Re: [Shorewall-users] Shorewall Reject PPP LCP packets?
Brian Marshall wrote:
> No problem blocking PPPoE from the loc zone, I'm just not sure the protocol
> number(s) I would use to achieve that.

They aren't even IP packets, and as far as I can see should not be getting forwarded at all. As below, they are ether type 0x8863 or 0x8864 vs 0x0800 for IP. More information at https://en.wikipedia.org/wiki/EtherType

> It may not be anything to do with LCP packets at all, but something from this
> problem PC is causing the DSL modem to think it is being asked to shut down
> the ppp connection, in some instances (but not all instances) it even reports
> "ppp closed by user request" in the ppp log.
>
> If you have any thoughts to offer I'm all ears...

It might be worth running a packet sniffer and capturing the relevant LCP packets on both network links. On the loc net you shouldn't be seeing any PPPoEs (ethertype 0x8864) packets at all - possibly some PPPoE discovery packets (if there's anything trying to use PPPoE you'll see regular PADI packets*). On the modem side you'll need to refine the capture as PPPoEs packets will include all your internet traffic as well, so you'll need to filter on the PPPoE frame type as well to select just the LCP packets.

How often do these disconnects happen ?

* PADI = PPPoE Active Discovery Initiation

Sadly I have a little more knowledge of this than I think I should need having had to debug some PPPoE problems over the years :-(

--
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
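For the capture-and-filter step suggested above, here is a small classifier, added as an example and not code from the thread or from Shorewall: it walks raw Ethernet frames, separates PPPoE discovery (0x8863) from session (0x8864) frames per RFC 2516, and within session frames picks out PPP protocol 0xC021 (LCP) and the LCP code, so an LCP Terminate-Request seen on the loc side can be flagged. The sample frames are constructed with placeholder MAC addresses, and the tcpdump filter string is an assumed byte-offset equivalent of the same test.

```python
import struct

# EtherTypes from RFC 2516 and the PPP protocol number for LCP (RFC 1661)
ETHERTYPE_PPPOE_DISC = 0x8863   # PPPoE Discovery Stage (PADI/PADO/PADR/PADS/PADT)
ETHERTYPE_PPPOE_SESS = 0x8864   # PPPoE Session Stage (carries PPP frames)
PPP_PROTO_LCP = 0xC021          # PPP protocol field value for LCP
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
             9: "Echo-Request", 10: "Echo-Reply"}

# Assumed tcpdump/BPF equivalent by byte offset: 14-byte Ethernet header, 6-byte
# PPPoE session header, 2-byte PPP protocol field, then the 1-byte LCP code (5 = Terminate-Request).
TCPDUMP_LCP_TERMREQ = "ether proto 0x8864 and ether[20:2] = 0xc021 and ether[22] = 5"


def classify_frame(frame: bytes) -> str:
    """Label a raw Ethernet frame: non-PPPoE, PPPoE discovery, or PPPoE session
    (with the PPP protocol and, for LCP, the LCP code name)."""
    if len(frame) < 14:
        return "runt"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_PPPOE_DISC:
        return "pppoe-discovery"
    if ethertype != ETHERTYPE_PPPOE_SESS:
        return "other:0x%04x" % ethertype
    # RFC 2516 session header: ver/type (0x11), code (0x00), session id, length
    if len(frame) < 22:
        return "pppoe-session:truncated"
    vertype, code, _session_id, _length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11 or code != 0x00:
        return "pppoe-session:malformed"
    ppp_proto = struct.unpack("!H", frame[20:22])[0]
    if ppp_proto != PPP_PROTO_LCP:
        return "pppoe-session:ppp-0x%04x" % ppp_proto
    if len(frame) < 26:                      # LCP header is code, id, length
        return "pppoe-session:lcp-truncated"
    return "pppoe-session:lcp-" + LCP_CODES.get(frame[22], "code-%d" % frame[22])


def find_terminate_requests(frames):
    """Indexes of frames that carry an LCP Terminate-Request (code 5)."""
    return [i for i, f in enumerate(frames)
            if classify_frame(f) == "pppoe-session:lcp-Terminate-Request"]


def build_pppoe_lcp(session_id: int, lcp_code: int, ident: int = 1) -> bytes:
    """Construct a sample PPPoE session frame carrying a bare LCP packet
    (placeholder MAC addresses; test input only, not a captured frame)."""
    lcp = struct.pack("!BBH", lcp_code, ident, 4)
    ppp = struct.pack("!H", PPP_PROTO_LCP) + lcp
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_PPPOE_SESS) + pppoe
```

Run `classify_frame` over every frame of a loc-side capture: anything other than `other:0x0800`/`other:0x0806` style labels is already worth a look, and any `lcp-Terminate-Request` hit identifies the source MAC of the machine to investigate.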
Re: [Shorewall-users] Shorewall Reject PPP LCP packets?
Hi Simon,

Thanks for taking the time to write, sorry timezone and business have delayed my acknowledgement...

No problem blocking PPPoE from the loc zone, I'm just not sure the protocol number(s) I would use to achieve that.

I don't know how the device is spoofing the packets, I presume it's not intentional but an unintended consequence of other traffic being misinterpreted by my firewall, and am wondering if there are any shorewall rules I could install that might be able to trap/mask the behaviour.

Your thought about eth1 and eth0 being joined is certainly worth asking, but not the case here, eth0 has only a single cable to the DSL modem ppp0.

It may not be anything to do with LCP packets at all, but something from this problem PC is causing the DSL modem to think it is being asked to shut down the ppp connection, in some instances (but not all instances) it even reports "ppp closed by user request" in the ppp log.

If you have any thoughts to offer I'm all ears...

thanks again for your time

From: Simon Hobson
To: Shorewall Users
Sent: Tuesday, 20 September 2016, 20:09
Subject: Re: [Shorewall-users] Shorewall Reject PPP LCP packets?

I wrote:
> Presumably there's no problem blocking all PPPoE traffic from the loc zone ?

And looking at https://tools.ietf.org/html/rfc2516 it says :
> The ETHER_TYPE is set to either 0x8863 (Discovery Stage) or 0x8864 (PPP
> Session Stage).

But how is the device spoofing the PPPoE LCP Terminate packets ? And more importantly, how are these non-routable packets getting through the firewall ?

Thought ... You haven't linked eth0 and eth1 together on the same network, have you ?
Re: [Shorewall-users] Shorewall Reject PPP LCP packets?
I wrote:
> Presumably there's no problem blocking all PPPoE traffic from the loc zone ?

And looking at https://tools.ietf.org/html/rfc2516 it says :
> The ETHER_TYPE is set to either 0x8863 (Discovery Stage) or 0x8864 (PPP
> Session Stage).

But how is the device spoofing the PPPoE LCP Terminate packets ? And more importantly, how are these non-routable packets getting through the firewall ?

Thought ... You haven't linked eth0 and eth1 together on the same network, have you ?
Re: [Shorewall-users] Shorewall Reject PPP LCP packets?
Brian Marshall wrote:
> I'm trying to learn if shorewall can drop/reject PPP LCP traffic.
>
> I have a Bering/LEAF setup running shorewall and also pppoe for shared DSL
> connection. 'loc' is eth1, 'net' is ppp0/eth0
> One of the machines in 'loc' zone has an unknown application running that
> manages to send LCP TERMREQ commands that shut down the pppoe link, which
> obviously affects all users.

Presumably there's no problem blocking all PPPoE traffic from the loc zone ?

As I understand it, LCP is embedded in PPP packets - so simply blocking all PPP packets from the loc zone should do it.

While looking for good information to supplement my rather vague and hazy memory, I found this which seems very good at explaining how it all fits together :
http://www.tcpipguide.com/free/t_PointtoPointProtocolPPP.htm
[Shorewall-users] Shorewall Reject PPP LCP packets?
I'm trying to learn if shorewall can drop/reject PPP LCP traffic.

I have a Bering/LEAF setup running shorewall and also pppoe for shared DSL connection. 'loc' is eth1, 'net' is ppp0/eth0

One of the machines in 'loc' zone has an unknown application running that manages to send LCP TERMREQ commands that shut down the pppoe link, which obviously affects all users.

Ideally I would locate the bad unknown application but am having trouble identifying it.

Is there a shorewall rule that I can add to prevent the unwanted PPP LCP traffic from getting onto 'fw' from 'loc'?

Appreciate any help offered (or redirection if I have the concept wrong), thanks