JC Putter | 1 Apr 12:14 2014

shorewall rpm's

Hi

What is the difference between the standard RPMs and the RPMs provided
here:
http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-6/noarch/

I am using CentOS 6.5; which RPM set is recommended?

Thanks

------------------------------------------------------------------------------
Tom Eastep | 31 Mar 19:56 2014

Shorewall 4.5.21.9

Shorewall 4.5.21.9 is now available for download.

Problems corrected:

1)  The output of 'shorewall show capabilities' always showed the
    'Recent match --reap option' as 'Not Available'. 'shorewall show -f
    capabilities' correctly reported the capability.

2)  When a rules file section other than NEW began with a ?COMMENT
    directive, the comment would erroneously appear in the rule which
    jumps to the section chain as well as in the rules directly related
    to the following entries.

3)  Rule comments were omitted from the compiler's 'trace' output in
    some cases.

4)  When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules were
    incorrectly omitted from an interface's _in and _fwd chains when
    'rpfilter' was specified in the interface's entry in
    /etc/shorewall[6]/interfaces.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


Hervé Werner | 31 Mar 14:38 2014

Re: Using rpfilter prevents outgoing access

> Unfortunately, the messages were logged before the firewall was
> reloaded:
> 
> State:Started (jeudi 27 mars 2014, 18:23:57 (UTC+0100))
> from /etc/shorewall/
> 
> Mar 27 18:23:13 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151
> DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=765 PROTO=ICMP
> TYPE=0 CODE=0 ID=8127 SEQ=15 MARK=0
> Mar 27 18:23:14 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151
> DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=766 PROTO=ICMP
> TYPE=0 CODE=0 ID=8127 SEQ=16 MARK=0
> 
> NAT Table
> 
> So the firewall was reloaded at 18:23:57 but the last message was
> logged at 18:23:14. As a consequence, the dump doesn't show the state
> of the firewall when the messages were being logged.

Hello Tom,

I actually restarted Shorewall to get a working internet connection back
and did the dump afterwards because I knew the issue was already
logged. I understand your process, but I can swear to you I'm not trying
to fool you ;)

Please find enclosed a proper dump as well as additional information on
my software system.
This time I was trying to ping DNS server 8.8.8.8.

Robert Recchia | 28 Mar 13:14 2014

weird log messages

So lately I have been playing with docker and lxc containers on my CentOS 6 server. Right around that time I started getting very weird Shorewall log messages like this:

 C110DT2.98.9LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=09 E= <6>Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=xxxxxx  DST=xxxxxxx LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=64768 PROTO=UDP SPT=37867 DPT=53 LEN=61
62e:CETI=OTeh R=9.6..2 S=4152512LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=08SQ1

antACP:N U=t0SC1218110DT2.5.3.4 E=4TS00 RC00 T=4I= FPOOIM YE8CD= D112SQ1

There are more, but what do these messages mean?

Robert Recchia
------------------------------------------------------------------------------
Christian Rößner | 28 Mar 09:10 2014

Shorewall, pop an ip-up.d/*; TC filter question

Hi,

first of all, thanks that Shorewall exists! I really, really love that project (and have for many years).

I have set up an ISP router gateway with advanced routing and TC stuff using shorewall. There are 2 things
that I do not know how to solve directly in shorewall, so I have used a hand-made TC script and some rules in /etc/shorewall/started.

My question is whether there is a way to do it directly with shorewall.

If a client connects with PPPoE, accel-ppp (the PPPoE server) calls /etc/ppp/ip-up/somescript and sets TC
rules for each new pppX interface. It reads its up and down values from /var/run/radattr.pppX, which is
written by the RADIUS server on connect.

This is my ip-up script:

--------------------------------------------------------------
#!/bin/bash
# Called by accel-ppp via /etc/ppp/ip-up with the usual pppd arguments,
# and from /etc/shorewall/started with only the interface name ($1).
PPP_IFACE="$1"
PPP_TTY="$2"
PPP_SPEED="$3"
PPP_LOCAL="$4"
PPP_REMOTE="$5"
PPP_IPPARAM="$6"

# Lock this resource. mkdir is atomic, so two ip-up runs for the same pppX
# cannot both believe they hold the lock (test-then-touch on a file can
# race). As before, give up waiting after 60 seconds and carry on.
LOCK="/tmp/lock-${PPP_IFACE}"
for wait_for_lock in $(seq 1 60); do
        if mkdir "${LOCK}" 2> /dev/null; then
                break
        fi
        sleep 1
done

IP=/bin/ip
TC=/sbin/tc
# Per-subscriber limits (kbit) written by the RADIUS server on connect
RADATTR="/var/run/radattr.${PPP_IFACE}"
BANDUP=$(grep RP-Upstream-Speed-Limit "${RADATTR}" | cut -d " " -f 2)
BANDDOWN=$(grep RP-Downstream-Speed-Limit "${RADATTR}" | cut -d " " -f 2)

# With an empty value the arithmetic below silently yields 0 and
# "${BANDDOWN}kibit" is not a valid rate, leaving the interface
# half-shaped; stop here instead.
if [ -z "${BANDUP}" ] || [ -z "${BANDDOWN}" ]; then
        echo "no RADIUS speed limits in ${RADATTR}, not shaping ${PPP_IFACE}" >&2
        rmdir "${LOCK}" 2> /dev/null
        exit 1
fi

# deltaweb-services
MAXDOWN=81920
MAXUP=${MAXDOWN}

echo -n "   Clearing tc root, ingress... "
${TC} qdisc del dev "${PPP_IFACE}" root    2> /dev/null > /dev/null
${TC} qdisc del dev "${PPP_IFACE}" ingress 2> /dev/null > /dev/null
echo "done."

echo -n "   Adding tc classes... "

# add HFSC root qdisc; unclassified traffic lands in 1:121
${TC} qdisc add dev "${PPP_IFACE}" root handle 1: hfsc default 121

# add main rate limit class
${TC} class add dev "${PPP_IFACE}" parent 1:0 classid 1:1 hfsc \
  sc rate ${MAXDOWN}kibit \
  ul rate ${MAXDOWN}kibit

# interactive
${TC} class add dev "${PPP_IFACE}" parent 1:1 classid 1:11 hfsc \
  sc umax 1500b dmax 30ms rate $((BANDDOWN / 20))kibit \
  ul rate $((BANDDOWN / 20))kibit

# parent of the default/bulk classes, capped at the subscriber's rate
${TC} class add dev "${PPP_IFACE}" parent 1:1 classid 1:12 hfsc \
  sc rate $((BANDDOWN * 3 / 4))kibit \
  ul rate ${BANDDOWN}kibit

# ultraFast
${TC} class add dev "${PPP_IFACE}" parent 1:1 classid 1:13 hfsc \
  sc rate $((MAXDOWN / 2))kibit \
  ul rate ${MAXDOWN}kibit

# default
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:121 hfsc \
  sc umax 1500b dmax 53ms rate $((BANDDOWN / 2))kibit \
  ul rate ${BANDDOWN}kibit

# large downloads 50Mb - 1000Mb
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:122 hfsc \
  sc rate $((BANDDOWN / 2))kibit \
  ul rate $((BANDDOWN / 2))kibit

# large downloads 1000Mb+
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:123 hfsc \
  sc rate $((BANDDOWN / 10))kibit \
  ul rate $((BANDDOWN / 5))kibit

# P2P
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:124 hfsc \
  sc rate 64kibit \
  ul rate 64kibit

echo "done."

echo -n "   Adding tc qdiscs... "
${TC} qdisc add dev "${PPP_IFACE}" parent 1:11 sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:121 handle 121: sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:122 sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:123 sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:124 pfifo
${TC} qdisc add dev "${PPP_IFACE}" parent 1:13 sfq perturb 10
echo "done."

echo -n "   Adding tc filters... "
# TOS minimize-delay goes straight to the ultraFast class
${TC} filter add dev "${PPP_IFACE}" parent 1:0 protocol ip prio 10 u32 \
  match ip tos 0x10 0xff \
  flowid 1:13

# The fw filters classify on the packet mark set by Shorewall's tcrules.
# marked interactive traffic
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 20 handle 0x1 fw classid 1:11

# ultraFast
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 20 handle 0xc fw classid 1:13

# large downloads 50Mb - 1000Mb
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 40 handle 0x2 fw classid 1:122

# large downloads 1000Mb+
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 50 handle 0x3 fw classid 1:123

# P2P
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 60 handle 0x4 fw classid 1:124
echo "done."

echo -n "   Adding tc ingress, filters... "
${TC} qdisc add dev "${PPP_IFACE}" handle ffff: ingress

# deltaweb server - 1. subnet
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip dst 193.239.107.16/28 \
  police rate ${MAXUP}kibit \
  burst 80kb drop \
  flowid :1

# deltaweb server - 2. subnet
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip dst 193.239.107.48/28 \
  police rate ${MAXUP}kibit \
  burst 80kb drop \
  flowid :1

# RNS server
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip dst 193.239.107.32/28 \
  police rate ${MAXUP}kibit \
  burst 80kb drop \
  flowid :1

# everything else: the subscriber's upstream limit
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip src 0.0.0.0/0 \
  police rate ${BANDUP}kibit \
  burst 80kb drop \
  flowid :1
echo "done."

# Release the lock
rmdir "${LOCK}" 2> /dev/null
--------------------------------------------------------------

Shorewall is doing the MARKing in tcrules:
--------------------------------------------------------------
##
## PPPoE:
##

COMMENT Copy connmark to packet mark
RESTORE/0x00FF:F \
		-		-		all
COMMENT SIP
CONTINUE:F	-		-		all	-	-	-	0x1
COMMENT P2P
CONTINUE:F	-		-		all	-	-	-	0x4
COMMENT Services deltaweb/RNS
CONTINUE:F	-		-		all	-	-	-	0xC
COMMENT Sipgate
0x1:F		$DWNET		$SIPGATE1	udp
COMMENT Sipgate
0x1:F		$DWNET		$SIPGATE2	udp
COMMENT Sipgate
0x1:F		$DWNET		$SIPGATE3	udp
COMMENT Easybell
0x1:F		$DWNET		$EASYBELL	udp
COMMENT
0x1:F		-		-		udp	5060:5076
0x1:F		-		-		udp	-	5060:5076
0x1:F		-		-		udp	5004:5020
0x1:F		-		-		udp	-	5004:5020
SAVE/0x00FF:F	-		-		udp	-	-	-	0x1
CONTINUE:F	-		-		udp	-	-	-	0x1

0xC:F		$KVM1		$DWNET		all
0xC:F		$KVM2		$DWNET		all
0xC:F		$RNS		$DWNET		all
SAVE/0x00FF:F	-		-		all	-	-	-	0xC
CONTINUE:F	-		-		all	-	-	-	0xC

0x2:F		-		-		tcp	-	-	-	-	-	-	52428800:1048576000
0x2:F		-		-		udp	-	!$UDP_EXCEPTIONS \
									-	-	-	-	52428800:1048576000
0x3:F		-		-		tcp	-	-	-	-	-	-	1048576000:
0x3:F		-		-		udp	-	!$UDP_EXCEPTIONS \
									-	-	-	-	1048576000:

0x4:F		-		-		ipp2p:all \
							edk,dc,gnu,kazaa,bit,apple,winmx,soul,ares
SAVE/0x00FF:F	-		-		all	-	-	-	0x4
CONTINUE:F	-		-		all	-	-	-	0x4
--------------------------------------------------------------

On shorewall restart, started is called:
--------------------------------------------------------------
#!/bin/bash

###############################################################################
# DO NOT EDIT THIS FILE!! UNDER SALTSTACK CONTROL!!                           #
###############################################################################

TC=/sbin/tc

# Re-apply the per-subscriber shaping to every pppX that currently has a
# global IPv4 address ($7 is the interface label on the
# "inet ... peer ... scope global pppX" line).
for ppp in $(ip -4 addr list | grep "global ppp" | awk '{ print $7; }')
do
	echo "${ppp}:"
	/etc/ppp/ip-up.d/99-rns-limits "${ppp}"
done

echo -n "Adding filters to bond1.108, ifb0..."
# Delete first so a restart does not stack duplicate filters
${TC} filter del dev bond1.108 protocol all parent 1:0 prio 5 handle 0x1 fw classid 1:110 >/dev/null 2>&1
${TC} filter del dev ifb0 protocol all parent 2:0 prio 5 handle 0x1 fw classid 2:110 >/dev/null 2>&1
${TC} filter del dev bond1.108 protocol all parent 1:0 prio 5 handle 0x4 fw classid 1:150 >/dev/null 2>&1
${TC} filter del dev ifb0 protocol all parent 2:0 prio 5 handle 0x4 fw classid 2:150 >/dev/null 2>&1

${TC} filter add dev bond1.108 protocol all parent 1:0 prio 5 handle 0x1 fw classid 1:110
${TC} filter add dev ifb0 protocol all parent 2:0 prio 5 handle 0x1 fw classid 2:110
${TC} filter add dev bond1.108 protocol all parent 1:0 prio 5 handle 0x4 fw classid 1:150
${TC} filter add dev ifb0 protocol all parent 2:0 prio 5 handle 0x4 fw classid 2:150
echo " done"

# This file is sourced by the generated firewall script, hence 'return'
return 0
--------------------------------------------------------------

So now the first question is: can I somehow call shorewall from inside the ip-up script and set up all the TC
directly in shorewall, as I have already done for the internet connection? Then I could replace my script and
let shorewall do the job.

The other question is already visible in my started script. It’s the TC filter rules.

I have set up an ifb0 interface, which mirrors the outgoing line (tcclasses):
--------------------------------------------------------------
#NUMBER:	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
#INTERFACE							INTERFACES
1:bond1.108	-		10mbit		classify
2:ifb0		-		10mbit		-		bond1.108

3:bond1.200	50mbit		10mbit
4:bond1.201	25mbit		5mbit
--------------------------------------------------------------

So with shorewall I have set most of my rules in tcfilters. But I could not find a way to set filters based on
packet marks, so I added the lines above in started, which of course is not so great.

I could not find any good reason on the net why setting such rules on ifb0 would not make sense. Both rules use
egress, and on www.linuxfoundation.org I also found examples like the one in my started script. So
basically setting such filters should be possible, shouldn't it?

The 0x1 mark in the example above is traffic that is SIP and has its own class. 0x5 are all the ipp2p things, which we
do not really want and so we shape it down:

--------------------------------------------------------------
#INTERFACE:CLASS	MARK	RATE:			CEIL	PRIORITY	OPTIONS
#                               DMAX:UMAX

# bond1.108
1:110			-	2mbit			2mbit	1		tos=0x68/0xfc,tos=0xb8/0xfc
1:120			-	512kbit			2mbit	2		tcp-ack,tos-minimize-delay
1:130			-	5mbit			6mbit	3
1:140			-	2mbit			6mbit	4		default
1:150			-	128kbit			128kbit	5		pfifo

# ifb0
2:110			-	2mbit			2mbit	1		tos=0x68/0xfc,tos=0xb8/0xfc
2:120			-	512kbit			2mbit	2		tcp-ack,tos-minimize-delay
2:130			-	5mbit			6mbit	3
2:140			-	2mbit			6mbit	4		default
2:150			-	128kbit			128kbit	5		pfifo

3:110			0x20	10mbit			10mbit	1		default
4:110			0x20	5mbit			5mbit	1		default
--------------------------------------------------------------

I hope my questions are okay. I really do not want to waste anybody's time. It is just that I am not sure if I
have already found the optimal way of doing things. And it already has some complexity. At least for me :)

Ah, just forgot: this is all on Debian Wheezy, shorewall version:

lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 7.4 (wheezy)
Release:	7.4
Codename:	wheezy

shorewall version: 4.5.5.3

I also put all shorewall stuff together and attached it to this mail.

Kind regards

-Christian Rößner

Attachment (shorewall.tar.bz2): application/x-bzip2, 54 KiB

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

------------------------------------------------------------------------------
Rich Wales | 28 Mar 05:54 2014

Set up arbitrary routes in Shorewall?

Is there any way to specify arbitrary host or network routes to be added to a firewall's routing tables in Shorewall?

I have a list of individual destinations (external to my LAN) which I need to reach via a bastion host connected to my firewall via a VPN.  Up till now, I've been adding host routes for these destinations by running a shell script when my firewall starts up -- but I'd prefer to accomplish this in Shorewall if there is a way to do it.

I'm running Shorewall 4.5.16.1 on an Ubuntu 13.10 system.
--
Rich Wales
richw <at> richw.org
------------------------------------------------------------------------------
Rich Wales | 27 Mar 20:47 2014

Address ranges in proxyarp?

I'm running Shorewall 4.5.16.1 on an Ubuntu 13.10 system.

Is it possible to specify a CIDR range in the proxyarp file?  Or do I really need to list each individual IP address separately?
--
Rich Wales
richw <at> richw.org
------------------------------------------------------------------------------
Angela Williams | 27 Mar 16:53 2014

Pptp gre problem

Hi All!
I've now hit the same problem I hit quite some time back in trying to 
replace a rather limited script-based iptables rule generator. Now I 
have no option really. The customer has now added a nice new 5M fibre 
connection to supplement the existing 1< leased line as well as an ADSL 
link that is only for emergencies!

Okay! The Problem! There are a few staff members that need to use a 
standard M$ PPTP VPN to connect to their biggest and almost only 
customer's tracking system. I know the ideal is to set it up on the 
firewall but that will be a future project!  Right now I need to get it 
working! I ran a tcpdump on the old script-based system and the TCP 1723 
and GRE packets just happily fly back and forth!
Stopped the old service and started shorewall. Another tcpdump showed no 
GRE packets being masq'd out. I can rule out anything with the kernel as 
that is the same for both firewall generators!

Maybe it's just me misreading or misunderstanding the docs!
Or maybe I just need my bum kicked!

I have bzipped up the shorewall dump and it is attached as ross.dump.bz2.

Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Yeshua Loves You!

Attachment (ross.dump.bz2): application/x-bzip, 18 KiB
------------------------------------------------------------------------------
Hervé Werner | 26 Mar 16:19 2014

Using rpfilter prevents outgoing access

Hello.

As soon as I add the rpfilter option to my single interface, any
outgoing traffic is blocked.

Here is my interfaces file:
net     eth0
dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,rpfilter

When taking a look at the logs, I notice packets have been blocked by
the net-fw rule:

Mar 26 15:46:44 MyPC net-fw:DROP  IN=eth0 OUT= MAC=XXXXX
SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54
ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0

This message has been triggered by pinging google.fr.

Note that it works properly when using rp_filter.

Please find attached my configuration files.

Version information: 4.5.21.7

Hervé
Attachment (shorewall.tar.xz): application/x-xz-compressed-tar, 27 KiB
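A small defender-side reading aid for the two kinds of log line quoted in this thread: the intact "net-fw:DROP" / "Shorewall:fw2net:ACCEPT:" lines in Hervé's reports and the mangled lines in Robert's post. This is an added example, not Shorewall's own code; it assumes syslog-style "Mon DD HH:MM:SS host" prefixes, and the sample lines are constructed after the quoted messages (192.0.2.x / 198.51.100.x are documentation addresses).

```python
import ipaddress
import re
from collections import Counter

# Shorewall prefixes netfilter log lines either as "Shorewall:<chain>:<disposition>:"
# (the default LOGFORMAT) or as "<chain>:<disposition> ", followed by the kernel's
# key=value fields.  Both forms appear in this thread.
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:kernel: )?(?:\[ *[\d.]+\] )?(?:Shorewall:)?"
    r"(?P<chain>[\w-]+):(?P<disp>[A-Z]+):? *(?P<fields>IN=.*)$"
)
_KV = re.compile(r"([A-Z]+)=(\S*)")
# Fields the kernel always writes for an IPv4 packet; if one is missing the
# message was truncated or interleaved with another kernel message.
_REQUIRED = ("IN", "OUT", "SRC", "DST", "LEN", "PROTO")


def parse_line(line):
    """Return a dict for an intact Shorewall log line, else None."""
    m = _PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {}
    for key, value in _KV.findall(m.group("fields")):
        # ID= and LEN= occur twice (IP header, then ICMP/UDP); keep the first.
        fields.setdefault(key, value)
    if any(k not in fields for k in _REQUIRED):
        return None
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except ValueError:  # masked ("xxxxxx") or garbled address text
        return None
    return {
        "timestamp": m.group("ts"), "chain": m.group("chain"),
        "disposition": m.group("disp"), "in": fields["IN"], "out": fields["OUT"],
        "src": str(src), "dst": str(dst), "proto": fields["PROTO"],
        "dport": fields.get("DPT"), "icmp_type": fields.get("TYPE"),
    }


def summarize(log_text):
    """Count (chain, disposition) pairs; return unparseable lines separately."""
    counts, malformed = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed.append(line)
        else:
            counts[(rec["chain"], rec["disposition"])] += 1
    return counts, malformed


# Constructed sample: the rpfilter drop as quoted by Hervé, an accepted DNS
# query in the default LOGFORMAT, one interleaved line and one truncated line.
SAMPLE_LOG = """\
Mar 26 15:46:44 MyPC net-fw:DROP  IN=eth0 OUT= MAC=XXXXX SRC=173.194.40.159 DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=35571 PROTO=ICMP TYPE=0 CODE=0 ID=30205 SEQ=16 MARK=0
Mar 28 13:10:01 gw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=64768 PROTO=UDP SPT=37867 DPT=53 LEN=61
Mar 28 13:10:02 gw kernel: 62e:CETI=OTeh R=9.6..2 <6>Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=81 PROTO=UDP
Mar 28 13:10:03 gw kernel: net-fw:DROP  IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=5
"""

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LOG)
    for (chain, disp), n in sorted(counts.items()):
        print(f"{chain:8} {disp:7} {n}")
    print(f"{len(bad)} line(s) not parseable as Shorewall log entries")
```

Lines that fail to parse are reported separately rather than dropped, so a sudden rise in their count is itself a signal that something is corrupting the kernel log stream.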
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
Hervé Werner | 25 Mar 18:46 2014

Comment not bound to the right rule & accounting zone

Hello.

I discovered something wrong in the comments generated from the rules file:
I had an issue with software triggering INVALID packets (the gnome-shell
weather extension) and didn't manage to figure out why, so I just
configured Shorewall to DROP them all by adding lines in the INVALID
section of the rules file, and it worked as expected:

?COMMENT Drop invalid packets generated by weather applet
Invalid(DROP)	$FW			net:98.137.200.255	tcp
Invalid(DROP)	net:98.137.200.255	$FW			tcp
?COMMENT

But the comment is bound to the rule matching all INVALID packets:

$ sudo shorewall show | grep applet
   51  2652 _fw-net    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */
    0     0 _net-fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* Drop invalid packets generated by weather applet */

and there isn't any comment next to the IP 98.137.200.255:

$ sudo shorewall show | grep 98.137.200.255
   51  2652 DROP       tcp  --  *      *       0.0.0.0/0            98.137.200.255
    0     0 DROP       tcp  --  *      *       98.137.200.255       0.0.0.0/0

When adding a second rule below in the INVALID section wrapped in a new
comment, I notice this second comment is not present.
I think the comment should be bound to the effective DROP rule.

I also played a bit with accounting, unfortunately it is not possible to
specify zones. Is it a technical limitation from iptables ?

Hervé

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
John Doe | 25 Mar 16:44 2014

Internal traffic shaping...

Hi,

I am trying to switch on internal traffic shaping and I am wondering 
if I set it up correctly...  I have clients behind a firewall connected 
to 3 providers.

I have 1 SDSL and 2 ADSL:

  tcdevices:
    eth1  4mbit  4mbit
    eth2  6mbit  796kbit
    eth3  6mbit  796kbit

I setup 4 classes for eth1, 3 for eth2 and 3 for eth3:

  tcclasses:
    eth1  1   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth1  2   full*60/100   full*95/100   2            # web
    eth1  3   full*10/100   full*95/100   3            # email
    eth1  4   full*10/100   full*95/100   3  default
    eth2  5   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth2  6   full*60/100   full*95/100   2            # web/email
    eth2  7   full*20/100   full*95/100   3  default
    eth3  8   full*20/100   full*95/100   1            # ping/ssh[/dns]
    eth3  9   full*60/100   full*95/100   2            # web/email
    eth3  10  full*20/100   full*95/100   3  default

For the rules:
1. ping, ssh and dns from the firewall are priority 1
2. forwarded clients traffic (192.168.16.0/20) is split as:
   ssh, web [, email for eth1], default

  tcrules:

    # --- eth1 ---
    1    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    1    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    1    0.0.0.0/0           0.0.0.0/0           tcp     22
    1    0.0.0.0/0           0.0.0.0/0           tcp     53
    1    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth1 FORWARD ---
    1:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    1:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    1:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    2:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    3:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993
    # --- eth2 ---
    5    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    5    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    5    0.0.0.0/0           0.0.0.0/0           tcp     22
    5    0.0.0.0/0           0.0.0.0/0           tcp     53
    5    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth2 FORWARD ---
    5:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    5:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    5:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    6:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    6:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993
    # --- eth3 ---
    8    0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    8    0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    8    0.0.0.0/0           0.0.0.0/0           tcp     22
    8    0.0.0.0/0           0.0.0.0/0           tcp     53
    8    0.0.0.0/0           0.0.0.0/0           udp     53
    # --- eth3 FORWARD ---
    8:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-request
    8:F  0.0.0.0/0           0.0.0.0/0           icmp    echo-reply
    8:F  192.168.16.0/20     123.123.123.0/23    tcp     22
    9:F  192.168.16.0/20     123.123.123.0/23    tcp     80,443
    9:F  192.168.16.0/20     123.123.123.0/23    tcp     25,465,993

Does everything look ok?
Do I need to put "reverse rules" for the traffic coming back?
By example, if I have:
  1:F  192.168.16.0/20     123.123.123.0/23    tcp     22
Do I need the following?
  1:F  123.123.123.0/23    192.168.16.0/20     tcp     -     22

Thx,
JD

------------------------------------------------------------------------------