There are a few things that are unclear in all the documentation on firewalling and masquerading that, if they had been stated clearly, I would have had my network up and running a lot sooner and without the headaches.

First, if your external interface is ppp, then you must not start the firewall/masqueing on bootup or before the ppp interface is initialized. The only way that the firewall can get the correct dynamic IP address is after it has been assigned. The firewall rules are static, and if it cannot find the interface when initialized, it will not find it later. The correct place for initializing the firewall rules is in /etc/.../ip-up.local, usually as the last line. When ppp goes down you need not run the firewall, so put a stop command in /etc/.../ip-down.local.

Second, dynamic addresses assigned by ISPs to ppp interfaces are not done by DHCP, so if you've set your firewall rules to see your address by DHCP it will not work. You can, however, run a DHCP server on your internal network to assign your local computers dynamic IP addresses, but if you only have a few machines it's best to assign them fixed addresses and not take up resources and cause more complications by running a DHCP server.

If any of your local machines is a Windows machine, be sure to enable DNS in your Networking applet in Control Panel - assign at least a couple of nameserver addresses, your local one and perhaps your ISP's. You can run a caching nameserver that's easy to set up - get the program from Freshmeat.net, Rufus.w3.org (RPM) or it may be included in your UNIX (Linux) distribution. This program can also be run from ip-up.local and stopped from ip-down.local if you do not need local DNS services.
Of course, if your external connection to the Internet is by ethernet you should start the firewall/masqueing on bootup unless your ethernet interface is not recognized then. In short, the interface must be up and assigned an IP address before the firewall is initialized. If your local IP address is assigned by DHCP, as in DSL, then you need to tell your firewall that. The firewall may have to be reinitialized if your IP address changes.

Be sure that ip_dynamic_addr, ip_forwarding, etc., and the appropriate modules loaded - things that are well-documented to make masqueing work - are compiled into the kernel and turned on. These should be included in the firewall script.

You don't need any complicated routing tables or protocols. The default gateway should be assigned when your ppp connection is made. If your local network is functional by TCP/IP, then you should be able to masq it.

I hope this helps.

--
[EMAIL PROTECTED] <Stuart Norman>
Censorship is the ultimate obscenity.

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
You can start your search at http://www.indyramp.com/masq/
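The hook arrangement described in the message above, as an added example that is not the poster's script or part of the original post: the rules are built only from the interface and local address that pppd hands to ip-up, and nothing is emitted if no address has been assigned. The iptables syntax, the LAN_NET value, the MASQ_APPLY switch and the assumption that ip-up.local receives pppd's arguments unchanged are all assumptions; the message names no firewall tool.

```shell
#!/bin/sh
# Added example (not the poster's script). pppd hook arguments:
#   $1=interface  $2=tty  $3=speed  $4=local IP  $5=remote IP
LAN_NET="192.168.1.0/24"   # assumption: the internal network

# True only for an assigned dotted quad, each octet 0..255.
valid_ipv4() {
    case "$1" in
        ''|0.0.0.0|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the start commands; refuse if the link has no usable address yet.
masq_start_cmds() {
    iface=$1 local_ip=$2
    case "$iface" in
        ppp[0-9]*) ;;
        *) echo "not a ppp interface: $iface" >&2; return 1 ;;
    esac
    valid_ipv4 "$local_ip" || { echo "no address on $iface" >&2; return 1; }
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
iptables -A INPUT -i $iface -d $local_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -j DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $iface -j MASQUERADE
EOF
}

# Print the matching stop commands (each -A turned into -D) for ip-down.
masq_stop_cmds() {
    masq_start_cmds "$1" "$2" | sed -n 's/^iptables \(.*\)-A /iptables \1-D /p'
}

# Runs the commands only when installed as the hook with MASQ_APPLY=1 (root).
if [ "${MASQ_APPLY:-0}" = 1 ]; then
    case "$0" in
        *ip-down*) masq_stop_cmds "$1" "$4" | sh ;;
        *)         masq_start_cmds "$1" "$4" | sh ;;
    esac
fi
```

Without MASQ_APPLY=1 the script only defines the functions, so the generated rules can be reviewed by calling masq_start_cmds by hand before the hook is enabled.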
