Paul Gear wrote:

> Robert Moskowitz wrote:
>
>> I am setting up to migrate to providing my own PPPoE router, and I am
>> starting (information wise) pretty much from scratch.
>>
>> My ISP says that once he configs the ADSL router to bridge mode, my
>> router (running Centos 5.2 btw) will need to use pppoe to connect and
>> get the IPv4 address block and IPv6 prefix. I am NOT supposed to
>> configure any addresses for the ethernet interface connected to the
>> bridge; those addresses (v4 and v6) will be assigned during the PPPoE
>> negotiation.
>> ...
>> The lack of an IP address on the pppoe interface should not be a
>> problem, correct? The interface file just refers to the interface name
>> (e.g. eth0) and I can stay away from IP addresses in the rules.
>
> From the way you've described things, it sounds to me like you will, in
> fact, have an IP address on the PPPoE interface (pppX or dslX as it is
> on SUSE), just not on the Ethernet interface (ethX).

Duh. It all makes sense now. And considering the years that I worked on these standards, to actually have to configure them myself, that sure took long enough :)

> I ran my firewalls like this for quite some time and Shorewall had no
> issues with it, although I eventually found that it was more convenient
> to run an RFC1918 IP address on the Ethernet interface so that I could
> configure the modem. The trick is to ensure that any traffic coming in
> on the Ethernet interface is treated just like any coming in on the PPP
> interface, which you can handle in the hosts file.
>
> I would ASSuME that there will be no IP traffic on eth0 to worry about
> IP addresses. Shouldn't be, it will all be PPP dataframes.

Of course. And all the IP traffic is coming within PPP, and thus I define ppp0 as the external interface in Shorewall. In fact, I SHOULD have an eth0 interface configured for Shorewall, along with the ppp0 interface. And any IP traffic it intercepts is badness from my ISP. Shorewall just maintains IPtables, not also NETtables (there is such a thing?).

And I DO have rfc1918 addresses around. For the family computers, for my VoIP devices (talking to my PBX that has an rfc1918 interface and a public addressed interface), for infrastructure devices, and for some test gear. I have passed 20 systems here in my home. If I add all the special units with addresses it goes over 30.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
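As an added illustration (not from the thread and not Shorewall's own documentation), here is the layout the exchange converges on: ppp0 carries the net zone, eth0 is listed with no zone of its own, and the hosts file maps whatever shows up as IP on eth0 into net, so stray traffic from the bridge side is policed and logged exactly like Internet traffic. Column layouts follow the Shorewall 4.x files of that era; eth1 as the LAN interface and 192.168.100.1 as the modem's management address are assumptions.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,nosmurfs
-       eth0        detect      tcpflags,nosmurfs   # zone assigned in hosts, not here
loc     eth1        detect      dhcp,tcpflags,nosmurfs   # assumed LAN interface

# /etc/shorewall/hosts
# Anything that arrives on eth0 as plain IP (rather than inside PPPoE
# frames) is treated as if it came from the Internet.
#ZONE   HOST(S)
net     eth0:0.0.0.0/0

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info    # covers ppp0 and any stray IP on eth0, with a log line
all     all     REJECT  info

# /etc/shorewall/masq
# RFC1918 LAN hosts leave via the PPP interface, never via eth0.
#INTERFACE  SOURCE
ppp0        eth1

# If, as suggested above, eth0 also gets an RFC1918 address so the modem
# can be managed (assumed modem address 192.168.100.1), the $FW->net ACCEPT
# policy already permits that, and the hosts entry keeps the modem in the
# net zone rather than quietly trusting it as a local host.
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them; watch the `net all DROP info` log entries for any IP that still appears on eth0 once the modem is in bridge mode.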
