[suse-security] DialUp with Firewall
Hello list,
I have a little problem with my dialup connection. After I get connected, I have to restart the SuSEfirewall script to activate the PPP device. So I need root privileges. Is there any secure possibility to restart the firewall without involving root?
Thanks in advance.
-- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
Try to use the /etc/ppp/ip-up script.
On Wed, 28 Jun 2000, Timo Schulz wrote:
Hello list, I have a little problem with my dialup connection. After I get connected, I have to restart the SuSEfirewall script to activate the PPP device. So I need root privileges. Is there any secure possibility to restart the firewall without involving root?
Thanks in advance.
-- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
I tried the /etc/ppp/ip-up script, but it seems to run too early and fails to pick up the new address of the ppp connection. If I then restart the firewall manually it works fine, but then tends to stop passing traffic after a few minutes.
I just have not had time to investigate further, but would be very interested in any inputs.
Craig Wyndham (Sydney, Australia)
-------------------------
Try to use the /etc/ppp/ip-up script.
On Wed, 28 Jun 2000, Timo Schulz wrote:
Hello list, I have a little problem with my dialup connection. After I get connected, I have to restart the SuSEfirewall script to activate the PPP device. So I need root privileges. Is there any secure possibility to restart the firewall without involving root?
Thanks in advance.
-- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
Craig Wyndham wrote:
I tried the /etc/ppp/ip-up script, but it seems to run too early and fails to pick up the new address of the ppp connection. If I then restart the firewall manually it works fine, but then tends to stop passing traffic after a few minutes.
I just have not had time to investigate further, but would be very interested in any inputs.
Craig Wyndham (Sydney, Australia)
-------------------------
Try to use the /etc/ppp/ip-up script.
On Wed, 28 Jun 2000, Timo Schulz wrote:
Hello list, I have a little problem with my dialup connection. After I get connected, I have to restart the SuSEfirewall script to activate the PPP device. So I need root privileges. Is there any secure possibility to restart the firewall without involving root?
Thanks in advance.
-- Two-a-Day at joesixpack.net www.freenet.de/joesixpack keyid BF3DF9B4
Hi Craig,
I use Red Hat Linux with the 2.0.36 kernel and "ipfwadm". I found I had to incorporate the attached snippet into "/etc/ppp/ip-up", to enforce a wait for the IP address to become available. I also include my "ppp_ip" script which is referenced within the snippet. This script simply returns the current IP address for the PPP session.
Cheers - Les Catterall

#
# <extract> from my "/etc/ppp/ip-up".
#

#
# Users with a Static IP address could enter it here.
#
# firewall_ip="your.static.PPP.address"
#

#
# We get our firewall's IP address dynamically from PPP, so we need to enable
# the following option. This enables dynamic-ip address hacking in IP MASQ,
# making life with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# Now, _THIS_ script is run automatically immediately after "pppd" brings IPCP
# up (see man "pppd"). So our firewall's IP address this time around will be
# available to us sometime during the course of running this script. We're
# going to need this address for the rulesets that follow (which utilise the
# "firewall_ip" environment variable), so wait here until it's available.
#
while [ "`/usr/local/bin/ppp_ip`" = "" ]; do sleep 1; done
firewall_ip="`/usr/local/bin/ppp_ip`"

#
# Continue "/etc/ppp/ip-up" processing now that IP address is available.
#

#
# </extract>
#

#!/bin/sh
#
# ppp_ip
#
# Version : 19990621 - Les Catterall
#
# Edits:
# 19970720 - Original version.
# 19980920 - Port to Red Hat Linux and rename "ppp_ip".
# 19990621 - Use "ifconfig" rather than "tail /var/log/messages".
#
# This script may be used to determine the local IP address allocated for
# the current PPP session (the dynamic Internet address). This address
# is available via "/sbin/ifconfig" immediately after establishing a PPP
# connection. It may be used after any script which calls "/usr/sbin/pppd".
#
/sbin/ifconfig | grep 'P-t-P' | awk '{print $2}' | awk -F: '{print $2}'
#
# End ppp_ip
#
On Fri, Jun 30, 2000 at 18:58 +1000, Les Catterall wrote:
Craig Wyndham wrote:
I tried the /etc/ppp/ip-up script, but it seems to run too early and fails to pick up the new address of the ppp connection. If I then restart the firewall manually it works fine, but then tends to stop passing traffic after a few minutes.
[ ... ]
I use Red Hat Linux with the 2.0.36 kernel and "ipfwadm". I found I had to incorporate the attached snippet into "/etc/ppp/ip-up", to enforce a wait for the IP address to become available. I also include my "ppp_ip" script which is referenced within the snippet. This script simply returns the current IP address for the PPP session.
What did I miss when I feel you could easily take the newly assigned address from one of ip-up's parameters? From reading "man 8 pppd ipppd" (... /etc/ppp/ip-up ... "It is executed with the parameters interface-name tty-device speed local-IP-address remote-IP-address") I get that there shouldn't be any need for these kind of hacks. Maybe this was just too easy ...
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
On Fri, 30 Jun 2000, Gerhard Sittig wrote:
What did I miss when I feel you could easily take the newly assigned address from one of ip-up's parameters? From reading "man 8 pppd ipppd" (... /etc/ppp/ip-up ... "It is executed with the parameters interface-name tty-device speed local-IP-address remote-IP-address") I get that there shouldn't be any need for these kind of hacks. Maybe this was just too easy ...
Yes, very easy. The man page is right. Here is the start of my
ip-up. Only the last 3 lines are mine. Of course I didn't read the
man page either - I got the hint from reading the nice SuSE script! I
read How-Tos to make things work, and only read man pages when things
break. BTW by adapting the SuSE script using these parameters, I was
able to use SAMBA to connect a Windows laptop to my Workstation by ppp
over a serial cable, and still freely bring my modem link to the
Internet up and down (I was too mean to buy an ethernet card.)
Yours, dproc
#!/bin/sh
# (c) '97, S.u.S.E. GmbH, Fuerth, Germany
# Klaus Franken
Gerhard Sittig wrote:
On Fri, Jun 30, 2000 at 18:58 +1000, Les Catterall wrote:
Craig Wyndham wrote:
I tried the /etc/ppp/ip-up script, but it seems to run too early and fails to pick up the new address of the ppp connection. If I then restart the firewall manually it works fine, but then tends to stop passing traffic after a few minutes.
[ ... ]
I use Red Hat Linux with the 2.0.36 kernel and "ipfwadm". I found I had to incorporate the attached snippet into "/etc/ppp/ip-up", to enforce a wait for the IP address to become available. I also include my "ppp_ip" script which is referenced within the snippet. This script simply returns the current IP address for the PPP session.
What did I miss when I feel you could easily take the newly assigned address from one of ip-up's parameters? From reading "man 8 pppd ipppd" (... /etc/ppp/ip-up ... "It is executed with the parameters interface-name tty-device speed local-IP-address remote-IP-address") I get that there shouldn't be any need for these kind of hacks. Maybe this was just too easy ...
Yep. This is much more straightforward. If the local IP address is needed within "ip-up" processing, it can indeed be assigned from the fourth parameter given on its invocation.
Thanks Gerhard. I must RTFM, I must RTFM, I must RTFM, ...
Cheers - Les Catterall
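
Added example, not part of any post in this thread: a sketch of an ip-up fragment that takes the local address from the fourth parameter, as the quoted man page text describes, and checks it before any firewall rule uses it. pppd runs ip-up as root, so the dialling user needs no root access. The interface-name pattern, the placeholder firewall path and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Parameter order as quoted from the
# pppd man page: interface-name tty-device speed local-IP remote-IP

# valid_ipv4 ADDR: succeed only for a dotted quad, octets 0..255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, stray characters, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                 # split on dots (digits and dots only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipup_local_ip IFNAME TTY SPEED LOCAL REMOTE: print LOCAL when the arguments
# look like an ip-up call; the interface-name pattern is an assumption.
ipup_local_ip() {
    [ "$#" -ge 5 ] || return 1
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]|ippp[0-9]|ippp[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    valid_ipv4 "$4" && valid_ipv4 "$5" || return 1
    printf '%s\n' "$4"
}

# When pppd runs this as ip-up, "$@" holds the five parameters. The firewall
# start itself is site-specific and left as a placeholder comment.
if [ "$#" -gt 0 ]; then
    firewall_ip=$(ipup_local_ip "$@") || {
        echo "ip-up: unexpected arguments, firewall left unchanged" >&2
        exit 1
    }
    export firewall_ip
    echo "firewall_ip=$firewall_ip"
    # /path/to/firewall-script   (placeholder: run the site's rules here)
fi
```

Run by hand with constructed arguments such as `ppp0 /dev/ttyS1 115200 203.0.113.7 203.0.113.1`, it prints the address it would hand to the firewall rules.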
participants (6)
- Craig Wyndham
- dproc@dol.net
- Gerhard Sittig
- Les Catterall
- lupe@admin2.ecosoft.ro
- Timo Schulz