shorewall-providers.5

sharewall is very good

.\"     Title: shorewall-providers
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
.\"      Date: 03/19/2009
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-PROVIDERS" "5" "03/19/2009" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" toupper - uppercase a string (locale-aware)
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de toupper
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
\\$*
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH-xref - format a cross-reference to an SH section
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de SH-xref
.ie n \{\
.\}
.toupper \\$*
.el \{\
\\$*
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH - level-one heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SH
.\" put an extra blank line of space above the head in non-TTY output
.if t \{\
.sp 1
.\}
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[an-margin]u
.ti 0
.HTML-TAG ".NH \\n[an-level]"
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
\." make the size of the head bigger
.ps +3
.ft B
.ne (2v + 1u)
.ie n \{\
.\" if n (TTY output), use uppercase
.toupper \\$*
.\}
.el \{\
.nr an-break-flag 0
.\" if not n (not TTY), use normal case (not uppercase)
\\$1
.in \\n[an-margin]u
.ti 0
.\" if not n (not TTY), put a border/line under subheading
.sp -.6
\l'\n(.lu'
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SS - level-two heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SS
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[IN]u
.ti \\n[SN]u
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.ps \\n[PS-SS]u
\." make the size of the head bigger
.ps +2
.ft B
.ne (2v + 1u)
.if \\n[.$] \&\\$*
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BB/BE - put background/screen (filled box) around block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BB
.if t \{\
.sp -.5
.br
.in +2n
.ll -2n
.gcolor red
.di BX
.\}
..
.de EB
.if t \{\
.if "\\$2"adjust-for-leading-newline" \{\
.sp -1
.\}
.br
.di
.in
.ll
.gcolor
.nr BW \\n(.lu-\\n(.i
.nr BH \\n(dn+.5v
.ne \\n(BHu+.5v
.ie "\\$2"adjust-for-leading-newline" \{\
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.el \{\
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.in 0
.sp -.5v
.nf
.BX
.in
.sp .5v
.fi
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BM/EM - put colored marker in margin next to block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BM
.if t \{\
.br
.ll -2n
.gcolor red
.di BX
.\}
..
.de EM
.if t \{\
.br
.di
.ll
.gcolor
.nr BH \\n(dn
.ne \\n(BHu
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
.in 0
.nf
.BX
.in
.fi
.\}
..
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "Name"
providers \- Shorewall Providers file
.SH "Synopsis"
.fam C
.HP \w'\fB/etc/shorewall/providers\fR\ 'u
\fB/etc/shorewall/providers\fR
.fam
.SH "Description"
.PP
This file is used to define additional routing tables\&. You will want to define an additional table if:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You have connections to more than one ISP or multiple connections to the same ISP
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You run Squid as a transparent proxy on a host other than the firewall\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You have other requirements for policy routing\&.
.RE
.PP
Each entry in the file defines a single routing table\&.
.PP
If you wish to omit a column entry but want to include an entry in the next column, use "\-" for the omitted entry\&.
.PP
The columns in the file are as follows\&.
.PP
\fBNAME\fR \- \fIname\fR
.RS 4
The provider
\fIname\fR\&. Must be a valid shell variable name\&. The names \'local\', \'main\', \'default\' and \'unspec\' are reserved and may not be used as provider names\&.
.RE
.PP
\fBNUMBER\fR \- \fInumber\fR
.RS 4
The provider number \-\- a number between 1 and 15\&. Each provider must be assigned a unique value\&.
.RE
.PP
\fBMARK\fR (Optional) \- \fIvalue\fR
.RS 4
A FWMARK
\fIvalue\fR
used in your
\m[blue]\fBshorewall\-tcrules(5)\fR\m[]\&\s-2\u[1]\d\s+2
file to direct packets to this provider\&.
.sp
If HIGH_ROUTE_MARKS=Yes in
\m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2, then the value must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low\-order byte of the value being zero)\&. Otherwise, the value must be between 1 and 255\&. Each provider must be assigned a unique mark value\&. This column may be omitted if you don\'t use packet marking to direct connections to a particular provider and you don\'t specify
\fBtrack\fR
in the OPTIONS column\&.
.RE
.PP
\fBDUPLICATE\fR \- \fIrouting\-table\-name\fR
.RS 4
The name of an existing table to duplicate to create this routing table\&. May be
\fBmain\fR
or the name of a previously listed provider\&. You may select only certain entries from the table to copy by using the COPY column below\&. This column should contain a dash ("\-\') when USE_DEFAULT_RT=Yes in
\m[blue]\fBshorewall\&.conf(5)\fR\m[]\&\s-2\u[2]\d\s+2\&.
.RE
.PP
\fBINTERFACE\fR \- \fIinterface\fR[:\fIaddress\fR]
.RS 4
The name of the network interface to the provider\&. Must be listed in
\m[blue]\fBshorewall\-interfaces(5)\fR\m[]\&\s-2\u[3]\d\s+2\&.
.sp
Where more than one provider is serviced through a single interface, the
\fIinterface\fR
must be followed by a colon and the IP
\fIaddress\fR
of the interface that is supplied by the associated provider\&.
.RE
.PP
\fBGATEWAY\fR \- {\fB\-\fR|\fIaddress\fR|\fBdetect\fR}
.RS 4
The IP address of the provider\'s gateway router\&.
.sp
You can enter "detect" here and Shorewall will attempt to detect the gateway automatically\&.
.sp
For PPP devices, you may omit this column\&.
.RE
.PP
\fBOPTIONS\fR (Optional) \- [\fB\-\fR|\fIoption\fR[\fB,\fR\fIoption\fR]\&.\&.\&.]
.RS 4
A comma\-separated list selected from the following\&. The order of the options is not significant but the list may contain no embedded whitespace\&.
.PP
\fBtrack\fR
.RS 4
If specified, inbound connections on this interface are to be tracked so that responses may be routed back out this same interface\&.
.sp
You want to specify
\fBtrack\fR
if internet hosts will be connecting to local servers through this provider\&.
.RE
.PP
\fBbalance[=\fR\fB\fIweight\fR\fR\fB]\fR
.RS 4
The providers that have
\fBbalance\fR
specified will get outbound traffic load\-balanced among them\&. By default, all interfaces with
\fBbalance\fR
specified will have the same weight (1)\&. You can change the weight of an interface by specifiying
\fBbalance=\fR\fIweight\fR
where
\fIweight\fR
is the weight of the route out of this interface\&.
.RE
.PP
\fBloose\fR
.RS 4
Shorewall normally adds a routing rule for each IP address on an interface which forces traffic whose source is that IP address to be sent using the routing table for that interface\&. Setting
\fBloose\fR
prevents creation of such rules on this interface\&.
.RE
.PP
\fBoptional\fR
.RS 4
If the interface named in the INTERFACE column is not up and configured with an IPv4 address then ignore this provider\&. If not specified, the value of the
\fBoptional\fR
option for the INTERFACE in
\m[blue]\fBshorewall\-interfaces(5)\fR\m[]\&\s-2\u[3]\d\s+2
is assumed\&.
.RE
.PP
\fBsrc=\fR\fIsource\-address\fR
.RS 4
Added in Shorewall\-perl 4\&.1\&.5\&. Specifies the source address to use when routing to this provider and none is known (the local client has bound to the 0 address)\&. May not be specified when an
\fIaddress\fR
is given in the INTERFACE column\&. If this option is not used, Shorewall substitutes the primary IP address on the interface named in the INTERFACE column\&.
.RE
.PP
\fBmtu=\fR\fInumber\fR
.RS 4
Added in Shorewall\-perl 4\&.1\&.5\&. Specifies the MTU when forwarding through this provider\&. If not given, the MTU of the interface named in the INTERFACE column is assumed\&.
.RE
.PP
\fBfallback[=\fR\fB\fIweight\fR\fR\fB]\fR
.RS 4
Added in Shorewall\-perl 4\&.2\&.5\&. Indicates that a default route through the provider should be added to the default routing table (table 253)\&. If a
\fIweight\fR
is given, a balanced route is added with the weight of this provider equal to the specified
\fIweight\fR\&. If the option is given without a
\fIweight\fR, an separate default route is added through the provider\'s gateway; the route has a metric equal to the provider\'s NUMBER\&. The option is ignored with a warning message if USE_DEFAULT_RT=Yes in
\FCshorewall\&.conf\F[]\&.
.RE
.RE
.PP
\fBCOPY\fR \- [{\fBnone\fR|\fIinterface\fR\fB[,\fR\fIinterface\fR]\&.\&.\&.}]
.RS 4
A comma\-separated list of other interfaces on your firewall\&. Wildcards specified using an asterisk ("*") are permitted (e\&.g\&., tun* )\&. Usually used only when DUPLICATE is
\fBmain\fR\&. Only copy routes through INTERFACE and through interfaces listed here\&. If you only wish to copy routes through INTERFACE, enter
\fBnone\fR
in this column\&.
.RE
.SH "Examples"
.PP
Example 1:
.RS 4
You run squid in your DMZ on IP address 192\&.168\&.2\&.99\&. Your DMZ interface is eth2
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY       OPTIONS
        Squid   1       1    \-          eth2      192\&.168\&.2\&.99  \-
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.PP
Example 2:
.RS 4
eth0 connects to ISP 1\&. The IP address of eth0 is 206\&.124\&.146\&.176 and the ISP\'s gateway router has IP address 206\&.124\&.146\&.254\&.
.sp
eth1 connects to ISP 2\&. The IP address of eth1 is 130\&.252\&.99\&.27 and the ISP\'s gateway router has IP address 130\&.252\&.99\&.254\&.
.sp
eth2 connects to a local network\&.
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY          OPTIONS            COPY
        ISP1  1       1    main      eth0      206\&.124\&.146\&.254 track,balance      eth2
        ISP2  2       2    main      eth1      130\&.252\&.99\&.254  track,balance      eth2
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.RE
.SH "FILES"
.PP
/etc/shorewall/providers
.SH "See ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/MultiISP\&.html\fR\m[]
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-proxyarp(5), shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "Notes"
.IP " 1." 4
shorewall-tcrules(5)
.RS 4
\%http://www.shorewall.net/manpages/shorewall-tcrules.html
.RE
.IP " 2." 4
shorewall.conf(5)
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP " 3." 4
shorewall-interfaces(5)
.RS 4
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
.RE