.0.0.0/0  udp dpt:4569 MARK set 0x1
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:4569 MARK set 0x1
  115 65437 MARK   udp  --  *  *   0.0.0.0/0 0.0.0.0/0  udp dpt:5060 MARK set 0x1
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:5060 MARK set 0x1

Chain tcpost (1 references)
 pkts bytes target   prot opt in out  source    destination
 4531 1073K CLASSIFY all  --  *  eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY all  --  *  eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY all  --  *  eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY all  --  *  eth0 0.0.0.0/0 0.0.0.0/0  MARK match 0x4/0xff CLASSIFY set 1:14

Chain tcpre (1 references)
 pkts bytes target prot opt in out source    destination
 2159  180K MARK   icmp --  *  *   0.0.0.0/0 0.0.0.0/0  icmp type 8 MARK set 0x2
  565 47460 MARK   icmp --  *  *   0.0.0.0/0 0.0.0.0/0  icmp type 0 MARK set 0x2
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:20 MARK set 0x3
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:21 MARK set 0x3
  410 16768 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22 MARK set 0x3
Does this look more reasonable? I have attached an updated status.txt.

Thanks for the help.

Jim

Tom Eastep wrote:
Jim Duda wrote:

David,

When I do shorewall show ipmangle, I see that packets are getting marked with "1"; however, should I expect a non-zero pkt number in the CLASSIFY section?

Chain tcout (1 references)
 pkts bytes target prot opt in out source    destination
  456  100K MARK   udp  --  *  *   0.0.0.0/0 0.0.0.0/0  udp dpt:4569 MARK set 0x1
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:4569 MARK set 0x1
   15  8202 MARK   udp  --  *  *   0.0.0.0/0 0.0.0.0/0  udp dpt:5060 MARK set 0x1
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:5060 MARK set 0x1
   27  2268 MARK   icmp --  *  *   0.0.0.0/0 0.0.0.0/0  icmp type 8 MARK set 0x2
   12   912 MARK   icmp --  *  *   0.0.0.0/0 0.0.0.0/0  icmp type 0 MARK set 0x2
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:20 MARK set 0x3
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:21 MARK set 0x3
    0     0 MARK   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22 MARK set 0x3
  510  112K MARK   all  --  *  *   0.0.0.0/0 0.0.0.0/0  MARK match !0x0/0xffff MARK set 0x4

The last rule is nonsensical. It says that if you have set the mark to any non-zero value (1-3) then set it to 4!!!! So all of your outgoing packets have either mark=0 or mark=4. That's what your CLASSIFY rules are telling you also. I think you wanted '0' in the MATCH column rather than '!0'.

-Tom

------------------------------------------------------------------------
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
status.txt.gz
Description: GNU Zip compressed data
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
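An added example, not code from the thread or from Shorewall: a small Python simulation of how Jim's tcrules walk the mangle MARK chain and then land in the tcpost CLASSIFY rules, comparing the '!0' catch-all Tom points out with the '0' he suggests. The packet representation, rule layout and sample traffic are simplified assumptions; the marks (0x1-0x4) and classes (1:11-1:14) are the ones shown in the thread.

```python
from collections import Counter

# Jim's tcrules as (mark, proto, dport or icmp type); reconstructed from the thread
TCRULES = [
    (1, "udp", 4569), (1, "tcp", 4569), (1, "udp", 5060), (1, "tcp", 5060),
    (2, "icmp", 8), (2, "icmp", 0),
    (3, "tcp", 20), (3, "tcp", 21), (3, "tcp", 22),
]
# tcpost CLASSIFY rules: mark -> tc class (from the 'shorewall show mangle' output)
CLASSIFY = {1: "1:11", 2: "1:12", 3: "1:13", 4: "1:14"}


def mark_packet(proto, sel, catchall):
    """Mark left on a packet with protocol `proto` and destination port (or ICMP
    type) `sel` after the MARK chain.  `catchall` is the MATCH column of the final
    default-mark rule: "!0" (Jim's original) or "0" (what Tom suggests)."""
    mark = 0
    for m, p, s in TCRULES:  # MARK is non-terminating, so the last matching rule wins
        if p == proto and s == sel:
            mark = m
    # 'MARK match !0x0/0xffff' hits every packet an earlier rule already marked;
    # 'MARK match 0x0/0xffff' only hits packets no earlier rule touched.
    if (mark != 0) if catchall == "!0" else (mark == 0):
        mark = 4
    return mark


def tc_class(proto, sel, catchall):
    """tc class the tcpost CLASSIFY rules assign; None means the packet stayed unmarked."""
    return CLASSIFY.get(mark_packet(proto, sel, catchall))


def class_counts(packets, catchall):
    """Packets per class: what the 'pkts' column of the CLASSIFY rules would count."""
    return dict(Counter(tc_class(p, s, catchall) for p, s in packets))


# constructed sample traffic: IAX, SIP, a ping request, ssh and an unrelated web flow
SAMPLE = [("udp", 4569), ("udp", 5060), ("icmp", 8), ("tcp", 22), ("tcp", 80)]

if __name__ == "__main__":
    # with '!0' every marked packet collapses into 1:14, exactly what Tom describes
    print("!0 catch-all:", class_counts(SAMPLE, "!0"))
    # with '0' marks 1-3 survive and only the unmarked web flow falls into 1:14
    print(" 0 catch-all:", class_counts(SAMPLE, "0"))
```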
