More Multi-ISP doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2157 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-05-22 01:28:41 +00:00 · 2005-05-22 01:28:41 +00:00 · 4b7d64be55
commit 4b7d64be55
parent 2e0abc0089
1 changed files with 89 additions and 13 deletions
--- a/Shorewall-docs2/Shorewall_and_Routing.xml
+++ b/Shorewall-docs2/Shorewall_and_Routing.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-05-20</pubdate>
+    <pubdate>2005-05-21</pubdate>

    <copyright>
      <year>2005</year>
@ -184,12 +184,13 @@
  <section>
    <title>Routing and Proxy ARP</title>

-    <para>There is one instance where Shorewall creates routing table entries.
-    When an entry in <filename>/etc/shorewall/proxyarp</filename> contains
-    "No" in the HAVEROUTE column then Shorewall will create a host route to
-    the IP address listed in the ADDRESS column through the interface named in
-    the INTERFACE column. <emphasis role="bold">This is the only case where
-    Shorewall directly manipulates the routing table</emphasis>.</para>
+    <para>There is one instance where Shorewall creates main routing table
+    entries. When an entry in <filename>/etc/shorewall/proxyarp</filename>
+    contains "No" in the HAVEROUTE column then Shorewall will create a host
+    route to the IP address listed in the ADDRESS column through the interface
+    named in the INTERFACE column. <emphasis role="bold">This is the only case
+    where Shorewall directly manipulates the main routing
+    table</emphasis>.</para>

    <para>Example:</para>

@ -270,7 +271,7 @@
          </listitem>

          <listitem>
-            <para>You man not use connection marking.</para>
+            <para>You may not use connection marking.</para>
          </listitem>
        </itemizedlist>
      </caution>
@ -282,8 +283,9 @@
      <warning>
        <para>The current version of iptables (1.3.1) is broken with respect
        to CONNMARK and iptables-save/iptables-restore. This means that if you
-        configure multiple ISPs, <command>shorewall restore</command> will
-        fail. You must patch your iptables using the patch at <ulink
+        configure multiple ISPs, <command>shorewall restore</command> may
+        fail. If it does, you may patch your iptables using the patch at
+        <ulink
        url="http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff">http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff</ulink>.</para>
      </warning>

@ -358,6 +360,13 @@

            <glossdef>
              <para>The IP address of the provider's Gateway router.</para>
+
+              <para>Users with point-to-point dynamic connections such as
+              PPPoE, PPPoA or PPTP can enter <emphasis
+              role="bold">detect</emphasis> here and Shorewall will
+              automatically determine the gateway IP address. You must of
+              course configure your ppp service to restart Shorewall when you
+              connect or when the gateway IP address changes.</para>
            </glossdef>
          </glossentry>

@ -399,6 +408,73 @@
      </glossary>
    </section>

+    <section>
+      <title>What an entry in the Providers File Does</title>
+
+      <para>Adding another entry in the providers file simply creates an
+      alternate routing table for you. In addition:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>An ip rule is generated for each IP address on the INTERFACE
+          that routes traffic from that address through the associated routing
+          table.</para>
+        </listitem>
+
+        <listitem>
+          <para>If you specify <emphasis role="bold">track</emphasis>, then
+          connections which have had at least one packet arrive on the
+          interface listed in the INTERFACE column have their connection mark
+          set to the value in the MARK column. In the PREROUTING chain,
+          packets with that connmark have their packet mark set to that value;
+          packets so marked then bypass any prerouting rules that you create
+          in <filename>/etc/shorewall/tcrules</filename>. This ensures that
+          packets associated with connections from outside are always routed
+          out of the correct interface.</para>
+        </listitem>
+
+        <listitem>
+          <para>If you specify <emphasis role="bold">balance</emphasis>, then
+          Shorewall will replace the 'default' route in the 'main' routing
+          table with a load-balancing route among those gateways where
+          <emphasis role="bold">balance</emphasis> was specified.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>That's <emphasis role="bold">all</emphasis> that these entries do.
+      You still have to follow the principle stated at the top of this
+      article:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>Routing determines where packets are to be sent.</para>
+        </listitem>
+
+        <listitem>
+          <para>Once routing determines where the packet is to go, the
+          firewall (Shorewall) determines if the packet is allowed to go
+          there.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>The bottom line is that if you want traffic to go out through a
+      particular provider then you <emphasis>must </emphasis>mark that traffic
+      with the provider's MARK value in
+      <filename>/etc/shorewall/tcrules</filename> and you must do that marking
+      in the PREROUTING chain.</para>
+
+      <warning>
+        <para>Entries in <filename>/etc/shorewall/providers</filename>
+        permanently alter your firewall/gateway's routing; that is, the effect
+        of these changes is not reversed by <command>shorewall stop</command>
+        or <command>shorewall clear</command>. To restore routing to its
+        original state, you will have to restart your network. This can
+        usually be done by <command>/etc/init.d/network restart</command> or
+        <command>/etc/init.d/networking restart</command>. Check your
+        distribution's networking documentation.</para>
+      </warning>
+    </section>
+
    <section>
      <title>Example</title>

@ -432,15 +508,15 @@ net        net            DROP</programlisting>
 eth0             eth2              206.124.146.176
 eth1             eth2              130.252.99.27</programlisting>

-      <para>Now suppose that you want to route all outgoing SMTP traffic
-      through ISP 2. You would make this entry in <ulink
+      <para>Now suppose that you want to route all outgoing SMTP traffic from
+      your local network through ISP 2. You would make this entry in <ulink
      url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink> (and you would
      set TC_ENABLED=Yes in <ulink
      url="???">/etc/shorewall/shorewall.conf</ulink>).</para>

      <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                               PORT(S)
-2               &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>
+2:P             &lt;local network&gt; 0.0.0.0/0       tcp     25</programlisting>
    </section>
  </section>