
List:       linux-diald
Subject:    Re: tap0 or ppp0?
From:       Mike Jagdis <jaggy () purplet ! demon ! co ! uk>
Date:       2003-03-30 22:22:11

Owain McGuire wrote:
> Simple question really??
> 
> I have upgraded from diald 0.9 to 1.0 and sorted out all of the
> ethertap stuff.  The only thing is that the masqueraded machines don't
> seem to be able to bring up the ppp connections themselves.  The
> "server" machine can though.  I have followed the IP_Masq_Howto for
> 2.4 kernels but I have a question for the rc.firewall-2.4 script.
> Should the external interface be tap0 or ppp0?  I am confused as to
> how the flow or handover of traffic from tap0 to ppp0 works.

Without knowing what rc.firewall-2.4 does exactly it's difficult to
be sure. However you generally want the proxy interface to either
allow any packet out or to have exactly the same firewalling of
outgoing packets that the real link would (which may reduce some
false triggers depending how you have diald itself configured).

You do _not_ want masquerading active on the proxy interface. It
gets sort of complicated to follow, but on a machine doing forwarding
with dynamic addresses on the diald link diald will send proxy
packets back to the kernel via the proxy interface and the kernel
will then route them out the real interface, masquerading if
necessary. If you masquerade on the proxy interface as well you
pick up a likely bogus source address which prevents the connection
from working until the client times out and tries again - if that's
after the link has timed out the retry won't work either.

The best answer is probably to make the ppp interface an external,
the proxy a wide open internal (remember the real link has all the
firewalling you need anyway), and configure diald carefully to
only bring the link up for the traffic you want.

Mike
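
A check for the rule described in the reply above (masquerade on the real link only, never on the proxy interface), as an added example that is not part of the original message. The interface names tap0 and ppp0 come from the thread; the function name `audit_masq` and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Reads `iptables-save` output on stdin and prints each nat POSTROUTING rule
# whose MASQUERADE target would apply to packets leaving the proxy interface
# given as $1. Returns 1 if any is found. User-defined chains are not followed.
audit_masq() {
    awk -v proxy="$1" '
    # iptables interface match: empty = any interface, trailing + = prefix
    function if_match(pat, name,    pre) {
        if (pat == "") return 1
        if (substr(pat, length(pat)) != "+") return pat == name
        pre = substr(pat, 1, length(pat) - 1)
        return substr(name, 1, length(pre)) == pre
    }
    /^\*/ { table = substr($1, 2); next }
    table != "nat" || $1 != "-A" || $2 != "POSTROUTING" { next }
    {
        out = ""; neg = 0; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
            if ($i == "-j") target = $(i + 1)
        }
        hit = if_match(out, proxy); if (neg) hit = !hit
        if (target == "MASQUERADE" && hit) {
            print "MASQUERADE applies to " proxy ": " $0
            bad = 1
        }
    }
    END { exit bad + 0 }'
}
# Constructed sample: masquerade only on the real link (ppp0).
sample_good() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}
# Constructed sample: masquerade with no -o (every interface) and on tap+.
sample_bad() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o tap+ -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}
sample_bad | audit_masq tap0 || echo "proxy interface is masqueraded"
```

On a live system the input would be `iptables-save | audit_masq tap0`, which needs root to read the ruleset.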
