Add tip for identifying external interface

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-22 06:10:42 +01:00 · 2007-02-14 16:35:26 +00:00 · 2007-02-14 16:35:26 +00:00 · 07308373de
commit 07308373de
parent e43c2287d4
4 changed files with 72 additions and 2 deletions
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -909,7 +909,7 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
        test for <filename class="devicefile">eth1</filename> is inserted
        before the fwmark tests.</para>

-        <para>Example 2: You use OpenVPN (routed setup /tunX) in combination
+        <para>Example 2: You use OpenVPN (routed setup w/tunX) in combination
        with multiple providers. In this case you have to set up a rule to
        ensure that the OpenVPN traffic is routed back through the tunX
        interface(s) rather than through any of the providers. 10.8.0.0/24 is
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@ -338,6 +338,28 @@ all            all                REJECT   info</programlisting>
    are there, you may wish to review the list of options that are specified
    for the interface. Some hints:</para>

+    <tip>
+      <para>Be sure you know which interface is your external interface. Many
+      hours have been spent floundering by users who have configured the wrong
+      interface. If you are unsure, then as root type "ip route ls" at the
+      command line. The device listed in the last (default) route should be
+      your external interface.</para>
+
+      <para>Example:</para>
+
+      <programlisting>root@lists:~# ip route ls
+192.168.2.2 dev tun0  proto kernel  scope link  src 192.168.2.1 
+10.13.10.0/24 dev tun1  scope link 
+192.168.2.0/24 via 192.168.2.2 dev tun0 
+206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176 
+10.10.10.0/24 dev tun1  scope link 
+default via 206.124.146.254 dev <emphasis role="bold">eth0</emphasis> 
+root@lists:~# </programlisting>
+
+      <para>In that example, <filename class="devicefile">eth0</filename> is
+      the external interface.</para>
+    </tip>
+
    <tip>
      <para>If your external interface is <filename
      class="devicefile">ppp0</filename> or <filename
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@ -429,6 +429,31 @@ $FW        net         ACCEPT</programlisting>
    are there, you may wish to review the list of options that are specified
    for the interfaces. Some hints:</para>

+    <tip>
+      <para>Be sure you know which interface is your external interface. Many
+      hours have been spent floundering by users who have configured the wrong
+      interface. If you are unsure, then as root type "ip route ls" at the
+      command line. The device listed in the last (default) route should be
+      your external interface.</para>
+
+      <para>Example:</para>
+
+      <programlisting>root@lists:~# ip route ls
+192.168.1.1 dev eth0  scope link 
+192.168.2.2 dev tun0  proto kernel  scope link  src 192.168.2.1 
+192.168.3.0/24 dev br0  proto kernel  scope link  src 192.168.3.254 
+10.13.10.0/24 dev tun1  scope link 
+192.168.2.0/24 via 192.168.2.2 dev tun0 
+192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.254 
+206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176 
+10.10.10.0/24 dev tun1  scope link 
+default via 206.124.146.254 dev <emphasis role="bold">eth0</emphasis> 
+root@lists:~# </programlisting>
+
+      <para>In that example, <filename class="devicefile">eth0</filename> is
+      the external interface.</para>
+    </tip>
+
    <tip>
      <para>If your external interface is <filename
      class="devicefile">ppp0</filename> or <filename
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -387,7 +387,30 @@ $FW        net         ACCEPT</programlisting> The above policy will:
    <filename
    class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
    file accordingly. While you are there, you may wish to review the list of
-    options that are specified for the interfaces. Some hints: <tip>
+    options that are specified for the interfaces. Some hints:<tip>
+        <para>Be sure you know which interface is your external interface.
+        Many hours have been spent floundering by users who have configured
+        the wrong interface. If you are unsure, then as root type "ip route
+        ls" at the command line. The device listed in the last (default) route
+        should be your external interface.</para>
+
+        <para>Example:</para>
+
+        <programlisting>root@lists:~# ip route ls
+192.168.1.1 dev eth0  scope link 
+192.168.2.2 dev tun0  proto kernel  scope link  src 192.168.2.1 
+192.168.3.0/24 dev br0  proto kernel  scope link  src 192.168.3.254 
+10.13.10.0/24 dev tun1  scope link 
+192.168.2.0/24 via 192.168.2.2 dev tun0 
+192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.254 
+206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176 
+10.10.10.0/24 dev tun1  scope link 
+default via 206.124.146.254 dev <emphasis role="bold">eth0</emphasis> 
+root@lists:~# </programlisting>
+
+        <para>In that example, <filename class="devicefile">eth0</filename> is
+        the external interface.</para>
+      </tip><tip>
        <para>If your external interface is <filename
        class="devicefile">ppp0</filename> or <filename
        class="devicefile">ippp0</filename>, you can replace the