LWN: Comments on "IPFire 2.5: Firewalls and more"
https://lwn.net/Articles/385045/

This is a special feed containing comments posted to the individual LWN article titled "IPFire 2.5: Firewalls and more".

[OT] Virtual networks?
https://lwn.net/Articles/385800/
Posted by dmag, Sun, 02 May 2010 13:24:52 +0000

Not to turn LWN into a help site, but you don't need anything fancy, just basic IPTables to mark packets and routing based on marked packets.

http://marc.info/?l=sg-dc&m=102738963506440&w=2

I really wish there were GOOD documentation on IPTables. It's hard to find a comprehensive list of modules, let alone really good examples on how to use them. IPTables is under-used, especially for system administration tasks. I run HAProxy, which doesn't do graceful restarts (unlike Apache/Nginx, which have a master process that doesn't exit). So to prevent the OS from dropping packets when nobody is listening, I used IPTables to short-circuit HAProxy to the first backend. So new connections are temporarily 'shunted' while HAProxy is restarting. The only annoying bit is you have to guess how long before HAProxy is ready.

(Hey, does anyone remember a newsgroup (I think it was alt.hackers) where you had to not only figure out how to forge a post, but your post had to be about an interesting hack? Ah, the good old days before eternal September.)

[OT] Virtual networks?
https://lwn.net/Articles/385477/
Posted by JohnLenz, Fri, 30 Apr 2010 02:10:00 +0000

One way is to use shorewall, which supports this. See MultiISP (http://www.shorewall.net/MultiISP.html) and Traffic Shaping (http://www.shorewall.net/traffic_shaping.htm).

You define two providers and are able to mark which packets should go to which provider. The rules to mark which packets go where can be as complex as you want to define. No need for tun-tap.

[OT] Virtual networks?
https://lwn.net/Articles/385350/
Posted by felixfix, Thu, 29 Apr 2010 15:12:20 +0000

I am my own reluctant sysadmin and sometimes do not take the time to understand things as well as I should, so perhaps I am overlooking something which already exists.

When I have my own firewall computer, I like the fact that it can reroute things from one side to the other based on ports etc. For a while, I had a system with dialup (low bandwidth but reasonable latency) and satellite (reasonable bandwidth but miserable latency), and it was nice to be able to route ssh over dialup and most other things over the satellite.

Is there any way to create virtual network devices which would allow this on a machine which is its own firewall? For simplicity's sake, suppose the dialup device was /dev/eth0 and the satellite was /dev/eth1. What I would like to do is create /dev/eth2 as a single device used by all programs, and have iptables rules which would steer the outbound traffic to eth0 or eth1 as appropriate. With a separate firewall computer, this is the only way you can do it, and it was easy to understand.

VPNs use tun/tap devices -- are those virtual devices of the sort I would need? Or is there some way to simply make one up?