'\" t
.\"     Title: shorewall6-providers
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.76.1
.\"      Date: 10/19/2014
.\"    Manual: Configuration Files
.\"    Source: Configuration Files
.\"  Language: English
.\"
.TH "SHOREWALL6\-PROVIDER" "5" "10/19/2014" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
providers \- Shorewall6 Providers file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/providers\fR\ 'u
\fB/etc/shorewall6/providers\fR
.SH "DESCRIPTION"
.PP
This file is used to define additional routing tables\&. You will want to define an additional table if:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You have connections to more than one ISP or multiple connections to the same ISP\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You run Squid as a transparent proxy on a host other than the firewall\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You have other requirements for policy routing\&.
.RE
.PP
Each entry in the file defines a single routing table\&.
.PP
If you wish to omit a column entry but want to include an entry in the next column, use "\-" for the omitted entry\&.
.PP
The columns in the file are as follows\&.
.PP
\fBNAME\fR \- \fIname\fR
.RS 4
The provider \fIname\fR\&. Must be a valid shell variable name\&. The names \*(Aqlocal\*(Aq, \*(Aqmain\*(Aq, \*(Aqdefault\*(Aq and \*(Aqunspec\*(Aq are reserved and may not be used as provider names\&.
.RE
.PP
\fBNUMBER\fR \- \fInumber\fR
.RS 4
The provider number \-\- a number between 1 and 15\&. Each provider must be assigned a unique value\&.
.RE
.PP
\fBMARK\fR (Optional) \- \fIvalue\fR
.RS 4
A FWMARK \fIvalue\fR used in your \m[blue]\fBshorewall6\-mangle\fR\m[]\&\s-2\u[1]\d\s+2(5) file to direct packets to this provider\&.
.sp
If HIGH_ROUTE_MARKS=Yes in \m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5), then the value must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low\-order byte of the value being zero)\&. Otherwise, the value must be between 1 and 255\&. Each provider must be assigned a unique mark value\&. This column may be omitted if you don\*(Aqt use packet marking to direct connections to a particular provider\&.
.RE
.PP
\fBDUPLICATE\fR \- \fIrouting\-table\-name\fR
.RS 4
The name of an existing table to duplicate to create this routing table\&. May be \fBmain\fR or the name of a previously listed provider\&. You may select only certain entries from the table to copy by using the COPY column below\&.
.RE
.PP
\fBINTERFACE\fR \- \fIinterface\fR
.RS 4
The name of the network interface to the provider\&. Must be listed in \m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5)\&.
.RE
.PP
\fBGATEWAY\fR \- {\fB\-\fR|\fIaddress\fR|\fBdetect\fR}
.RS 4
The IP address of the provider\*(Aqs gateway router\&.
.sp
You can enter "detect" here and Shorewall6 will attempt to detect the gateway automatically\&.
.sp
For PPP devices, you may omit this column\&.
.RE
.PP
\fBOPTIONS\fR (Optional) \- [\fB\-\fR|\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.]
.RS 4
A comma\-separated list selected from the following\&. The order of the options is not significant but the list may contain no embedded white\-space\&.
.PP
\fBautosrc\fR
.RS 4
Added in Shorewall 4\&.5\&.17\&. Causes a host route to the provider\*(Aqs gateway router to be added to the provider\*(Aqs routing table\&. This is the default behavior unless overridden by a following \fBnoautosrc\fR option\&.
.RE
.PP
\fBbalance\fR
.RS 4
Added in Shorewall 4\&.4\&.25\&. Causes a default route to this provider\*(Aqs gateway to be added to the \fBmain\fR routing table (USE_DEFAULT_RT=No) or to the \fBbalance\fR routing table (USE_DEFAULT_RT=Yes)\&. At most one provider can specify this option\&.
.RE
.PP
\fBfallback\fR
.RS 4
Added in Shorewall 4\&.4\&.25\&. Causes a default route to this provider\*(Aqs gateway to be added to the \fBdefault\fR routing table\&. At most one provider can specify this option\&.
.RE
.PP
\fBtrack\fR
.RS 4
If specified, inbound connections on this interface are to be tracked so that responses may be routed back out this same interface\&.
.sp
You want to specify \fBtrack\fR if internet hosts will be connecting to local servers through this provider\&.
.sp
Beginning with Shorewall 4\&.4\&.3, \fBtrack\fR defaults to the setting of the TRACK_PROVIDERS option in \m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[4]\d\s+2(5)\&. If you set TRACK_PROVIDERS=Yes and want to override that setting for an individual provider, then specify \fBnotrack\fR (see below)\&.
.RE
.PP
\fBloose\fR
.RS 4
Shorewall6 normally adds a routing rule for each IP address on an interface which forces traffic whose source is that IP address to be sent using the routing table for that interface\&. Setting \fBloose\fR prevents creation of such rules on this interface\&.
.RE
.PP
\fBnoautosrc\fR
.RS 4
Added in Shorewall 4\&.5\&.17\&. Prevents a host route to the provider\*(Aqs gateway router from being added to the provider\*(Aqs routing table\&. This option must be used with caution as it can cause start and restart failures\&.
.RE
.PP
\fBnotrack\fR
.RS 4
Added in Shorewall 4\&.4\&.3\&. When specified, turns off \fBtrack\fR\&.
.RE
.PP
\fBoptional\fR (deprecated for use with providers that do not share an interface)
.RS 4
If the interface named in the INTERFACE column is not up and configured with an IPv4 address then ignore this provider\&. If not specified, the value of the \fBoptional\fR option for the INTERFACE in \m[blue]\fBshorewall6\-interfaces(5)\fR\m[]\&\s-2\u[3]\d\s+2 is assumed\&. Use of that option is preferred to this one, unless an \fIaddress\fR is provided in the INTERFACE column\&.
.RE
.PP
\fBsrc=\fR\fIsource\-address\fR
.RS 4
Specifies the source address to use when routing to this provider and none is known (the local client has bound to the 0 address)\&. May not be specified when an \fIaddress\fR is given in the INTERFACE column\&. If this option is not used, Shorewall6 substitutes the primary IP address on the interface named in the INTERFACE column\&.
.RE
.PP
\fBmtu=\fR\fInumber\fR
.RS 4
Specifies the MTU when forwarding through this provider\&. If not given, the MTU of the interface named in the INTERFACE column is assumed\&.
.RE
.PP
\fBtproxy\fR
.RS 4
Added in Shorewall 4\&.5\&.4\&. Used for supporting the TPROXY action in shorewall\-tcrules(5)\&. See \m[blue]\fBhttp://www\&.shorewall\&.net/Shorewall_Squid_Usage\&.html\fR\m[]\&\s-2\u[5]\d\s+2\&. When specified, the MARK, DUPLICATE and GATEWAY columns should be empty, INTERFACE should be set to \*(Aqlo\*(Aq and \fBtproxy\fR should be the only OPTION\&. Only one \fBtproxy\fR provider is allowed\&.
.RE
.PP
\fBhostroute\fR
.RS 4
Added in Shorewall 4\&.5\&.21\&. This is the default behavior: a host route to the defined \fBGATEWAY\fR is inserted into the main routing table and into the provider\*(Aqs routing table\&. \fBhostroute\fR is required for older distributions but \fBnohostroute\fR (below) is appropriate for recent distributions\&. \fBhostroute\fR may interfere with Zebra\*(Aqs ability to add routes on some distributions such as Debian 7\&.
.RE
.PP
\fBnohostroute\fR
.RS 4
Added in Shorewall 4\&.5\&.21\&. \fBnohostroute\fR prevents a host route to the defined \fBGATEWAY\fR from being inserted into the main routing table and into the provider\*(Aqs routing table\&. \fBnohostroute\fR is not appropriate for older distributions but is appropriate for recent distributions\&. \fBnohostroute\fR allows Zebra to correctly add routes on some distributions such as Debian 7\&.
.RE
.RE
.PP
\fBCOPY\fR \- [{\fBnone\fR|\fIinterface\fR\fB[,\fR\fIinterface\fR]\&.\&.\&.}]
.RS 4
A comma\-separated list of other interfaces on your firewall\&. Wildcards specified using an asterisk ("*") are permitted (e\&.g\&., tun*)\&. Usually used only when DUPLICATE is \fBmain\fR\&. Only copy routes through INTERFACE and through interfaces listed here\&. If you only wish to copy routes through INTERFACE, enter \fBnone\fR in this column\&.
.sp
Beginning with Shorewall 4\&.5\&.17, blackhole, unreachable and prohibit routes are no longer copied by default but may be copied by including \fBblackhole\fR, \fBunreachable\fR and \fBprohibit\fR respectively in the COPY list\&.
.RE
.SH "EXAMPLES"
.PP
Example 1:
.RS 4
You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2\&. Your DMZ interface is eth2\&.
.sp
.if n \{\
.RS 4
.\}
.nf
#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY               OPTIONS
Squid   1       1       \-          eth2       2002:ce7c:92b4:1::2   \-
.fi
.if n \{\
.RE
.\}
.RE
.PP
Example 2:
.RS 4
eth0 connects to ISP 1\&. The ISP\*(Aqs gateway router has IP address 2001:ce7c:92b4:1::2\&.
.sp
eth1 connects to ISP 2\&. The ISP\*(Aqs gateway router has IP address 2001:d64c:83c9:12::8b\&.
.sp
eth2 connects to a local network\&.
.sp
.if n \{\
.RS 4
.\}
.nf
#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY                 OPTIONS  COPY
ISP1    1       1       main       eth0       2001:ce7c:92b4:1::2     track    eth2
ISP2    2       2       main       eth1       2001:d64c:83c9:12::8b   track    eth2
.fi
.if n \{\
.RE
.\}
.RE
.SH "FILES"
.PP
/etc/shorewall6/providers
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/MultiISP\&.html\fR\m[]\&\s-2\u[6]\d\s+2
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2
.PP
shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-maclist(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall6-mangle
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-mangle.html
.RE
.IP " 2." 4
shorewall6.conf
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6.conf.html
.RE
.IP " 3." 4
shorewall6-interfaces
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6-interfaces.html
.RE
.IP " 4." 4
shorewall6.conf
.RS 4
\%http://www.shorewall.net/manpages6/shorewall6.conf.html
.RE
.IP " 5." 4
http://www.shorewall.net/Shorewall_Squid_Usage.html
.RS 4
\%http://www.shorewall.net/Shorewall_Squid_Usage.html
.RE
.IP " 6." 4
http://www.shorewall.net/MultiISP.html
.RS 4
\%http://www.shorewall.net/MultiISP.html
.RE
.IP " 7." 4
http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RS 4
\%http://www.shorewall.net/configuration_file_basics.htm#Pairs
.RE
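The column rules above (reserved NAMEs, NUMBER 1 to 15 and unique, MARK range depending on HIGH_ROUTE_MARKS, at most one balance, fallback or tproxy provider, and the tproxy column restrictions) can be checked before a reload. The following linter is an added example, not part of Shorewall or this man page; it assumes whitespace-separated columns in the order shown in EXAMPLES, with "-" for an omitted entry, and is run over Example 2 from this page plus a constructed file that breaks several rules.

```python
import re

RESERVED = {"local", "main", "default", "unspec"}
COLUMNS = ("NAME", "NUMBER", "MARK", "DUPLICATE", "INTERFACE", "GATEWAY", "OPTIONS", "COPY")

def parse_providers(text):
    """One dict per entry; '-' or a missing column becomes None, '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rows.append({c: (fields[i] if i < len(fields) and fields[i] != "-" else None)
                         for i, c in enumerate(COLUMNS)})
    return rows

def lint_providers(text, high_route_marks=False):
    """Return rule violations found in a providers file (empty list = passes these checks)."""
    problems, numbers, marks = [], set(), set()
    single = {"balance": 0, "fallback": 0, "tproxy": 0}  # each allowed on at most one provider
    for r in parse_providers(text):
        name = r["NAME"] or "?"
        if not re.fullmatch(r"[A-Za-z_]\w*", name) or name in RESERVED:
            problems.append(f"{name}: NAME must be a valid, non-reserved shell variable name")
        if not (r["NUMBER"] and r["NUMBER"].isdigit() and 1 <= int(r["NUMBER"]) <= 15):
            problems.append(f"{name}: NUMBER must be between 1 and 15")
        elif r["NUMBER"] in numbers:
            problems.append(f"{name}: NUMBER {r['NUMBER']} is already assigned")
        numbers.add(r["NUMBER"])
        if r["MARK"] is not None:
            mark = int(r["MARK"], 0)  # decimal or 0x.. hexadecimal, as the MARK column allows
            # 1-255 normally; multiples of 256 from 256 to 65280 when HIGH_ROUTE_MARKS=Yes
            ok = (256 <= mark <= 65280 and mark % 256 == 0) if high_route_marks else 1 <= mark <= 255
            if not ok:
                problems.append(f"{name}: MARK {r['MARK']} invalid for HIGH_ROUTE_MARKS={high_route_marks}")
            elif mark in marks:
                problems.append(f"{name}: MARK {r['MARK']} is already assigned")
            marks.add(mark)
        opts = set((r["OPTIONS"] or "").split(","))
        for o in single: single[o] += o in opts
        if "tproxy" in opts and (opts != {"tproxy"} or r["INTERFACE"] != "lo"
                                 or any(r[c] for c in ("MARK", "DUPLICATE", "GATEWAY"))):
            problems.append(f"{name}: tproxy must be the only option, with INTERFACE lo and empty MARK, DUPLICATE, GATEWAY")
    problems += [f"at most one provider may specify {o}" for o, n in single.items() if n > 1]
    return problems

# Example 2 from this man page (expected to pass) and a constructed file that breaks several rules
EXAMPLE2 = ("#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY\n"
            "ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track eth2\n"
            "ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track eth2\n")
BAD = ("main 1 1 main eth0 2001:db8::1 balance eth2\n"   # reserved NAME; balance used twice
       "ISP2 1 1 - eth1 2001:db8::2 balance -\n"         # NUMBER and MARK already assigned
       "Proxy 16 0x0100 - eth3 - tproxy -\n")            # NUMBER > 15, MARK 256, tproxy misuse
```

Run `lint_providers(BAD)` to see all seven findings; `lint_providers(EXAMPLE2, high_route_marks=True)` shows the two marks that would become invalid if HIGH_ROUTE_MARKS=Yes were set in shorewall6.conf.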