Problem about ppp -nat
ptkrisada at gmail.com
Mon Dec 1 08:35:19 PST 2008
> > # ppp -background isp
> > Loading /lib/libalias_cuseeme.so
> > Loading /lib/libalias_ftp.so
> > Loading /lib/libalias_irc.so
> > Loading /lib/libalias_nbt.so
> > Loading /lib/libalias_pptp.so
> > Loading /lib/libalias_skinny.so
> > Loading /lib/libalias_smedia.so
> I'm surprised ppp would load these unless -nat was specified somewhere?
It is just ppp -background isp.
> I spent about 15 years debugging user problems with dialup modems; it
> can be really difficult without first knowing the modem type and it's
> internal config - however that doesn't seem to be your problem here.
Modem type... it is just a normal external serial modem.
Internal config... I don't know I lost its manual, sorry.
> That is, on connect it should then procede to authentication. There's
> no sign of that. Whether failing at your end or the other is unclear;
> maybe logging LCP might provide more of a clue, but I'm not sure ..
I also don't know about this.
> > At boot time ...
> > Flush all rules.
> > ipfw: unknown interface name tun0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> Hmm. I have rules for natd via ng0, which also doesn't exist at boot,
> without any such complaints, but that's on a 5.5-STABLE box.
> > 00100 check-state
> > ...
> > After presence of tun0 (after dialing) ...
> > # sh /etc/ipfw.rules
> > Flush all rules.
> > ipfw: ipfw_ctl invalid option 56
> What's that about? You haven't shown the rule that produced that ..
root at bsdhost:~# cat /etc/ipfw.rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
# Define our outside interface. With userland-ppp this
# defaults to tun0. Or just define ethernet device.
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
# Do NAT before check-state
$fwcmd nat 123 config if $oif log deny_in same_ports unreg_only reset
$fwcmd add nat 123 ip4 from any to any via $oif
# Check the state of all packets.
$fwcmd add check-state
# Allow all internal traffics, it is dangerous but just for testing.
$fwcmd add allow all from any to any via fxp0
# Allow IPv6 tunneling
$fwcmd add allow udp from any 3653 to any 3653 via $oif
$fwcmd add allow tcp from any 3653 to any 3653 via $oif
# The following line is for user-ppp.
$fwcmd add allow ipv6 from any to any via gif0
# The following line is for UDP encapsulation (machine behind NAT).
# $fwcmd add allow ipv6 from any to any via tun1
# Stop spoofing on the outside interface.
$fwcmd add deny ip from any to any in via $oif not verrevpath
# Allow all connections that we initiate, and keep their state.
# but deny established connections that don't have a dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif
# Allow all local traffic.
$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to 127.0.0.0/8
$fwcmd add deny ip from 127.0.0.0/8 to any
# Allow internet users to connect to the port 21, 23 and 80.
# We specifically allow connections to the ftpd, telnetd and a webserver.
$fwcmd add allow tcp from any to me dst-port 21,23,80 in via $oif setup keep-state
# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12
# Deny and log all the rest.
$fwcmd add deny log ip from any to any
> > 5. Then insert these commands to /etc/ipfw.rules as the first two rules.
> > /sbin/ipfw add divert natd all from any to any via tun0
> > /sbin/ipfw add pass all from any to any
> > then run the ipfw script to load the new rules.
> > sh /etc/ipfw.rules
> Which other rules?
Please see above.
> > But I just can't pass step 3, unless I unload ipdivert.
> And your ppp.conf or ppp command definitely doesn't mention -nat?
Not at all. As said above only ``ppp -background isp''.
/etc/rc.conf and /etc/ppp/ppp.conf do not store anything about -nat.
> > Please don't suspect my system. It had just been very freshly
> > installed from CDs before I tried everything. And without ipdivert
> > being loaded into the kernel, I can dial and browse any sites and
> > very fast with my /etc/ppp/ppp.conf. Should note a bug?
> Maybe it is. I'm out of ideas anyway, and noone else has come forward.
I have been using *Unix for 7 years (2 years for linux and 5 years for FreeBSD). I haven't found such things. Even with noisy telephone line, I could always dial isp. (But link down sometimes, of course it is found everywhere.) I think it is a bug.
> Well I'm pretty sure you shouldn't load ipdivert as well as using ipfw
> nat, but I've been almost 100% wrong so far so perhaps best ignore me :)
I may go on with ppp -nat, but when I have time.
I am always busy...
Lastly, thank you very much for your kind response.
More information about the freebsd-questions