[Firehol-support] marks and speed

Whit Blauvelt whit at transpect.com
Sat Jan 24 13:50:20 GMT 2015

On Sat, Jan 24, 2015 at 03:12:30PM +0200, Tsaousis, Costa wrote:

> The FireHOL suite (firehol, fireqos, link-balancer) now supports
> internally 2 types of marks: usermarks and connmarks.


The way I've been enabling Openswan IPsec to work from a server with the
previous FireHOL is like this (in firehol.conf ahead of the standard stuff):
  # IPsec mangling
  # Mark IPsec, and allow decrypted IPsec
  iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
  iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
  # accept anything carrying mark 1 in all three filter chains
  iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
  iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
  iptables -t filter -A OUTPUT -m mark --mark 1 -j ACCEPT
  # don't SNAT IPsec: insert an ACCEPT ahead of the existing SNAT/MASQUERADE
  # rules for every remote (right) subnet listed here
  rightsubnets=( )
  for rightsubnet in "${rightsubnets[@]}"; do
          iptables -t nat -I POSTROUTING -d "$rightsubnet" -j ACCEPT
  done

What would the translation of that to the new FireHOL syntax look like?
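Whatever the translated rule set ends up looking like, the result should be checked against the running tables. The script below is an added example, not code from the original post or from FireHOL: it audits an `iptables-save` dump for the mark, accept and no-SNAT rules above and flags an exemption that lands after the SNAT rule, which the `-I POSTROUTING` in the original is there to prevent. SAMPLE_DUMP is a constructed dump; the subnet 10.9.0.0/24 and interface eth0 are assumptions.

```shell
# Constructed iptables-save dump (iptables-save renders -p 17 as "-p udp",
# -p 50 as "-p esp" and --set-mark 1 as --set-xmark 0x1/0xffffffff).
# In practice replace it with the real output of `iptables-save`.
SAMPLE_DUMP='*mangle
-A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A FORWARD -m mark --mark 0x1 -j ACCEPT
-A OUTPUT -m mark --mark 0x1 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -d 10.9.0.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
# Print the rule lines of one table ($2) from a dump ($1).
table_lines() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { in_t = 1; next } /^COMMIT/ { in_t = 0 } in_t'
}
# $1 = dump, remaining args = right subnets that must be exempt from SNAT.
# Prints one line per problem; returns 1 if any, 0 if the dump is complete.
check_ipsec_rules() {
    dump=$1; shift; bad=0
    mangle=$(table_lines "$dump" mangle)
    filter=$(table_lines "$dump" filter)
    nat=$(table_lines "$dump" nat)
    printf '%s\n' "$mangle" | grep -q -e '^-A PREROUTING .*-p udp .*--dport 500 .*-j MARK --set-xmark 0x1/' \
        || { echo "missing: mangle PREROUTING mark for udp/500 (isakmp)"; bad=1; }
    printf '%s\n' "$mangle" | grep -q -e '^-A PREROUTING -p esp -j MARK --set-xmark 0x1/' \
        || { echo "missing: mangle PREROUTING mark for esp"; bad=1; }
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$filter" | grep -q -e "^-A $chain -m mark --mark 0x1 -j ACCEPT" \
            || { echo "missing: filter $chain accept for mark 1"; bad=1; }
    done
    # The exemption only helps if it sits before the first SNAT/MASQUERADE rule.
    first_snat=$(printf '%s\n' "$nat" | grep -n -E -e '-j (SNAT|MASQUERADE)' | head -n 1 | cut -d: -f1)
    for subnet in "$@"; do
        pos=$(printf '%s\n' "$nat" | grep -n -F -e "-A POSTROUTING -d $subnet -j ACCEPT" | head -n 1 | cut -d: -f1)
        if [ -z "$pos" ]; then
            echo "missing: nat POSTROUTING exemption for $subnet"; bad=1
        elif [ -n "$first_snat" ] && [ "$pos" -gt "$first_snat" ]; then
            echo "misordered: exemption for $subnet comes after SNAT/MASQUERADE"; bad=1
        fi
    done
    return $bad
}
check_ipsec_rules "$SAMPLE_DUMP" 10.9.0.0/24 && echo "all IPsec rules present"
```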
