More document tweaks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9255 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-01-07 16:25:14 +00:00
parent 7dd04d8460
commit ba8a0976f1


@ -306,8 +306,8 @@
<para>You want to specify 'track' if Internet hosts will be <para>You want to specify 'track' if Internet hosts will be
connecting to local servers through this provider. Any time connecting to local servers through this provider. Any time
that you specify 'track', you will also want to specify that you specify 'track', you will normally want to also
'balance' (see below).</para> specify 'balance' (see below).</para>
<para>Use of this feature requires that your kernel and <para>Use of this feature requires that your kernel and
iptables include CONNMARK target and connmark match support iptables include CONNMARK target and connmark match support
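Review bot: The rewording to "you will normally want to also specify 'balance'" introduces an unstated exception, while the paragraph in the next hunk still tells the reader to "specify 'balance' even if you don't need it"; the two passages should agree. Either keep the unconditional wording here, or name the case in which 'track' without 'balance' is intended so readers know when "normally" does not apply.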
@ -371,9 +371,10 @@
specify 'balance' even if you don't need it. You can still specify 'balance' even if you don't need it. You can still
use entries in <filename>/etc/shorewall/tcrules</filename> use entries in <filename>/etc/shorewall/tcrules</filename>
to force all traffic to one provider or another.<note> to force all traffic to one provider or another.<note>
<para>If you don't heed this advice then be prepared <para>If you don't heed this advice then please read
to read <ulink url="FAQ.htm#faq57">FAQ 57</ulink> and and follow the advice in <ulink
<ulink url="FAQ.htm#faq58">FAQ 58</ulink>.</para> url="FAQ.htm#faq57">FAQ 57</ulink> and <ulink
url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
</note></para> </note></para>
</important> </important>
@ -469,11 +470,15 @@
(Added in Shorewall-perl 4.2.5)</emphasis></term> (Added in Shorewall-perl 4.2.5)</emphasis></term>
<listitem> <listitem>
<para>Indicates that a balanced default route through the <para>Indicates that a default route through the provider
provider should be added to the default routing table (table should be added to the default routing table (table 253). If
253). The route is added with a weight equal to the a <replaceable>weight</replaceable> is given, a balanced
specified <replaceable>weight</replaceable> (default 1). The route is added with the weight of this provider equal to the
option is ignored with a warning message if specified <replaceable>weight</replaceable>. If the option
is given without a <replaceable>weight</replaceable>, an
separate default route is added through the provider's
gateway; the route has a metric equal to the provider's
NUMBER. The option is ignored with a warning message if
USE_DEFAULT_RT=Yes in USE_DEFAULT_RT=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</listitem> </listitem>
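Review bot: Grammar slip in the new text: "an separate default route" should read "a separate default route", and "a balanced route is added with the weight of this provider equal to the weight" is circular; "the route for this provider is added with the given weight" says the same thing more directly. The no-weight case would also benefit from one more sentence: since each provider's route then carries a metric equal to its NUMBER, the kernel prefers the provider with the lowest NUMBER rather than balancing across them, and that is the behaviour a reader choosing between the two forms needs to know.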
@ -1324,7 +1329,7 @@ wlan0 192.168.0.0/24</programlisting><note>
</listitem> </listitem>
<listitem> <listitem>
<para>Connections initiated by the server and connection requested by <para>Connections initiated by the server and connections requested by
clients on the firewall that have bound their local socket to one of clients on the firewall that have bound their local socket to one of
the DSL IP addresses. Two entries in the DSL IP addresses. Two entries in
<filename>/etc/shorewall/route_rules</filename> take care of that <filename>/etc/shorewall/route_rules</filename> take care of that
@ -1335,18 +1340,22 @@ wlan0 192.168.0.0/24</programlisting><note>
<para>As a consequence, I have disabled all route filtering on the <para>As a consequence, I have disabled all route filtering on the
firewall and do not use the <emphasis role="bold">balance</emphasis> firewall and do not use the <emphasis role="bold">balance</emphasis>
option in <filename>/etc/shorewall/providers</filename>. The default route option in <filename>/etc/shorewall/providers</filename>. The default route
in the main table is established by DHCP. By specifying the in the main table is established by DHCP. By specifying the <emphasis
<emphasis>default_rt</emphasis> option on Avvanta, I ensure that there is role="bold">fallback</emphasis> option on Avvanta, I ensure that there is
a default route when Comcast is down.</para> still a default route if Comcast is down.</para>
<para><filename>/etc/sysctl.conf</filename>:</para> <para><filename>/etc/sysctl.conf</filename>:</para>
<programlisting>net.ipv4.conf.all.rp_filter = 0</programlisting> <programlisting>net.ipv4.conf.all.rp_filter = 0</programlisting>
<para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
<programlisting>ROUTE_FILTER=No</programlisting>
<para><filename>/etc/shorewall/providers</filename>:</para> <para><filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,default_rt eth2,eth4,tun* Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,fallback eth2,eth4,tun*
Comcast 2 0x200 main eth3 detect track eth2,eth4,tun* Comcast 2 0x200 main eth3 detect track eth2,eth4,tun*
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
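Review bot: With both `net.ipv4.conf.all.rp_filter = 0` and the new `ROUTE_FILTER=No` shown together, the text should state the trade-off explicitly: reverse-path filtering is what makes the kernel drop packets whose source address would not be routed back out the interface they arrived on, so disabling it removes that anti-spoofing check on every interface, not only the two provider interfaces. A sentence noting this, and that the example relies on the rest of the firewall configuration for source-address sanity, would keep readers from copying the setting without understanding what it gives up.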
@ -1355,11 +1364,14 @@ Comcast 2 0x200 main eth3 detect track
traffic from Avvanta-assigned IP addresses is sent via the Avvanta traffic from Avvanta-assigned IP addresses is sent via the Avvanta
provider. Note that because the Comcast line has a dynamic IP address, I provider. Note that because the Comcast line has a dynamic IP address, I
am not able to use USE_DEFAULT_RT=Yes in am not able to use USE_DEFAULT_RT=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>.</para> <filename>/etc/shorewall/shorewall.conf</filename>. The 'tun*' included in
the COPY column is there because I run a routed OpenVPN server on the
firewall.</para>
<para><filename>/etc/shorewall/route_rules</filename>:</para> <para><filename>/etc/shorewall/route_rules</filename>:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY <programlisting>#SOURCE DEST PROVIDER PRIORITY
- 162.20.0.0.24 main 1000 # Addresses assigned by routed OpenVPN server
206.124.146.176/30 - Avvanta 26000 206.124.146.176/30 - Avvanta 26000
206.124.146.180 - Avvanta 26000 206.124.146.180 - Avvanta 26000
- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address - 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address
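Review bot: The new route_rules entry `- 162.20.0.0.24 main 1000` is malformed: it has four dots and no prefix length. The routing-rules output added in the following hunk reads `1000: from all to 172.20.0.0/24 lookup main`, so the intended value is evidently `172.20.0.0/24`; the example line should be corrected to match, otherwise a reader who copies it will get a parse error or a rule that never matches.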
@ -1379,6 +1391,7 @@ Comcast 2 0x200 main eth3 detect track
<programlisting>Routing Rules <programlisting>Routing Rules
0: from all lookup local 0: from all lookup local
1000: from all to 172.20.0.0/24 lookup main
10000: from all fwmark 0x100 lookup Avvanta 10000: from all fwmark 0x100 lookup Avvanta
10001: from all fwmark 0x200 lookup Comcast 10001: from all fwmark 0x200 lookup Comcast
20256: from 71.227.156.229 lookup Comcast 20256: from 71.227.156.229 lookup Comcast
@ -1462,7 +1475,8 @@ eth0 !206.124.146.0/24 206.124.146.179
<para>All traffic leaving eth3 must use the dynamic IP address assigned to <para>All traffic leaving eth3 must use the dynamic IP address assigned to
that interface as the SOURCE address. All traffic leaving eth0 that does that interface as the SOURCE address. All traffic leaving eth0 that does
not have an address falling within the Avvanta subnet (206.124.146.0/24) not have a SOURCE address falling within the Avvanta subnet
must have its SOURCE address changed to 206.124.146.179.</para> (206.124.146.0/24) must have its SOURCE address changed to
206.124.146.179.</para>
</section> </section>
</article> </article>