mirror of https://gitlab.com/shorewall/code.git, synced 2024-11-21 23:23:13 +01:00
Revise USE_DEFAULT_RT and single-interface sections
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8874 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 367ceb179c
commit da103abe81
@ -973,6 +973,84 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
</section>
</section>

<section id="USE_DEFAULT_RT">
<title>USE_DEFAULT_RT</title>

<para>Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported
a USE_DEFAULT_RT option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>

<para>One of the drawbacks of the Mulit-ISP support as described in the
preceding sections is that changes to the main table made by
applications are not added to the individual provider tables. This makes
route rules such as described in <link linkend="Openvpn">one of the
examples above</link> necessary.</para>

<para>USE_DEFAULT_RT=Yes works around that problem by passing packets
through the main table first rather than last. This has a number of
implications:</para>

<orderedlist>
<listitem>
<para>Both the DUPLICATE and the COPY columns in the providers file
must remain empty or contain "-". The individual provider routing
tables generated when USE_DEFAULT_RT=Yes contain only a host route
to the gateway and a default route via the gateway.</para>
</listitem>

<listitem>
<para>The <emphasis role="bold">balance</emphasis> option is assumed
for all interfaces that do not have the <emphasis
role="bold">loose</emphasis> option. When you want both <emphasis
role="bold">balance</emphasis> and <emphasis
role="bold">loose</emphasis>, both must be specified.</para>
</listitem>

<listitem>
<para>The default route generated by Shorewall is added to the
<emphasis>default</emphasis> routing table (253) rather than to the
main routing table (254).</para>
</listitem>

<listitem>
<para>Packets are sent through the main routing table by a routing
rule with priority 999. In ), the priority range 1-998 may be used
for inserting rules that bypass the main table.</para>
</listitem>

<listitem>
<para>All provider gateways must be specified explicitly in the
GATEWAY column. 'detect' may not be specified. Note that for ppp
interfaces, the GATEWAY may remain unspecified ("-").</para>
</listitem>

<listitem>
<para>You should disable all default route management outside of
Shorewall. If a default route is inadvertently added to the main
table while Shorewall is started, then all policy routing will stop
working except for those routing rules in the priority range
1-998.</para>
</listitem>
</orderedlist>

<para>Although 'balance' is automatically assumed when
USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider
except when you explicitly direct it to use the other provider via
<ulink
url="manpages/shorewall-route_rules.html">shorewall-route_rules</ulink>
(5) or <ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
(5).</para>

<para>Example (send all traffic through the 'shorewall' provider unless
otherwise directed).</para>

<para>/etc/shorewall/providers:<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional
shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional</programlisting>/etc/shorewall/route_rules:<programlisting>#SOURCE DEST PROVIDER PRIORITY
- - shorewall 11999</programlisting></para>
</section>

<section id="Shared">
<title>Two Providers Sharing an Interface</title>

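Review bot: the fourth list item of the new section has lost text before the closing parenthesis, "rule with priority 999. In ), the priority range 1-998 may be used for inserting rules that bypass the main table", so the sentence should either name what the range applies to or drop the stray "In )" and read "The priority range 1-998 may be used for inserting rules that bypass the main table." Two smaller points in the same section: "Mulit-ISP" should be "Multi-ISP", and item 6 would be more actionable if it said what "default route management outside of Shorewall" means in practice, since item 5 already brings up ppp interfaces and pppd's defaultroute option is exactly the kind of thing that installs a competing default route in the main table. The example at the end is consistent with the list: the catch-all route_rules entry at priority 11999 sits after the main-table rule at 999, so only the 1-998 range bypasses the main table as items 4 and 6 describe.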
@ -1062,12 +1140,12 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
<para>The local wired network in my office is connected to both gateways
and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
gateway has local IP address 172.20.1.1 while the Avvanta gateway has
local IP address 172.20.1.1. Ursa's eth0 interface has a single IP
local IP address 172.20.1.254. Ursa's eth0 interface has a single IP
address (172.20.1.130).</para>

<para>This configuration uses USE_DEFAULT_RT=Yes in
<filename>shorewall.conf </filename>(see <link
linkend="USE_DEFAULT_RT">below</link>).</para>
linkend="USE_DEFAULT_RT">above</link>).</para>

<para>Here is the <filename>providers</filename> file:</para>

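Review bot: the Avvanta gateway address change from 172.20.1.1 to 172.20.1.254 is the substantive fix here, since the old line gave both gateways the same address as the Comcast gateway on the line above, and the "below" to "above" change in the cross-reference is the right companion to moving the USE_DEFAULT_RT section ahead of this one. One nit in the unchanged context: `<filename>shorewall.conf </filename>(see` carries the space inside the element, so the filename markup ends in whitespace; the space belongs after the closing tag.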
@ -1103,8 +1181,8 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
</listitem>

<listitem>
<para>The <emphasis role="bold">wireless</emphasis> provider is
never used when the laptop is connected to the wired network.</para>
<para>I always disable the <emphasis role="bold">wireless</emphasis>
interface when the laptop is connected to the wired network.</para>
</listitem>

<listitem>
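Review bot: the rewording replaces a statement about the configuration ("the wireless provider is never used when the laptop is connected to the wired network") with a statement about operator practice ("I always disable the wireless interface"), which leaves the list item without saying what Shorewall does with the `wireless` provider from the hunk header while wlan0 is down; a sentence on that would keep the item self-contained for readers who do not follow the same habit.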
@ -1172,83 +1250,5 @@ wlan0 192.168.0.0/24</programlisting><note>
don't need to specify the providers in the masq rules.</para>
</note></para>
</section>

<section id="USE_DEFAULT_RT">
<title>USE_DEFAULT_RT</title>

<para>Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported
a USE_DEFAULT_RT option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>

<para>One of the drawbacks of the Mulit-ISP support as described in the
preceding section is that changes to the main table made by applications
are not added to the individual provider tables. This makes route rules
such as described in <link linkend="Openvpn">one of the examples
above</link> necessary.</para>

<para>USE_DEFAULT_RT=Yes works around that problem by passing packets
through the main table first rather than last. This has a number of
implications:</para>

<orderedlist>
<listitem>
<para>Both the DUPLICATE and the COPY columns in the providers file
must remain empty or contain "-". The individual provider routing
tables generated when USE_DEFAULT_RT=Yes contain only a host route
to the gateway and a default route via the gateway.</para>
</listitem>

<listitem>
<para>The <emphasis role="bold">balance</emphasis> option is assumed
for all interfaces that do not have the <emphasis
role="bold">loose</emphasis> option. When you want both <emphasis
role="bold">balance</emphasis> and <emphasis
role="bold">loose</emphasis>, both must be specified.</para>
</listitem>

<listitem>
<para>The default route generated by Shorewall is added to the
<emphasis>default</emphasis> routing table (253) rather than to the
main routing table (254).</para>
</listitem>

<listitem>
<para>Packets are sent through the main routing table by a routing
rule with priority 999. In ), the priority range 1-998 may be used
for inserting rules that bypass the main table.</para>
</listitem>

<listitem>
<para>All provider gateways must be specified explicitly in the
GATEWAY column. 'detect' may not be specified. Note that for ppp
interfaces, the GATEWAY may remain unspecified ("-").</para>
</listitem>

<listitem>
<para>You should disable all default route management outside of
Shorewall. If a default route is inadvertently added to the main
table while Shorewall is started, then all policy routing will stop
working except for those routing rules in the priority range
1-998.</para>
</listitem>
</orderedlist>

<para>Although 'balance' is automatically assumed when
USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider
except when you explicitly direct it to use the other provider via
<ulink
url="manpages/shorewall-route_rules.html">shorewall-route_rules</ulink>
(5) or <ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
(5).</para>

<para>Example (send all traffic through the 'shorewall' provider unless
otherwise directed).</para>

<para>/etc/shorewall/providers:<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional
shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional</programlisting>/etc/shorewall/rules:<programlisting>#SOURCE DEST PROVIDER PRIORITY
- - shorewall 11999</programlisting></para>
</section>
</section>
</article>
</article>
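Review bot: this hunk is the removal half of a move, the same USE_DEFAULT_RT section being re-added earlier in the article by the first hunk, so the two copies deserve a side-by-side check: the moved text fixes the file name in the example from /etc/shorewall/rules to /etc/shorewall/route_rules (the old label named the wrong file for a SOURCE/DEST/PROVIDER/PRIORITY listing), but it carries the broken phrase "In ), the priority range 1-998" over unchanged. At the end of the hunk `</article>` appears on two lines, meaning the closing tag itself is rewritten; confirm that is only a trailing-newline change and not a duplicated closing tag.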