From owner-freebsd-questions@FreeBSD.ORG Mon Dec 1 16:35:19 2008
Date: Mon, 1 Dec 2008 23:34:59 +0700
From: Pongthep Kulkrisada
To: Ian Smith
Cc: Andrew, freebsd-questions@freebsd.org, Fbsd1, Manolis Kiagias
Subject: Re: Problem about ppp -nat
Message-ID: <20081201163459.GA964@gmail.com>
In-Reply-To: <20081201235157.J34249@sola.nimnet.asn.au>
References: <20081123120013.8EDF310657E3@hub.freebsd.org> <20081124012858.J43853@sola.nimnet.asn.au> <20081128163044.GA1850@gmail.com> <20081129222143.R34249@sola.nimnet.asn.au> <20081130142757.GA926@gmail.com> <20081201235157.J34249@sola.nimnet.asn.au>
User-Agent: Mutt/1.4.2.3i

> > # ppp -background isp
> > Loading /lib/libalias_cuseeme.so
> > Loading /lib/libalias_ftp.so
> > Loading /lib/libalias_irc.so
> > Loading /lib/libalias_nbt.so
> > Loading /lib/libalias_pptp.so
> > Loading /lib/libalias_skinny.so
> > Loading /lib/libalias_smedia.so
>
> I'm surprised ppp would load these unless -nat was specified somewhere?

It is just ppp -background isp.

> I spent about 15 years debugging user problems with dialup modems; it
> can be really difficult without first knowing the modem type and its
> internal config - however that doesn't seem to be your problem here.

Modem type... it is just a normal external serial modem.
Internal config... I don't know, I lost its manual, sorry.

> That is, on connect it should then proceed to authentication. There's
> no sign of that. Whether failing at your end or the other is unclear;
> maybe logging LCP might provide more of a clue, but I'm not sure ..

I also don't know about this.

> > At boot time ...
> > Flush all rules.
> > ipfw: unknown interface name tun0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> Hmm. I have rules for natd via ng0, which also doesn't exist at boot,
> without any such complaints, but that's on a 5.5-STABLE box.
>
> > > 00100 check-state
> > ...
> >
> > After presence of tun0 (after dialing) ...
> > # sh /etc/ipfw.rules
> > Flush all rules.
> > ipfw: ipfw_ctl invalid option 56
>
> What's that about? You haven't shown the rule that produced that ..

root@bsdhost:~# cat /etc/ipfw.rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Define our outside interface. With userland-ppp this
# defaults to tun0. Or just define the ethernet device.
oif="tun0"

# Force a flush of the current rules before we reload.
$fwcmd -f flush

# Do NAT before check-state.
$fwcmd nat 123 config if $oif log deny_in same_ports unreg_only reset
$fwcmd add nat 123 ip4 from any to any via $oif

# Check the state of all packets.
$fwcmd add check-state

# Allow all internal traffic; it is dangerous but just for testing.
$fwcmd add allow all from any to any via fxp0

# Allow IPv6 tunneling.
$fwcmd add allow udp from any 3653 to any 3653 via $oif
$fwcmd add allow tcp from any 3653 to any 3653 via $oif

# The following line is for user-ppp.
$fwcmd add allow ipv6 from any to any via gif0
# The following line is for UDP encapsulation (machine behind NAT).
# $fwcmd add allow ipv6 from any to any via tun1

# Stop spoofing on the outside interface.
$fwcmd add deny ip from any to any in via $oif not verrevpath

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif

# Allow all local traffic.
$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any

# Allow internet users to connect to ports 21, 23 and 80.
# We specifically allow connections to the ftpd, telnetd and a webserver.
$fwcmd add allow tcp from any to me dst-port 21,23,80 in via $oif setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12

# Deny and log all the rest.
$fwcmd add deny log ip from any to any

> > 5. Then insert these commands to /etc/ipfw.rules as the first two rules.
> > /sbin/ipfw add divert natd all from any to any via tun0
> > /sbin/ipfw add pass all from any to any
> > then run the ipfw script to load the new rules.
> > sh /etc/ipfw.rules
>
> Which other rules?

Please see above.

> > But I just can't pass step 3, unless I unload ipdivert.
>
> And your ppp.conf or ppp command definitely doesn't mention -nat?

Not at all. As said above, only ``ppp -background isp''.
/etc/rc.conf and /etc/ppp/ppp.conf do not store anything about -nat.

> > Please don't suspect my system. It had just been very freshly
> > installed from CDs before I tried everything. And without ipdivert
> > being loaded into the kernel, I can dial and browse any sites, and
> > very fast, with my /etc/ppp/ppp.conf. Should I note a bug?
>
> Maybe it is. I'm out of ideas anyway, and no one else has come forward.

I have been using *Unix for 7 years (2 years for Linux and 5 years for
FreeBSD). I haven't found such things. Even with a noisy telephone line,
I could always dial the ISP. (But the link goes down sometimes; of course
that is found everywhere.) I think it is a bug.

> Well I'm pretty sure you shouldn't load ipdivert as well as using ipfw
> nat, but I've been almost 100% wrong so far so perhaps best ignore me :)

I may go on with ppp -nat, but when I have time. I am always busy...

Lastly, thank you very much for your kind response.

Cheers,
Pongthep
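An added example, not from the thread or its participants: a small sh loader that installs the in-kernel NAT rule of a ruleset shaped like the /etc/ipfw.rules above only when it can actually work, i.e. when tun0 already exists and the "ipfw nat 123 config" step was accepted by the kernel (the two failures reported above). The fixed rule number 100 and re-running it from /etc/ppp/ppp.linkup are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): install the in-kernel NAT rule of a
# ruleset like /etc/ipfw.rules only when it can work. Guards the two failures
# seen in the thread: tun0 not existing yet at boot ("unknown interface name
# tun0") and the kernel rejecting "ipfw nat 123 config" (the ipfw_ctl error).
# Decision logic takes its inputs as parameters so it can be checked off-box;
# only the last section actually runs ipfw.
fwcmd="/sbin/ipfw"   # same as the thread's script
oif="tun0"           # userland ppp outside interface

# $1 = interface name to look for, $2 = interface list ("ifconfig -l" output)
iface_present() {
    for name in $2; do
        if [ "$name" = "$1" ]; then return 0; fi
    done
    return 1
}

# Print the NAT rule to add (as ipfw arguments) or a comment saying why it is
# skipped.  $1 = outside interface, $2 = interface list, $3 = "ok" when
# "ipfw nat 123 config ..." succeeded.  Exit status: 0 rule printed,
# 1 interface absent, 2 no in-kernel NAT.  Rule number 100 is an assumption:
# a fixed number lets ppp.linkup re-add the rule ahead of check-state later.
nat_rule_for() {
    if ! iface_present "$1" "$2"; then
        echo "# $1 absent: NAT rule deferred until ppp brings it up"
        return 1
    fi
    if [ "$3" != "ok" ]; then
        echo "# kernel has no in-kernel ipfw nat: NAT rule left out"
        return 2
    fi
    echo "add 100 nat 123 ip4 from any to any via $1"
    return 0
}

# Live section: acts only on FreeBSD, where ipfw exists (skipped elsewhere).
if [ "$(uname -s)" = "FreeBSD" ]; then
    ifaces=$(ifconfig -l)
    status="absent"
    if iface_present "$oif" "$ifaces"; then
        # The config step doubles as the probe for in-kernel NAT support.
        $fwcmd nat 123 config if "$oif" log deny_in same_ports unreg_only reset \
            && status="ok"
    fi
    nat_rule_for "$oif" "$ifaces" "$status" | while read -r line; do
        case "$line" in "#"*) echo "$line" ;; *) $fwcmd $line ;; esac
    done
fi
```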