Rags wrote:
> On Thu, Oct 1, 2009 at 8:41 PM, Jerry Vonau <jvo...@shaw.ca> wrote:
> 
>     192.168.32.0 is your local lan right? Did you really intend to masq just
>     192.168.32.1 or is that meant for the entire local lan connected to
>     eth0? If it's the entire lan you want, think you may want to use
>     192.168.32.0/<mask of lan> instead. Replace <mask of lan> with what your
>     network on eth0 needs to use.
> 
>     Perhaps you would have better luck using 'detect' in place of $PPPX_IP
>     something like:
>     ppp0                          0.0.0.0/0          detect
>
>     ppp1                          0.0.0.0/0          detect
> 
>     Your local lan and the firewall's external ip addresses are covered with
>     less rules this way.
> 
> 
> That did the trick! So I had to use the detect option instead of the
> macros. I've added the proper lan network address as well.
> 
> The weird thing is I never touched those lines, they worked perfectly
> fine before. So removing the interface name messed with the macros I
> suppose.

No chance!

> 
> Thank you for your help.
> 
>     > Like so :
>     >
>     > PPP0_IP=$(find_first_interface_address_if_any ppp0)
>     > PPP1_IP=$(find_first_interface_address_if_any ppp1)
>     >
>     > Thanks,
>     >
> 
>     find_first_interface_address_if_any ppp0 will return 0.0.0.0 if the
>     interface is non-existent.
> 
> 
> So does this mean that the "find_first_interface_address_if_any" can't
> be used now?

find_first_interface_address_if_any() hasn't changed since it was
originally written.

The symptoms that you originally reported have *nothing* to do with the
/etc/shorewall/masq file. Your problem was that both of your providers
were being reported as down; that occurs well before the rules in the
masq file are instantiated and the logic is independent of the masq file.

Your problem likely had something to do with lsm and/or the status files
that the 'isusable' script looks for. One possibility is that you copied
the lib.private example in the MultiISP document verbatim; that script
previously had an incorrect directory name (/etc/shorewall vs ${VARDIR}).

Regarding your question about 'loose' -- 'loose' omits the routing rules
necessary for certain applications[1] running on the firewall to work
correctly. My configuration (the one in the "Complete Example") uses
'loose' because without 'loose', there is one routing rule generated per
external IP address. I prefer to hand-code a single rule in
/etc/shorewall/route_rules.

-Tom

[1] - Those applications that bind to a specific IP address like openvpn.
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
