On 3/17/2014 8:12 AM, Tom Eastep wrote:
> On 3/17/2014 5:15 AM, Angela Williams wrote:
>> Hi All!
>> When I used to train Burroughs/Unisys engineers, I would always start 
>> by pointing out that the only stupid or foolish question is the one 
>> they think would make them look a bit dof (dumb, IOW). I always made the 
>> point that their "dumb" question almost always helps others! My past 
>> experience anyway!
> 
> I myself spent 11 years working for Burroughs :-)
> 
>>
>> Okay, on to the documentation "features"! The web page says 4.4 and 4.5, 
>> yet when you look at Multi ISP Connections on a single firewall and 
>> how to get a local service like smtp to use a specific provider, the chat 
>> is all about the nice new mangle file! My Gentoo-provided 4.5.18 does 
>> not have anything called mangle! I would assume that we non-beta users 
>> would only come across it in 4.6! It really confused me! Why must I now 
>> put my rule in as MARK(xx) ... into my tcrules? You get used to the 
>> filenames, and it's only when digging a bit deeper by reading a bit 
>> more carefully that the "mangle" pops up!
>>
>> Which now leads me on to my problem!
>>
>> I have a site that has just had a shiny new 5M fibre connection 
>> installed. I need to toss out my old script-based firewall as it cannot 
>> handle multiple ISP connections!
>>
>> Because the new connection is 5 times faster than the old leased 
>> line and I need to do some heavy traffic shaping, I have opted to use 
>> WIDE_TC_MARKS=Yes and HIGH_ROUTE_MARKS=Yes, which I figured out need 
>> to be translated to the new config variables! Again the 
>> documentation is none too clear! A few errors on another site sorted that 
>> out! I decided that I need to give myself lots of room to play. My only 
>> other multi-ISP site turned into a dog's breakfast as the one ISP could 
>> not get their WiFi connection working and reliable!
>>
>> So my providers file looks like this.
>> digi    1       0x10000    -       $DIGI_IF    x.x.x.x   loose,balance=1
>> adsl    2       0x20000    -       $ADSL_IF    10.10.117.254
>> fibre   3       0x30000    -       $FIBRE_IF   y.y.y.y   loose,balance=4
>>
>> Now that dumb question!
>>
>> I need to get smtp traffic from postfix on the firewall to only use the 
>> digi provider!
>> Here it comes!
>> What am I meant to put into tcrules to do it?
>> Do I use the provider number or the MARK of 0x10000?
>>
>> I have read and reread the docs on the website plus the good man pages, 
>> but either I'm dof and don't see something I should or I'm just getting 
>> past this stuff! All a bit confusing really!
>>
>> My tcrules snippet looks like this! Even ready for mangle!
>>
>> # Send smtp out the Digi line
>> 1       $FW             0.0.0.0/0       tcp     25
> 
> The mark for digi is 0x10000; so your rule in /etc/shorewall/tcrules
> would be:
> 
> 0x10000       $FW     0.0.0.0/0       tcp     25
> 

I should add, however, that a much better way to do that is to configure
your MTA to bind to the 'digi' local address when sending. As pointed
out at http://www.shorewall.org/MultiISP.html#Local, marking is
unreliable when the source is $FW.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
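As an added example (not Tom's or Angela's code, and not part of Shorewall), here is a small Python checker that cross-checks the marks in the two files quoted above and flags the two pitfalls raised in this thread: a tcrules MARK that names no provider mark (a provider number, or a typo such as 0x100000 for 0x10000) and a marking rule whose SOURCE is $FW, which is the case the MultiISP page calls unreliable. The sample input is constructed from the thread with placeholder gateway addresses.

```python
# Added example (not from the thread or from Shorewall): cross-check the mark
# values in a Shorewall providers file against the MARK column of tcrules.
# It flags a MARK that names no provider (a provider *number*, or a typo such
# as 0x100000 for 0x10000) and a rule with SOURCE $FW, which the reply says
# marking handles unreliably.
import re

# Constructed sample input modelled on the thread; gateways are placeholders.
PROVIDERS = """
digi    1   0x10000  -  $DIGI_IF   198.51.100.1   loose,balance=1
adsl    2   0x20000  -  $ADSL_IF   10.10.117.254
fibre   3   0x30000  -  $FIBRE_IF  203.0.113.1    loose,balance=4
"""
TCRULES = """
# Send smtp out the Digi line
1          $FW             0.0.0.0/0  tcp  25
0x100000   $FW             0.0.0.0/0  tcp  25
0x10000:P  $FW             0.0.0.0/0  tcp  25
0x20000    192.168.1.0/24  0.0.0.0/0  tcp  80
"""

def parse_table(text):
    """Rows of whitespace-separated columns; '#' comments and blanks dropped."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [row for row in rows if row]

def parse_mark(field):
    """MARK value as int, ignoring a chain designator such as ':P' or ':F'."""
    value = field.split(":", 1)[0]
    if not re.fullmatch(r"0x[0-9a-fA-F]+|[0-9]+", value):
        return None  # not a plain mark (e.g. '-' or another action)
    return int(value, 16 if value.lower().startswith("0x") else 10)

def check_tcrules(tcrules_text, providers_text):
    """One finding string per suspicious tcrules row, in file order."""
    by_mark = {}
    for row in parse_table(providers_text):  # name, number, mark, ...
        if (mark := parse_mark(row[2])) is not None:
            by_mark[mark] = row[0]
    findings = []
    for row in parse_table(tcrules_text):  # mark, source, dest, proto, dport
        mark, source = parse_mark(row[0]), row[1]
        if mark is None:
            continue
        if mark not in by_mark:
            findings.append(f"{row[0]}: {mark:#x} is not a provider mark "
                            f"(providers use {', '.join(f'{m:#x}' for m in by_mark)})")
        elif source == "$FW":
            findings.append(f"{row[0]}: selects {by_mark[mark]!r}, but marking with "
                            "SOURCE $FW is unreliable; bind the MTA to that address")
    return findings
```

Running `check_tcrules(TCRULES, PROVIDERS)` reports the first three sample rules and stays silent on the LAN rule, which uses a valid provider mark from a non-$FW source.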

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users