[Shorewall-devel] Support for inbound traffic from multiple ISPs in CVS

Tom Eastep teastep at shorewall.net
Tue May 17 08:22:03 PDT 2005

The Shorewall2/ project in CVS contains my initial attempt to establish
correct routing for traffic forwarded from two different ISPs to
internal servers.

From the release notes:

   Shorewall 2.3.2 includes support for multiple Internet interfaces to
   different ISPs. This feature is enabled by setting the "default"
   option for each Internet interface in /etc/shorewall/interfaces.

   This feature requires a number of extensions in your kernel and

   - Extended MARK support.
   - ROUTE Target support.
   - CONNMARK Target support and conntrack match support.

   Each interface with the 'default' option given must have a default
   route in the main routing table and must be up when
   Shorewall is [re]started.

   When you specify 'default' on two or more entries in
   /etc/shorewall/interfaces, replies to connections from these
   interfaces are routed back out of the same interface and through the
   correct gateway.

The restriction on marks set in /etc/shorewall/tcrules is now strictly
enforced, which allows Shorewall to employ mark values >= 256 for its
own use.

Setting up the correct routing for outbound traffic is still your
responsibility. I'm working on that next...
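A precondition check for the requirement quoted above, that every interface carrying the 'default' option has a default route in the main table and is up (an added example, not Shorewall's own code). It assumes the ZONE INTERFACE BROADCAST OPTIONS column layout of /etc/shorewall/interfaces and the output formats of `ip route show table main` and `ip -o link show`; all sample data below is constructed.

```shell
#!/bin/sh
# Live use: check_default_ifaces "$(cat /etc/shorewall/interfaces)" \
#             "$(ip route show table main)" "$(ip -o link show)"

# Print the INTERFACE column of every entry whose OPTIONS contain 'default'.
default_ifaces() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    { n = split($4, opt, ",")                  # OPTIONS is comma separated
      for (i = 1; i <= n; i++) if (opt[i] == "default") print $2 }'
}

# Report each 'default' interface lacking a main-table default route or
# not in state UP. Returns the number of violations (0 = all good).
check_default_ifaces() {
  ifaces=$1 routes=$2 links=$3 bad=0
  for dev in $(default_ifaces "$ifaces"); do
    if ! printf '%s\n' "$routes" | grep -Eq "^default .*dev $dev( |$)"; then
      echo "$dev: no default route in the main routing table"
      bad=$((bad + 1))
    fi
    if ! printf '%s\n' "$links" | grep -Eq "^[0-9]+: $dev: <([^>]*,)?UP[,>]"; then
      echo "$dev: interface is not up"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Constructed samples: eth1 is marked 'default' but is down and has no route.
SAMPLE_IFACES='#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     default,routefilter
net     eth1       detect     default
loc     eth2       detect     -'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.5
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1'
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
3: eth1: <BROADCAST,MULTICAST> mtu 1500
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500'

check_default_ifaces "$SAMPLE_IFACES" "$SAMPLE_ROUTES" "$SAMPLE_LINKS" \
  || echo "$? precondition violation(s) found"
```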

