Good resource, Wayne. Can you (or Tuomi) comment on how mature foomuuri
is for multi-ISP? Here is my use case:
1. ISP 1 is slow static IPv4 on PPPoE. IPv6 /56 available via dhcp6 but
not enabled due to my not being able to get it working along with IPv6
on ISP 2 with Shorewall6 (incoming packets on one and returning on the
other). It is the static external IPv4 interface for my domain (e.g.
SMTP, IMAPS, HTTP, OpenVPN, etc.) as well as the SIP trunk. Otherwise
"fallback".
2. ISP 2 is fast dynamic IPv4 on cable, but with usual commercial ISP
port blocking. Used for all outgoing traffic ("primary") except SIP.
Also provides an IPv6/56 range using dhcp6, so that's where my inbound
IPv6 comes in.
Thanks
On 2025-02-08 10:56 a.m., Wayne Shumaker wrote:
At 2/6/2025 02:25 PM, Winston wrote:
Shorewall (and Shorewall6) has been fantastic to me, as a multi-ISP
user. I'm deeply indebted to Tom for this fantastic tool, and all
the work he put into the documentation especially. Nothing else seems
to come close to ease of configuration and maintenance. I'm
dreading the day when Debian (or the kernel itself) moves iptables
from deprecated to discarded, and I know that nftables is the future,
but I'm still waiting for something that even comes close before
I risk destabilizing everything my home system relies upon. Tom, if
you're reading this, can I ask: are you still running your own
systems, and what do you expect to be shifting to yourself?
I have used shorewall since I can't remember. I struggled quite a
while (4 years) trying to find an alternative to shorewall. Nothing
was right for me and nothing compared to shorewall, until foomuuri
came along. Yes, systemd is likely needed. foomuuri is still young but
I see it as my path forward with nftables.
As for iptables going obsolete, on my previous Debian (bookworm)
router using Shorewall, typing:
nft list ruleset
I see that the shorewall iptables was converted to nftables anyway via
iptables-nft. So as long as iptables-nft exists, shorewall should be
converting to nftables.
I have now converted to foomuuri and find it was relatively painless,
including ulogd2 logging. I also found adding blocklists fairly
convenient with automatic daily updates.
https://blog.frehi.be/2024/11/30/protecting-your-server-from-known-bad-ips-with-foomuuri-iplists/
and other things from https://blog.frehi.be/ - a former shorewall user.
Wayne
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
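The observation above (Shorewall's iptables rules showing up in `nft list ruleset` because the iptables binary is the iptables-nft shim) is easy to verify on any Debian router. The script below is an added example, not code from the thread or from the Shorewall or foomuuri projects. It classifies the backend from the output of `iptables -V` (real iptables prints "(nf_tables)" or "(legacy)" after the version) and counts the tables in an `nft list ruleset` dump that iptables-nft creates (filter/nat/mangle/raw in the ip and ip6 families). The version strings and the ruleset text are constructed samples, and the "inet example" table in the sample is an assumed stand-in for a natively written nftables table, not foomuuri's actual table layout.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether the
# "iptables" rules on a Debian box are really loaded through the nftables
# backend (iptables-nft), as seen with `nft list ruleset`.

# Classify the backend from one `iptables -V` line. Real iptables prints
# e.g. "iptables v1.8.9 (nf_tables)" or "iptables v1.8.9 (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# From `nft list ruleset` text on stdin, print one "family name" line per
# top-level table (chains are indented, so only table lines match).
nft_tables() {
    sed -n 's/^table \([a-z0-9]*\) \([^ ]*\) {.*$/\1 \2/p'
}

# Count the tables iptables-nft creates when iptables rules are loaded:
# filter/nat/mangle/raw in the ip (IPv4) and ip6 (IPv6) families. A non-zero
# count means an iptables-based tool (e.g. Shorewall) has loaded rules via
# the nft backend. Tables in other families (such as "inet") are ignored.
iptables_nft_table_count() {
    nft_tables | awk '($1 == "ip" || $1 == "ip6") &&
        ($2 == "filter" || $2 == "nat" || $2 == "mangle" || $2 == "raw") { n++ }
        END { print n + 0 }'
}

# Constructed sample inputs (not captured from a real host). The "inet
# example" table is an assumed stand-in for a native nftables table.
SAMPLE_VERSION_NFT="iptables v1.8.9 (nf_tables)"
SAMPLE_VERSION_LEGACY="iptables v1.8.9 (legacy)"
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ppp0" masquerade
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
    }
}
table inet example {
    chain input {
        type filter hook input priority filter; policy accept;
    }
}'

# Run the checks against the live system when the tools exist and the
# ruleset is readable (nft list ruleset needs root); otherwise use samples.
live_or_sample() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    else
        echo "iptables backend (sample): $(iptables_backend "$SAMPLE_VERSION_NFT")"
    fi
    if command -v nft >/dev/null 2>&1 && ruleset=$(nft list ruleset 2>/dev/null); then
        echo "iptables-nft tables: $(printf '%s\n' "$ruleset" | iptables_nft_table_count)"
    else
        echo "iptables-nft tables (sample): $(printf '%s\n' "$SAMPLE_RULESET" | iptables_nft_table_count)"
    fi
}

live_or_sample
```

On Debian the backend is selected with `update-alternatives --config iptables`; a box reporting "legacy" keeps its rules in the old xtables path and they will not appear in `nft list ruleset` at all, which is the case to watch for when planning a move to an nftables-native tool.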