Hi all,

I always liked the automatic hangup ipppd does because it saves money. Unfortunately, ipppd and dynip do not go well together, since with dynip the local and the remote IP address change on each connection. All this led to the belief that you should not use ipppd with dynip, but that's **NOT** true, read on...

The problem:

If an IP connection stays open when ipppd hangs up (which happens quite frequently, especially when a browser like e.g. Netscape is involved), the TCP/IP stack in the Linux kernel tries to retransmit the packets, but unfortunately to IP addresses that are no longer valid (unless you are **VERY** lucky ;-). However, this retrying causes ipppd to dial up the pop on each retry, wasting a considerable amount of money (being greedy I don't like this ;-).

And now the solution:

Based on the suggestion by Jochen Roedenbeck (see http://sdb.suse.de/sdb/de/html/dyn_masq.html) for the 2.0 kernels using ipfwadm I built a shell script [see 1] around ipchains (the firewalling in the new 2.2 kernels) to stop ipppd dialling on a retried packet that will never reach its destination anyway. This script is called automatically by ipppd via ip-down [see 2] when the connection is closed (hangup). The script sets firewall rules to block any packet from and to the old (obsolete) local IP address. This prevents the kernel from actually sending the packets on a retry. If need be, the script will generate an at job that removes the rules after some time (e.g. one hour).

This solution has some advantages over Jochen's approach:

1.: It works for Linux Kernel 2.2 using ipchains
2.: It does not need a compiled C program, only shell scripts, which are easier to install, to read and to adapt.

All you need is:

o A Linux kernel 2.2.x with the dynip patch and ipchains support
o (Optional) A running atd for automatic rule removal [see 1]

Install as follows:

1. Copy addrule [1] to /sbin and make it chown root:root and chmod 700.
2. Merge your ip-down with mine (diff may help ;-).

I used it successfully on a SuSE 6.1 with kernel 2.2.1[123] with ipppd, the Hisax driver (AVM Fritz ISA) for nearly two months now. My pop is Deutsche Telekom (T-Online). No problems so far!!!

BTW: I also found that it can be desirable for a pure dial-up connection (no real network) to reduce the retries of undelivered IP packets. I put it in my boot.local [see 3]. This reduces the time the "dead" packets live in the TCP/IP retry queue.

And finally - here are the sources:

[1]. addrule - The shell script that is called on ip-down

--------------- cut ---------------
#!/bin/sh
# /sbin/addrule, to be executed in ip-down on hangup
#
# Function:
# Block all packets from obsolete $LOCALIP.
# The rules can be removed by an at job automatically!
#
# Needs ipchains and a recent 2.2 kernel.
#
# (c) 1999, Michael Kwasigroch <[EMAIL PROTECTED]>
# November 7th 1999

LOCALIP=$1

if [ -z "$LOCALIP" ] ; then
    echo "Usage: $0 <LOCALIP>"
    exit 1
fi

# check if /proc/net/ip_fwnames exists (i.e. the kernel has ipchains support)
if [ ! -f /proc/net/ip_fwnames ] ; then
    echo "/proc/net/ip_fwnames not found"
    exit 2
fi

# generate rules: match the obsolete address as source in both chains;
# the output rule is the one that keeps the retransmits from reaching ipppd
RULE1="input -s $LOCALIP -j DENY"
RULE2="output -s $LOCALIP -j DENY"

# add rules (one pair per hangup; they stay until the at job below
# removes them, so enable it or the chains will keep growing)
/sbin/ipchains -I $RULE1 >/dev/null 2>/dev/null
/sbin/ipchains -I $RULE2 >/dev/null 2>/dev/null

# Set up at job to remove rules after 1 hour.
# - Uncomment this if you want it.
# - You need atd running in order to use it.
# - SuSE 6.1 does not run atd in runlevel 1 + 2.
# - You may also want to experiment with the delay
#   (here 1 hour) to match your needs.
# at now + 1 hour << EOF
# /sbin/ipchains -D $RULE1 >/dev/null 2>/dev/null
# /sbin/ipchains -D $RULE2 >/dev/null 2>/dev/null
# EOF

# done.
--------------- cut ---------------

[2]. The modified ip-up (ip-down is a symlink to it on SuSE 6.1):

--------------- cut ---------------
#!/bin/sh
# (c) '97, S.u.S.E. GmbH, Fuerth, Germany
# Klaus Franken <[EMAIL PROTECTED]>
# 25.02.98
#
# Remo Behn <[EMAIL PROTECTED]>
# 18.07.98

BASENAME=`basename $0`
INTERFACE=$1
DEVICE=$2
SPEED=$3
LOCALIP=$4
REMOTEIP=$5

if [ -z "$REMOTEIP" ]; then
    echo "Usage: $0 <INTERFACE> <DEVICE> <SPEED> <LOCALIP> <REMOTEIP>"
    exit 1
fi

case "$INTERFACE" in
    ippp*)
        . /etc/rc.config
        # find the device
        found=0
        for I in $NETCONFIG; do
            eval NETDEV=\$NETDEV$I
            if [ "$NETDEV" = "$INTERFACE" ]; then
                found=1
                break;
            fi
        done
        if [ $found -eq 0 ]; then
            echo "Device '$INTERFACE' not configured in '/etc/rc.config'"
            exit 1
        fi
        eval IFCONFIG=\$IFCONFIG$I
        DEST=`grep -v "^#" /etc/route.conf | grep "$INTERFACE\$" | awk '{ print $1}'`
        DEFAULT=`grep -v "^#" /etc/route.conf | grep default | awk '{ print $2}'`
        #echo "ok, NETDEV:$NETDEV; IFCONFIG:$IFCONFIG."
        #echo " DEST: $DEST; DEFAULT: $DEFAULT"

        case "$BASENAME" in
            ip-up)
                # default deny
                #ipfwadm -I -p deny
                #ipfwadm -O -p deny
                # flush
                #ipfwadm -I -f
                #ipfwadm -O -f
                # accept dns
                #ipfwadm -O -a accept -P udp -S 0/0 53 1024:65535 -D 0/0 53 -W $INTERFACE
                #ipfwadm -I -a accept -P udp -D 0/0 53 1024:65535 -S 0/0 53 -W $INTERFACE
                #ipfwadm -O -a accept -P tcp -S 0/0 53 1024:65535 -D 0/0 53 -W $INTERFACE
                #ipfwadm -I -a accept -P tcp -D 0/0 53 1024:65535 -S 0/0 53 -k -W $INTERFACE
                # accept connect from client to internet
                #ipfwadm -O -a accept -P tcp -S 0/0 1024:65535 -D 0/0 -W $INTERFACE
                #ipfwadm -I -a accept -P tcp -D 0/0 1024:65535 -S 0/0 -k -W $INTERFACE
                # deny, last match
                #ipfwadm -I -a deny -P tcp -S 0/0 -D 0/0 -W $INTERFACE
                #ipfwadm -I -a deny -P udp -S 0/0 -D 0/0 -W $INTERFACE
                # default accept
                #ipfwadm -I -p accept
                #ipfwadm -O -p accept

                /sbin/route add default gw $REMOTEIP dev $INTERFACE

                # maybe you want to start mail services:
                # set the following variables in /etc/rc.config
                #   SENDMAIL_TYPE="yes"
                #   SENDMAIL_SMARTHOST="<ISP-mailserver>"
                #   SENDMAIL_ARGS="-bd -om"
                #   SENDMAIL_EXPENSIVE="yes"
                #   SENDMAIL_NOCANONIFY="yes"
                #/usr/bin/fetchmail -a -v >>/var/log/fetchmail 2>&1 &
                #/usr/sbin/sendmail -q &
                ;;
            ip-down)
                # restart interface
                /sbin/ifconfig $INTERFACE down
                # workaround due to kernel problem with 'kernd':
                sleep 1
                /sbin/ifconfig $INTERFACE $IFCONFIG
                # flush, del all rules
                #ipfwadm -I -f
                #ipfwadm -O -f
                # set routes from /etc/route.conf
                test -z "$DEST" || /sbin/route add -host $DEST dev $INTERFACE
                test -z "$DEFAULT" || /sbin/route add default gw $DEFAULT
                # block all obsolete packets to/from $LOCALIP
                # => can be removed by an at job automatically!
                if [ -x /sbin/addrule ] ; then
                    /sbin/addrule $LOCALIP
                fi
                ;;
            *)
                ;;
        esac
        ;;
    ppp*)
        # Analog-PPP, add commands if you need...
        ;;
    *)
        # dont know...
        ;;
esac
--------------- cut ---------------

[3]. My modified boot.local:

--------------- cut ---------------
#! /bin/sh
#
# Copyright (c) 1996 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Florian La Roche <[EMAIL PROTECTED]>, 1996
#         Werner Fink <[EMAIL PROTECTED]>, 1996
#         Burchard Steinbild <[EMAIL PROTECTED]>, 1996
# Modified by Michael Kwasigroch <[EMAIL PROTECTED]>
# November 7th 1999
#
# /sbin/init.d/boot.local
#
# script with local commands to be executed from init on system startup
#

. /etc/rc.config

#
# Here you should add things, that should happen directly after booting
# before we're going to the first run level.
#

# fewer TCP retransmissions, so "dead" connections give up sooner
if [ -w /proc/sys/net/ipv4/tcp_retries1 ] ; then
    echo 2 > /proc/sys/net/ipv4/tcp_retries1
fi
if [ -w /proc/sys/net/ipv4/tcp_retries2 ] ; then
    echo 4 > /proc/sys/net/ipv4/tcp_retries2
fi
--------------- cut ---------------

Have fun.

Michael Kwasigroch ([EMAIL PROTECTED])

P.S.: Please email me directly since I'm not subscribed to any linux list. Thanks.
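An added example, not Michael's addrule and not anything from SuSE: a variant of the script that deals with two things the original leaves to the reader. First, the address it receives ends up unquoted on the ipchains command line, so it accepts nothing but a plain dotted quad. Second, the original adds a fresh DENY pair on every hangup and only the (commented-out) at job ever removes them; apart from the chains growing, a dynamic pool can hand you an address you blocked on an earlier hangup, and the stale output DENY would then stop the new connection from sending anything. The script therefore deletes before it inserts, and has an "unblock" mode meant to be called from ip-up with the newly assigned $LOCALIP. /sbin/ipchains is taken from the post; the block/unblock command-line interface, the DRYRUN switch (DRYRUN=1 prints the ipchains commands instead of running them) and the 192.0.2.7 sample address are my own choices.

```shell
#!/bin/sh
# Added example, not the addrule from the post: validates the address,
# keeps the chains from growing by one rule pair per hangup, and offers
# an "unblock" mode for ip-up.
# Assumed: ipchains lives in /sbin as in the post. DRYRUN is my own knob:
# DRYRUN=1 prints the ipchains commands instead of running them.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
DRYRUN=${DRYRUN:-0}

# is_ipv4 ADDR: true only for a dotted quad with four octets of 0..255.
# ADDR ends up as an ipchains argument, so anything with spaces, option
# dashes or other stray characters must be refused here.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run CMD ARGS...: execute quietly, or just print the command line in dry-run mode.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@" >/dev/null 2>&1
    fi
}

# block_ip ADDR: DENY packets carrying ADDR as source in the input and
# output chains (the output rule is what stops the retransmits and thus
# the dial-out). Deleting before inserting removes an identical rule left
# over from an earlier hangup, so at most one copy exists per chain.
block_ip() {
    is_ipv4 "$1" || { echo "block_ip: bad address '$1'" >&2; return 1; }
    if [ "$DRYRUN" != 1 ] && [ ! -f /proc/net/ip_fwnames ]; then
        echo "block_ip: no ipchains support (/proc/net/ip_fwnames missing)" >&2
        return 2
    fi
    for chain in input output; do
        run "$IPCHAINS" -D "$chain" -s "$1" -j DENY   # may fail: nothing to delete yet
        run "$IPCHAINS" -I "$chain" -s "$1" -j DENY
    done
    return 0
}

# unblock_ip ADDR: remove every copy of the rules for ADDR. Meant for
# ip-up with the newly assigned local address: a dynamic pool can hand
# out an address blocked on an earlier hangup, and a stale output DENY
# would then silently kill the new connection.
unblock_ip() {
    is_ipv4 "$1" || { echo "unblock_ip: bad address '$1'" >&2; return 1; }
    for chain in input output; do
        # -D removes one matching rule per call; loop until none is left
        while run "$IPCHAINS" -D "$chain" -s "$1" -j DENY; do
            if [ "$DRYRUN" = 1 ]; then break; fi
        done
    done
    return 0
}

# Command-line entry point: "addrule block ADDR" from ip-down,
# "addrule unblock ADDR" from ip-up. Does nothing when sourced without arguments.
if [ "$#" -eq 2 ]; then
    case "$1" in
        block)   block_ip "$2" ;;
        unblock) unblock_ip "$2" ;;
        *)       echo "Usage: $0 block|unblock <ADDR>" >&2; exit 1 ;;
    esac
fi
```

To use it, replace the `/sbin/addrule $LOCALIP` line in the ip-down branch with `/sbin/addrule block $LOCALIP`, and add `/sbin/addrule unblock $LOCALIP` next to the `route add default` line in the ip-up branch. The at job from the original can stay as it is; its `ipchains -D` simply fails harmlessly if unblock has already removed the rules.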
