I was bored tonight, so, after requesting an additional IP address from RR, I put my NetScreen 5GT in parallel with my Linux box, right on the internet. I'll eventually get an IPSec extension of my network going with one of my friends from home, but until then, I figured I'd have the NetScreen share some of the load with my Linux box.
I got the 5GT into the OSPF backbone area, so it could see everything and added a couple policies. Also added an additional routing table on the Linux box with a default to the NetScreen. Added a couple firewall rules to mark HTTP and SSH connections and send 'em over to the NetScreen.
Seems to work nicely, and now I can do some easy-ish QoS on the NetScreen to prevent my RTT from climbing when I use the 384kb of upstream RR gives me. I messed with tc on Linux a while back, but I thought it was complete overkill, and a little too complex.
When playing with iptables, I found some options in the iptables(8) manpage that I hadn't seen before:
    ROUTE
        This is used to explicitly override the core network stack's routing
        decision. mangle table.

        --oif ifname
            Route the packet through `ifname' network interface
        --iif ifname
            Change the packet's incoming interface to `ifname'
        --gw IP_address
            Route the packet via this gateway
        --continue
            Behave like a non-terminating target and continue traversing the
            rules. Not valid in combination with `--iif'
That just saddens me. There's already a mechanism for that, the mangle table! It just seems like this option is there purely for messing up and complicating configurations. Looks like it provides a messy way out for incorrect firewalling/routing configurations.
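As an added example (this is not the post's own configuration; the interface name, the NetScreen's address, the table number and the mark value are all assumed), here is the mark-and-route setup described earlier done with mainline iptables and iproute2: a second routing table with a default via the NetScreen, connection marks on new HTTP and SSH flows from the LAN, and an `ip rule` that sends marked packets to that table. A comment shows what the same diversion would look like with the ROUTE target from the manpage excerpt, for comparison.

```shell
#!/bin/sh
# Added example, not the post's own config: steer HTTP and SSH connections out via a
# second gateway (the parallel firewall) using CONNMARK plus an extra routing table,
# i.e. the mainline mechanism the post uses instead of the ROUTE target.
# All names and addresses are hypothetical; override them through the environment.
LAN_IF="${LAN_IF:-eth1}"        # interface facing the LAN hosts whose traffic we steer
ALT_GW="${ALT_GW:-192.0.2.2}"   # the NetScreen's address on the shared upstream segment
ALT_TABLE="${ALT_TABLE:-100}"   # extra routing table holding only the alternate default
FWMARK="${FWMARK:-0x1}"         # packet/connection mark that selects that table
DRY_RUN="${DRY_RUN:-}"          # set to print the commands instead of executing them

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_routing() {
    # 1. Second routing table whose only route is a default via the alternate gateway.
    run ip route replace default via "$ALT_GW" table "$ALT_TABLE"
    # 2. Packets carrying the mark consult that table before the main table.
    run ip rule add fwmark "$FWMARK" lookup "$ALT_TABLE" priority 1000
    # 3. Stamp the mark onto the conntrack entry of new HTTP and SSH connections.
    #    Marking the connection rather than each packet keeps the whole flow on one path.
    for port in 80 22; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$FWMARK"
    done
    # 4. Copy the connection mark onto every packet of the flow. mangle/PREROUTING runs
    #    before the route lookup, which is why a mark set here can change the route.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # For comparison, the ROUTE target quoted in the post (a patch-o-matic extension,
    # not part of mainline iptables) would do steps 1, 2 and 4 in one rule per port:
    #   iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j ROUTE --gw $ALT_GW
    # Nothing in 'ip rule' or 'ip route' would then show that the flow is diverted.
}

teardown_policy_routing() {
    # Undo the steps above in reverse order.
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    for port in 80 22; do
        run iptables -t mangle -D PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$FWMARK"
    done
    run ip rule del fwmark "$FWMARK" lookup "$ALT_TABLE" priority 1000
    run ip route flush table "$ALT_TABLE"
}

case "${1:-}" in
    apply)    setup_policy_routing ;;
    teardown) teardown_policy_routing ;;
esac
```

Run it as root with `apply` (or `teardown`); `DRY_RUN=1 ./steer.sh apply` prints the commands so they can be reviewed first. Two things to check before relying on it: `ip route get <dst> mark 0x1` should now return the NetScreen as the gateway, and, because the steered packets leave with the LAN hosts' source addresses, the NetScreen must either NAT them or have a route back to the LAN (the OSPF adjacency the post describes gives it the latter).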
Ah well, time to hit the sack.