Date: Mon, 1 Dec 2008 23:34:59 +0700
From: Pongthep Kulkrisada <ptkrisada@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: Andrew <awd@awdcomp.net>, freebsd-questions@freebsd.org, Fbsd1 <fbsd1@a1poweruser.com>, Manolis Kiagias <sonic2000gr@gmail.com>
Subject: Re: Problem about ppp -nat
Message-ID: <20081201163459.GA964@gmail.com>
In-Reply-To: <20081201235157.J34249@sola.nimnet.asn.au>
References: <20081123120013.8EDF310657E3@hub.freebsd.org> <20081124012858.J43853@sola.nimnet.asn.au> <20081128163044.GA1850@gmail.com> <20081129222143.R34249@sola.nimnet.asn.au> <20081130142757.GA926@gmail.com> <20081201235157.J34249@sola.nimnet.asn.au>
> > # ppp -background isp
> > Loading /lib/libalias_cuseeme.so
> > Loading /lib/libalias_ftp.so
> > Loading /lib/libalias_irc.so
> > Loading /lib/libalias_nbt.so
> > Loading /lib/libalias_pptp.so
> > Loading /lib/libalias_skinny.so
> > Loading /lib/libalias_smedia.so
>
> I'm surprised ppp would load these unless -nat was specified somewhere?

It is just ppp -background isp.

> I spent about 15 years debugging user problems with dialup modems; it
> can be really difficult without first knowing the modem type and its
> internal config - however that doesn't seem to be your problem here.

Modem type... it is just a normal external serial modem.
Internal config... I don't know; I lost its manual, sorry.

> That is, on connect it should then proceed to authentication. There's
> no sign of that. Whether failing at your end or the other is unclear;
> maybe logging LCP might provide more of a clue, but I'm not sure ..

I also don't know about this.

> > At boot time ...
> > Flush all rules.
> > ipfw: unknown interface name tun0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> Hmm. I have rules for natd via ng0, which also doesn't exist at boot,
> without any such complaints, but that's on a 5.5-STABLE box.
>
> > 00100 check-state
> > ...
> >
> > After presence of tun0 (after dialing) ...
> > # sh /etc/ipfw.rules
> > Flush all rules.
> > ipfw: ipfw_ctl invalid option 56
>
> What's that about? You haven't shown the rule that produced that ..

root@bsdhost:~# cat /etc/ipfw.rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Define our outside interface. With userland-ppp this
# defaults to tun0. Or just define ethernet device.
oif="tun0"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Do NAT before check-state
$fwcmd nat 123 config if $oif log deny_in same_ports unreg_only reset
$fwcmd add nat 123 ip4 from any to any via $oif

# Check the state of all packets.
$fwcmd add check-state

# Allow all internal traffic; it is dangerous but just for testing.
$fwcmd add allow all from any to any via fxp0

# Allow IPv6 tunneling
$fwcmd add allow udp from any 3653 to any 3653 via $oif
$fwcmd add allow tcp from any 3653 to any 3653 via $oif

# The following line is for user-ppp.
$fwcmd add allow ipv6 from any to any via gif0

# The following line is for UDP encapsulation (machine behind NAT).
# $fwcmd add allow ipv6 from any to any via tun1

# Stop spoofing on the outside interface.
$fwcmd add deny ip from any to any in via $oif not verrevpath

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif

# Allow all local traffic.
$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any

# Allow internet users to connect to ports 21, 23 and 80.
# We specifically allow connections to the ftpd, telnetd and a webserver.
$fwcmd add allow tcp from any to me dst-port 21,23,80 in via $oif setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12

# Deny and log all the rest.
$fwcmd add deny log ip from any to any

> > 5. Then insert these commands to /etc/ipfw.rules as the first two rules.
> > /sbin/ipfw add divert natd all from any to any via tun0
> > /sbin/ipfw add pass all from any to any
> > then run the ipfw script to load the new rules.
> > sh /etc/ipfw.rules
>
> Which other rules?

Please see above.

> > But I just can't pass step 3, unless I unload ipdivert.
>
> And your ppp.conf or ppp command definitely doesn't mention -nat?

Not at all. As said above, only ``ppp -background isp''. /etc/rc.conf and
/etc/ppp/ppp.conf do not store anything about -nat.

> > Please don't suspect my system. It had just been very freshly
> > installed from CDs before I tried everything. And without ipdivert
> > being loaded into the kernel, I can dial and browse any sites and
> > very fast with my /etc/ppp/ppp.conf. Should note a bug?
>
> Maybe it is. I'm out of ideas anyway, and no one else has come forward.

I have been using *Unix for 7 years (2 years for Linux and 5 years for
FreeBSD). I haven't found such things. Even with a noisy telephone line,
I could always dial the ISP. (But the link goes down sometimes; of course
that is found everywhere.) I think it is a bug.

> Well I'm pretty sure you shouldn't load ipdivert as well as using ipfw
> nat, but I've been almost 100% wrong so far so perhaps best ignore me :)

I may go on with ppp -nat, but when I have time. I am always busy...

Lastly, thank you very much for your kind response.

Cheers,
Pongthep
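A small lint for the kind of rules file posted above, written for this archive page as an added example (it is not code from the thread or from FreeBSD). It flags an "add nat" rule with no matching "nat N config" line, an in-kernel nat rule placed after "check-state" (the ordering the posted file's own comment calls for), and a file that carries both "divert natd" and in-kernel "nat" rules, which is the mix Ian's last point warns against. The two sample rulesets are constructed; the "$fwcmd" and "$oif" convention follows the posted file, and leading rule numbers are assumed absent.

```shell
# Lint an ipfw rules script for the pitfalls discussed in this thread.
# Assumes "<cmd> add ..." / "<cmd> nat N config ..." lines without rule numbers.

# Constructed sample: the shape of the poster's file (in-kernel nat only).
sample_ok() {
cat <<'EOF'
fwcmd="/sbin/ipfw"
oif="tun0"
$fwcmd -f flush
$fwcmd nat 123 config if $oif log deny_in same_ports unreg_only reset
$fwcmd add nat 123 ip4 from any to any via $oif
$fwcmd add check-state
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny log ip from any to any
EOF
}

# Constructed sample: the natd divert rules from "step 5" put in front,
# and check-state moved ahead of the in-kernel nat rule.
sample_mixed() {
cat <<'EOF'
fwcmd="/sbin/ipfw"
oif="tun0"
$fwcmd -f flush
$fwcmd add divert natd all from any to any via $oif
$fwcmd add pass all from any to any
$fwcmd add check-state
$fwcmd nat 123 config if $oif log deny_in same_ports unreg_only reset
$fwcmd add nat 123 ip4 from any to any via $oif
EOF
}

# Reads a rules script on stdin, prints one finding per line and exits
# with the number of findings (0 means clean).
lint_ipfw_rules() {
  awk '
    $2 == "nat" && $4 == "config"                 { conf[$3] = 1 }
    $2 == "add" && $3 == "nat"                    { use[$4] = 1; if (!first_nat) first_nat = NR }
    $2 == "add" && $3 == "check-state"            { check_state = NR }
    $2 == "add" && $3 == "divert" && $4 == "natd" { divert = NR }
    END {
      n = 0
      for (id in use) if (!(id in conf)) { n++; printf("add nat %s: no \"nat %s config\" line\n", id, id) }
      if (check_state && first_nat > check_state) { n++; print "in-kernel nat rule placed after check-state" }
      if (divert && first_nat) { n++; print "divert natd and in-kernel nat both present" }
      exit n
    }'
}
```

Run it on a real file with "lint_ipfw_rules < /etc/ipfw.rules"; a non-zero exit status means at least one finding was printed.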