Shadowsocks is an open-source encrypted proxy project,

```sh
ss-server -c /etc/shadowsocks-libev/config.json
```

If the client fails to start because a shared library is missing:

```
ss-local: error while loading shared libraries: libmbedcrypto.so.0: cannot open shared object file: No such file or directory
```

a symlink from the installed version of the library to the expected name works around it:

```sh
$ ln -sf libmbedcrypto.so.1 libmbedcrypto.so.0
```

## Configure Multiple Users for Shadowsocks-libev

The original Python release of shadowsocks supports multiple users through configuration, by assigning different passwords on multiple ports. Currently I am using shadowsocks-libev, the libev port of shadowsocks, and I also need to support multiple users. According to Madeye’s reply to the GitHub issue, shadowsocks-libev does not support multi-port configuration:

> Sorry, we have no plan to support multi-port configuration. Actually you can use multiple instances instead. For example:
>
> As the best practice we recommend for shadowsocks-libev, it helps to isolate each user in different processes and reconfigure each user’s port/password/encryption/timeout without reloading/restarting the whole service. Compared to other implementations, shadowsocks-libev uses much fewer resources (about 1MB of memory and hundreds of file descriptors in typical usage). As a result, this kind of multi-process setup should only introduce slight overhead and even works well for low-end boxes. Furthermore, this approach enables us to manage users with legacy control panels, for example old SSH / VHOST panels, with each user’s ss-server running in its own space.

I choose to use systemctl to manage the systemd instances of shadowsocks-libev. Template unit files are installed in the /lib/systemd/system directory. Take a look at the relevant lines of the server template unit file:

```ini
Description=Shadowsocks-Libev Custom Server Service for %I
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json
```

With the help of template unit files, service instances can be deployed and managed easily. For example, Cloud and Tifa, two AVALANCHE members, are planning to deploy shadowsocks-libev services on the same VPS to bypass the firewall of Shinra Inc. In this case, they could simply create cloud.json and tifa.json configurations with different ports, passwords and encryption methods in the /etc/shadowsocks-libev directory, then enable and start one systemd instance of the template unit per configuration. The status of each shadowsocks-libev instance can be checked with `sudo systemctl status` on that instance. All done.

A SRX is a “security device”, or as we call it conventionally, a firewall. Modern layer-3 firewalls route packets just like a router, but unlike a router, a firewall can organize packets into connections (flows) and run ACLs on the entire flow. This unique functionality is the fundamental building block of every “advanced” security feature offered by a firewall: dynamic NAT (PAT/NPT), zone-based firewall (ZBFW), ACLs for inbound or outbound connections only, L7 filtering, etc.

For the connection (flow) tracking to work, all the packets in a connection must go through the same device, and the 5-tuple of all the packets in a connection must have the expected values, which usually means:

- The packets from A to B and the packets from B to A must all go through the firewall at some point.
- There shouldn’t be single-sided stateless NAT happening on the route.

This was never an issue when everyone was single-homed and all the routers had only one routing table. SRXs now have built-in support for virtual routers, which can create an asymmetric flow easily.
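The flow-tracking requirement from the SRX discussion, as an added example that is not code from the page or from Juniper: a minimal stateful firewall model that creates a session from the first packet of a flow and matches the reply by its reversed 5-tuple, then shows how a second virtual router (its own flow table) or a single-sided stateless NAT breaks that match. The trust-only policy, the addresses and the two-virtual-router layout are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport, self.proto)

class StatefulFirewall:
    # One flow table per routing instance; a virtual router keeps its own.
    def __init__(self, policy):
        self.sessions = set()
        self.policy = policy  # consulted only for the first packet of a flow

    def process(self, pkt):
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            return "permit:existing"
        if self.policy(pkt):
            self.sessions.add(pkt.key())
            return "permit:new"
        return "drop"

def trust_only(pkt):
    # Constructed policy: only the trust side (10.0.0.0/8) may open flows.
    return pkt.src.startswith("10.")

# Constructed sample flow: a host in trust talks to a server in untrust.
REQUEST = Packet("10.0.0.5", 40000, "203.0.113.9", 443)
REPLY = Packet("203.0.113.9", 443, "10.0.0.5", 40000)

def symmetric_path():
    fw = StatefulFirewall(trust_only)
    return fw.process(REQUEST), fw.process(REPLY)

def asymmetric_path():
    # Two VRs with separate flow tables: the reply reaches a VR that never
    # saw the request, so it is judged as a new, disallowed flow.
    vr_a, vr_b = StatefulFirewall(trust_only), StatefulFirewall(trust_only)
    return vr_a.process(REQUEST), vr_b.process(REPLY)

def single_sided_nat():
    # A stateless NAT beyond the firewall rewrote the server address on the
    # reply only, so the reversed 5-tuple no longer matches the session.
    fw = StatefulFirewall(trust_only)
    return fw.process(REQUEST), fw.process(Packet("198.51.100.7", 443, "10.0.0.5", 40000))
```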