I have configured a Dachstein CD firewall which I am using at home with a dialup system and it works very well, and I now have several deployed around Australia on remote sites for the company I work for. The latter of these units are connected by modem to Bigpond Direct and have proven themselves to be very reliable. My problem occurs when I updated the main office firewall to Dachstein CD. This firewall currently is running Eigerstein with 2 ISDN channels and working very reliably, but I wanted to upgrade to take advantage of the latest security features and additions.

On the Eigerstein version, the routes are:

# ip route
203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30
default dev ippp0  scope link

This has been working well. To get ISDN support for the Dachstein CD version, I found the files where the devices are created and added the appropriate text to the files /var/lib/lrpkg/root.dev.mk, /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying the exact text to each file that had been used in the Eigerstein version I am currently running. The interface devices were created in /dev and all appear to run correctly except for the routing when the firewall starts. The routes on this machine are:

# ip route
139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30
203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
default dev ippp0  scope link

The address 139.130.195.1 is the peer address of the box when connected to the Bigpond Direct point of presence. The additions to network.conf shown below were typed in exactly as they were in the previous version, so this may be part of the problem if some of the functions act differently in the Dachstein CD version. The firewall, when tested, dialled and connected both channels in multilink configuration to the ISP but is only able to access IP addresses in the 139.130.0.0/16 address range. These are only within our ISP's internal network and therefore do not allow access to the internet at large.

Any assistance would be greatly appreciated, as I have been tearing my hair out for the last three weeks in my attempt to find the problem myself.

Interfaces:
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
IF_AUTO="ippp0 eth0 eth1"

# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"

Device settings:
###############################################################################
# ISDN Link - the isdn.lrp is required for this to work. (External Interface)
###############################################################################
ippp0_IPADDR=139.130.195.30     # My IP Address, only set if not dynamic.
ippp0_PTPADDR=139.130.195.1     # Their IP Address, again only if not dynamic.
ippp0_MYMSN=38049800            # My telephone Number
ippp0_REMMSN=30073300           # Their telephone number (The ISP)
ippp0_IP_SPOOF=YES
ippp0_IP_KRNL_LOGMARTIANS=NO
# Simple QOS support, Options are same as ethernet above.
ippp0_FAIRQ=YES
ippp0_TXQLEN=64
ippp0_BNDWIDTH=64kbit           # Device Bandwidth
ippp0_HNHL=3                    # Queue Handle - must be unique
ippp0_IABURST=25                # Interactive Burst
ippp0_IARATE=30Kbit             # Interactive Rate
ippp0_PXMTU=1500                # Physical MTU - includes Link Layer Header

ippp1_IPADDR=139.130.195.30     # My IP Address, only set if not dynamic.
ippp1_PTPADDR=139.130.195.1     # Their IP Address, again only if not dynamic.
ippp1_MYMSN=38049800            # My telephone Number
ippp1_REMMSN=30073300           # Their telephone number (The ISP)
ippp1_IP_SPOOF=YES
ippp1_IP_KRNL_LOGMARTIANS=NO
# Simple QOS support, Options are same as ethernet above.
ippp1_FAIRQ=YES
ippp1_TXQLEN=64
ippp1_BNDWIDTH=64kbit           # Device Bandwidth
ippp1_HNHL=4                    # Queue Handle - must be unique
ippp1_IABURST=25                # Interactive Burst
ippp1_IARATE=30Kbit             # Interactive Rate
ippp1_PXMTU=1500                # Physical MTU - includes Link Layer Header

Interface Activation Section:
if_up () {
        local ADDR

        # sort out a few things to make life easier - here so that you
        # can see what is done and so that you can add anything if needed
        eval local IPADDR=\${"$1"_IPADDR:-""}     # I am also a good genius
        eval local MASKLEN=\${"$1"_MASKLEN:-""}
        eval local BROADCAST=\${"$1"_BROADCAST:-""}
        eval local MYMSN=\${"$1"_MYMSN:-""}
        eval local REMMSN=\${"$1"_REMMSN:-""}
        eval local PTPADDR=\${"$1"_PTPADDR:-""}
        eval local PXMTU=\${"$1"_PXMTU:-""}
        eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
        eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
        eval local ROUTES=\${"$1"_ROUTES:-""}
        eval local FAIRQ=\${"$1"_FAIRQ:-""}
        eval local TXQLEN=\${"$1"_TXQLEN:-""}
        eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
        eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
        eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
        eval local BRIDGE=\${"$1"_BRIDGE:-""}
        eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
        if [ -n "$BROADCAST" ] ; then
                IFCFG_BROADCAST="broadcast $BROADCAST"
        fi

        # Do dee global bridge stuff
        brg_global

        # Set default interface flags here - used for PPP and WAN interfaces
        if_setproc default rp_filter $DEF_IP_SPOOF
        if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
        if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS

        # Set up each interface
        case $1 in
        ppp0)
                pppd call provider
                ;;
        ippp*)
              # Get ppp user
              USER=`grep '^[a-zA-Z0-9]' /etc/ppp/pap-secrets | sed 's/\*.*//'`

              # Set up the ISDN interface
              isdnctrl verbose 3                        #>/dev/null
              isdnctrl system on                        #>/dev/null
              isdnctrl addif $1                         #>/dev/null
              isdnctrl pppbind $1 0                     #>/dev/null
              isdnctrl addphone $1 out $REMMSN          #>/dev/null
              isdnctrl eaz $1 $MYMSN                    #>/dev/null
              isdnctrl l2_prot $1 hdlc                  #>/dev/null
              isdnctrl l3_prot $1 trans                 #>/dev/null
              isdnctrl encap $1 syncppp                 #>/dev/null
              isdnctrl huptimeout $1 43200              #>/dev/null
              isdnctrl dialmode $1 auto                 #>/dev/null

              # Set up second channel on ISDN card as a slave to the first.
              isdnctrl addslave $1 ippp1
              isdnctrl addphone ippp1 out $REMMSN       #>/dev/null
              isdnctrl eaz ippp1 $MYMSN                 #>/dev/null
              isdnctrl l2_prot ippp1 hdlc               #>/dev/null
              isdnctrl l3_prot ippp1 trans              #>/dev/null
              isdnctrl encap ippp1 syncppp              #>/dev/null
              isdnctrl huptimeout ippp1 43200           #>/dev/null
              isdnctrl dialmode ippp1 auto              #>/dev/null

              if [ -z "$IPADDR" ] ; then
                    echo 1 >/proc/sys/net/ipv4/ip_dynaddr
                    ip link set $1 dynamic on
              else
                    ip addr add $IPADDR peer $PTPADDR dev $1
              fi
              ip link set $1 arp off multicast off
              ip link set $1 up

              # Debugging - Remove if you like
              echo Local Address $IPADDR
              echo Peer Address  $PTPADDR

              if [ -z "$IPADDR" ] ; then
                    /usr/sbin/ipppd mru 1500 mtu $PXMTU ipcp-accept-local ipcp-accept-remote \
                        lcp-restart 1 name $USER noipdefault +mp /dev/$1 /dev/ippp1 &
              else
                    /usr/sbin/ipppd mru 1500 mtu $PXMTU lcp-restart 1 name $USER \
                        $IPADDR:$PTPADDR +mp /dev/$1 /dev/ippp1 &
              fi
              ip route add default dev $1
              # Fair queuing - this can be selected for any interface
              ip_frQoS $1
              ;;
        fr*)
                wanconfig card wanpipe1 dev $1 start
                ip addr add $IPADDR peer $PTPADDR dev $1
                ip link set $1 up
                # Fair queuing - this can be selected for any interface
                ip_frQoS $1
                ;;
        nat*)
                eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
                walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
                ;;
        *)      # default interface startup
                brg_iface $1 up $BRIDGE
                [ -n "$IPADDR" ] \
                        && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
                for ADDR in $IP_EXTRA_ADDRS; do
                        ip addr add $ADDR dev $1
                done

                ip link set $1 up

                case "$PROXY_ARP" in
                YES|Yes|yes)
                        ip route flush dev $1
                        ;;
                *)
                        ;;
                esac

                # Fair queuing - this can be selected for any interface
                ip_QoS $1
                ;;
        esac

        for route in $ROUTES; do
                echo Route: $route
                ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
        done

        # Do universal interface config items here
        # Default route support
        [ -n "$DEFAULT_GW" ] \
                && ip route replace default nexthop via $DEFAULT_GW dev $1
        # Set the TX Queue Length
        [ -n "$TXQLEN" ] \
                && ip link set $1 txqlen $TXQLEN
        # Spoof protection
        if_setproc $1 rp_filter $IP_SPOOF
        # Kernel logging of martians on this interface
        if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
        # Shared Media stuff
        if_setproc $1 shared_media $IP_SHARED_MEDIA
        # Proxy ARP support
        if_setproc $1 proxy_arp $PROXY_ARP

        return 0
}

if_down () {

        # Do Dee global bridge stuff
        brg_global

        case $1 in
        ppp*)
                [ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
                sleep 5        # Wait for pppd to die
                ;;
        ippp*)
                isdnctrl hangup $1
                sleep 1
                kill `cat /var/run/ipppd.pid`
                ip route del dev $1
                ip link set $1 down
                isdnctrl delif $1
                ;;
        fr*)
                qt ip link set $1 down
                qt ip addr flush dev $1
                qt wanconfig card wanpipe1 dev $1 stop
                ;;
        nat*)
                eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
                walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
                ;;
        *)      # default action
                brg_iface $1 down
                ip link set $1 down    # This also kills any routes
                qt ip addr flush dev $1
                ;;
        esac

        # Clean up any QoS/fair queuing stuff
        ip_QoSclear $1

        true

}       #END if_down

Andrew GRAY
System Administrator / Senior Technician
Operations
VQA Australasia

Phone:  (07) 3804 9822
Fax:    (07) 3807 8633
Mob:    0418 734 078
