On 11/15/10 8:11 PM, Alan Madill wrote:
> On 11/15/2010 11:16 AM, Tom Eastep wrote:
>>> That was the fix, thank you. I had turned off USE_DEFAULT_RT so that
>>> systems on the PROC (industrial) side of the network would have no
>>> knowledge of the routes on the CORP (business) side.
>> How would they get this knowledge? If your firewall rules prohibit such
>> traffic, why does the existence of these routes matter?
>
> They would get this knowledge by hitting the "main" table before the CORP or
> PROC tables if the routing was in "main".

So what? Again, if your firewall rules prohibit such traffic then "They" gain
no additional knowledge.

> As for why... Efficiency? Because some of these IPs are accessible when
> routed via the Internet and they are not allowed via the corporate side?
>
> That's why I asked...
>
> Is there any harm or advantage in using route_rules to accomplish the same
> thing? i.e., instead of having the corporate routes in route-eth1.2 so that
> they end up in the main table?
>
> Is there an additional processing cost for the router?
>
> Perhaps I am not understanding the flow. Does it work like...
>
> 0: from all lookup 255
> 999: from all lookup main
> 1000: from all iif eth1.2 lookup CORP
> 1000: from all iif eth1.3 lookup CORP
>
> 1000: from all iif eth1.4 lookup WRLS
>
> ^ The packet arrived via eth1.4 destined for 198.162.160.xxx and Table WRLS
> says
>
> 204.244.116.190 dev eth0 scope link src 204.244.116.180
> default via 204.244.116.190 dev eth0 src 204.244.116.180
>
> ^ so send it out via the default

Yes.

> 1000: from all iif eth1.5 lookup WRLS
> 1001: from all to 198.162.160.0/19 lookup CORP
>
> ^ Never getting here

That's correct -- routing rules are "first match wins".

> Which would mean adding any additional routing beyond the default is
> redundant. (If the defaults cover it) Am I getting it?

Additional routing *rules*, yes. Shorewall's 'provider' mechanism isn't
designed to allow arbitrary routes to be defined in the provider tables. The
only way to add routes to one of these tables is to add them to the main
table and have them copied from there.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
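The rule walk Alan sketched and Tom confirmed, as an added worked example (this is not code from the thread or from Shorewall). It simulates how Linux policy routing evaluates `ip rule` entries in priority order against the tables they point at, using the rule list and the WRLS table from the thread. It goes one step beyond the thread: the kernel does not stop at the first rule whose *selector* matches, it stops at the first matching rule whose *table lookup returns a route*; when the table has nothing for the destination it moves on to the next rule. That is why the `1001: to 198.162.160.0/19 lookup CORP` rule is never reached for a packet arriving on eth1.4 while WRLS holds a default route, but would be reached if WRLS lacked one. The contents of the `local`, `main` and `CORP` tables, the eth0 subnet (204.244.116.176/28), the CORP gateway (10.1.2.1) and eth1.2 as the CORP-facing interface are assumptions made for the simulation, not values from the thread.

```python
"""Simulate Linux policy-routing (ip rule / ip route) decisions.

Rules are tried in priority order. The first rule whose selector matches AND
whose table returns a route decides the packet; if the selected table has no
route for the destination, evaluation continues with the next rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # "default" or a CIDR such as 198.162.160.0/19
    dev: str
    via: Optional[str] = None   # next-hop gateway; None for a connected route

    def network(self) -> IPv4Network:
        cidr = "0.0.0.0/0" if self.prefix == "default" else self.prefix
        return ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    iif: Optional[str] = None   # incoming-interface selector; None == "from all"
    to: Optional[str] = None    # destination-prefix selector

    def matches(self, iif: str, dst: IPv4Address) -> bool:
        if self.iif is not None and self.iif != iif:
            return False
        if self.to is not None and dst not in ip_network(self.to, strict=False):
            return False
        return True


@dataclass(frozen=True)
class Decision:
    prio: int
    table: str
    route: Route


def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table; None if the table has no route."""
    candidates = [r for r in routes if dst in r.network()]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network().prefixlen)


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 iif: str, dst: str) -> Optional[Decision]:
    """Walk the rules in priority order (equal priorities keep insertion order)."""
    dst_ip = ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(iif, dst_ip):
            continue
        route = lookup(tables.get(rule.table, []), dst_ip)
        if route is not None:
            return Decision(rule.prio, rule.table, route)
        # selector matched but the table had no route for dst: fall through
    return None


# The rule list from the thread (Shorewall providers, USE_DEFAULT_RT off).
RULES = [
    Rule(0, "local"),
    Rule(999, "main"),
    Rule(1000, "CORP", iif="eth1.2"),
    Rule(1000, "CORP", iif="eth1.3"),
    Rule(1000, "WRLS", iif="eth1.4"),
    Rule(1000, "WRLS", iif="eth1.5"),
    Rule(1001, "CORP", to="198.162.160.0/19"),
]

# WRLS is as shown in the thread. "local", "main" and "CORP" are constructed
# for the simulation: the eth0 subnet and the CORP gateway are assumptions.
TABLES = {
    "local": [],
    "main": [Route("204.244.116.176/28", "eth0")],
    "WRLS": [Route("204.244.116.190/32", "eth0"),
             Route("default", "eth0", via="204.244.116.190")],
    "CORP": [Route("198.162.160.0/19", "eth1.2", via="10.1.2.1")],
}

# Same tables, but WRLS without its default route, to show the fall-through.
TABLES_NO_WRLS_DEFAULT = dict(TABLES, WRLS=[Route("204.244.116.190/32", "eth0")])


if __name__ == "__main__":
    cases = [
        ("eth1.4", "198.162.160.10", TABLES),                  # the thread's case
        ("eth1.4", "204.244.116.190", TABLES),                 # main (999) wins
        ("eth0", "198.162.160.10", TABLES),                    # no iif rule: reaches 1001
        ("eth1.4", "198.162.160.10", TABLES_NO_WRLS_DEFAULT),  # WRLS has no route: falls to 1001
    ]
    for iif, dst, tables in cases:
        d = route_packet(RULES, tables, iif, dst)
        via = f" via {d.route.via}" if d.route.via else ""
        print(f"iif={iif:6} dst={dst:16} -> prio {d.prio} table {d.table}: "
              f"{d.route.prefix} dev {d.route.dev}{via}")
```

The second case also shows why Tom's "why does the existence of these routes matter" question is the right one: a destination covered by `main` is decided at priority 999, before any provider rule is consulted, so whatever lands in `main` is reachable from every interface unless the firewall rules say otherwise.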
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
