I'm afraid I'm still struggling with this, though I made a minor
breakthrough when I realised I hadn't added a masq rule for the raw
interface, and the "ppp0 not usable" problem has gone away. (It seems I
have to connect it with shorewall clear, then start shorewall.) Anyway,
my home test setup now seems to be working like the school firewall.
(To recap, Raspberry Pis on zone pinet are accessed by PCs in zone schl
using ssh and vnc, and access the Internet via schl and the school
gateway. Traceroute traffic (only) from Pis and the firewall is to be
routed to a 3rd zone containing a mobile data dongle to give unfiltered
Internet access.)
Traceroute is now routed correctly from the Pis, but on the firewall
traceroute reports "Send: Operation not permitted". (I have the same rules
with pinet and $FW as source to allow traceroute.) Also, web access from
both the Pis and the firewall is now broken. However, a PC on schl can
still access a Pi.
My providers file is now:
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw      1       1     -          ppp0       -
school   2       -     -          eno1       192.168.1.1  primary
If I add option fallback to provider raw, that fixes web from both the
Pis and the firewall but breaks traceroute. (I didn't think it was a
good idea but tried it anyway.)
I've read providers(5) and Multiple Internet Connections several times
and spent a good few hours trying to get it to work but there seems to
be something that I still haven't correctly understood. Any help would
be greatly appreciated.
For reference, my other relevant shorewall files are:
mangle:
#ACTION  SOURCE           DEST  PROTO  PORT(S)      SOURCE   USER  TEST
#                                                   PORT(S)
MARK(1)  enx00e04c534458  -     udp    33434:33523  -        -     -
MARK(1)  enx00e04c534458  -     253    -            -        -     -
MARK(1)  $FW              -     udp    33434:33523  -        -     -
MARK(1)  $FW              -     253    -            -        -     -
rtrules:
#SOURCE          DEST  PROVIDER  PRIORITY  MARK
enx00e04c534458  -     raw       11000     1
lo               -     raw       11000     1
zones:
fw     firewall
schl   ipv4
pinet  ipv4
inet   ipv4
interfaces:
schl   eno1             tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet  enx00e04c534458  tcpflags,nosmurfs,routefilter,logmartians
inet   ppp0             tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
Regards - Philip
On 06/01/2017 11:52, Philip Le Riche wrote:
> Thanks, Tom, for the rapid response.
>
> I don't have easy access to the firewall in question so I've set up an
> equivalent network at home. In the providers file I've added the
> primary option to the school network and fallback to the mobile data,
> though I don't actually want it to fall back.
<snip snip>
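A cross-check of the providers, rtrules, mangle and interfaces fragments quoted in the message above, as an added example that is not part of the original post and not Shorewall's own validation: it verifies that every rtrules PROVIDER and MARK, every mangle MARK(n) and every provider or source interface refers to something the other files actually define, which is where a policy-routing setup like this one most often goes quietly wrong. The four fragments are embedded as constructed copies of the ones in the post, and the lint() function and its checks are assumptions of this example.

```python
import re

# Constructed copies of the shorewall fragments quoted in the post (whitespace-separated).
PROVIDERS = """
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw     1       1     -          ppp0       -
school  2       -     -          eno1       192.168.1.1  primary
"""
RTRULES = """
#SOURCE          DEST  PROVIDER  PRIORITY  MARK
enx00e04c534458  -     raw       11000     1
lo               -     raw       11000     1
"""
MANGLE = """
#ACTION  SOURCE           DEST  PROTO  PORT(S)      SPORT  USER  TEST
MARK(1)  enx00e04c534458  -     udp    33434:33523  -      -     -
MARK(1)  $FW              -     253    -            -      -     -
"""
INTERFACES = """
#ZONE  INTERFACE        OPTIONS
schl   eno1             tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet  enx00e04c534458  tcpflags,nosmurfs,routefilter,logmartians
inet   ppp0             tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
"""

def rows(text):  # columns of each non-blank, non-comment line
    return [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def lint(providers, rtrules, mangle, interfaces):
    """Cross-check the four files; return a list of findings (empty means consistent)."""
    out = []
    prov = {r[0]: r for r in rows(providers)}                      # name -> columns
    marks = {r[2] for r in prov.values() if r[2] != "-"}           # MARK values, compared as text
    known = {r[1] for r in rows(interfaces)} | {"lo", "$FW"}       # interfaces + special sources
    for name, r in prov.items():
        if r[4] not in known:
            out.append(f"providers: {name} uses interface {r[4]} not listed in interfaces")
    for r in rows(rtrules):
        src, pname, mark = r[0], r[2], (r[4] if len(r) > 4 else "-")
        if pname not in prov:
            out.append(f"rtrules: provider {pname} is not defined in providers")
        elif mark != "-" and prov[pname][2] != mark:
            out.append(f"rtrules: MARK {mark} != mark {prov[pname][2]} of provider {pname}")
        if not any(c in src for c in "./:") and src not in known:  # an interface name, not an IP
            out.append(f"rtrules: unknown source interface {src}")
    for r in rows(mangle):
        m = re.fullmatch(r"MARK\((\d+)\)", r[0])
        if m and m.group(1) not in marks:
            out.append(f"mangle: MARK({m.group(1)}) matches no provider mark")
    return out
```

On the fragments as posted the four files are mutually consistent and lint() returns an empty list; the checks only fire when a provider name, mark value or interface name is mistyped in one file but not the others.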
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users