Dial-up route problem - PPP
-
Dial-up route problem
I have been spending the past few days configuring dial-up networking
to use as a fall back in case the cablemodem circuit fails.
No problem connecting as root to Mindspring (my ISP) with either
ppp-go or the KPPP dialer but I am not able to ping or surf anything
outside of my local LAN.
The problem seems to be that the default gateway is set to the one for
eth0 instead of ppp0 in spite of the fact that I have the line
defaultroute
in /etc/ppp/options.
My system is Slackware 10.1 using ppp-2.4.2 and kde-3.3.2.
Here is a picture of route -n and ifconfig ppp0:
lba@linda ppp # ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:4.231.26.23 P-t-P:209.244.31.133
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:51 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:5105 (4.9 Kb) TX bytes:63 (63.0 b)
lba@linda ppp # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.244.31.133  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    1      0        0 eth0
Googling has not yet brought up anything useful.
Can anyone tell me how to fix this so the default route is set
automatically?
Larry
-
Re: Dial-up route problem
Larry Alkoff wrote:
> I have been spending the past few days configuring dial-up networking
> to use as a fall back in case the cablemodem circuit fails.
> No problem connecting as root to Mindspring (my ISP) with either
> ppp-go or the KPPP dialer but I am not able to ping or surf anything
> outside of my local LAN.
> The problem seems to be that the default gateway is set to the one for
> eth0 instead of ppp0 in spite of the fact that I have the line
> defaultroute
> in /etc/ppp/options.
> My system is Slackware 10.1 using ppp-2.4.2 and kde-3.3.2.
> Here is a picture of route -n and ifconfig ppp0:
> lba@linda ppp # ifconfig ppp0
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:4.231.26.23 P-t-P:209.244.31.133
> Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:51 errors:0 dropped:0 overruns:0 frame:0
> TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:5105 (4.9 Kb) TX bytes:63 (63.0 b)
> lba@linda ppp # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 209.244.31.133  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    1      0        0 eth0
> Googling has not yet brought up anything useful.
> Can anyone tell me how to fix this so the default route is set
> automatically?
Pppd won't automatically override an existing default route with one
through the PPP interface. Add
/sbin/route add default $IFNAME
to /etc/ppp/ip-up, exactly as shown. This should override the default
route through 192.168.0.1 (eth0) for the duration of the PPP connection
and go away when the PPP link is taken down.
-- Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* Bluffing in a poker game can win big; bluffing in a newsgroup
only attracts sharks. */
-
Re: Dial-up route problem
On Wed, 25 May 2005 20:31:58 -0500, Clifford Kite wrote:
>Larry Alkoff wrote:
>> I have been spending the past few days configuring dial-up networking
>> to use as a fall back in case the cablemodem circuit fails.
>
>> No problem connecting as root to Mindspring (my ISP) with either
>> ppp-go or the KPPP dialer but I am not able to ping or surf anything
>> outside of my local LAN.
>
>> The problem seems to be that the default gateway is set to the one for
>> eth0 instead of ppp0 in spite of the fact that I have the line
>> defaultroute
>> in /etc/ppp/options.
>
>> My system is Slackware 10.1 using ppp-2.4.2 and kde-3.3.2.
>
>> Here is a picture of route -n and ifconfig ppp0:
>
>> lba@linda ppp # ifconfig ppp0
>> ppp0 Link encap:Point-to-Point Protocol
>> inet addr:4.231.26.23 P-t-P:209.244.31.133
>> Mask:255.255.255.255
>> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
>> RX packets:51 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:3
>> RX bytes:5105 (4.9 Kb) TX bytes:63 (63.0 b)
>
>
>> lba@linda ppp # route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 209.244.31.133  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
>> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
>> 0.0.0.0         192.168.0.1     0.0.0.0         UG    1      0        0 eth0
>
>
>> Googling has not yet brought up anything useful.
>> Can anyone tell me how to fix this so the default route is set
>> automatically?
>
>Pppd won't automatically override an existing default route with one
>through the PPP interface. Add
>
>/sbin/route add default $IFNAME
>
>to /etc/ppp/ip-up, exactly as shown. This should override the default
>route through 192.168.0.1 (eth0) for the duration of the PPP connection
>and go away when the PPP link is taken down.
>
>-- Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"
Thanks for your help Clifford.
In /etc/ppp/ip-up I already have the following, including your addition:
#!/bin/sh
# lba: if-up modified by if-up.local
# from http://www.jennings.homelinux.net/dial.html
#reassign default route when on dial up
/sbin/route del default
/sbin/route add default dev ppp0
echo "ip-up "`date` >>/var/log/lbappp
/sbin/route add default $IFNAME
This produces a route -n which is different only in the last line from
the above, but I still can't surf.
lba@linda lba # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.247.21.11   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
I didn't find any reference to the IFNAME variable in /etc/ppp
but see it is set to ppp0 so it must be set somewhere else.
Larry
-
Re: Dial-up route problem
Larry Alkoff writes:
>I have been spending the past few days configuring dial-up networking
>to use as a fall back in case the cablemodem circuit fails.
>No problem connecting as root to Mindspring (my ISP) with either
>ppp-go or the KPPP dialer but I am not able to ping or surf anything
>outside of my local LAN.
>The problem seems to be that the default gateway is set to the one for
>eth0 instead of ppp0 in spite of the fact that I have the line
>defaultroute
>in /etc/ppp/options.
man pppd
pppd will NOT remove an existing default route. You must remove it by hand
first (or by script).
route del default
before you run pppd.
-
Re: Dial-up route problem
Larry Alkoff wrote:
> In /etc/ppp/ip-up I already have including your addition:
> #!/bin/sh
> # lba: if-up modified by if-up.local
> # from http://www.jennings.homelinux.net/dial.html
> #reassign default route when on dial up
> /sbin/route del default
> /sbin/route add default dev ppp0
> echo "ip-up "`date` >>/var/log/lbappp
> /sbin/route add default $IFNAME
> This produces a route -n which is different only in the last line from
> the above, but I still can't surf.
Looks like you had an almost equivalent solution to provide the default
route already in place.
> lba@linda lba # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 209.247.21.11   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
> I didn't find any reference to the IFNAME variable in /etc/ppp
> but see it is set to ppp0 so it must be set somewhere else.
Pppd itself sets IFNAME to the PPP interface it will use. Buried
deep in man pppd.
Try adding
debug
noipdefault
to /etc/ppp/options.
If you can surf afterwards then just remove the debug line. If you
can't then post an exact copy of the pppd link negotiation messages
in /var/log/debug. Turn on and include the serial link connection
messages too if you can find out how. I don't use pppd frontends
(e.g., ppp-go, the kppp dialer) and so can't help there.
But first you might try pinging a web site by name and by number.
If you can't ping by name but can ping by number then the problem
may be caused by private IP addresses for the cable company's DNS
servers in /etc/resolv.conf. If the IP addresses are routable then
any ping messages and/or a description of ping's behavior when it
fails might be useful.
-- Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"
-
Re: Dial-up route problem
On 26 May 2005 05:39:58 GMT, Unruh wrote:
>Larry Alkoff writes:
>
>>I have been spending the past few days configuring dial-up networking
>>to use as a fall back in case the cablemodem circuit fails.
>
>>No problem connecting as root to Mindspring (my ISP) with either
>>ppp-go or the KPPP dialer but I am not able to ping or surf anything
>>outside of my local LAN.
>
>>The problem seems to be that the default gateway is set to the one for
>>eth0 instead of ppp0 in spite of the fact that I have the line
>>defaultroute
>>in /etc/ppp/options.
>
>man pppd
>pppd will NOT remove an existing default route. You must remove it by hand
>first (or by script).
>route del default
>before you run pppd.
>
In my /etc/ip-down I have lines to
/usr/sbin/del default route
/usr/sbin/route add default gw 192.168.0.1
but for some reason the route is never added.
There is no default route and I cannot surf the web or ping anyone
until I invoke from a command line:
/usr/sbin/route add default gw 192.168.0.1.
Am I using the wrong syntax to set the default route in ip-down?
Maybe ip-down is the wrong place to have this?
Similarly in /etc/ip-up I can use ppp0 automatically with the lines:
# lba: if-up modified by if-up.local
# idea from http://www.jennings.homelinux.net/dial.html
#reassign default route when on dial up
/sbin/route del default
/sbin/route add default dev ppp0
# /sbin/route add default $IFNAME #equivalent to above
echo "ip-up: "`date` >>/var/log/lbappp
Both ip-up and ip-down show up in the /var/log/lbappp log I'm using
until it all works.
Larry
-
Re: Dial-up route problem
Clifford Kite writes:
>Larry Alkoff wrote:
>> In /etc/ppp/ip-up I already have including your addition:
>> #!/bin/sh
>> # lba: if-up modified by if-up.local
>> # from http://www.jennings.homelinux.net/dial.html
>> #reassign default route when on dial up
>> /sbin/route del default
>> /sbin/route add default dev ppp0
>> echo "ip-up "`date` >>/var/log/lbappp
>> /sbin/route add default $IFNAME
>> This produces a route -n which is different only in the last line from
>> the above, but I still can't surf.
That does not mean anything.
For hints on debugging a ppp connection see
www.theory.physics.ubc.ca/ppp-linux.html
Now, first try
ping 142.103.234.11
If that gives you a response, then your problem is your dns server
(/etc/resolv.conf). If it does not, then you still have routing problems,
and that says that the host you are dialing in to is not willing to forward your
packets (or you may have a system which rejects pings; if so, try
telnet 142.103.234.11 80
If you get connection refused, your routing is fine. If it gives no response
after 5 sec, you still have routing problems). Discuss it with your ISP.
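The checks Clifford and Unruh describe above (ping by number, then a TCP connect to port 80, then by name, and a look at /etc/resolv.conf for private nameservers) as one small script. This is an added example for this thread, not something either poster wrote: the probe address is the one Unruh gives, the probe hostname, the ping/nc options, the 5-second "refused versus silent" rule and the RESOLV variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a post-dial check that follows the order
# suggested in the posts (reach a host by number, then by TCP, then by name),
# then looks at resolv.conf for nameservers on private addresses. The probe
# host is the one named in the post; the tool options and the 5-second
# timeout are assumptions.
PROBE_IP=${PROBE_IP:-142.103.234.11}
PROBE_NAME=${PROBE_NAME:-www.theory.physics.ubc.ca}
RESOLV=${RESOLV:-/etc/resolv.conf}

# True for RFC 1918 addresses: a cable ISP's private DNS servers are not
# reachable once the default route points out the dial-up link.
is_private_ip() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print the private nameservers found in resolv.conf-format input on stdin.
private_nameservers() {
    awk '$1 == "nameserver" { print $2 }' | while read -r ns; do
        if is_private_ip "$ns"; then echo "$ns"; fi
    done
}

# Classify the link from three probe results (0 = success, non-zero = failure):
# ICMP to the probe IP, TCP port 80 to the probe IP, and ICMP to a hostname.
diagnose() {
    ping_ip=$1; tcp80=$2; ping_name=$3
    if [ "$ping_ip" -ne 0 ] && [ "$tcp80" -ne 0 ]; then
        echo "routing"       # nothing reaches the probe host by number
    elif [ "$ping_name" -ne 0 ]; then
        echo "dns"           # numbers work, names do not
    else
        echo "ok"
    fi
}

# TCP probe: an open port, or a fast "connection refused", both mean the
# packets got there; only a silent 5-second timeout counts as unreachable.
tcp_probe() {
    start=$(date +%s)
    if nc -z -w 5 "$1" 80 >/dev/null 2>&1; then return 0; fi
    [ $(( $(date +%s) - start )) -lt 5 ]
}

# Live probes run only when invoked as "script run", so the functions above
# can be sourced and checked without a network.
if [ "${1:-}" = run ]; then
    ping -c 1 -W 5 "$PROBE_IP" >/dev/null 2>&1; r_ip=$?
    tcp_probe "$PROBE_IP"; r_tcp=$?
    ping -c 1 -W 5 "$PROBE_NAME" >/dev/null 2>&1; r_name=$?
    echo "verdict: $(diagnose "$r_ip" "$r_tcp" "$r_name")"
    bad=$(private_nameservers < "$RESOLV")
    if [ -n "$bad" ]; then echo "private nameservers in $RESOLV: $bad"; fi
fi
```

Run it as `sh ppp-check.sh run` once the link is up; "routing" means the default route or the peer is the problem, "dns" means the link works and only name resolution is broken.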
-
Re: Dial-up route problem
Larry Alkoff writes:
>On 26 May 2005 05:39:58 GMT, Unruh wrote:
>>Larry Alkoff writes:
>>
>>>I have been spending the past few days configuring dial-up networking
>>>to use as a fall back in case the cablemodem circuit fails.
>>
>>>No problem connecting as root to Mindspring (my ISP) with either
>>>ppp-go or the KPPP dialer but I am not able to ping or surf anything
>>>outside of my local LAN.
>>
>>>The problem seems to be that the default gateway is set to the one for
>>>eth0 instead of ppp0 in spite of the fact that I have the line
>>>defaultroute
>>>in /etc/ppp/options.
>>
>>man pppd
>>pppd will NOT remove an existing default route. You must remove it by hand
>>first (or by script).
>>route del default
>>before you run pppd.
>>
>In my /etc/ip-down I have lines to
Why ip-down?
>/usr/sbin/del default route
What does this line mean?
The command I said was
route del default
NOT
del default route.
Commands are not permutation invariant.
>/usr/sbin/route add default gw 192.168.0.1
No, just
route add default ppp0
Do not give the gateway. The machine at the other end of the link MUST be
the gateway. If not, then getting to the net is impossible.
>but for some reason the route is never added.
>There is no default route and I cannot surf the web or ping anyone
>until I invoke from a command line:
>/usr/sbin/route add default gw 192.168.0.1.
>Am I using the wrong syntax to set the default route in ip-down?
>Maybe ip-down is the wrong place to have this?
Yes. ip-down is run only after pppd dies and disconnects from the remote end.
That is too late to try to have pppd be your default route.
>Similarly in /etc/ip-up I can use ppp0 automatically with the lines:
># lba: if-up modified by if-up.local
># idea from http://www.jennings.homelinux.net/dial.html
>#reassign default route when on dial up
>/sbin/route del default
>/sbin/route add default dev ppp0
That is much much better.
># /sbin/route add default $IFNAME #equivalent to above
>echo "ip-up: "`date` >>/var/log/lbappp
>Both ip-up and ip-down show up in the /var/log/lbappp log I'm using
>until it all works.
-
Re: Dial-up route problem
On 27 May 2005 01:38:55 GMT, Unruh wrote:
>Larry Alkoff writes:
>
>>On 26 May 2005 05:39:58 GMT, Unruh wrote:
>
>>>Larry Alkoff writes:
>>>
>>>>I have been spending the past few days configuring dial-up networking
>>>>to use as a fall back in case the cablemodem circuit fails.
>>>
>>>>No problem connecting as root to Mindspring (my ISP) with either
>>>>ppp-go or the KPPP dialer but I am not able to ping or surf anything
>>>>outside of my local LAN.
>>>
>>>>The problem seems to be that the default gateway is set to the one for
>>>>eth0 instead of ppp0 in spite of the fact that I have the line
>>>>defaultroute
>>>>in /etc/ppp/options.
>>>
>>>man pppd
>>>pppd will NOT remove an existing default route. You must remove it by hand
>>>first (or by script).
>>>route del default
>>>before you run pppd.
>>>
>
>>In my /etc/ip-down I have lines to
>
>Why ip-down?
The reason for using ip-down is to change the routing from what is
used for ppp0 back to normal eth0.
>
>>/usr/sbin/del default route
>
>What does this line mean?
>The command I said was
>route del default
>NOT
>del default route.
>commands are not permutation invariant.
Apparently my fingers _are_ permutation invariant.
The command in ip-down was actually what you specified and I just
mistyped it in the post.
>>/usr/sbin/route add default gw 192.168.0.1
>
>No, just
>route add default ppp0
>Do not give the gateway. The machine at the other end of the link MUST be
>the gateway. If not, then getting to the net is impossible.
Thank you for pointing me to the error.
The command was correct except for the path which uses simply /sbin
not /usr/sbin. Changed the path and now the route switches
automatically back to the eth0 route when dial-up ends.
>
>>but for some reason the route is never added.
>>There is no default route and I cannot surf the web or ping anyone
>>until I invoke from a command line:
>>/usr/sbin/route add default gw 192.168.0.1.
>
>>Am I using the wrong syntax to set the default route in ip-down?
>>Maybe ip-down is the wrong place to have this?
>
>Yes. ip-down is run only after pppd dies and disconnects from the remote end.
>That is too late to try to have pppd be your default route.
Got it. I'm only using ip-down to switch back to eth0.
All the setup for ppp is done in ip-up.
>
>>Similarly in /etc/ip-up I can use ppp0 automatically with the lines:
>
>># lba: if-up modified by if-up.local
>># idea from http://www.jennings.homelinux.net/dial.html
>>#reassign default route when on dial up
>>/sbin/route del default
>>/sbin/route add default dev ppp0
>
>That is much much better.
>
>># /sbin/route add default $IFNAME #equivalent to above
>>echo "ip-up: "`date` >>/var/log/lbappp
>
>>Both ip-up and ip-down show up in the /var/log/lbappp log I'm using
>>until it all works.
>
Thanks very much for your help Unruh.
Switching from eth0 to dialup (ppp0) and back to eth0 now goes
smoothly with the route set properly.
Larry
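The arrangement the thread converges on (Clifford: add the ppp default in ip-up; Unruh: delete the old default first, give no gateway, and use ip-down only to go back; Larry: restore the eth0 gateway in ip-down) as one script installed as both hooks. This is an added example for the thread, not Larry's actual ip-up/ip-down and not part of the ppp package: the state file path, the PPP_ROUTE_STATE and ROUTE variables and the use of logger are assumptions; the argument list and the IFNAME variable are what pppd provides.

```shell
#!/bin/sh
# Added example, not the thread's own scripts: one file installed as both
# /etc/ppp/ip-up and /etc/ppp/ip-down (symlink one to the other) that moves
# the default route onto the PPP link while it is up and puts the original
# gateway back when the link goes down. pppd invokes these as
#   ip-up <ifname> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# and also exports IFNAME. The state file path is an assumption.
ROUTE=${ROUTE:-/sbin/route}
STATE=${PPP_ROUTE_STATE:-/var/run/ppp-saved-default}

# Read `route -n` output from stdin and print "<gateway> <iface>" of the
# default route (destination and genmask both 0.0.0.0); nothing if none.
default_route() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2, $NF; exit }'
}

# Commands for ip-up: drop the existing default (pppd will not do that by
# itself) and add one through the PPP interface. No gateway address is
# given: the peer at the other end of the link is the gateway.
route_up_cmds() {
    ppp_if=$1; old=$2
    if [ -n "$old" ]; then echo "$ROUTE del default"; fi
    echo "$ROUTE add default dev $ppp_if"
}

# Commands for ip-down: remove the PPP default and restore what was saved.
# A saved gateway of 0.0.0.0 means the old default was a plain device route.
route_down_cmds() {
    ppp_if=$1; old_gw=$2; old_if=$3
    echo "$ROUTE del default dev $ppp_if"
    if [ -n "$old_gw" ] && [ "$old_gw" != "0.0.0.0" ]; then
        echo "$ROUTE add default gw $old_gw dev $old_if"
    elif [ -n "$old_if" ]; then
        echo "$ROUTE add default dev $old_if"
    fi
}

# Run each generated command line (word splitting of $cmd is deliberate).
run_cmds() {
    while read -r cmd; do
        $cmd || logger -t ppp-route "failed: $cmd"
    done
}

ppp_up() {
    old=$($ROUTE -n | default_route)
    printf '%s\n' "$old" > "$STATE"
    route_up_cmds "$1" "$old" | run_cmds
}

ppp_down() {
    old_gw=; old_if=
    if [ -r "$STATE" ]; then read -r old_gw old_if < "$STATE"; fi
    route_down_cmds "$1" "$old_gw" "$old_if" | run_cmds
    rm -f "$STATE"
}

# Dispatch on the name pppd called us by; anything else only defines functions.
case $(basename "$0") in
    ip-up)   ppp_up   "${IFNAME:-$1}" ;;
    ip-down) ppp_down "${IFNAME:-$1}" ;;
esac
```

Saving the old default rather than hard-coding 192.168.0.1 keeps ip-down correct if the LAN gateway changes; set ROUTE=echo to see what either hook would run without touching the table.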
-
Re: Dial-up route problem
On 27 May 2005 01:34:14 GMT, Unruh wrote:
>Clifford Kite writes:
>
>>Larry Alkoff wrote:
>>> In /etc/ppp/ip-up I already have including your addition:
>
>>> #!/bin/sh
>>> # lba: if-up modified by if-up.local
>>> # from http://www.jennings.homelinux.net/dial.html
>>> #reassign default route when on dial up
>>> /sbin/route del default
>>> /sbin/route add default dev ppp0
>>> echo "ip-up "`date` >>/var/log/lbappp
>>> /sbin/route add default $IFNAME
>
>>> This produces a route -n which is different only in the last line from
>>> the above, but I still can't surf.
>
>That does not mean anything.
>For hints on debugging a ppp connection see
>www.theory.physics.ubc.ca/ppp-linux.html
>
>Now, first try
>ping 142.103.234.11
>If that gives you a response, then your problem is your dns server
>(/etc/resolv.conf). If it does not, then you still have routing problems,
>and says that the host you are dialing in to is not willing to forward your
>packets. (or you may have a system which rejects pings. If so try
>telnet 142.103.234.11 80
>If you get connection refused, your routing is fine. If it gives no response
>after 5 sec, you still have routing problems. Discuss it with your ISP.
>
>
Thanks very much for your hints on debugging and the url you wrote
which I bookmarked.
Wish I had that a week ago - it's taken me nearly that long to debug
kppp and ppp!
I didn't find it in google until I used the search phrase 'hook up
ppp' and then it came up first.
Larry
-
Re: Dial-up route problem
Larry Alkoff wrote:
> I have been spending the past few days configuring dial-up networking
> to use as a fall back in case the cablemodem circuit fails.
>
> No problem connecting as root to Mindspring (my ISP) with either
> ppp-go or the KPPP dialer but I am not able to ping or surf anything
> outside of my local LAN.
>
> The problem seems to be that the default gateway is set to the one for
> eth0 instead of ppp0 in spite of the fact that I have the line
> defaultroute
> in /etc/ppp/options.
> ...
I get the desired results using these options:
defaultroute
replacedefaultroute
in /etc/ppp/options (see man pppd).
-
Re: Dial-up route problem
Bryan Batten writes:
>I get the desired results using these options:
>defaultroute
>replacedefaultroute
This is not a part of standard pppd. I believe that SUSE has a habit of
rewriting pppd which sometimes causes problems rather than solving them
>in /etc/ppp/options (see man pppd).
-
Re: Dial-up route problem
Unruh wrote:
> Bryan Batten writes:
>
>
>
>> I get the desired results using these options:
>
>
>> defaultroute replacedefaultroute
>
>
> This is not a part of standard pppd. I believe that SUSE has a
> habit of rewriting pppd which sometimes causes problems rather than
> solving them
>
>
>
>> in /etc/ppp/options (see man pppd).
Hmm. I'm using ppp 2.4.3-20050321+2, part of Debian Sarge. "man pppd"
describes the 'replacedefaultroute' option:
replacedefaultroute
    This option is a flag to the defaultroute option. If defaultroute
    is set and this flag is also set, pppd replaces an existing
    default route with the new default route.
I guess it makes portability goals a little difficult if different
distributions have too many different ideas of what the capabilities
of well-known packages should be.
-
Re: Dial-up route problem
In article <429a4539$0$18648$14726298@news.sunsite.dk>, Bryan Batten wrote:
[Recapping to get perspective]
>>Larry Alkoff wrote:
>>> The problem seems to be that the default gateway is set to the one for
>>> eth0 instead of ppp0 in spite of the fact that I have the line
>>> defaultroute
>>> in /etc/ppp/options.
>Bryan Batten writes:
>>I get the desired results using these options:
>>
>>defaultroute
>>replacedefaultroute
>Unruh wrote:
>> This is not a part of standard pppd. I believe that SUSE has a
>> habit of rewriting pppd which sometimes causes problems rather than
>> solving them
Yeah, Debian seems to have joined the few that aren't concerned with
security. If you recall, I called John Hasler about this in the first
week of this month in comp.os.linux.networking. He never replied. The
thread was titled "A question about default routes"
Bryan Batten writes:
>Hmm. I'm using ppp 2.4.3-20050321+2, part of Debian Sarge. "man pppd"
>describes the 'replacedefaultroute' option:
Yeah, this circumvents security, which is why the 'no replace default'
behavior has been part of pppd for at least ten years. I'm surprised that
the Debian maintainer decided the security hole was necessary, rather
than fixing the original problem, which is a brain-dead installation program.
But then, I was bitching about that problem to Donnie Barnes and Marc Ewing
back in RH 3.0.3 in 1996.
In the original poster's situation, a more appropriate solution is to
"manually" replace the route in /etc/ppp/ip-up (and restore it in
/etc/ppp/ip-down).
Remember, if you have an existing default route to the world, and you use
pppd to replace that route, you are probably circumventing the firewall
that had been protecting the LAN. If we caught one of our users pulling
that stunt, we're not allowed to put their head on a pike at the front
entry way as a warning to others, but the retribution is almost as painful.
Old guy
-
Re: Dial-up route problem
Bryan Batten writes:
>Unruh wrote:
>> Bryan Batten writes:
>>
>>
>>
>>> I get the desired results using these options:
>>
>>
>>> defaultroute replacedefaultroute
>>
>>
>> This is not a part of standard pppd. I believe that SUSE has a
>> habit of rewriting pppd which sometimes causes problems rather than
>> solving them
>>
>>
>>
>>> in /etc/ppp/options (see man pppd).
>Hmm. I'm using ppp 2.4.3-20050321+2, part of Debian Sarge. "man pppd"
>describes the 'replacedefaultroute' option:
>replacedefaultroute
>    This option is a flag to the defaultroute option. If defaultroute
>    is set and this flag is also set, pppd replaces an existing
>    default route with the new default route.
>I guess it makes portability goals a little difficult if different
>distributions have too many different ideas of what the capabilities
>of well-known packages should be.
pppd 2.4.3 was released Nov 14 2004. (ftp.samba.org)
Looks like Debian has decided to change it. Dumb.
Changing pppd is a good way of breaking it. Redhat did that a few years
ago-- took a year to fix their stupidity.
Some hotshot who does not understand ppp decides to "improve" it.
-
Re: Dial-up route problem
Moe Trin wrote:
> ...
> Remember, if you have an existing default route to the world, and
> you use pppd to replace that route, you are probably circumventing
> the firewall that had been protecting the LAN. If we caught one of
> our users pulling that stunt, we're not allowed to put their head
> on a pike at the front entry way as a warning to others, but the
> retribution is almost as painful.
>
> Old guy
>
Obvious enough, once stated. It escapes me, though, how changing the
default route using /sbin/route in an ip-up script either helps or
hinders the security situation vs. using 'replacedefaultroute' as a
pppd option.
In my own case, I've added small scripts in /etc/ppp/ip-up.d and
/etc/ppp/ip-down.d to modify iptables firewall rules to track IP
address changes as the link is connected and disconnected.
-
Re: Dial-up route problem
In article <429e1ba8$0$18644$14726298@news.sunsite.dk>, Bryan Batten wrote:
>Obvious enough, once stated. It escapes me, though, how changing the
>default route using /sbin/route in an ip-up script either helps or
>hinders the security situation vs. using 'replacedefaultroute' as a
>pppd option.
Gotta lay some ground rules - are you 'root' on the system? If so, you
can do what you want. If not, then root can set up pppd to allow you
to use it, but can add some privileged keywords like 'nodefaultroute'
and set file permissions in /etc/ppp/* so that the user can't make
a major security hole.
Some of this is 'security through obscurity', and we all know that's
not something to build a house on. Briefly, if you have a pre-existing
default route, the stock pppd is going to make you jump through hoops
to even get the connection to run. If you _know_ what you are doing,
this isn't that hard (two options, and use of ip-{up|down} scripts).
The stock kernel is also going to help, because you can't have two
functioning default routes, and the kernel will use the last one
configured. Hence, the normal advice is to delete the original
default route. However, assume you have a modem on the computer that
is attached to the company LAN. If you then dial out to the Internet
and delete (or otherwise disable) the pre-existing default, you still
have full access to the company LAN, and the only thing protecting the
LAN from some bad guy outside is /proc/sys/net/ipv4/ip_forward. That
also assumes that your system doesn't somehow get r00ted, and the bad
guy is now running applications on your computer.
>In my own case, I've added small scripts in /etc/ppp/ip-up.d and
>/etc/ppp/ip-down.d to modify iptables firewall rules to track IP
>address changes as the link is connected and disconnected.
That's also a Debian thing (the pppd knows about ip-up and ip-down,
and I'm guessing Debian uses those scripts to run stuff out of the
ip-up.d and ip-down.d directory), but that is quite normal. The
ip-{up|down} files that come with Red Hat (and some clones) look for
an ip-{up|down}.local - the premise being that the package manager
won't mess with the *.local files (so put your stuff there), while it
_would_ replace the included ip-{up|down} files during updates. When I
was using multiple ISPs, I used ip-{up|down} to run a script that
looked at the remote IP address to select an appropriate resolv.conf
file (I don't use 'usepeerdns' because I'm paid to be paranoid). I
also used it to modify the firewall rules and reset a fingerprinting
application that I normally run.
Old guy
-
Re: Dial-up route problem
Bryan Batten writes:
>Moe Trin wrote:
>> ...
>> Remember, if you have an existing default route to the world, and
>> you use pppd to replace that route, you are probably circumventing
>> the firewall that had been protecting the LAN. If we caught one of
>> our users pulling that stunt, we're not allowed to put their head
>> on a pike at the front entry way as a warning to others, but the
>> retribution is almost as painful.
>>
>> Old guy
>>
>Obvious enough, once stated. It escapes me, though, how changing the
>default route using /sbin/route in an ip-up script either helps or
>hinders the security situation vs. using 'replacedefaultroute' as a
>pppd option.
a) Having a third party alter the source code with a "root only" option
could well be a security hazard in itself. It has been shown in the past
that such alterations are often done by people who do not understand the
program.
b) That addition must be done by root, and the admin with root privileges
one hopes will also be someone who has thought of the implications (well, I
know).
>In my own case, I've added small scripts in /etc/ppp/ip-up.d and
>/etc/ppp/ip-down.d to modify iptables firewall rules to track IP
>address changes as the link is connected and disconnected.
That is exactly what should be done. And those scripts are the place to do
them. Would you have thought of it when you just put in the option
replacedefaultroute?
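What Bryan describes (ip-up.d/ip-down.d scripts that adjust iptables rules as the link comes and goes), Moe Trin's point that a dial-up default route plus the LAN interface and ip_forward can turn the box into a path around the LAN's firewall, and Unruh's "those scripts are the place to do them", as one concrete hook. This is an added example for the thread, not Bryan's scripts and not anything shipped by Debian or ppp: the file names, the LAN_IF/IPTABLES/IP_FORWARD variables, the rule set and the assumption that the scripts receive the same arguments and IFNAME environment pppd gives ip-up are all mine.

```shell
#!/bin/sh
# Added example, not Bryan's scripts or Debian's: one file installed as
# /etc/ppp/ip-up.d/50-ppp-fw-up and /etc/ppp/ip-down.d/50-ppp-fw-down (names
# assumed) that adds interface-specific iptables rules while the PPP link is
# up and deletes exactly the same rules when it goes down. Assumes the hook
# is given the interface as $1 and/or IFNAME, as pppd gives ip-up.
IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth0}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# Rule specifications without the -I/-D verb so one list serves both
# directions. Inbound on the dial-up link: only replies to our own traffic.
# Forwarding between the dial-up link and the LAN is refused both ways, so
# the link cannot become a path around the LAN's own firewall.
ppp_rules() {
    ppp_if=$1; lan_if=$2
    cat <<EOF
INPUT -i $ppp_if -m state --state ESTABLISHED,RELATED -j ACCEPT
INPUT -i $ppp_if -j DROP
FORWARD -i $ppp_if -o $lan_if -j DROP
FORWARD -i $lan_if -o $ppp_if -j DROP
EOF
}

# Print the iptables commands for "up" (insert at the head of each chain, in
# reverse order so the chain ends up in the order listed above) or "down"
# (delete the same rules).
fw_cmds() {
    verb=$1; ppp_if=$2; lan_if=$3
    case $verb in
        up)   ppp_rules "$ppp_if" "$lan_if" \
                | awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }' \
                | sed "s|^|$IPTABLES -I |" ;;
        down) ppp_rules "$ppp_if" "$lan_if" | sed "s|^|$IPTABLES -D |" ;;
        *)    echo "usage: fw_cmds up|down <ppp-if> <lan-if>" >&2; return 2 ;;
    esac
}

# 0 when the kernel is not forwarding between interfaces. The path is a
# parameter so the check can be exercised on a copy of the file.
forwarding_disabled() {
    [ "$(cat "$1" 2>/dev/null)" = "0" ]
}

# Apply the generated commands (word splitting of $cmd is deliberate).
apply_cmds() {
    while read -r cmd; do
        $cmd || logger -t ppp-fw "failed: $cmd"
    done
}

# Only act when called by pppd (with an interface argument) under one of the
# two installed names; otherwise just define the functions above.
if [ $# -ge 1 ]; then
    case $(basename "$0") in
        *-up)   fw_cmds up "${IFNAME:-$1}" "$LAN_IF" | apply_cmds
                forwarding_disabled "$IP_FORWARD" \
                    || logger -t ppp-fw "ip_forward is enabled while ${IFNAME:-$1} is up" ;;
        *-down) fw_cmds down "${IFNAME:-$1}" "$LAN_IF" | apply_cmds ;;
    esac
fi
```

Generating the rule list once and applying it with -I on the way up and -D on the way down is what keeps the two hooks symmetric; the ip_forward check only logs, because whether forwarding belongs on at all is a decision for whoever runs the LAN, not for the dialer.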