On Sun, 1 Jul 2001, Liam Tumulty wrote:

> I've got port forwarding for a hotline server I run working with the
> EigerStein Pre/release with pppoe (thanks to Etienne Charlier). There are
> notes about security holes using dynamic ip addresses. The only notes I can
> find about this are from
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html
> 
> Which says:
> 
> NOTE #2: If you get a dynamically assigned TCP/IP address from your ISP
> (PPP, ADSL, Cablemodems, etc.), you CANNOT load this strong ruleset upon
> boot. You will either need to reload this firewall ruleset EVERY TIME you
> get a new IP address or make your /etc/rc.d/rc.firewall ruleset more
> intelligent. To do this for PPP users, carefully read and un-comment out the
> proper lines in the "Dynamic PPP IP fetch" section below. You can also
> find more details in the TrinityOS - Section 10 doc for more details on
> Strong rulesets and Dynamic IP addresses.
> 
> So I added a "net reload" line to the ip-up script. (which fixed all my
> ipchains problems). Is there a reason this shouldn't be a standard part of
> ppp(d).lrp or pppoe.lrp? Everything else in the strong rulesets from the
> above how-to seems to already be included in the standard scripts.

Different LRP versions may handle this, or not.  The /etc/init.d/network
scripts I am familiar with are not aware of ppp0 or its dynamic address,
so I don't know why your "net reload" worked.

> So my question is: Am I missing something? The network config warning seems
> pretty adamant.

AFAICT this warning is due to the fact that the external ip address is
included in the firewall rules being described in that howto, so they will
break (disabling desired routing) if the external ip changes.  I don't
think this has to do with any particular security "weakness".  Nor is the
standard firewalling in any LRP based on the sample scripts in the HOWTO.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
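As an added example (not from this thread, the HOWTO, or any LRP package) of what a "reload on ip-up" hook can look like when the rules embed the external address: a POSIX sh script that pppd could run as ip-up, which rebuilds the address-bound ipchains and ipmasqadm rules only when the address handed out differs from the one seen last time. It assumes pppd's ip-up argument order (interface, tty, speed, local IP, remote IP, ipparam) and uses constructed values for the forwarded port (5500), the internal host (192.168.1.10) and the state directory.

```sh
#!/bin/sh
# Hypothetical /etc/ppp/ip-up hook (added example, not LRP's own script).
# Rules keyed on the interface name ("-i ppp0") survive an address change;
# only rules that embed the external address need regenerating.

STATE_DIR=${STATE_DIR:-/var/run}       # where the last-seen address is kept
FW_PORT=${FW_PORT:-5500}               # constructed: forwarded service port
INT_HOST=${INT_HOST:-192.168.1.10}     # constructed: internal server address
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands instead of running

# Run one firewall command, or print it when DRY_RUN=1 (inspect offline).
fw() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rebuild every rule that contains the external address $2 on interface $1.
reload_rules() {
    ext_if=$1; ext_ip=$2
    fw ipchains -F input
    # Allow the forwarded service on the current external address only.
    fw ipchains -A input -i "$ext_if" -p tcp -d "$ext_ip" "$FW_PORT" -j ACCEPT
    # Everything else arriving on the external interface is dropped.
    fw ipchains -A input -i "$ext_if" -j DENY
    # Port forward also names the external address, so redo it as well.
    fw ipmasqadm portfw -f
    fw ipmasqadm portfw -a -P tcp -L "$ext_ip" "$FW_PORT" -R "$INT_HOST" "$FW_PORT"
}

# Return 0 (and record $2) if it differs from the address seen at the last
# ip-up for interface $1; return 1 if the lease kept the same address.
address_changed() {
    state="$STATE_DIR/fw-$1.ip"
    if [ -f "$state" ] && [ "$(cat "$state")" = "$2" ]; then
        return 1
    fi
    printf '%s\n' "$2" > "$state"
    return 0
}

# Entry point taking pppd's ip-up arguments; returns 0 when rules were reloaded.
ip_up() {
    ext_if=$1; ext_ip=$4
    if address_changed "$ext_if" "$ext_ip"; then
        reload_rules "$ext_if" "$ext_ip"
        return 0
    fi
    return 1
}

# When installed as the ip-up script itself, act on the arguments pppd passes.
if [ $# -ge 5 ]; then ip_up "$@"; fi
```

Set DRY_RUN=0 to actually execute the commands; the change check keeps a reconnect that yields the same address from flushing and rebuilding the chains needlessly.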


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
