SHOREWALL-PROVIDERS(5)        Configuration Files        SHOREWALL-PROVIDERS(5)

NAME
       providers - Shorewall Providers file

SYNOPSIS
       /etc/shorewall/providers

DESCRIPTION
       This file is used to define additional routing tables. You will want to
       define an additional table if:

       ·   You have connections to more than one ISP or multiple connections
           to the same ISP

       ·   You run Squid as a transparent proxy on a host other than the
           firewall.

       ·   You have other requirements for policy routing.

       Each entry in the file defines a single routing table.

       If you wish to omit a column entry but want to include an entry in the
       next column, use "-" for the omitted entry.

       The columns in the file are as follows.

       NAME - name
           The provider name. Must be a valid shell variable name. The names
           'local', 'main', 'default' and 'unspec' are reserved and may not be
           used as provider names.

       NUMBER - number
           The provider number -- a number between 1 and 15. Each provider
           must be assigned a unique value.

       MARK (Optional) - value
           A FWMARK value used in your shorewall-mangle(5)[1] file to direct
           packets to this provider.

           If PROVIDER_OFFSET is non-zero in shorewall.conf(5)[2], then the
           value must be a multiple of 2^PROVIDER_OFFSET. In all cases, the
           number of significant bits may not exceed PROVIDER_OFFSET +
           PROVIDER_BITS.

       DUPLICATE - routing-table-name
           The name of an existing table to duplicate to create this routing
           table. May be main or the name of a previously listed provider. You
           may select only certain entries from the table to copy by using the
           COPY column below. This column should contain a dash ("-") when
           USE_DEFAULT_RT=Yes in shorewall.conf(5)[2].

       INTERFACE - interface[:address]
           The name of the network interface to the provider. Must be listed
           in shorewall-interfaces(5)[3]. In general, that interface should
           not have the proxyarp or proxyndp option specified unless loose is
           given in the OPTIONS column of this entry.

           Important
               For IPv6, if the interface is an Ethernet device and an IP
               address is supplied, it should be the upstream router's
               link-level address, not its global address.

           Where more than one provider is serviced through a single
           interface, the interface must be followed by a colon and the IP
           address of the interface that is supplied by the associated
           provider.

       GATEWAY - {-|address[,mac]|detect|none}
           The IP address of the provider's gateway router. Beginning with
           Shorewall 4.6.2, you may also specify the MAC address of the
           gateway when there are multiple providers serviced through the same
           interface. When the MAC is not specified, Shorewall will detect the
           MAC during firewall start or restart.

           You can enter detect here and Shorewall will attempt to detect the
           gateway automatically.

           Beginning with Shorewall 5.0.6, you may also enter none. This
           causes creation of a routing table with no default route in it.

           For PPP devices, you may omit this column.

       OPTIONS (Optional) - [-|option[,option]...]
           A comma-separated list selected from the following. The order of
           the options is not significant but the list may contain no embedded
           white-space.

           autosrc
               Added in Shorewall 4.5.17. Causes a host route to the
               provider's gateway router to be added to the provider's routing
               table. This is the default behavior unless overridden by a
               following noautosrc option.

           track
               If specified, inbound connections on this interface are to be
               tracked so that responses may be routed back out this same
               interface.

               You want to specify track if internet hosts will be connecting
               to local servers through this provider.

               Beginning with Shorewall 4.4.3, track defaults to the setting
               of the TRACK_PROVIDERS option in shorewall.conf(5)[2]. If you
               set TRACK_PROVIDERS=Yes and want to override that setting for
               an individual provider, then specify notrack (see below).

           balance[=weight]
               The providers that have balance specified will get outbound
               traffic load-balanced among them. By default, all interfaces
               with balance specified will have the same weight (1). You can
               change the weight of an interface by specifying balance=weight
               where weight is the weight of the route out of this interface.

               Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes, balance=1 is
               assumed unless the fallback, loose, load or tproxy option is
               specified. Beginning with Shorewall 5.1.1, when
               BALANCE_PROVIDERS=Yes, balance=1 is assumed unless the
               fallback, loose, load or tproxy option is specified.

               Caution
                   In IPv6, the balance option does not cause balanced default
                   routes to be created; it rather causes a sequence of
                   default routes with different metrics to be created.

           loose
               Shorewall normally adds a routing rule for each IP address on
               an interface which forces traffic whose source is that IP
               address to be sent using the routing table for that interface.
               Setting loose prevents creation of such rules on this
               interface.

           load=probability
               Added in Shorewall 4.6.0. This option provides an alternative
               method of load balancing based on probabilities. Providers to
               be balanced are given a probability (a number 0 < n <= 1) with
               up to 8 digits to the right of the decimal point. Beginning
               with Shorewall 4.6.10, a warning is issued if the sum of the
               probabilities is not 1.00000000.

           noautosrc
               Added in Shorewall 4.5.17. Prevents a host route to the
               provider's gateway router from being added to the provider's
               routing table. This option must be used with caution as it can
               cause start and restart failures.

           notrack
               Added in Shorewall 4.4.3. When specified, turns off track.

           optional (deprecated for use with providers that do not share an
           interface)
               If the interface named in the INTERFACE column is not up and
               configured with an IPv4 address then ignore this provider. If
               not specified, the value of the optional option for the
               INTERFACE in shorewall-interfaces(5)[3] is assumed. Use of that
               option is preferred to this one, unless an address is provided
               in the INTERFACE column.

           primary
               Added in Shorewall 4.6.6, primary is equivalent to balance=1
               and is preferred when the remaining providers specify fallback
               or tproxy.

           src=source-address
               Specifies the source address to use when routing to this
               provider and none is known (the local client has bound to the 0
               address). May not be specified when an address is given in the
               INTERFACE column. If this option is not used, Shorewall
               substitutes the primary IP address on the interface named in
               the INTERFACE column.

           mtu=number
               Specifies the MTU when forwarding through this provider. If not
               given, the MTU of the interface named in the INTERFACE column
               is assumed.

           fallback[=weight]
               Indicates that a default route through the provider should be
               added to the default routing table (table 253). If a weight is
               given, a balanced route is added with the weight of this
               provider equal to the specified weight. If the option is given
               without a weight, a separate default route is added through
               the provider's gateway; the route has a metric equal to the
               provider's NUMBER.

               Prior to Shorewall 4.4.24, the option is ignored with a warning
               message if USE_DEFAULT_RT=Yes in shorewall.conf.

               Caution
                   In IPv6, specifying the fallback option on multiple
                   providers does not cause balanced fallback routes to be
                   created; it rather causes a sequence of fallback routes
                   with different metrics to be created.

           tproxy
               Added in Shorewall 4.5.4. Used for supporting the TPROXY action
               in shorewall-mangle(5). See
               http://www.shorewall.net/Shorewall_Squid_Usage.html[4]. When
               specified, the MARK, DUPLICATE and GATEWAY columns should be
               empty, INTERFACE should be set to 'lo' and tproxy should be the
               only OPTION. Only one tproxy provider is allowed.

           hostroute
               Added in Shorewall 4.5.21. This is the default behavior that
               results in a host route to the defined GATEWAY being inserted
               into the main routing table and into the provider's routing
               table. hostroute is required for older distributions but
               nohostroute (below) is appropriate for recent distributions.
               hostroute may interfere with Zebra's ability to add routes on
               some distributions such as Debian 7.

           nohostroute
               Added in Shorewall 4.5.21. nohostroute inhibits insertion of a
               host route to the defined GATEWAY into the main routing table
               and into the provider's routing table. nohostroute is not
               appropriate for older distributions but is appropriate for
               recent distributions. nohostroute allows Zebra to correctly add
               routes on some distributions such as Debian 7.

           persistent
               Added in Shorewall 5.0.2 and alters the behavior of the disable
               command:

               ·   The provider's routing table still contains the appropriate
                   default route.

               ·   Unless the noautosrc option is specified, routing rules are
                   generated to route traffic from the interface's address(es)
                   out of the provider's routing table.

               ·   Persistent routing rules in shorewall-rtrules(5)[5] are
                   present.

               Note
                   The generated script will attempt to reenable a disabled
                   persistent provider during execution of the start, restart
                   and reload commands. When persistent is not specified, only
                   the enable and reenable commands can reenable the provider.

               Important
                   RESTORE_DEFAULT_OPTION=Yes in shorewall.conf(5)[2] is not
                   recommended when the persistent option is used, as
                   restoring default routes to the main routing table can
                   prevent link status monitors such as foolsm from correctly
                   detecting non-working providers.

       COPY - [{none|interface[,interface]...}]
           A comma-separated list of other interfaces on your firewall.
           Wildcards specified using an asterisk ("*") are permitted (e.g.,
           tun*). Usually used only when DUPLICATE is main. Only copy routes
           through INTERFACE and through interfaces listed here. If you only
           wish to copy routes through INTERFACE, enter none in this column.

           Beginning with Shorewall 4.5.17, blackhole, unreachable and
           prohibit routes are no longer copied by default but may be copied
           by including blackhole, unreachable and prohibit respectively in
           the COPY list.

EXAMPLES
       IPv4 Example 1:
           You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
           interface is eth2.

               #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS
               Squid  1       1     -          eth2       192.168.2.99  -

       IPv4 Example 2:
           eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176
           and the ISP's gateway router has IP address 206.124.146.254.

           eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and
           the ISP's gateway router has IP address 130.252.99.254.

           eth2 connects to a local network.

               #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS        COPY
               ISP1   1       1     main       eth0       206.124.146.254  track,balance  eth2
               ISP2   2       2     main       eth1       130.252.99.254   track,balance  eth2

       IPv6 Example 1:
           You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2. Your
           DMZ interface is eth2.

               #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY              OPTIONS
               Squid  1       1     -          eth2       2002:ce7c:92b4:1::2  -

       IPv6 Example 2:
           eth0 connects to ISP 1. The ISP's gateway router has IP address
           2001:ce7c:92b4:1::2.

           eth1 connects to ISP 2. The ISP's gateway router has IP address
           2001:d64c:83c9:12::8b.

           eth2 connects to a local network.

               #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY                OPTIONS  COPY
               ISP1   1       1     main       eth0       2001:ce7c:92b4:1::2    track    eth2
               ISP2   2       2     main       eth1       2001:d64c:83c9:12::8b  track    eth2

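       As an added illustration (not part of this man page or of Shorewall's
       own code), the following Python lint parses a providers file in the
       column format described above and reports violations of the rules
       stated here: reserved NAMEs, the 1..15 range and uniqueness of NUMBER,
       MARK alignment to PROVIDER_OFFSET and the PROVIDER_OFFSET +
       PROVIDER_BITS width, the tproxy column requirements, and load=
       probabilities that do not sum to 1.00000000. IPv4 Example 2 is the clean
       input; the second input is constructed (documentation addresses) to
       trip each check, and the PROVIDER_OFFSET/PROVIDER_BITS defaults are
       assumed, not read from shorewall.conf.

```python
from decimal import Decimal
RESERVED = {"local", "main", "default", "unspec"}  # names the NAME column may not use
COLUMNS = ("name", "number", "mark", "duplicate", "interface", "gateway", "options", "copy")

def parse_providers(text):
    # One record per non-comment line; '#' starts a comment and '-' marks an omitted column.
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            fields += ["-"] * (len(COLUMNS) - len(fields))  # trailing columns may be omitted
            row = dict(zip(COLUMNS, fields))
            row["options"] = [] if row["options"] == "-" else row["options"].split(",")
            rows.append(row)
    return rows

def lint_providers(text, provider_offset=0, provider_bits=8):
    # Returns the column-rule violations for the given PROVIDER_OFFSET / PROVIDER_BITS settings.
    problems, seen, load_total = [], set(), Decimal(0)
    for r in parse_providers(text):
        n = r["name"]
        if n in RESERVED:
            problems.append(f"{n}: reserved provider name")
        if not (r["number"].isdigit() and 1 <= int(r["number"]) <= 15):
            problems.append(f"{n}: NUMBER must be between 1 and 15")
        elif r["number"] in seen:
            problems.append(f"{n}: NUMBER {r['number']} is not unique")
        seen.add(r["number"])
        if r["mark"] != "-":
            mark = int(r["mark"], 0)  # decimal or 0x-prefixed hex
            if mark % (1 << provider_offset):
                problems.append(f"{n}: MARK must be a multiple of 2^{provider_offset}")
            if mark.bit_length() > provider_offset + provider_bits:
                problems.append(f"{n}: MARK has more than PROVIDER_OFFSET + PROVIDER_BITS significant bits")
        load_total += sum(Decimal(o[5:]) for o in r["options"] if o.startswith("load="))
        if "tproxy" in r["options"] and not (r["options"] == ["tproxy"] and r["interface"] == "lo"
                                             and {r["mark"], r["duplicate"], r["gateway"]} == {"-"}):
            problems.append(f"{n}: tproxy must be the only option, on 'lo', with MARK/DUPLICATE/GATEWAY empty")
    if load_total and load_total != 1:  # the sum is checked only when load= is used at all
        problems.append(f"load= probabilities sum to {load_total:.8f}, not 1.00000000")
    return problems

GOOD = """# IPv4 Example 2 from this man page; expected to lint clean
ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
ISP2 2 2 main eth1 130.252.99.254 track,balance eth2
"""
BAD = """# Constructed counter-example: reserved name, odd MARK under PROVIDER_OFFSET=1,
# reused NUMBER, tproxy with an extra option, load= totalling 0.9 (documentation addresses)
main  1 3 main eth0 203.0.113.1  load=0.6     eth2
ISP2  1 4 main eth1 198.51.100.1 load=0.3     eth2
Proxy 3 - -    lo   -            tproxy,track -
"""
```

       Running lint_providers(BAD, provider_offset=1) yields one finding per
       deliberate defect, while lint_providers(GOOD) returns an empty list.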
FILES
       /etc/shorewall/providers

       /etc/shorewall6/providers

SEE ALSO
       http://www.shorewall.net/MultiISP.html[6]

       http://www.shorewall.net/configuration_file_basics.htm#Pairs[7]

       shorewall(8)

NOTES
        1. shorewall-mangle(5)
           http://www.shorewall.net/manpages/shorewall-mangle.html

        2. shorewall.conf(5)
           http://www.shorewall.net/manpages/shorewall.conf.html

        3. shorewall-interfaces(5)
           http://www.shorewall.net/manpages/shorewall-interfaces.html

        4. http://www.shorewall.net/Shorewall_Squid_Usage.html
           http://www.shorewall.net/Shorewall_Squid_Usage.html

        5. shorewall-rtrules(5)
           http://www.shorewall.net/manpages/shorewall-rtrules.html

        6. http://www.shorewall.net/MultiISP.html
           http://www.shorewall.net/MultiISP.html

        7. http://www.shorewall.net/configuration_file_basics.htm#Pairs
           http://www.shorewall.net/configuration_file_basics.htm#Pairs

Configuration Files               08/05/2018            SHOREWALL-PROVIDERS(5)