Brian J. Murrell wrote:
> On Sun, 2008-06-29 at 14:06 -0700, Tom Eastep wrote:
>> I believe that it doesn't work at all. You have to know where a packet is going before you mark it.
>
> Does changing up the order of the routing table traversal change that? Actual marking is done in the mangle table, right? In my case for example I have:
>
> Chain routemark (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>  3484  458K MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x200
> 21601 3378K MARK       all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           MARK set 0x100
> 25085 3836K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff00 CONNMARK save mask 0xff00
>
> But that's based on source interfaces, which I don't think routing table/rule reorganization would alter.
Those are Shorewall-generated rules from specifying 'track' on your providers. Those won't work under your scheme because your provider routing tables wouldn't have a route to your local network or to your DMZ!
>> Try creating marking rules that work in your scheme where the firewall has a DMZ, a LOC zone and two NET interfaces and you will see what I mean.
>
> Unfortunately I don't easily have a testbed where I can do that easily and I can't say that I've seen what shorewall will do to the routing and marking rules in that case. It would be interesting to look at though, indeed. Anyone have such a configuration you can send me the output of your routing rules, tables and mangle table?
Just something simple like "I want all SMTP traffic to go out of provider 1 (with mark 1)" is not straightforward under your scheme.
You would like to add this marking rule:

    1:P    0.0.0.0/0    0.0.0.0/0    tcp    25

But suppose that you have a mail server in your DMZ. Packets marked by that rule will be sent through provider 1's routing table *which doesn't have a route to your DMZ*. So you find yourself having to replicate your routing in your marking rules:

    1:P    0.0.0.0/0    !xxx.xxx.xxx.xxx    tcp    25

where xxx.xxx.xxx.xxx is the IP address of your DMZ mail server.

I think that adding routing rules for things that need to use the main table is more straightforward. Plus your scheme would be incompatible with current configurations. Which is also a problem. Because that means that we get to support both the current scheme and your scheme.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
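To make the routing argument above concrete, here is an added example (not from this thread, and not Shorewall's own code) that models the two `ip rule` orders being debated and applies the SMTP marking rule with and without the DMZ exclusion. The topology, addresses, interface names and mark values are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed topology (an assumption for this example, not from the thread):
# DMZ 192.0.2.0/24 on eth1 with the mail server at 192.0.2.25, LOC 192.168.1.0/24
# on eth0.1, provider 1 on ppp0 (mark 1), provider 2 on eth2 (mark 2).
DMZ_MAIL = ipaddress.ip_address("192.0.2.25")
TABLES = {
    "main":    [("192.0.2.0/24", "eth1"), ("192.168.1.0/24", "eth0.1")],  # no default
    "isp1":    [("0.0.0.0/0", "ppp0")],
    "isp2":    [("0.0.0.0/0", "eth2")],
    "default": [("0.0.0.0/0", "ppp0")],  # fallback default route (balancing omitted)
}
# Two `ip rule` orders: (required fwmark or None for unconditional, table name).
SHOREWALL_ORDER = [(None, "main"), (1, "isp1"), (2, "isp2"), (None, "default")]
PROPOSED_ORDER  = [(1, "isp1"), (2, "isp2"), (None, "main"), (None, "default")]

def mark_packet(dst, dport, exclude_dst=None):
    """tcrules-style '1:P 0.0.0.0/0 <dest> tcp 25': mark SMTP with 1,
    optionally skipping one excluded destination (the '!xxx.xxx.xxx.xxx' form)."""
    if dport == 25 and dst != exclude_dst:
        return 1
    return 0

def lookup(table, dst):
    """Longest-prefix match within one table; None when nothing matches."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None

def route(order, dst, mark):
    """Walk the rules in priority order; the first table holding a route wins."""
    for fwmark, table in order:
        if fwmark in (None, mark):
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None

def egress(order, dst, dport, exclude_dst=None):
    """Egress interface for a packet to dst:dport under the given rule order."""
    dst = ipaddress.ip_address(dst)
    return route(order, dst, mark_packet(dst, dport, exclude_dst))

if __name__ == "__main__":
    for name, order in (("shorewall", SHOREWALL_ORDER), ("proposed", PROPOSED_ORDER)):
        print(name, "SMTP to DMZ:", egress(order, "192.0.2.25", 25),
              "| with exclusion:", egress(order, "192.0.2.25", 25, DMZ_MAIL),
              "| SMTP to internet:", egress(order, "198.51.100.7", 25))
```

Under the proposed order the plain rule sends DMZ-bound SMTP out ppp0 because the provider table's default route matches first; only the excluding rule restores the main-table route to eth1.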
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users