On 11/15/2010 11:16 AM, Tom Eastep wrote:
>
>> That was the fix, thank you. I had turned off USE_DEFAULT_RT so that
>> systems on the PROC (industrial) side of the network would have no
>> knowledge of the routes on the CORP (business) side.
>
> How would they get this knowledge? If your firewall rules prohibit such
> traffic, why does the existence of these routes matter?

They would get this knowledge by hitting the "main" table before the CORP
or PROC tables if the routing was in "main".

As for why... Efficiency? Because some of these IPs are accessible when
routed via the Internet and they are not allowed via the corporate side?

That's why I asked... Is there any harm or advantage in using route_rules
to accomplish the same thing? I.e., instead of having the corporate routes
in route-eth1.2 so that they end up in the main table? Is there an
additional processing cost for the router?

Perhaps I am not understanding the flow. Does it work like...

0:    from all lookup 255
999:  from all lookup main
1000: from all iif eth1.2 lookup CORP
1000: from all iif eth1.3 lookup CORP
1000: from all iif eth1.4 lookup WRLS
      ^ The packet arrived via eth1.4 destined for 198.162.160.xxx and
        Table WRLS says:
          204.244.116.190 dev eth0 scope link src 204.244.116.180
          default via 204.244.116.190 dev eth0 src 204.244.116.180
        ^ so send it out via the default
1000: from all iif eth1.5 lookup WRLS
1001: from all to 198.162.160.0/19 lookup CORP
      ^ Never getting here

Which would mean adding any additional routing beyond the default is
redundant. (If the defaults cover it)

Am I getting it?

Thanks for your patience.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
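The rule-by-rule walk in the message above, as an added example that is not from the thread or from Shorewall: a small Python model of Linux policy-routing lookup (rules tried in priority order, longest-prefix match inside each table, fall through to the next rule when a table has no matching route; `throw` routes and `from` selectors are not modelled). The rule list and the WRLS routes are copied from the message; the CORP gateway 10.0.0.1 and the destination host 198.162.160.5 are constructed placeholders.

```python
import ipaddress
# Rules quoted in the message as (priority, iif, to-prefix, table); None = "from all".
RULES = [
    (0,    None,     None,               "local"),
    (999,  None,     None,               "main"),
    (1000, "eth1.2", None,               "CORP"),
    (1000, "eth1.3", None,               "CORP"),
    (1000, "eth1.4", None,               "WRLS"),
    (1000, "eth1.5", None,               "WRLS"),
    (1001, None,     "198.162.160.0/19", "CORP"),
]
# Route tables as (prefix, next hop). WRLS is quoted from the message;
# the CORP gateway 10.0.0.1 is a constructed placeholder.
CORP_ROUTE = ("198.162.160.0/19", "via 10.0.0.1 dev eth1.2")
TABLES = {
    "local": [],
    "main":  [],  # filled per scenario below
    "WRLS":  [("204.244.116.190/32", "dev eth0"),
              ("0.0.0.0/0", "via 204.244.116.190 dev eth0")],
    "CORP":  [CORP_ROUTE],
}
def lookup_table(table, dst):
    """Longest-prefix match within one table; None when nothing matches."""
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def route(tables, dst, iif):
    """First table (in rule priority order) holding a matching route decides; later rules are never consulted."""
    dst = ipaddress.ip_address(dst)
    for prio, rule_iif, to, table in sorted(RULES, key=lambda r: r[0]):
        if rule_iif is not None and rule_iif != iif:
            continue  # "iif" selector does not match this packet
        if to is not None and dst not in ipaddress.ip_network(to):
            continue  # "to" selector does not match this packet
        hit = lookup_table(tables[table], dst)
        if hit is not None:
            return (prio, table, str(hit[0]), hit[1])
    return None

def scenario(corp_route_in_main):
    """Packet for 198.162.160.5 (constructed host) arriving on eth1.2 and on eth1.4."""
    tables = {name: list(routes) for name, routes in TABLES.items()}
    if corp_route_in_main:
        tables["main"] = [CORP_ROUTE]
    return {iif: route(tables, "198.162.160.5", iif) for iif in ("eth1.2", "eth1.4")}
```

With the CORP route absent from main, the packet from eth1.4 is sent by the WRLS default route at priority 1000 and rule 1001 is never reached; with the route in main, every interface, PROC side included, resolves it at priority 999 before any per-interface table is consulted.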
