On 28 Jul 2001, Randolph S. Kahle <[EMAIL PROTECTED]> wrote:

>On 28 Jul 2001 11:11:58 -0500, John Hasler wrote:
>> Randy writes:
>> > The user will be able, from a user account, do a pon, poff, etc. to
>> > connect to the ISP. So, my challenge is to have the scripts run from
>> > user level security and install the firewall rules.
>>
>> > How do I do this?
>>
>> The scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d are run when ppp
>> comes up and goes down respectively. They are run by pppd and so run as
>> root no matter who ran pon and poff.
>
>Great! That is what I needed to know.

Randolph, there are two ways to deal with that.

Option 1) Reset all ipchains rules whenever the interface goes up/down.

/etc/ppp/ip-up is called with a number of arguments. You should export
those to meaningful variables you can use in the scripts in
/etc/ppp/ip-up.d. Make sure you have something like the following in
/etc/ppp/ip-up if it isn't there yet:

------- /etc/ppp/ip-up -------
# This script is called with the following arguments:
#    Arg  Name                          Example
#    $1   Interface name                ppp0
#    $2   The tty                       ttyS1
#    $3   The link speed                38400
#    $4   Local IP number               12.34.56.78
#    $5   Peer IP number                12.34.56.99
#    $6   Optional ``ipparam'' value    foo

# These variables are for the use of the scripts run by run-parts
export PPP_IFACE="$1"
export PPP_TTY="$2"
export PPP_SPEED="$3"
export PPP_LOCAL="$4"
export PPP_REMOTE="$5"
export PPP_IPPARAM="$6"
export PPP_TTYNAME=`/usr/bin/basename "$2"`

# Run scripts in /etc/ppp/ip-up.d
run-parts /etc/ppp/ip-up.d
--------

Now you could use $PPP_LOCAL in /etc/ppp/ip-up.d/00ipchains. Same goes
for /etc/ppp/ip-down and /etc/ppp/ip-down.d/99ipchains.

Option 2) Use static filter rules which filter by interface. You don't
need to change them when the ppp0 interface is brought up or down.
Probably easier unless you absolutely need the IP address in your
ruleset.

-- 
Philipp Lehman <[EMAIL PROTECTED]>
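
An added example, not part of the original message: one way /etc/ppp/ip-up.d/00ipchains could use the exported variables under option 1. Because the script runs as root, it validates PPP_IFACE and PPP_LOCAL before putting them into rules. The function names, the IPCHAINS variable, the /sbin/ipchains path and the two-rule ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a possible /etc/ppp/ip-up.d/00ipchains. The ruleset is a
# constructed placeholder. Dry run by default (commands are printed); set
# IPCHAINS=/sbin/ipchains (assumed path) to apply them.
IPCHAINS=${IPCHAINS:-"echo ipchains"}

# Accept only interface names ppp0..ppp99.
valid_iface() {
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a dotted quad with four octets in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="$1." n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# ppp_up_rules IFACE LOCAL_IP: rebuild the input chain for this link.
ppp_up_rules() {
    if ! valid_iface "$1" || ! valid_ipv4 "$2"; then
        echo "00ipchains: refusing PPP_IFACE/PPP_LOCAL values" >&2
        return 1
    fi
    $IPCHAINS -F input    # option 1: reset on every link change
    # Drop and log packets from outside that claim our own address.
    $IPCHAINS -A input -i "$1" -s "$2" -l -j DENY
    # Drop and log inbound TCP connection attempts (SYN) to our address.
    $IPCHAINS -A input -i "$1" -p tcp -d "$2" -y -l -j DENY
}

# run-parts invokes this as root with the variables exported by ip-up.
if [ -n "${PPP_IFACE:-}" ]; then
    ppp_up_rules "$PPP_IFACE" "${PPP_LOCAL:-}"
fi
```

Run by hand without IPCHAINS set, it only prints the commands it would issue, which makes the ruleset easy to review before it is ever applied as root.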