[Shorewall-users] Re: RoutesKeeper

Tom Eastep teastep at shorewall.net
Thu Feb 10 12:12:23 PST 2005


Adam Sherman wrote:
> Further looking at the way RoutesKeeper and Shorewall would interact,
> the only issue I can see that would really stop me is DNAT. RoutesKeeper
> seems to use CONNMARK to track incoming DNATs so they go back out the
> correct link. I think CONNMARK requires a patch too, which is aggravating.
> 
> The author mentions:
> 
>> Unfortunately, shorewall can't help you doing DNAT with multiple
>> internet connections. You have to use DNAT feature of rk because a
>> special technique is required for DNAT to work properly. It's to mark
>> incoming connection (by CONNMARK) and later, use that mark to send
>> responding packets via the correct link.
> 
> 
> This doesn't make sense to me, as the multipath section of the Shorewall
> documentation doesn't mention this at all. Is this something I should
> be worried about?

Sigh --

Adam; MY DOCUMENTATION DOESN'T COVER MULTI-ISP DNAT CONFIGURATION so the
fact that it doesn't mention this point is irrelevant.

You either have to mark packets as the RoutesKeeper author describes
(although as of 2.2.0, Shorewall can perform such marking) or you need
to configure your servers with two IP addresses as one of the articles
linked from FAQ 32 suggests.

CONNMARK is included in the kernel.org releases as of 2.6.10.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
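The marking technique the RoutesKeeper author describes (mark a new inbound connection by the link it arrived on, save that mark in conntrack, restore it onto the server's replies so policy routing sends them back out the same link), written out as an added iptables/iproute2 sketch. This is not code from the thread, RoutesKeeper or Shorewall; the interface names, gateways, marks, table numbers and DNAT target are assumed placeholders. Run with DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Constructed example: CONNMARK-based reply routing for DNAT over two ISP links.
# Assumed layout (placeholders): LAN on eth0, ISP1 on eth1 via 203.0.113.1
# (mark 1, table 1), ISP2 on eth2 via 198.51.100.1 (mark 2, table 2),
# internal web server 192.168.1.10. Needs root unless DRY_RUN=1.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One routing table per ISP; a packet carrying fwmark N is routed via table N.
setup_tables() {
    run ip route add default via 203.0.113.1 dev eth1 table 1
    run ip route add default via 198.51.100.1 dev eth2 table 2
    run ip rule add fwmark 1 table 1
    run ip rule add fwmark 2 table 2
}

# Mark each NEW inbound connection with the link it came in on and save the
# mark into the conntrack entry. Reply packets from the server arrive on the
# LAN side unmarked; restoring the saved mark lets the fwmark rules above
# send them back out the link the connection originally used.
setup_marks() {
    run iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -i eth0 -m mark --mark 0 -j CONNMARK --restore-mark
}

# DNAT the same service arriving on either public link to one internal host.
setup_dnat() {
    run iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
    run iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
}

multi_isp_dnat() {
    setup_tables
    setup_marks
    setup_dnat
}
```

The mangle rules must come before the nat DNAT rule in packet order is not required here, since both sit in PREROUTING and mangle is traversed before nat; the CONNMARK match and target require a kernel with connmark support (kernel.org 2.6.10 or later, as noted above).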

