On Monday 25 August 2008, Stroller wrote:
> On 25 Aug 2008, at 11:53, Andrew Gaydenko wrote:
> > ======= On Monday 25 August 2008, Stroller wrote: =======
> > I mean physical connection: a cable is connected from eth0 to the
> > modem.

In network topology terms that's your LAN. It will have a private address which, depending on your modem software, would be 192.168.X.XXX, or 10.10.10.XXX sort of thing. In your modem's GUI control panel you should be able to change the modem's LAN IP address to one of your choice.

Your modem could be a true modem (full bridge) performing no NATing, only encapsulating PPPoE packets from your PC into ATM packets and sending them down the line to the ISP's DSLAM/authentication server. In this case, authentication (ISP username & passwd) will take place from your PC by means of PPPoE. The modem is for all intents and purposes transparent when pinged from the Internet - only your PC is seen - so make sure you have configured your firewall properly. Your modem can be seen from within your LAN if you ping or telnet/browse to its LAN IP address mentioned above, but would not show up if e.g. you traceroute an Internet address from your PC. To connect to your modem you will need to manually set a private IP address for your PC on your LAN interface (e.g. ifconfig eth0 192.168.0.100) within the *same* subnet as your modem (in this example your modem could be 192.168.0.1/255.255.255.255 and the subnet would be 192.168.0.0/255.255.255.0).

On the other hand, your modem could be a 'half-bridge' modem undertaking the authentication with the ISP itself and then forwarding the packets to your PC. NATing takes place on this implementation and your modem most likely uses PPPoA directly when communicating with the DSLAM/ISP (could also use PPPoE). If your modem has only one ethernet port it is not necessarily called a 'router' in the manufacturer's brochures (although in NAT terms it behaves as such) and this may confuse prospective buyers. If it has more than one ethernet port it essentially incorporates a switch and behaves as what most hardware manufacturers market as a multiport router.

Using a single ethernet port (half-bridged) modem or a conventional multiport router means that your PC now has a private IP address which is not visible from the Internet. In this configuration your modem is no longer transparent. Pinging your network from the Internet will show up your router/modem, not your PC. A firewall on your PC is no longer absolutely essential, just common sense.

> > Last one is connected to phone line. pptp client starting creates ppp0
> > interface. An incoming speed is about 4Mbit/sec.

That's your WAN, which usually obtains an Internet IP address from your ISP's dhcp server.

> I can't really help with this. Here (in the UK) we use PPPoA and a
> "modem" would usually be connected by USB - the connection to the
> internet would be made by a single cable represented by a single
> interface. I find this "logical" and "correct", and PPPoE doesn't
> make much sense to me (but perhaps because I've never come into
> contact with it).

Most UK ISPs use PPPoA, although there are some who use PPPoE (e.g. AOL). Most BT telephone exchanges will happily authenticate you using either protocol.

> Here in the UK a "modem" connecting to a computer by Ethernet would
> be uncommon, but these do exist - they're really a router with a
> fixed 1:1 NAT. Authentication is done by the "modem" itself and
> configured via a web-page hosted on it.

Not always (see above). If authentication onto the ISP's network is done by the modem then that is not a true modem operating in full-bridged mode, but a half-bridge modem which performs NATing. Almost all modems have a choice to set them up in a fully bridged mode. In that operating mode no NATing, no dhcp and no DNS services are offered by the modem. The GUI page to set up a fully bridged mode may well be hidden from view and if you contact the ISP/manufacturer they will tell you that this mode is not supported and you have to revert to a NAT router mode if you want their help.

To see the page in question on a Netgear DG834 router run this in your browser: http://192.168.0.1/setup.cgi?next_file=mode.html

In fully bridged mode you can connect simultaneously to two different ISPs, having two different Internet addresses. You will need two PPPoE clients to do this (e.g. two different PCs). If you are running an additional router between the (fully bridged) modem and the PC(s) then the ISP authentication has to be dealt with by the router using PPPoE, rather than your PC.

> >>> The aim is to close all incoming traffic except for, say, httpd
> >>> port.
> >>
> >> As I'm reading it you can simply firewall all unsolicited incoming on
> >> ppp0 - ignoring all other interfaces - then open port 80. But since
> >> your explanation doesn't make sense I can't be sure I'm not missing
> >> something.

That's right - if we are talking about a fully-bridged modem. Otherwise it's perhaps better to configure a set of rules for this purpose on your eth0 interface since that's what you'll use to connect to the LAN/Internet.

> > Yes, I also think ppp0 may be treated as INET_IFACE in Oscar's
> > tutorial terms. The main question is what to do with eth0 wrt filtering.
>
> Best guess: ignore it. Presumably the point of having both is that
> only ppp0 can be seen by the outside world. Presumably eth0 has a
> private address and is inaccessible from the internets.

Stroller's right, ignore it if the PPPoE authentication is performed by the PC. eth0 may *not* have an IP address at all in the LAN - because a full bridge modem will not serve private IP addresses to clients in the LAN. Only ppp0 will get an IP address from your ISP. Running ifconfig will show you what's what.

HTH.
--
Regards,
Mick
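The filtering policy the thread converges on (drop unsolicited incoming on ppp0, open a single service port, leave the other interfaces alone), written out as an added example that is not part of the thread and not anyone's posted configuration. It assumes iptables with the conntrack match; the interface name ppp0 and port 80 are defaults taken from the discussion, and for the half-bridged/NAT-modem case Mick mentions the same function is called with eth0 instead, since that is then the Internet-facing interface. The commands are printed rather than executed so the ruleset can be reviewed before applying it as root.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a stateful iptables INPUT
# policy for a PC whose public address sits on one interface (ppp0 by
# default) while every other interface is accepted untouched, which is what
# "ignore eth0" amounts to when the PC does the PPPoE authentication.

gen_rules() {
    wan="${1:-ppp0}"    # interface carrying the ISP-assigned address (assumption: ppp0)
    port="${2:-80}"     # the one TCP service port to expose (assumption: 80)
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i $wan -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $wan -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -i $wan -m limit --limit 3/min -j LOG --log-prefix "$wan-drop: "
iptables -A INPUT -i $wan -j DROP
EOF
}

# Runs the generated commands; needs root and a kernel with netfilter.
apply_rules() {
    gen_rules "$@" | sh
}

# Review first:  ./firewall.sh            (prints the ppp0/80 ruleset)
# Half-bridge:   gen_rules eth0 80        (eth0 is then the WAN side)
# Apply:         apply_rules ppp0 80      (as root)
gen_rules "$@"
```

The `! -i $wan -j ACCEPT` line is what keeps the modem's LAN side reachable (to browse its control page, for instance) without writing any rule for eth0; PPPoE frames themselves are not IP and never pass through iptables, so the PPPoE session on eth0 is unaffected either way. Anything arriving on the WAN interface that is neither a reply to something the PC started nor a new connection to the chosen port is logged at a low rate and dropped.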

