Folks,

We have built a firewall on a Linux system with two Adaptec quad
Ethernet cards. I have set up firewall rules properly for all the
Ethernet interfaces, but I am having a problem with the PPP connection.
We have a client that has an AIX system and will be dialing in to the
firewall. I am able to make a PPP connection using CHAP authentication,
but after that I cannot connect to either of the systems.
                      +---------+
internet    (eth0)    |         |
intranet    (eth1)    |  Linux  |    (ppp0)    client_3
client_1    (eth2)    |  RH 5.1 |
client_2    (eth3)    |         |
                      +---------+
eth4 through eth7 are not configured.
Intranet is the 192.9.100.0 network and ppp0 is the 10.8.1.0 network.
My PPP address is 10.8.1.1 and the client's PPP address is 10.8.1.2.
I am trying to set up forwarding rules so that a system
(192.9.100.101) can talk to the client system, with traffic allowed both
ways. Right now I cannot even talk to the other side of the PPP connection.
I have shut down all interfaces except eth1, and also shut down the
firewall.
Here are some of the details.
<aix>/> netstat -r
Route Tree for Protocol Family 2:
10.8.1.1           10.8.1.2           UH        1      409   -   pp1   -
.
.
.
.
<aix>/> ping 10.8.1.1
PING 10.8.1.1: (10.8.1.1): 56 data bytes
IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc   all  anywhere             anywhere             n/a
<linux>/root 25> ipfwadm -O -l
IP firewall output rules, default policy: deny
type  prot source               destination          ports
acc   all  anywhere             anywhere             n/a
IP firewall input rules, default policy: deny
type  prot source               destination          ports
acc   all  anywhere             anywhere             n/a
<linux>/root> ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0
          TX packets:40 errors:0 dropped:0 overruns:0

eth1      Link encap:Ethernet  HWaddr 00:00:92:A7:DF:05
          inet addr:192.9.100.120  Bcast:192.9.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1157 errors:0 dropped:0 overruns:0
          TX packets:601 errors:0 dropped:0 overruns:0
          Interrupt:9 Base address:0xb400

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.1.8.1  P-t-P:10.8.1.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:296  Metric:1
          RX packets:214 errors:0 dropped:0 overruns:0
          TX packets:146 errors:0 dropped:0 overruns:0
<linux>/root> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.1.2        *               255.255.255.255 UH      296 0          0 ppp0
127.0.0.0       *               255.0.0.0       U      3584 0          0 lo
default         *               0.0.0.0         U      1500 0          0 eth1
<linux>/root 7> tcpdump -i ppp0
tcpdump: listening on ppp0
09:49:38.596508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:49:38.596508 lidp16 > 10.8.1.2: icmp: host 10.8.1.1 unreachable [tos 0xc0]
09:49:39.576508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:49:39.576508 lidp16 > 10.8.1.2: icmp: host 10.8.1.1 unreachable [tos 0xc0]
09:49:40.576508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:49:40.576508 lidp16 > 10.8.1.2: icmp: host 10.8.1.1 unreachable [tos 0xc0]
09:49:41.596508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:49:41.596508 lidp16 > 10.8.1.2: icmp: host 10.8.1.1 unreachable [tos 0xc0]
09:49:42.596508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:49:42.596508 lidp16 > 10.8.1.2: icmp: host 10.8.1.1 unreachable [tos 0xc0]
<linux>/root 19> route del 10.8.1.2
<linux>/root 20> route add -host 10.8.1.2 gw 10.8.1.1
<linux>/root 21> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.1.2        10.8.1.1        255.255.255.255 UGH    1500 0          0 eth1
127.0.0.0       *               255.0.0.0       U      3584 0          0 lo
default         *               0.0.0.0         U      1500 0          0 eth1
<linux>/root 22> tcpdump -i ppp0
tcpdump: listening on ppp0
09:53:54.426508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:53:55.426508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:53:56.426508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:53:57.426508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:53:58.406508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:53:59.406508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:54:00.406508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:54:01.406508 10.8.1.2 > 10.8.1.1: icmp: echo request
09:54:02.406508 10.8.1.2 > 10.8.1.1: icmp: echo request
To reply, please remove no_junk_mail from my e-mail address.
--
Hemant Shah, LIDP Inc.               /-------------------\      ^~~~~^
Voice: +1 630 960 0133 x 664         |TECHNOLOGY         |      |    |
Fax:   +1 630 960 0717               |No place for wimps |     o|-OO-|o
                                     \-------------------/      |    |
-----------------[DO NOT SEND UNSOLICITED BULK E-MAIL]------------------
I haven't lost my mind,              Above opinions are mine only.
it's backed up on tape somewhere.    Others can have their own.
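A check a practitioner would run on the output quoted above, as an added example that is not part of Hemant's post: it parses the old-style Linux `ifconfig` and `netstat -r` text shown in the post and compares the ppp0 addresses and the route to the peer against the addresses the post says the link should have. The sample texts are constructed from the lines quoted in the post; the expected addresses, the interface name and the "as expected" sample are assumptions taken from the post's own description. Run against the posted output it reports that ppp0's local address is 10.1.8.1 rather than the 10.8.1.1 the post expects, and that after the `route add -host 10.8.1.2 gw 10.8.1.1` the route to the peer leaves via eth1 rather than ppp0.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a Linux PPP
# link against the addresses the operator expects. Parses the ifconfig and
# "netstat -r" text formats shown in the post (old-style Linux output).
# EXPECTED_* and PPP_IF are assumptions taken from the post's description.

EXPECTED_LOCAL=10.8.1.1   # address the post says the Linux end should have
EXPECTED_PEER=10.8.1.2    # address the post says the AIX end has
PPP_IF=ppp0

# Constructed sample: the eth1 and ppp0 stanzas as quoted in the post.
POSTED_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:00:92:A7:DF:05
          inet addr:192.9.100.120  Bcast:192.9.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.1.8.1  P-t-P:10.8.1.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:296  Metric:1'

# Constructed sample: the routing table after the "route add ... gw 10.8.1.1".
POSTED_ROUTES='Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.8.1.2        10.8.1.1        255.255.255.255 UGH   1500 0      0 eth1
127.0.0.0       *               255.0.0.0       U     3584 0      0 lo
default         *               0.0.0.0         U     1500 0      0 eth1'

# Constructed sample (assumption) of what the post says the link should look
# like: local address 10.8.1.1 and the host route to the peer leaving via ppp0.
FIXED_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.8.1.1  P-t-P:10.8.1.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:296  Metric:1'
FIXED_ROUTES='Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.8.1.2        *               255.255.255.255 UH    296  0      0 ppp0
default         *               0.0.0.0         U     1500 0      0 eth1'

# iface_field IFACE KEY  <ifconfig-text>: print the value following "KEY:"
# inside the stanza of IFACE (KEY is e.g. "inet addr" or "P-t-P").
iface_field() {
    awk -v ifname="$1" -v key="$2" '
        $1 == ifname { inside = 1; next }      # stanza header line
        /^[^ \t]/    { inside = 0 }            # a different interface begins
        inside && index($0, key ":") {
            sub(".*" key ":", ""); sub(/[ \t].*/, ""); print; exit
        }'
}

# route_iface DEST  <netstat-text>: print the Iface column of the route whose
# Destination column is exactly DEST, or nothing if there is no such route.
route_iface() {
    awk -v dst="$1" '$1 == dst { print $NF; exit }'
}

# check_ppp_link IFCONFIG_TEXT ROUTE_TEXT: print one line per finding and
# return the number of findings (0 means the link matches expectations).
check_ppp_link() {
    local_addr=$(printf '%s\n' "$1" | iface_field "$PPP_IF" "inet addr")
    peer_addr=$(printf '%s\n' "$1" | iface_field "$PPP_IF" "P-t-P")
    peer_via=$(printf '%s\n' "$2" | route_iface "$EXPECTED_PEER")
    findings=0
    if [ "$local_addr" != "$EXPECTED_LOCAL" ]; then
        echo "$PPP_IF local address is '$local_addr', expected $EXPECTED_LOCAL;" \
             "the kernel will not treat packets for $EXPECTED_LOCAL as its own"
        findings=$((findings + 1))
    fi
    if [ "$peer_addr" != "$EXPECTED_PEER" ]; then
        echo "$PPP_IF peer address is '$peer_addr', expected $EXPECTED_PEER"
        findings=$((findings + 1))
    fi
    if [ "$peer_via" != "$PPP_IF" ]; then
        echo "route to $EXPECTED_PEER leaves via '${peer_via:-no route}', expected $PPP_IF"
        findings=$((findings + 1))
    fi
    return $findings
}

# Stand-alone run: the state as posted, then the state the post expects.
echo "== as posted =="
check_ppp_link "$POSTED_IFCONFIG" "$POSTED_ROUTES" || echo "$? finding(s)"
echo "== as expected =="
check_ppp_link "$FIXED_IFCONFIG" "$FIXED_ROUTES" && echo "link OK"
```

The first finding lines up with the first tcpdump in the post, where the Linux box (lidp16) answers the AIX echo requests for 10.8.1.1 with "host 10.8.1.1 unreachable" rather than an echo reply: as configured, 10.8.1.1 is not one of its own addresses. The script only reports what differs from the stated plan; confirming that this accounts for the whole symptom is for the operator.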