Subject: Re: [suse-security] DialUp with Firewall
From: Les Catterall (catteraubigpond.com)
Date: Fri Jun 30 2000 - 03:58:32 CDT


Craig Wyndham wrote:
>
> I tried the /etc/ppp/ip-up script, but it seems to run too early and
> fails to pick up the new address of the ppp connection. If I then
> restart the firewall manually it works fine, but then tends to
> stop passing traffic after a few minutes.
>
> I just have not had time to investigate further, but would be very
> interested in any inputs.
>
> Craig Wyndham (Sydney, Australia)
>
> -------------------------
>
> Try to use the /etc/ppp/ip-up script.
>
> On Wed, 28 Jun 2000, Timo Schulz wrote:
>
> >
> > Hello list,
> > I have a little problem with my dialup connection.
> > After I get connected, I have to restart the SuSEfirewall script
> > to activate the PPP device. So I need root privileges.
> > Is there any secure possibility to restart the firewall without
> > involving root?
> >
> > Thanks in advance.
> >
> > --
> > Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: suse-security-unsubscribesuse.com
> > For additional commands, e-mail: suse-security-helpsuse.com
> >

Hi Craig,

I use Red Hat Linux with the 2.0.36 kernel and "ipfwadm". I found I had
to incorporate the attached snippet into "/etc/ppp/ip-up", to enforce
a wait for the IP address to become available. I also include my "ppp_ip"
script which is referenced within the snippet. This script simply returns
the current IP address for the PPP session.

Cheers - Les Catterall

#
# <extract> from my "/etc/ppp/ip-up".
#

#
# Users with a Static IP address could enter it here.
#
# firewall_ip="your.static.PPP.address"
#

#
# We get our firewall's IP address dynamically from PPP, so we need to enable
# the following option. This enables dynamic-ip address hacking in IP MASQ,
# making life with Diald and similar programs much easier.
#

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# Now, _THIS_ script is run automatically immediately after "pppd" brings IPCP
# up (see man "pppd"). So our firewall's IP address this time around will be
# available to us sometime during the course of running this script. We're
# going to need this address for the rulesets that follow (which utilise the
# "firewall_ip" environment variable), so wait here until it's available.
#

while [ "`/usr/local/bin/ppp_ip`" = "" ]; do sleep 1; done

firewall_ip="`/usr/local/bin/ppp_ip`"

#
# Continue "/etc/ppp/ip-up" processing now that IP address is available.
#

#
# </extract>
#

#!/bin/sh

#
# ppp_ip
#
# Version : 19990621 - Les Catterall
#
# Edits:
# 19970720 - Original version.
# 19980920 - Port to Red Hat Linux and rename "ppp_ip".
# 19990621 - Use "ifconfig" rather than "tail /var/log/messages".
#
# This script may be used to determine the local IP address allocated for
# the current PPP session (the dynamic Internet address). This address
# is available via "/sbin/ifconfig" immediately after establishing a PPP
# connection. It may be used after any script which calls "/usr/sbin/pppd".
#

/sbin/ifconfig | grep 'P-t-P' | awk '{print $2}' | awk -F: '{print $2}'

#
# End ppp_ip
#

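A bounded variant of the wait loop in the message above, as an added example that is not part of the original post: it prefers the local address that pppd passes to ip-up as its fourth argument (see the pppd man page), validates the value before it is used in firewall rules, and gives up after a fixed number of tries instead of looping forever. The function names and the PPP_WAIT_MAX / PPP_WAIT_STEP variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# PPP_WAIT_MAX / PPP_WAIT_STEP variables are hypothetical.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read legacy ifconfig output on stdin and print the local address from the
# first "inet addr:A.B.C.D  P-t-P:..." line (the same field ppp_ip extracts).
ptp_local_addr() {
    awk '/P-t-P/ { sub(/^addr:/, "", $2); print $2; exit }'
}

# Ask ifconfig about one named interface only.
query_iface() { /sbin/ifconfig "$1" 2>/dev/null | ptp_local_addr; }

# Run "$@" until it prints a valid address, giving up after PPP_WAIT_MAX tries.
wait_for_ppp_ip() {
    tries=0
    while [ "$tries" -lt "${PPP_WAIT_MAX:-30}" ]; do
        addr=$("$@" 2>/dev/null) || addr=""
        if is_ipv4 "$addr"; then echo "$addr"; return 0; fi
        tries=$((tries + 1))
        sleep "${PPP_WAIT_STEP:-1}"
    done
    return 1                       # caller must not load rules without an address
}

# $1 = address pppd handed to ip-up (its $4), $2 = interface name (its $1).
resolve_firewall_ip() {
    if is_ipv4 "$1"; then echo "$1"; return 0; fi
    wait_for_ppp_ip query_iface "${2:-ppp0}"
}

# In /etc/ppp/ip-up:
#   firewall_ip=$(resolve_firewall_ip "$4" "$1") || exit 1
```

Exiting when no valid address is found keeps the rulesets that depend on "firewall_ip" from being loaded with an empty or malformed value.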