Re: 2.6.11, pppoe, iptables
According to Michael Flaig, on Sun, 24 Apr 2005 12:30:21 +0200,
>Hi,
>
>my firewall is a duron 800 with sarge and 2.6.11 ...
>my dsl connection does work only after I did run pppoeconfig.
>If I reboot (without changes to pppoe settings) it doesn't work anymore.
>ppp starts and quits, no other message logged.
Did this problem appear with 2.6.10/11?
>Is this the same problem as yours?
I don't think so.
>
>But I think your problem may be another one...
>As on the Interface (eth0 in your case) the firewall policy is already
>set when you start dialing, I think the pppoe traffic gets dropped. If
>your policy sets the filters for eth0 (in case you use ethernet), you
>have to disable these policies before dialing out and set the policy
>again after connection is established...
Firestarter configures the firewall for ppp0, and starts when the connection is started.
The connection works, I received an IP and DNS server, DNS and ping packets go through. Only
the tcp part is out.
When I try setting the firewall by hand, everything gets locked as soon as I put a rule
which filters tcp packets according to their state (syn, invalid, ...), even if it is only
to accept all packets, whatever their state.
>firestarter has to set the default action for the interface to deny or
>reject and let ports through that you have allowed. I think the pppoe
>protocol is not tcp/ip and can not be filtered correctly by iptables. So
>the packages get dropped because of the default action.
No, I don't think so. At least, it would not explain why this changed from 2.6.8 to
2.6.10/11. With 2.6.8 everything works fine.
>
>do you have anything in your log when you start dialing?
>anything useful to build a rule?
No, with 2.6.8, the rejected packets appear in syslog. With 2.6.11 they don't.
>
>If you do not use ethernet in a local area network you should set the
>firewall policy on ppp0 instead of the ethernet interface. For pppoe to
>work the eth0 interface shouldn't be configured and have a default
>policy action like drop or reject, AFAIK...
It is on ppp0.
>
>If firestarter doesn't give you enough options to configure the iptables
>rules maybe fwbuilder (http://www.fwbuilder.org) is something for you.
>
I'll have a look at that. Thanks for your advice.
--
Cedric