Well I'm *almost* there with this... it's certainly been an adventure
and I have learned a TON over the last week.

My final (working) config for /etc/shorewall/providers ended up like this:

#NAME        NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS         COPY
CenturyLink  1       1     main       eth0       76.5.159.161  track,balance   eth2
Comcast      2       2     main       eth1       192.168.10.2  track,fallback  eth2

(sorry for the wrap, but hopefully you get the idea)

If I manually bring eth0 down (CenturyLink) and restart shorewall, I get
this message:

bubastis:/home/sbrown# shorewall -f restart
Restarting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Adding Providers...
   WARNING: Interface eth0 is not usable -- Provider CenturyLink (1) not Added
   WARNING: No Default route added (all 'balance' providers are down)
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
done.

I'm assuming the warning is just that, and can be safely ignored, but I
don't understand a default route not being added? I am however able to
keep traffic flowing bidirectional with eth0 being down so I can't
really figure that one out, unless it's hitting the gateway as defined
in providers (192.168.10.2 in my case)

Just trying to understand how this is working....

My next step is to get lsm working satisfactorily to automate this,
anything else I could potentially be missing? I am also using packet
marking for my VoIP traffic and it's working great :)

Thanks,
Stephen

On 7/27/10 11:12 AM, Tom Eastep wrote:
> On 7/27/10 6:21 AM, Stephen Brown Jr wrote:
>> Thanks Tom... this appears to work as intended now, but I need
>> clarification on one additional item.
>>
>> I simulated a DSL outage by shutting the modem off and restarting
>> shorewall, however I can not route via the cable connection? My initial
>> thought is that Shorewall does not (and has no way of knowing) that eth0
>> is now dead without testing it, but I'm not sure honestly, would LSM (or
>> another type of method) be beneficial to deal with this?
>
> Yes. And you need to define both interfaces as 'optional' in shorewall.conf.
>
> -Tom
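
Added example, not part of the original message and not Shorewall's own code: a shell function that reads the providers rows quoted above and reports, for a given set of down interfaces, where a default route is still available. It relies on the documented meaning of the provider options (balance providers supply the default route in the main table, fallback providers add theirs to the 'default' routing table, which is consulted after main); the function name and output wording are hypothetical.

```shell
#!/bin/sh
# Constructed sample input: the two providers rows from the message above.
PROVIDERS='#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
CenturyLink 1 1 main eth0 76.5.159.161 track,balance eth2
Comcast 2 2 main eth1 192.168.10.2 track,fallback eth2'

# default_route_report "IFACE [IFACE...]"   (hypothetical helper)
# Argument: space-separated interfaces to treat as down.
# Prints one line per provider, then a summary of which table would
# still carry a default route.
default_route_report() {
    down=" ${1:-} "
    printf '%s\n' "$PROVIDERS" | awk -v down="$down" '
        /^[ \t]*(#|$)/ { next }              # skip header, comments, blanks
        {
            name = $1; iface = $5; gw = $6
            up = (index(down, " " iface " ") == 0)
            role = "none"
            n = split($7, opt, ",")          # OPTIONS column, comma-separated
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^balance(=|$)/)  role = "balance"
                if (opt[i] ~ /^fallback(=|$)/) role = "fallback"
            }
            printf "%s iface=%s gateway=%s role=%s state=%s\n",
                   name, iface, gw, role, (up ? "up" : "down")
            if (up && role == "balance")  bal++
            if (up && role == "fallback") fb++
        }
        END {
            # No usable balance provider is the condition behind the
            # "No Default route added" warning in the restart output.
            if (bal)     print "default route: main table (balance)"
            else if (fb) print "default route: default table only (fallback)"
            else         print "default route: none"
        }'
}

# The outage simulated in the message: eth0 (CenturyLink) down.
default_route_report "eth0"
```

To compare against a live system, `ip route show table main` and `ip route show table default` list the routes each table actually holds.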
