According to Michael Flaig, on Sun, 24 Apr 2005 12:30:21 +0200,
>Hi,
>
>my firewall is a duron 800 with sarge and 2.6.11 ...
>my dsl connection does work only after I did run pppoeconfig.
>If I reboot (without changes to pppoe settings) it doesn't work anymore.
>ppp starts and quits, no other message logged.

Did this problem appear with 2.6.10/11?

>Is this the same problem as yours?

I don't think so.

>
>But I think your problem may be another one...
>As on the Interface (eth0 in your case) the firewall policy is already
>set when you start dialing, I think the pppoe traffic gets dropped. If
>your policy sets the filters for eth0 (in case you use ethernet), you
>have to disable these policies before dialing out and set the policy
>again after connection is established...

Firestarter configures the firewall for ppp0, and starts when the connection is started. The connection works, I received an IP and DNS server, DNS and ping packets go through. Only the tcp part is out. When I try setting the firewall by hand, everything gets locked as soon as I put in a rule which filters tcp packets according to their state (syn, invalid,...), even if it is only to accept all packets, whatever their state.

>firestarter has to set the default action for the interface to deny or
>reject and let ports through that you have allowed. I think the pppoe
>protocol is not tcp/ip and can not be filtered correctly by iptables. So
>the packages get dropped because of the default action.

No, I don't think so. At least, it would not explain why this changed from 2.6.8 to 2.6.10/11. With 2.6.8 everything works fine.

>
>do you have anything in your log when you start dialing?
>anything useful to build a rule?

No, with 2.6.8, the rejected packets appear in syslog. With 2.6.11 they don't.

>
>If you do not use ethernet in a local area network you should set the
>firewall policy on ppp0 instead of the ethernet interface. For pppoe to
>work the eth0 interface shouldn't be configured and have a default
>policy action like drop or reject, AFAIK...

It is on ppp0.

>
>If firestarter doesn't give you enough options to configure the iptables
>rules maybe fwbuilder (http://www.fwbuilder.org) is something for you.
>

I'll have a look at that. Thanks for your advice.
--
Cedric