On Sun, 2008-06-29 at 14:06 -0700, Tom Eastep wrote:
> I believe that it doesn't work at all. You have to know where a packet is
> going before you mark it.

Does changing up the order of the routing table traversal change that? Actual marking is done in the mangle table, right? In my case, for example, I have:

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3484  458K MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x200
21601 3378K MARK       all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           MARK set 0x100
25085 3836K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff00 CONNMARK save mask 0xff00

But that's based on source interfaces, which I don't think routing table/rule reorganization would alter.

> Try creating marking rules that work in your
> scheme where the firewall has a DMZ, a LOC zone and a two NET interfaces and
> you will see what I mean.

Unfortunately I don't easily have a testbed where I can do that easily, and I can't say that I've seen what shorewall will do to the routing and marking rules in that case. It would be interesting to look at though, indeed. Anyone have such a configuration? You can send me the output of your routing rules, tables and mangle table.

b.
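An added example, not part of the thread: a small parser for the `iptables -t mangle -L routemark -v -n` layout shown above that confirms the poster's point, namely that the MARK rules key on the input interface and that the CONNMARK save mask covers the marks. The listing is a constructed copy of the chain from the post; the function names are my own.

```python
import re

# Constructed sample: the mangle-table "routemark" chain as posted in the
# thread, in `iptables -t mangle -L routemark -v -n` layout.
ROUTEMARK_LISTING = """\
Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3484  458K MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x200
21601 3378K MARK       all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           MARK set 0x100
25085 3836K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff00 CONNMARK save mask 0xff00
"""

def parse_chain(listing):
    """Parse an `iptables -v -n -L` chain listing into rule dicts.
    The first nine whitespace-separated columns are fixed; whatever
    follows 'destination' is the match/target extension text."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue  # chain header or column header, not a rule
        rules.append({
            "target": parts[2], "proto": parts[3],
            "in": parts[5], "out": parts[6],
            "source": parts[7], "destination": parts[8],
            "extra": " ".join(parts[9:]),
        })
    return rules

def interface_marks(rules):
    """Map each input interface to the fwmark a MARK rule sets on it.
    Rules keyed on `in` are decided from the arriving packet alone, so
    reordering ip rules or routing tables does not change them."""
    marks = {}
    for r in rules:
        m = re.search(r"MARK set (0x[0-9a-fA-F]+)", r["extra"])
        if r["target"] == "MARK" and m and r["in"] != "*":
            marks[r["in"]] = int(m.group(1), 16)
    return marks

def connmark_save_mask(rules):
    """Return the mask used by the CONNMARK save rule, or None."""
    for r in rules:
        m = re.search(r"CONNMARK save mask (0x[0-9a-fA-F]+)", r["extra"])
        if r["target"] == "CONNMARK" and m:
            return int(m.group(1), 16)
    return None

def marks_fit_mask(rules):
    """True when every interface mark lies inside the CONNMARK save mask,
    so the mark is kept on the connection and restored for later packets."""
    mask = connmark_save_mask(rules)
    return mask is not None and all(v & ~mask == 0 for v in interface_marks(rules).values())
```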
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users