Brian J. Murrell wrote:
On Sun, 2008-06-29 at 14:06 -0700, Tom Eastep wrote:
I believe that it doesn't work at all. You have to know where a packet is going before you mark it.

Does changing up the order of the routing table traversal change that?
Actual marking is done in the mangle table, right?  In my case for
example I have:

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3484  458K MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x200
21601 3378K MARK       all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           MARK set 0x100
25085 3836K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff00 CONNMARK save mask 0xff00
But that's based on source interfaces, which I don't think routing
table/rule reorganization would alter.

Those are Shorewall-generated rules from specifying 'track' on your providers. Those won't work under your scheme because your provider routing tables wouldn't have a route to your local network or to your DMZ!


Try creating marking rules that work in your scheme where the firewall has a DMZ, a LOC zone and two NET interfaces and you will see what I mean.

Unfortunately I don't have a testbed where I can easily do that,
and I can't say that I've seen what shorewall will do to the routing and
marking rules in that case.  It would be interesting to look at, though,
indeed.  If anyone has such a configuration, could you send me the output of
your routing rules, tables and mangle table?

Just something simple like "I want all SMTP traffic to go out of provider 1 (with mark 1)" is not straightforward under your scheme.

You would like to add this marking rule:

1:P     0.0.0.0/0       0.0.0.0/0       tcp     25

But suppose that you have a mail server in your DMZ. Packets marked by that rule will be sent through provider 1's routing table *which doesn't have a route to your DMZ*. So you find yourself having to replicate your routing in your marking rules:

1:P     0.0.0.0/0       !xxx.xxx.xxx.xxx        tcp     25

where xxx.xxx.xxx.xxx is the IP address of your DMZ mail server.

I think that adding routing rules for things that need to use the main table is more straightforward. Plus your scheme would be incompatible with current configurations, which is also a problem, because that means that we get to support both the current scheme and your scheme.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
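As an added illustration (not code from this thread or from Shorewall itself), a small Python model of policy-routing rule traversal with the two marking rules discussed above; the topology, addresses, table contents and rule ordering are constructed assumptions chosen to show why a marked DMZ-bound SMTP packet ends up in a provider table that has no DMZ route, and how either excluding the DMZ in the marking rule or adding a routing rule that sends DMZ/LOC traffic to main fixes it.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (an assumption for this example, not from the thread):
# DMZ 192.0.2.0/24 on eth2, LOC 10.0.0.0/24 on eth1, provider 1 on ppp0 (fwmark 0x1),
# provider 2 on eth0.1 (fwmark 0x2). Provider tables hold only their own default route.
DMZ = ip_network("192.0.2.0/24")
LOC = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
TABLES = {
    "main": [(DMZ, "eth2"), (LOC, "eth1"), (ANY, "ppp0")],
    "provider1": [(ANY, "ppp0")],    # no route to the DMZ or LOC
    "provider2": [(ANY, "eth0.1")],
}

def lookup(table, dst):
    """Longest-prefix match in one routing table; returns the egress device or None."""
    hits = [(p.prefixlen, dev) for p, dev in TABLES[table] if dst in p]
    return max(hits)[1] if hits else None

def route(rules, dst, fwmark):
    """Walk policy rules (fwmark-or-None, 'to' prefix, table) in order; first table with a route wins."""
    dst = ip_address(dst)
    for mark, to, table in rules:
        if (mark is None or mark == fwmark) and dst in to:
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None

# Marking rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 25": every SMTP packet gets mark 0x1.
def mark_smtp(dst, dport):
    return 0x1 if dport == 25 else 0

# Marking rule "1:P 0.0.0.0/0 !<mail server> tcp 25": routing knowledge replicated in the mark rule.
def mark_smtp_except_dmz(dst, dport):
    return 0 if ip_address(dst) in DMZ else mark_smtp(dst, dport)

# Provider tables consulted before main: marked packets never see main's DMZ route.
PROVIDERS_FIRST = [(0x1, ANY, "provider1"), (0x2, ANY, "provider2"), (None, ANY, "main")]
# Same, plus routing rules sending DMZ/LOC-bound traffic to main ahead of the provider rules.
WITH_MAIN_RULES = [(None, DMZ, "main"), (None, LOC, "main")] + PROVIDERS_FIRST

def egress(rules, marker, dst, dport):
    """Mark the packet with the given marking rule, then route it; returns the egress device."""
    return route(rules, dst, marker(dst, dport))

if __name__ == "__main__":
    mail = "192.0.2.25"  # constructed address of the DMZ mail server
    print(egress(PROVIDERS_FIRST, mark_smtp, mail, 25))             # ppp0: DMZ mail leaves via provider 1
    print(egress(PROVIDERS_FIRST, mark_smtp_except_dmz, mail, 25))  # eth2
    print(egress(WITH_MAIN_RULES, mark_smtp, mail, 25))             # eth2
    print(egress(WITH_MAIN_RULES, mark_smtp, "203.0.113.9", 25))    # ppp0
```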


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users