SHOREWALL-PROVIDERS(5)

Configuration Files

SHOREWALL-PROVIDERS(5)

NAME¶

providers - Shorewall Providers file

SYNOPSIS¶

/etc/shorewall/providers

DESCRIPTION¶

This file is used to define additional routing tables. You will want to define an additional table if:

•You have connections to more than one ISP or multiple connections to the same ISP

•You run Squid as a transparent proxy on a host other than the firewall.

•You have other requirements for policy routing.

Each entry in the file defines a single routing table.

If you wish to omit a column entry but want to include an entry in the next column, use "-" for the omitted entry.

The columns in the file are as follows.

NAME - name

The provider name. Must be a valid shell variable name. The names 'local', 'main', 'default' and 'unspec' are reserved and may not be used as provider names.

NUMBER - number

The provider number -- a number between 1 and 15. Each provider must be assigned a unique value.

MARK (Optional) - value

A FWMARK value used in your shorewall-mangle(5)[1] file to direct packets to this provider.

If PROVIDER_OFFSET is non-zero in shorewall.conf(5)[2], then the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number of significant bits may not exceed PROVIDER_OFFSET + PROVIDER_BITS.

DUPLICATE - routing-table-name

The name of an existing table to duplicate to create this routing table. May be main or the name of a previously listed provider. You may select only certain entries from the table to copy by using the COPY column below. This column should contain a dash ("-') when USE_DEFAULT_RT=Yes in shorewall.conf(5)[2].

INTERFACE - interface[:address]

The name of the network interface to the provider. Must be listed in shorewall-interfaces(5)[3]. In general, that interface should not have the proxyarp or proxyndp option specified unless loose is given in the OPTIONS column of this entry.

Important
For IPv6, if the interface is an Ethernet device and an IP address is supplied, it should be the upstream router's link-level address, not its global address.

Where more than one provider is serviced through a single interface, the interface must be followed by a colon and the IP address of the interface that is supplied by the associated provider.

GATEWAY - {-|address[,mac]|detect|none}

The IP address of the provider's gateway router. Beginning with Shorewall 4.6.2, you may also specify the MAC address of the gateway when there are multiple providers serviced through the same interface. When the MAC is not specified, Shorewall will detect the MAC during firewall start or restart.

You can enter detect here and Shorewall will attempt to detect the gateway automatically.

Beginning with Shorewall 5.0.6, you may also enter none. This causes creation of a routing table with no default route in it.

For PPP devices, you may omit this column.

OPTIONS (Optional) - [-|option[,option]...]

A comma-separated list selected from the following. The order of the options is not significant but the list may contain no embedded white-space.

autosrc

Added in Shorewall 4.5.17. Causes a host route to the provider's gateway router to be added to the provider's routing table. This is the default behavior unless overridden by a following noautosrc option.

track

If specified, inbound connections on this interface are to be tracked so that responses may be routed back out this same interface.

You want to specify track if internet hosts will be connecting to local servers through this provider.

Beginning with Shorewall 4.4.3, track defaults to the setting of the TRACK_PROVIDERS option in shorewall.conf[2] (5). If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify notrack (see below).

balance[=weight]

The providers that have balance specified will get outbound traffic load-balanced among them. By default, all interfaces with balance specified will have the same weight (1). You can change the weight of an interface by specifying balance=weight where weight is the weight of the route out of this interface.

Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes, balance=1 is assumed unless the fallback, loose, load or tproxy option is specified. Beginning with Shorewall 5.1.1, when BALANCE_PROVIDERS=Yes, balance=1 is assumed unless the fallback, loose, load or tproxy option is specified.I

Caution
In IPV6, the balance option does not cause balanced default routes to be created; it rather causes a sequence of default routes with different metrics to be created.

loose

Shorewall normally adds a routing rule for each IP address on an interface which forces traffic whose source is that IP address to be sent using the routing table for that interface. Setting loose prevents creation of such rules on this interface.

load=probability

Added in Shorewall 4.6.0. This option provides an alternative method of load balancing based on probabilities. Providers to be balanced are given a probability (a number 0 > n >= 1) with up to 8 digits to the right of the decimal point. Beginning with Shorewall 4.6.10, a warning is issued if the sum of the probabilities is not 1.00000000.

noautosrc

Added in Shorewall 4.5.17. Prevents the addition of a host route to the provider's gateway router from being added to the provider's routing table. This option must be used with caution as it can cause start and restart failures.

notrack

Added in Shorewall 4.4.3. When specified, turns off track.

optional (deprecated for use with providers that do not share an interface)

If the interface named in the INTERFACE column is not up and configured with an IPv4 address then ignore this provider. If not specified, the value of the optional option for the INTERFACE in shorewall-interfaces(5)[3] is assumed. Use of that option is preferred to this one, unless an address is provider in the INTERFACE column.

primary

Added in Shorewall 4.6.6, primary is equivalent to balance=1 and is preferred when the remaining providers specify fallback or tproxy.

src=source-address

Specifies the source address to use when routing to this provider and none is known (the local client has bound to the 0 address). May not be specified when an address is given in the INTERFACE column. If this option is not used, Shorewall substitutes the primary IP address on the interface named in the INTERFACE column.

mtu=number

Specifies the MTU when forwarding through this provider. If not given, the MTU of the interface named in the INTERFACE column is assumed.

fallback[=weight]

Indicates that a default route through the provider should be added to the default routing table (table 253). If a weight is given, a balanced route is added with the weight of this provider equal to the specified weight. If the option is given without a weight, a separate default route is added through the provider's gateway; the route has a metric equal to the provider's NUMBER.

Prior to Shorewall 4.4.24, the option is ignored with a warning message if USE_DEFAULT_RT=Yes in shorewall.conf.

Caution
In IPV6, specifying the fallback option on multiple providers does not cause balanced fallback routes to be created; it rather causes a sequence of fallback routes with different metrics to be created.

tproxy

Added in Shorewall 4.5.4. Used for supporting the TPROXY action in shorewall-mangle(5). See https://shorewall.org/Shorewall_Squid_Usage.html[4]. When specified, the MARK, DUPLICATE and GATEWAY columns should be empty, INTERFACE should be set to 'lo' and tproxy should be the only OPTION. Only one tproxy provider is allowed.

hostroute

Added in Shorewall 4.5.21. This is the default behavior that results in a host route to the defined GATEWAY being inserted into the main routing table and into the provider's routing table. hostroute is required for older distributions but nohostroute (below) is appropriate for recent distributions. hostroute may interfere with Zebra's ability to add routes on some distributions such as Debian 7. This option defaults to on when BALANCE_PROVIDERS=Yes, in shorewall.conf(5)[2].

nohostroute

Added in Shorewall 4.5.21. nohostroute inhibits addition of a host route to the defined GATEWAY being inserted into the main routing table and into the provider's routing table. nohostroute is not appropriate for older distributions but is appropriate for recent distributions. nohostroute allows Zebra's to correctly add routes on some distributions such as Debian 7. This option defaults to off when BALANCE_PROVIDERS=Yes, in shorewall.conf(5)[2].

persistent

Added in Shorewall 5.0.2 and alters the behavior of the disable command:

•The provider's routing table still contains the apprioriate default route.

•Unless the noautosrc option is specified, routing rules are generated to route traffic from the interfaces address(es) out of the provider's routing table.

•Persistent routing rules in shorewall-rtrules(5)[5] are present.

Note
The generated script will attempt to reenable a disabled persistent provider during execution of the start, restart and reload commands. When persistent is not specified, only the enable and reenable commands can reenable the provider.

Important
RESTORE_DEFAULT_ROUTE=Yes in shorewall[6].conf is not recommended when the persistent option is used, as restoring default routes to the main routing table can prevent link status monitors such as foolsm from correctly detecting non-working providers.

COPY - [{none|interface[,interface]...}]

A comma-separated list of other interfaces on your firewall. Wildcards specified using an asterisk ("*") are permitted (e.g., tun* ). Usually used only when DUPLICATE is main. Only copy routes through INTERFACE and through interfaces listed here. If you only wish to copy routes through INTERFACE, enter none in this column.

Beginning with Shorewall 4.5.17, blackhole, unreachable and prohibit routes are no longer copied by default but may be copied by including blackhole,unreachable and prohibit respectively in the COPY list.

EXAMPLES¶

IPv4 Example 1:

You run squid in your DMZ on IP address 192.168.2.99. Your DMZ interface is eth2



        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY       OPTIONS


        Squid   1       1    -          eth2      192.168.2.99  -

IPv4 Example 2:

eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and the ISP's gateway router has IP address 206.124.146.254.

eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the ISP's gateway router has IP address 130.252.99.254.

eth2 connects to a local network.



        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY          OPTIONS            COPY


        ISP1  1       1    main      eth0      206.124.146.254 track,balance      eth2


        ISP2  2       2    main      eth1      130.252.99.254  track,balance      eth2

IPv6 Example 1:

You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2. Your DMZ interface is eth2



        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY              OPTIONS


        Squid   1       1    -          eth2      2002:ce7c:92b4:1::2  -

IPv6 Example 2:

eth0 connects to ISP 1. The ISP's gateway router has IP address 2001:ce7c:92b4:1::2.

eth1 connects to ISP 2. The ISP's gateway router has IP address 2001:d64c:83c9:12::8b.

eth2 connects to a local network.



        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY               OPTIONS    COPY


        ISP1  1       1    main      eth0     2001:ce7c:92b4:1::2   track      eth2


        ISP2  2       2    main      eth1     2001:d64c:83c9:12::8b track      eth2