I'm trying to set up Shorewall to support dial-IN networking via ppp0.

I've got 5 usable IPs and a DSL bridge on eth1, my local private-address net on eth0, and I've set up pppd to give dialup users an "external" proxy arp address on the eth1 side.

Packets from ppp0 actually make it out the eth1 interface; no problem. But returning traffic is blocked.

I know how to brute-force (policy) Shorewall to allow all traffic from the eth1 zone to the ppp0 zone. But I do *not* know how to make Shorewall play nice with a not-always-up interface like ppp0. It always crashes and burns on me, leaving the whole machine dead and unaddressable (even with routestopped), unless I make sure to bring up *all* the interfaces first, before starting Shorewall.

That is quite impossible in this case. Maybe (hopefully!) I'm missing something obvious.

This must be an unattended-reboot machine, and ppp0 will almost certainly *not* be alive if the machine ever reboots or I have to administratively restart Shorewall. I can't have Shorewall just give up when it doesn't find a ppp0.

So, can I do this with Shorewall? If not, how can I hack around it?

Thanks.

-ken

-- 
---------------
The world's most affordable web hosting. http://www.nearlyfreespeech.net
On Tue, 29 Jul 2003, Ken Restivo wrote:

> I'm trying to set up Shorewall to support dial-IN networking via ppp0.
>
> I've got 5 usable IPs and a DSL bridge on eth1, my local private-address net on eth0, and I've set up pppd to give dialup users an "external" proxy arp address on the eth1 side.
>
> I know how to brute-force (policy) Shorewall to allow all traffic from the eth1 zone to the ppp0 zone. But I do *not* know how to make Shorewall play nice with a not-always-up interface like ppp0. It always crashes and burns on me, leaving the whole machine dead and unaddressable (even with routestopped), unless I make sure to bring up *all* the interfaces first, before starting Shorewall.

I'd like to have a trace of the "shorewall start" in that case -- see http://shorewall.net/troubleshoot.htm under the heading "If the firewall fails to start".

> That is quite impossible in this case. Maybe (hopefully!) I'm missing something obvious.

You have. For each occurrence of 'ppp0' in your configuration files, review the related shorewall documentation and pay attention to "the interface must be up before shorewall starts"

And PLEASE configure your mailer to fold lines....

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
OK. My apologies. I'm an idiot, and after reading through my Shorewall docs AGAIN, I found no reference to the "the interface must be up before shorewall starts". I then upgraded to 1.4.5, and read the documentation for that version, and still didn't see any mention of what to do if my interface cannot be up before Shorewall starts.

Can you point me perhaps to what *section* of the docs in which this wisdom resides? I would guess it would be in the docs for the "interfaces" file, or in the "Shorewall fails to start" FAQ entry, but, no such luck.

My apologies for being such a goddamned moron.

-ken

------
On Wed, Jul 30, 2003 at 11:59:12AM -0700, Tom Eastep wrote:
> You have. For each occurrence of 'ppp0' in your configuration files, review the related shorewall documentation and pay attention to "the interface must be up before shorewall starts"
>
> And PLEASE configure your mailer to fold lines....
>
> -Tom
I don''t know about the FAQ, but for me all you need to do is make sure ppp0 or ppp1 etc doesn''t have a detect line in the interfaces file dave ----- Original Message ----- From: "Ken Restivo" <ken@restivo.org>> OK. My apologies. I''m an idiot, and after reading through my Shorewalldocs AGAIN, I found no reference to the "the interface must be up before shorewall starts". I then upgraded to 1.4.5, and read the documentation for that version, and still didn''t see any mention of what to do if my interface cannot be up before Shorewall starts.
Yep. That did it. And, looking in the comments in the interfaces file under "detect", I found the phrase Tom was talking about:

"If you select this option, the interface must be up before the firewall is started, you must have iproute installed and the interface must only be associated with a single subnet."

I definitely wouldn't have found it if I didn't know exactly where to look for it. Duh.

Everything works now. Thanks for your help and your time!

-ken

-------
On Sun, Aug 03, 2003 at 12:07:45PM +1000, David Kempe wrote:
> I don't know about the FAQ, but for me all you need to do is make sure ppp0 or ppp1 etc doesn't have a detect line in the interfaces file
>
> dave
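The fix Dave describes and the "detect" comment Ken quotes, as an added pre-start check that is not Shorewall's own code and not from anyone in this thread: a POSIX sh script that scans a Shorewall 1.4-style interfaces file (columns ZONE INTERFACE BROADCAST OPTIONS, as assumed from the 1.4.5 version mentioned above) for entries whose BROADCAST column is `detect` but whose interface is not currently up, and rewrites such an entry to `-` so `shorewall start` no longer depends on the link existing. The sample interfaces file is constructed, the function names `detect_not_up` and `fix_detect` are hypothetical, and the list of up interfaces is supplied by the caller (on a live box it would come from `ip link`) so the check runs offline.

```shell
#!/bin/sh
# Constructed sample of a Shorewall 1.4-style /etc/shorewall/interfaces file
# (columns: ZONE INTERFACE BROADCAST OPTIONS). The ppp0 entry uses "detect",
# which requires the interface to be up when "shorewall start" runs.
SAMPLE_INTERFACES='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter
loc     eth0        detect
dial    ppp0        detect
'

# List interfaces whose BROADCAST column is "detect" but which are not in the
# caller-supplied list of currently-up interfaces (assumption: the caller
# builds that list, e.g. from "ip link"; passing it in keeps this offline).
#   $1: path of the interfaces file   $2: space-separated up interfaces
detect_not_up() {
    file=$1
    up=" $2 "
    grep -v '^[[:space:]]*#' "$file" |
        awk 'NF >= 3 && $3 == "detect" { print $2 }' |
        while read -r ifc; do
            case "$up" in
                *" $ifc "*) ;;          # up: detect will succeed at start
                *) echo "$ifc" ;;       # down: "shorewall start" would fail here
            esac
        done
}

# Rewrite the BROADCAST column of one interface from "detect" to "-" so the
# firewall starts whether or not the link exists. A ppp link is point-to-point
# and has no broadcast address, so nothing is lost. Prints the fixed file;
# the edited line is re-emitted by awk with single-space column separators.
#   $1: path of the interfaces file   $2: interface name
fix_detect() {
    awk -v ifc="$2" \
        '!/^[[:space:]]*#/ && $2 == ifc && $3 == "detect" { $3 = "-" } { print }' "$1"
}

# Stand-alone run on the constructed sample: eth0 and eth1 up, ppp0 down.
tmp=$(mktemp)
printf '%s' "$SAMPLE_INTERFACES" > "$tmp"
for ifc in $(detect_not_up "$tmp" "eth0 eth1"); do
    echo "$ifc: BROADCAST=detect but interface is down; rewriting to '-'"
    fix_detect "$tmp" "$ifc" > "$tmp.fixed" && mv "$tmp.fixed" "$tmp"
done
cat "$tmp"
rm -f "$tmp"
```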
On Sat, 2 Aug 2003 20:19:59 -0700, Ken Restivo <ken@restivo.org> wrote:

> I definitely wouldn't have found it if I didn't know exactly where to look for it. Duh.

Ken - I told you to find all references to ppp0 in your configuration and then check the related documentation. If you had done as I recommended, you would have found that reference in minutes (if not seconds).

-Tom
Your instructions were fine. I followed them. And then read through all docs all over again when I didn't notice the "detect" stuff.

Ticket closed. Problem Existed Between Eyeballs And Brain.

Thanks again for the help.

-ken

--------
On Sun, Aug 03, 2003 at 03:54:01PM -0700, Tom Eastep wrote:
> Ken - I told you to find all references to ppp0 in your configuration and then check the related documentation. If you had done as I recommended, you would have found that reference in minutes (if not seconds).
>
> -Tom