
Re: 2.6.11, pppoe, iptables



According to Michael Flaig, on Sun, 24 Apr 2005 12:30:21 +0200, 
>Hi,
>
>my firewall is a duron 800 with sarge and 2.6.11 ...
>my dsl connection does work only after I did run pppoeconfig.
>If I reboot (without changes to pppoe settings) it doesn't work anymore.
>ppp starts and quits, no other message logged.

Did this problem appear with 2.6.10/11?

>Is this the same problem as yours?

I don't think so. 

>
>But I think your problem may be another one...
>As on the Interface (eth0 in your case) the firewall policy is already
>set when you start dialing, I think the pppoe traffic gets dropped. If
>your policy sets the filters for eth0 (in case you use ethernet), you
>have to disable these policies before dialing out and set the policy
>again after connection is established... 

Firestarter configures the firewall for ppp0, and starts when the connection is started.
The connection works: I receive an IP and DNS server, and DNS and ping packets go through. Only
the tcp part is out.

When I try setting the firewall by hand, everything gets locked as soon as I put in a rule
which filters tcp packets according to their state (syn, invalid, ...), even if it is only
to accept all packets, whatever their state.

>firestarter has to set the default action for the interface to deny or
>reject and let ports through that you have allowed. I think the pppoe
>protocol is not tcp/ip and can not be filtered correctly by iptables. So
>the packages get dropped because of the default action.

No, I don't think so. At least, it would not explain why this changed from 2.6.8 to
2.6.10/11. With 2.6.8 everything works fine.

>
>do you have anything in your log when you start dialing? 
>anything useful to build an rule?

No. With 2.6.8, the rejected packets appear in syslog; with 2.6.11 they don't.


>
>If you do not use ethernet in a local area network you should set the
>firewall policy on ppp0 instead of the ethernet interface.  For pppoe to
>work the eth0 interface shouldn't be configured and have a default
>policy action like drop or reject, AFAIK...

It is on ppp0.

>
>If firestarter doesn't give you enough options to configure the iptables
>rules maybe fwbuilder (http://www.fwbuilder.org) is something for you.
>

I'll have a look to that. Thanks for your advice.

--
Cedric
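The thread above turns on two points: stateful filtering should sit on ppp0 rather than on the Ethernet interface that carries the PPPoE session (PPPoE discovery and session frames are not IP, so iptables never sees them), and dropped packets should be logged so they can be found in syslog. The following script is an added example, not code from either poster or from Firestarter; it emits such a rule set as text for review before it is applied. The interface names (ppp0, eth1) and the LAN range are assumptions.

```shell
#!/bin/sh
# Added example: a minimal stateful iptables rule set for a PPPoE firewall.
# Filtering is done on the PPP interface only; the Ethernet side carrying
# PPPoE is left alone. Rules are emitted as text (nothing is applied here),
# so they can be reviewed and then run with `sh`.
# Assumptions: ppp0 is the PPPoE link, eth1 is the LAN side, 192.168.1.0/24
# is the LAN range. Adjust via the environment before running.

PPP_IF="${PPP_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the iptables commands for the given PPP interface.
ppp_firewall_rules() {
    ppp="$1"
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Only the PPP interface is filtered. PPPoE frames on the Ethernet side are
# not IP and never reach these chains, so no rules name that interface.
iptables -A INPUT -i $ppp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $ppp -m state --state INVALID -j DROP
iptables -A INPUT -i $ppp -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $ppp -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $ppp -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log (rate limited) just before the chain policy drops, so rejected
# packets show up in syslog and the rule set can be debugged.
iptables -A INPUT -i $ppp -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -A FORWARD -i $ppp -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# Review check on the generated rules: no rule may match on eth0 (the PPPoE
# carrier) and at least one LOG rule must exist. Returns 0 if both hold.
check_rules() {
    rules="$(ppp_firewall_rules "$1")"
    if printf '%s\n' "$rules" | grep -q -- "-i eth0"; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -- "-j LOG" || return 1
    return 0
}

# Number of LOG rules emitted for the given interface.
count_log_rules() {
    ppp_firewall_rules "$1" | grep -c -- "-j LOG"
}

# Usage (as root, after reviewing the output):
#   sh this_script.sh > rules.sh && less rules.sh && sh rules.sh
ppp_firewall_rules "$PPP_IF"
```

Generating the rules as text rather than applying them directly keeps the review step the thread is missing: the state matches, the interface each rule binds to, and the LOG rule ahead of the policy drop can all be inspected before anything touches the running firewall.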


