On Tue, Aug 09, 2005 at 06:50:48AM +1000, Darren Reed wrote:
> > 
> > Bottom line: I'm not sure I have ipfilter actually running on sppp0.
> > In fact: I'm kinda thinking I don't, which would explain why the box
> > is routing packets but not doing anything to them.
> 
> You need to add a "sppp" line to the iu.ap file, add plink to the
> ppp options file and try a reboot for size.

*Thanks*.  I'd fumbled my way into a working configuration by doing
bits of that -- although I hadn't rebooted the box yet (I have now,
and yep, you're absolutely right).

In particular, here's what I did, just in case somebody else is headed
this way and needs to experiment a bit: 

        a) Yep, "plink" is definitely the ticket in /etc/ppp/options,
        not "pfil".  There's a message in list archives suggesting
        the latter, but the former appears to be correct.

        b) (Previous to seeing your message but after adding "plink")
        I ran "ifconfig sppp0 modinsert [EMAIL PROTECTED]" once the PPP connection
        was established.  A subsequent "ifconfig sppp0 modlist" yielded
                0 ip
                1 pfil
                2 sppp
        which I believe is the right stuff in the right order.

        c) As another check, "ndd /dev/pfil qif_status" (per
        the README in the pfil source distribution) then showed
        lines of output for le0 and le1 AND sppp0, yay!

        d) Flushed the firewall and NAT rulesets, reloaded them
        and of course did an "ipf -y" since I have a dynamic address.
        And then it all worked.

Now I'm going to do the other piece of what you've said  -- modify
/etc/opt/pfil/iu.ap to include a line for sppp, e.g.:

                le      -1      0       pfil
                sppp    -1      0       pfil

and see what happens when I reboot.

(later)

Ah.  Sure enough, this seems to cause the modinsert to happen
automagically when the sppp0 interface is created.  (Where do I
read to find out more about /etc/opt/pfil/iu.ap?)

There's still one lingering issue -- but I haven't ruled out some other
mistake on my part, so I'm not going to call this a bug.   After rebooting
and re-establishing the PPP connection, and running "ipf -y", the
firewall rules seem to work...but not NAT.  Flushing those ("ipnat -FC")
and reloading them ("ipnat -f ipnat.conf") seems to make them work again.

I'm going to do some RTFM'ing before I try to dig into this further.
My guess is that this really is a misconfig on my part.

---Rsk
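The steps above amount to one check: is pfil really in the sppp0 module stack, and does ipfilter know about the interface? Here is that check as a small script. It is an added example, not code from the thread or from the pfil/ipfilter distributions, and it assumes the output formats shown in the mail: "ifconfig IF modlist" prints "index module" per line, and "ndd /dev/pfil qif_status" prints one line per interface with the interface name as the first field (the qif_status layout is an assumption; the sample lines below are constructed).

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that pfil is pushed
# between ip and the sppp driver on an interface, and that ipfilter reports a
# qif entry for it. Catches the "routing but not filtering" state before the
# rulesets are trusted. Output formats below are assumptions, not verified.

# check_modlist IFNAME < output-of-"ifconfig IFNAME modlist"
# Succeeds only if pfil is present and sits between ip and the driver module.
check_modlist() {
    ifname=$1
    drv=$(printf '%s\n' "$ifname" | sed 's/[0-9]*$//')   # sppp0 -> sppp
    ip_idx=; pfil_idx=; drv_idx=
    while read -r idx mod; do
        case $mod in
            ip)     ip_idx=$idx ;;
            pfil)   pfil_idx=$idx ;;
            "$drv") drv_idx=$idx ;;
        esac
    done
    if [ -z "$pfil_idx" ]; then
        echo "$ifname: pfil is NOT in the module stack (modinsert missing?)" >&2
        return 1
    fi
    if [ -z "$ip_idx" ] || [ -z "$drv_idx" ]; then
        echo "$ifname: could not find both ip and $drv in the stack" >&2
        return 1
    fi
    if [ "$ip_idx" -lt "$pfil_idx" ] && [ "$pfil_idx" -lt "$drv_idx" ]; then
        return 0
    fi
    echo "$ifname: pfil at $pfil_idx, expected between ip ($ip_idx) and $drv ($drv_idx)" >&2
    return 1
}

# check_qif IFNAME < output-of-"ndd /dev/pfil qif_status"
# Succeeds if some line names the interface in its first field (assumed layout).
check_qif() {
    awk -v ifn="$1" '$1 == ifn { found = 1 } END { exit !found }'
}

# Constructed sample output matching the working state reported in the mail.
MODLIST_OK='0 ip
1 pfil
2 sppp'
QIF_OK='le0 (constructed)
le1 (constructed)
sppp0 (constructed)'

if printf '%s\n' "$MODLIST_OK" | check_modlist sppp0 &&
   printf '%s\n' "$QIF_OK" | check_qif sppp0; then
    echo "sppp0: pfil hooked and registered with ipfilter"
else
    echo "sppp0: ipfilter is NOT filtering this interface"
fi
```

On a live box, replace the constructed samples with `ifconfig sppp0 modlist | check_modlist sppp0` and `ndd /dev/pfil qif_status | check_qif sppp0`.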
