JC Putter | 9 Apr 22:32 2014

Multi-ISP Port Forwarding

According to http://shorewall.net/MultiISP.html#PortForwarding port
forwarding works across a multiwan config.

However, it seems that I am only able to connect using one of the WANs.

I am using the track and balance options in providers.

Attached is the shorewall dump.
Attachment (shorewall.tar.gz): application/x-gzip, 17 KiB
Simon Hobson | 9 Apr 11:52 2014

Clarification on Multi-ISP

I'm just setting up multi-ISP and I just want to check if I have things right. I'm using Shorewall on
Debian Wheezy.

I have two internal networks ( and, a connection via ethernet and another
via dsl. In my providers file I've put :
> isp1	1	1	-	ethext	a.b.c.1	track,balance
> isp2	2	2	-	ppp10	-	track,balance

In interfaces :
> ext     ethext          detect          tcpflags,nosmurfs,dhcp
> int     ethint          detect		tcpflags,routeback,nosmurfs,dhcp
> wifi    ethwifi         detect          tcpflags,nosmurfs,dhcp
> fttc    ethfttc         detect          tcpflags,nosmurfs
> dsl     ppp10           detect          tcpflags,nosmurfs,optional,wait=15

(The PPPoE for the DSL runs over the ethfttc interface)

And in masq I have(*) :
> ethext:!a.b.c.9	a.b.c.4
> ppp10	w.x.y.2
> ethext:!a.b.c.9	a.b.c.3
> ppp10	w.x.y.1

The intention is that all the internal network traffic should go via the DSL line (except that destined for
the a.b.c.n subnet), so is it just a matter of adding rtrules :
>	-		isp2	1000
>	-		isp2	1000

And do I need to include a line
> -		a.b.c.0/n	isp1	1000
(Continue reading)

Simon Hobson | 9 Apr 11:13 2014

Documentation error ? Shorewall mangle

While in the process of setting up multi-ISP, I observe that in
http://shorewall.net/manpages/shorewall-mangle.html it says :
> This file was introduced in Shorewall 4.6.0 and is intended to replace shorewall-rules(5).

and shorewall-rules(5) is a link to http://shorewall.net/manpages/shorewall-mangle.html

Should shorewall-rules(5) be shorewall-tcrules(5) and the link be
http://shorewall.net/manpages/shorewall-tcrules.html ?

C.f. in http://shorewall.net/MultiISP.html it says :
> Use of /etc/shorewall/mangle (or /etc/shorewall/tcrules) is not required
> for /etc/shorewall/providers to work, but ...

Christian Rößner | 6 Apr 22:59 2014

How to detect RTP traffic


I am looking for a way to detect RTP traffic. Currently I asked some SIP providers to tell me their networks
and set up some rules in tcrules. But I would like a more generic version, where I am provider independent.

My router is a border router and connects PPPoE customers with the internet. What I want to achieve is to
detect SIP/RTP and do QoS/DSCP on these packets.

The default policy is to allow traffic between WAN and PPPoE and vice versa. All public IPs. No NATing.

This is how I currently did it:


COMMENT Copy connmark to packet mark
		-		-		all
DSCP(CS3):T	-		-		udp	5060:5076 \
								-	-	0x1
DSCP(CS3):T	-		-		udp	-	5060:5076 \
									-	0x1
CONTINUE:T	-		-		udp	5060:5076 \
								-	-	0x1
(Continue reading)
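The post above asks for a way to recognise RTP without knowing the provider's address ranges. Shorewall's tcrules/mangle entries match on addresses, ports, protocol and marks; they do not look inside the UDP payload, so a provider-independent check has to run in userspace (for example on packets handed over via NFQUEUE or taken from a pcap tap) and feed its verdict back as a mark or an ipset entry. The following is an added example, not code from the thread or from the Shorewall project: it applies the RFC 3550 header checks a classifier would use (version bits, CSRC count, the RTCP marker/payload-type collision, plausible payload-type ranges) and then only trusts a UDP 4-tuple after several packets with the same SSRC and payload type and an advancing sequence number. All addresses, ports and packets are constructed for the demonstration.

```python
"""Heuristic RTP detection on UDP payloads (RFC 3550 header checks). Added example."""
import struct
from collections import defaultdict

RTP_VERSION = 2
MIN_CONSISTENT = 3   # packets with the same SSRC/PT and advancing seq before a flow is trusted


def parse_rtp_header(payload):
    """Return the fixed-header fields of an RTP packet, or None if it does not look like RTP.

    Rejects short payloads, wrong version bits, truncated CSRC lists, RTCP
    (marker bit set with payload type 72-76 is how SR/RR/SDES/BYE/APP appear
    when read as RTP), and payload types outside the static (0-34) and
    dynamic (96-127) ranges.
    """
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != RTP_VERSION:
        return None
    csrc_count = b0 & 0x0F
    if len(payload) < 12 + 4 * csrc_count:
        return None
    marker = bool(b1 & 0x80)
    payload_type = b1 & 0x7F
    if marker and 72 <= payload_type <= 76:
        return None
    if not (payload_type <= 34 or 96 <= payload_type <= 127):
        return None
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": payload_type, "marker": marker}


class RtpFlowTracker:
    """Decide per UDP 4-tuple whether a flow carries RTP."""

    def __init__(self, min_consistent=MIN_CONSISTENT):
        self.min_consistent = min_consistent
        self.flows = defaultdict(lambda: {"ssrc": None, "pt": None, "seq": None, "count": 0})

    def observe(self, src, sport, dst, dport, payload):
        """Feed one datagram; return True once the flow has passed the checks."""
        st = self.flows[(src, sport, dst, dport)]
        hdr = parse_rtp_header(payload)
        if hdr is None:
            st.update(ssrc=None, pt=None, seq=None, count=0)   # any non-RTP packet resets the flow
            return False
        continues = (
            st["ssrc"] == hdr["ssrc"]
            and st["pt"] == hdr["pt"]
            and (hdr["seq"] - st["seq"]) % 65536 in (1, 2, 3)  # tolerate a little loss
        )
        if continues:
            st["count"] += 1
        else:
            st.update(ssrc=hdr["ssrc"], pt=hdr["pt"], count=1)
        st["seq"] = hdr["seq"]
        return st["count"] >= self.min_consistent

    def rtp_flows(self):
        """Set of 4-tuples currently judged to be RTP."""
        return {k for k, st in self.flows.items() if st["count"] >= self.min_consistent}


def build_rtp(seq, ts, ssrc, pt=0, marker=False, samples=160):
    """Constructed RTP packet: 12-byte header plus dummy audio samples."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | pt
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\xff" * samples


def build_rtcp_sr(ssrc):
    """Constructed RTCP Sender Report: V=2, RC=0, PT=200, length=6 words, zeroed sender info."""
    return struct.pack("!BBHI", 0x80, 200, 6, ssrc) + b"\x00" * 20


def classify_sample_traffic():
    """Constructed traffic mix (RFC 5737 addresses); returns the final verdict per label and the flow set."""
    tracker = RtpFlowTracker()
    verdict = {}
    a, b = "198.51.100.10", "203.0.113.5"
    for i in range(5):                   # PCMU stream, 20 ms packets: seq and timestamp advance
        verdict["audio"] = tracker.observe(a, 10000, b, 20000, build_rtp(1000 + i, 160 * i, 0xDEADBEEF))
    verdict["rtcp"] = tracker.observe(a, 10001, b, 20001, build_rtcp_sr(0xDEADBEEF))
    dns = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    verdict["dns"] = tracker.observe(a, 37867, "203.0.113.53", 53, dns)
    for i in range(5):                   # version bits look right but the SSRC changes every packet
        verdict["spoof"] = tracker.observe(a, 10002, b, 20002, build_rtp(i, 0, 0x1000 + i))
    verdict["flows"] = tracker.rtp_flows()
    return verdict


if __name__ == "__main__":
    for label, result in classify_sample_traffic().items():
        print(f"{label}: {result}")
```

The reset on any non-RTP packet is deliberate: a flow that interleaves RTP-looking and non-RTP payloads on the same 4-tuple is not one a firewall should be giving expedited forwarding to. Once a flow is trusted, the caller would add the 4-tuple (or just the remote address and port) to an ipset that a tcrules/mangle DSCP entry matches on, so that the per-packet path stays in the kernel.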

Bruno Friedmann | 3 Apr 15:00 2014

Help with configuration bridge/kvm vnet host

Dear shorewall users, I'm at a point where I need a bit of help on the following configuration.

A main host directly connected to the internet with one physical interface eth0 uses a bridge.
I've set up libvirtd/qemu-kvm on it with one vhost using br0/vnet0

The vm has also a public ipv4 address (see k* config in zip)

I've been using Shorewall for a long time now, in 3-interface or 1-interface mode, for years.
But even after digging in the documentation, ML archives or Google, it seems I am missing something.

Can some expert hawk eyes have a look and give me feedback about what I've built (which does not work as expected)?

Summary of what should be working:
pub/net should only be allowed on specific protocols to fw (main host) or dmz (the vm)
fw and dmz have free access out to the internet.

I've certainly lost myself in the different approaches, and finally chosen the wrong one.

In the end I will also have IPv6 (but I should be able to adapt the v4 to v6)

Thanks for any pointers or advice you could offer.

[1] zipped file with configuration, IP information & shorewall dump
obione is the main host, k is the kvm guest


Bruno Friedmann 
Ioda-Net Sàrl www.ioda-net.ch

(Continue reading)

İlker Aktuna | 2 Apr 21:39 2014

Re: multi ISP - port based routing



From: Lee Brown [mailto:leeb <at> ratnaling.org]
Sent: Wednesday, April 02, 2014 12:49 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] multi ISP - port based routing
On Tue, Apr 1, 2014 at 2:25 PM, İlker Aktuna <ilkera <at> kobiline.com> wrote:

Yes. In fact, that's my real problem.
When I try to connect to my SIP proxy (Asterisk) from internet, I come from ppp0 address.
However, Asterisk decides to reply with ppp1 address sometimes. And then I can not register, because my sip client does not accept the reply from ppp1 address.

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net]
Sent: Tuesday, April 01, 2014 10:33 PM
To: shorewall-users <at> lists.sourceforge.net
Subject: Re: [Shorewall-users] multi ISP - port based routing

On 4/1/2014 12:18 PM, İlker Aktuna wrote:
> Exactly; the packet going out from wrong interface (ppp1) also has  wrong IP address (ppp1).

Even if the connection was from the net and entered on ppp0?

Try ensuring the following two modules are disabled.  For me if they are enabled, it breaks SIP.  I see I have this disabled on both the firewall machine and the asterisk machine (CentOS5, 2.6.18-348.18.1.el5 kernel)


# grep sip /etc/modprobe.d/blacklist.conf

install ip_nat_sip /bin/false

install ip_conntrack_sip /bin/false



Does that really help with my problem?

I don't see them in my "lsmod" output. So they are already disabled??

I.S.C. William | 1 Apr 18:42 2014

Shorewall 4.5.21 for amd64?

When will Shorewall 4.5.21 be available for the amd64 platform?

On my server I have Shorewall, and there is no update.

Looking at this list, it is not available ...

Thanks !! .. 
JC Putter | 1 Apr 12:14 2014

shorewall rpm's


What is the difference between the standard RPMs and the RPMs
provided here?

I am using CentOS 6.5; which RPM set is recommended?


Tom Eastep | 31 Mar 19:56 2014


Shorewall is now available for download.

Problems corrected:

1)  The output of 'shorewall show capabilities' always showed the
    'Recent match --reap option' as 'Not Available'. 'shorewall show -f
    capabilities' correctly reported the capability.

2)  When a rules file section other than NEW began with a ?COMMENT
    directive, the comment would erroneously appear in the rule which
    jumps to the section chain as well as in the rules directly related
    to the following entries.

3)  Rule comments were omitted from the compiler's 'trace' output in
    some cases.

4)  When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules were
    incorrectly omitted from an interface's _in and _fwd chains when
    'rpfilter' was specified in the interface's entry in
Thank you for using Shorewall,

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hervé Werner | 31 Mar 14:38 2014

Re: Using rpfilter prevents outgoing access

> Unfortunately, the messages were logged before the firewall was
> reloaded:
> State:Started (jeudi 27 mars 2014, 18:23:57 (UTC+0100))
> from /etc/shorewall/
> Mar 27 18:23:13 net-fw:DROP  IN=eth0 OUT= SRC=
> DST= LEN=84 TOS=00 PREC=0x00 TTL=54 ID=765 PROTO=ICMP
> TYPE=0 CODE=0 ID=8127 SEQ=15 MARK=0
> Mar 27 18:23:14 net-fw:DROP  IN=eth0 OUT= SRC=
> DST= LEN=84 TOS=00 PREC=0x00 TTL=54 ID=766 PROTO=ICMP
> TYPE=0 CODE=0 ID=8127 SEQ=16 MARK=0
> NAT Table
> So the firewall was reloaded at 18:23:57 but the last message was
> logged
> at 18:23:14. As a consequence, the dump doesn't show the state of the
> firewall when the messages were being logged.

Hello Tom,

I actually restarted Shorewall to get a working internet connection back
and did the dump afterwards because I knew the issue was already
logged. I understand your process but I can swear to you I'm not trying to
fool you ;)

Please find enclosed a proper dump as well as additional information on
my software system. 
This time I was trying to ping DNS server

Please note an error about module 'sch_tbf' when recompiling the policy
(shorewall_restart.txt). Don't know if it is tied to rpfilter.

I would also like to thank you for the 2 patches you wrote; I can
confirm that Shorewall is now working as expected.


Attachment (shorewall.tar.xz): application/x-xz-compressed-tar, 80 KiB
Robert Recchia | 28 Mar 13:14 2014

weird log messages

So lately I have been playing with docker and lxc containers on my centos 6 server. Right around that time I started getting very weird Shorewall log messages like this:

 C110DT2.98.9LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=09 E= <6>Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=xxxxxx  DST=xxxxxxx LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=64768 PROTO=UDP SPT=37867 DPT=53 LEN=61

62e:CETI=OTeh R=9.6..2 S=4152512LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=08SQ1

antACP:N U=t0SC1218110DT2.5.3.4 E=4TS00 RC00 T=4I= FPOOIM YE8CD= D112SQ1

There are more, but what do these messages mean?

Robert Recchia
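The lines in the post above mix intact Shorewall records with fragments of other messages, and one line carries a complete record after a run of garbage. The following is an added example, not code from the thread or from the Shorewall project: a small parser that sorts a log into intact, salvaged (intact record preceded by fragments) and corrupt entries, so that whatever consumes the log keeps counting the records it can trust and reports how many it could not parse and why. The sample log is constructed with RFC 5737 addresses; two of its lines are modelled on the garbled ones above. It assumes IPv4 logs and the default "Shorewall:chain:disposition:" log prefix.

```python
"""Parse Shorewall log records and quarantine corrupted lines. Added example."""
import re
from collections import Counter

# A Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# kernel's netfilter key=value fields; the syslog header before it varies.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[A-Za-z0-9_-]+):(?P<disp>[A-Z]+):")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")      # assumption: IPv4 logs only
REQUIRED = ("IN", "OUT", "SRC", "DST", "PROTO")

# Constructed sample log; lines 3 and 4 are modelled on the garbled messages in the post.
SAMPLE_LOG = """\
Mar 28 12:01:02 fw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=64768 PROTO=UDP SPT=37867 DPT=53 LEN=61
Mar 28 12:01:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=44512 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
C110DT2.98.9LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=09 E= <6>Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=64769 PROTO=UDP SPT=37868 DPT=53 LEN=61
62e:CETI=OTeh R=9.6..2 S=4152512LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=08SQ1
Mar 28 12:01:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54322 PROTO=TCP SPT=44513 DPT=22
"""


def parse_line(line):
    """Classify one line.

    Returns ("ok", record) for an intact entry, ("salvaged", record) when an
    intact entry follows fragments of another message on the same line, and
    ("corrupt", reason) when nothing trustworthy can be recovered.
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return ("corrupt", "no Shorewall prefix")
    fields = {}
    for key, value in FIELD_RE.findall(line[m.end():]):
        if key in fields and key != "LEN":      # LEN legitimately repeats (IP header, then UDP)
            return ("corrupt", "duplicate " + key)   # a second copy of any other key means two records collided
        fields.setdefault(key, value)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        return ("corrupt", "missing " + ",".join(missing))
    for k in ("SRC", "DST"):
        if not IPV4_RE.match(fields[k]):
            return ("corrupt", "malformed " + k)
    record = {"chain": m.group("chain"), "disposition": m.group("disp"), **fields}
    status = "salvaged" if "=" in line[:m.start()] else "ok"   # key=value debris before the prefix
    return (status, record)


def summarize(log_text):
    """Count statuses and chain:disposition verdicts over a log; collect the corruption reasons."""
    statuses, verdicts, reasons = Counter(), Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        status, payload = parse_line(line)
        statuses[status] += 1
        if status == "corrupt":
            reasons.append(payload)
        else:
            verdicts[payload["chain"] + ":" + payload["disposition"]] += 1
    return statuses, verdicts, reasons


if __name__ == "__main__":
    statuses, verdicts, reasons = summarize(SAMPLE_LOG)
    print("statuses:", dict(statuses))
    print("verdicts:", dict(verdicts))
    print("corrupt because:", reasons)
```

Salvaged lines are worth keeping separate from clean ones rather than silently merging them: the record itself parses, but the debris in front of it shows that something is interleaving or overwriting kernel messages on the host, and a rising salvaged or corrupt count is the signal to investigate the logging path rather than the firewall rules.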