MDK 9.1: How can I run a firewall before establishing ppp0 internet connection?

 
 
Michael Badt
Guest
Posts: n/a

 
      09-28-2003, 03:38 AM
Hi,
My Mandrake 9.1 stand alone PC has an ADSL Internet connection using PPPoE.
I use the Shorewall firewall which is configured to interface with the Internet
via ppp0.
The ADSL connection does NOT come up during boot (it's a "dialer") and thus,
ppp0 is not available after boot. As a result, after I connect to the Internet
(using rp-pppoe) I have run the following:
a. "shorewall clear"
b. "shorewall start"

Can I avoid this procedure? (running these 2 commands).

Thanks in advance.
 
 
 
 
 
Horst Knobloch
Guest
Posts: n/a

 
      09-28-2003, 10:07 AM
Michael Badt <(E-Mail Removed)> wrote:

> My Mandrake 9.1 stand alone PC has an ADSL Internet connection using
> PPPoE. I use the Shorewall firewall which is configured to interface with
> the Internet via ppp0.
> The ADSL connection does NOT come up during boot (it's a "dialer") and
> thus, ppp0 is not available after boot. As a result, after I connect to
> the Internet (using rp-pppoe) I have run the following:
> a. "shorewall clear"
> b. "shorewall start"


Why don't you put these two commands into some boot-up script,
e.g. rc.local, and just try it? Well-crafted packet filter scripts
can be set up without an existing ppp interface.

If shorewall does rely on the ppp interface to exist, you can
put your 2 commands into the /etc/ppp/ip-up.local script. This
script is called when the ppp interface has come up. You can
stop the firewall by putting the appropriate stop command to
/etc/ppp/ip-down.local.

HTH

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
 
 
Clifford Kite
Guest
Posts: n/a

 
      09-28-2003, 01:28 PM
Horst Knobloch <(E-Mail Removed)> wrote:

> Why don't you put these two commands into some boot-up script,
> e.g. rc.local, and just try it? Well-crafted packet filter scripts
> can be set up without an existing ppp interface.


I don't see any way that net-filtering could be successfully started
without the PPP interface, and the interface doesn't come up until
the IPCP negotiations for the PPP link are completed. Can you give
us an example of how to start net-filtering without the interface?

> If shorewall does rely on the ppp interface to exist, you can
> put your 2 commands into the /etc/ppp/ip-up.local script. This
> script is called when the ppp interface has come up. He can
> stop the firewall by putting the appropriate stop command to
> /etc/ppp/ip-down.local.


If the two scripts above exist (it depends on the distribution) then
they are probably the ones to use, but if they don't exist then he can
simply put the commands for the start script in /etc/ppp/ip-up and the
down script in /etc/ppp/ip-down. These scripts are executed by pppd
after the interface is up and after it is down, respectively. He might
have to use the full path name for the scripts, depending on what PATH
is set for the scripts.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* "Be liberal in what you accept, and conservative in what you send"
RFC 1122 */
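
A sketch of the hook described in the post above, added here as an example and not taken from any poster. pppd runs /etc/ppp/ip-up with the interface name as its first argument; this assumes the distribution's ip-up passes its arguments on to ip-up.local, and the /sbin/shorewall path and the RUN dry-run variable are assumptions.

```shell
#!/bin/sh
# /etc/ppp/ip-up.local (added example; paths are assumptions for this sketch).
# pppd calls ip-up as: ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# with a minimal environment, so every command is given by full path.

SHOREWALL="${SHOREWALL:-/sbin/shorewall}"   # assumed install path
WAN_IF="${WAN_IF:-ppp0}"                    # interface named in the thread
RUN="${RUN:-}"                              # set RUN=echo for a dry run

# Restart the firewall only when the Internet-facing link comes up.
on_link_up() {
    ifname="$1"
    [ "$ifname" = "$WAN_IF" ] || return 0   # some other PPP link: do nothing
    $RUN "$SHOREWALL" clear || return 1
    $RUN "$SHOREWALL" start || return 1
}

# Counterpart for /etc/ppp/ip-down.local.
on_link_down() {
    ifname="$1"
    [ "$ifname" = "$WAN_IF" ] || return 0
    $RUN "$SHOREWALL" stop
}

# Dispatch on the name the script was installed under.
case "${0##*/}" in
    ip-up.local)   on_link_up "$@" ;;
    ip-down.local) on_link_down "$@" ;;
esac
```

The same file can be installed under both names, since it dispatches on its own name. Between link-up and the end of "shorewall start" the interface carries traffic without the Shorewall rules in place.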
 
 
joseph philip
Guest
Posts: n/a

 
      09-28-2003, 02:33 PM
On Sun, 28 Sep 2003 12:07:26 +0200, Horst Knobloch wrote:

> Michael Badt <(E-Mail Removed)> wrote:
>
>> My Mandrake 9.1 stand alone PC has an ADSL Internet connection using
>> PPPoE. I use the Shorewall firewall which is configured to interface with
>> the Internet via ppp0.
>> The ADSL connection does NOT come up during boot (it's a "dialer") and
>> thus, ppp0 is not available after boot. As a result, after I connect to
>> the Internet (using rp-pppoe) I have run the following:
>> a. "shorewall clear"
>> b. "shorewall start"

>
> Why don't you put these two commands into some boot-up script,
> e.g. rc.local, and just try it? Well-crafted packet filter scripts
> can be set up without an existing ppp interface.
>
> If shorewall does rely on the ppp interface to exist, you can
> put your 2 commands into the /etc/ppp/ip-up.local script. This
> script is called when the ppp interface has come up. You can
> stop the firewall by putting the appropriate stop command to
> /etc/ppp/ip-down.local.
>
> HTH
>
> Ciao, Horst



The 2.4 series of kernel allows you to specify interfaces that are not yet
available, so you can bring up the firewall at system boot up, long before
you dial out.

 
 
Michael Badt
Guest
Posts: n/a

 
      09-28-2003, 03:15 PM
On Sun, 28 Sep 2003 10:33:02 -0400, joseph philip wrote:
Thank you all.
I'll sure try your good advice.

Michael Badt



> On Sun, 28 Sep 2003 12:07:26 +0200, Horst Knobloch wrote:
>
>> Michael Badt <(E-Mail Removed)> wrote:
>>
>>> My Mandrake 9.1 stand alone PC has an ADSL Internet connection using
>>> PPPoE. I use the Shorewall firewall which is configured to interface
>>> with the Internet via ppp0.
>>> The ADSL connection does NOT come up during boot (it's a "dialer") and
>>> thus, ppp0 is not available after boot. As a result, after I connect to
>>> the Internet (using rp-pppoe) I have run the following: a. "shorewall
>>> clear"
>>> b. "shorewall start"

>>
>> Why don't you put these two commands into some boot-up script, e.g.
>> rc.local, and just try it? Well-crafted packet filter scripts can be
>> set up without an existing ppp interface.
>>
>> If shorewall does rely on the ppp interface to exist, you can put your 2
>> commands into the /etc/ppp/ip-up.local script. This script is called
>> when the ppp interface has come up. You can stop the firewall by putting
>> the appropriate stop command to /etc/ppp/ip-down.local.
>>
>> HTH
>>
>> Ciao, Horst

>
>
> The 2.4 series of kernel allows you to specify interfaces that are not yet
> available, so you can bring up the firewall at system boot up, long before
> you dial out.


 
 
Horst Knobloch
Guest
Posts: n/a

 
      09-28-2003, 03:51 PM
joseph philip <(E-Mail Removed)> wrote:

> On Sun, 28 Sep 2003 12:07:26 +0200, Horst Knobloch wrote:
>
>> Michael Badt <(E-Mail Removed)> wrote:

[...]
>>> The ADSL connection does NOT come up during boot (it's a "dialer") and
>>> thus, ppp0 is not available after boot. As a result, after I connect to
>>> the Internet (using rp-pppoe) I have run the following:
>>> a. "shorewall clear"
>>> b. "shorewall start"

>>
>> Why don't you put these two commands into some boot-up script,
>> e.g. rc.local, and just try it? Well-crafted packet filter scripts
>> can be set up without an existing ppp interface.

[...]
>
> The 2.4 series of kernel allows you to specify interfaces that are not
> yet available, so you can bring up the firewall at system boot up, long
> before you dial out.


I wasn't aware that this only works with 2.4 series of the
kernel. I thought that packet filter scripts only fail if the
interface is not up, because of commands in the packet
filter script like:

EXT_IP=`ifconfig ppp0 | sed -n 's/.*inet addr:\([^ ][^ ]*\) .*/\1/p'`

and iptables rules depending on the $EXT_IP.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
 
 
Horst Knobloch
Guest
Posts: n/a

 
      09-28-2003, 04:08 PM
Clifford Kite <(E-Mail Removed)> wrote:

> Horst Knobloch <(E-Mail Removed)> wrote:
>
>> Why don't you put these two commands into some boot-up script,
>> e.g. rc.local, and just try it? Well-crafted packet filter scripts
>> can be set up without an existing ppp interface.

>
> I don't see any way that net-filtering could be successfully started
> without the PPP interface, and the interface doesn't come up until
> the IPCP negotiations for the PPP link are completed. Can you give
> us an example of how to start net-filtering without the interface?


As Joseph Philip pointed out, it seems to be a feature of
the 2.4 series of the kernel. I'm using 2.4.20 and it definitely
works here. I can't verify whether this breaks with 2.2, though.

ifconfig eth3
eth3: error fetching interface information: Device not found

iptables -A INPUT -i eth3 -j DROP
iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth3   *       0.0.0.0/0            0.0.0.0/0

Of course rules with '-i eth3' won't match until the interface
eth3 has been created.


Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
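
The failure mode discussed in the last two posts, as an added example (not code from the thread): the same sed extraction is run over constructed ifconfig output, rules that name only the interface are emitted unconditionally, and the address-dependent rule is held back until an address exists. The function names, the sample output and the rules themselves are assumptions for illustration.

```shell
#!/bin/sh
# Added example: why a filter script that captures EXT_IP breaks before dial-up,
# and how to split it so the interface-only part can load at boot.

# Constructed sample of old-style `ifconfig ppp0` output with the link up.
SAMPLE_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:192.0.2.10  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'
# With the link down ifconfig prints only an error on stderr: stdout is empty.
SAMPLE_DOWN=''

# The extraction from the thread, reading ifconfig output on stdin.
ext_ip() {
    sed -n 's/.*inet addr:\([^ ][^ ]*\) .*/\1/p'
}

# Emit iptables commands for interface $1 and (possibly empty) address $2.
emit_rules() {
    wan_if="$1"; ext="$2"
    # Interface-name rules: accepted by iptables before the interface exists.
    echo "iptables -A INPUT -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $wan_if -j DROP"
    # Address-dependent rule: an empty $ext would yield a malformed command,
    # so it is skipped here and can be added later from ip-up.
    if [ -n "$ext" ]; then
        echo "iptables -A OUTPUT -o $wan_if ! -s $ext -j DROP"
    fi
}

# Demo: before dial-up only the two interface rules are produced.
emit_rules ppp0 "$(printf '%s' "$SAMPLE_DOWN" | ext_ip)"
```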
 