Dial-up route problem - PPP


Thread: Dial-up route problem

  1. Dial-up route problem

    I have been spending the past few days configuring dial-up networking
    to use as a fall back in case the cablemodem circuit fails.

    No problem connecting as root to Mindspring (my ISP) with either
    ppp-go or the KPPP dialer but I am not able to ping or surf anything
    outside of my local LAN.

    The problem seems to be that the default gateway is set to the one for
    eth0 instead of ppp0 in spite of the fact that I have the line
    defaultroute
    in /etc/ppp/options.

    My system is Slackware 10.1 using ppp-2.4.2 and kde-3.3.2.

    Here is a picture of route -n and ifconfig ppp0:

    lba@linda ppp # ifconfig ppp0
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:4.231.26.23  P-t-P:209.244.31.133  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:51 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:5105 (4.9 Kb)  TX bytes:63 (63.0 b)


    lba@linda ppp # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    209.244.31.133  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.0.1     0.0.0.0         UG    1      0        0 eth0


    Googling has not yet brought up anything useful.
    Can anyone tell me how to fix this so the default route is set
    automatically?

    Larry


  2. Re: Dial-up route problem

    Larry Alkoff wrote:
    > I have been spending the past few days configuring dial-up networking
    > to use as a fall back in case the cablemodem circuit fails.


    > No problem connecting as root to Mindspring (my ISP) with either
    > ppp-go or the KPPP dialer but I am not able to ping or surf anything
    > outside of my local LAN.


    > The problem seems to be that the default gateway is set to the one for
    > eth0 instead of ppp0 in spite of the fact that I have the line
    > defaultroute
    > in /etc/ppp/options.


    > My system is Slackware 10.1 using ppp-2.4.2 and kde-3.3.2.


    > Here is a picture of route -n and ifconfig ppp0:


    > lba@linda ppp # ifconfig ppp0
    > ppp0      Link encap:Point-to-Point Protocol
    >           inet addr:4.231.26.23  P-t-P:209.244.31.133  Mask:255.255.255.255
    >           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
    >           RX packets:51 errors:0 dropped:0 overruns:0 frame:0
    >           TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    >           collisions:0 txqueuelen:3
    >           RX bytes:5105 (4.9 Kb)  TX bytes:63 (63.0 b)


    > lba@linda ppp # route -n
    > Kernel IP routing table
    > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    > 209.244.31.133  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    > 0.0.0.0         192.168.0.1     0.0.0.0         UG    1      0        0 eth0



    > Googling has not yet brought up anything useful.
    > Can anyone tell me how to fix this so the default route is set
    > automatically?


    Pppd won't automatically override an existing default route with one
    through the PPP interface. Add

    /sbin/route add default $IFNAME

    to /etc/ppp/ip-up, exactly as shown. This should override the default
    route through 192.168.0.1 (eth0) for the duration of the PPP connection
    and go away when the PPP link is taken down.

    -- Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"
    PPP-Q&A links, downloads: http://ckite.no-ip.net/
    /* Bluffing in a poker game can win big; bluffing in a newsgroup
    only attracts sharks. */

  3. Re: Dial-up route problem

    On Wed, 25 May 2005 20:31:58 -0500, Clifford Kite wrote:

    >Larry Alkoff wrote:
    >> I have been spending the past few days configuring dial-up networking
    >> to use as a fall back in case the cablemodem circuit fails.

    >
    >> No problem connecting as root to Mindspring (my ISP) with either
    >> ppp-go or the KPPP dialer but I am not able to ping or surf anything
    >> outside of my local LAN.

    >
    >> The problem seems to be that the default gateway is set to the one for
    >> eth0 instead of ppp0 in spite of the fact that I have the line
    >> defaultroute
    >> in /etc/ppp/options.

    >
    >> My system is Slackware 10.1 using ppp-2.4.2 and kde-3.3.2.

    >
    >> Here is a picture of route -n and ifconfig ppp0:

    >
    >> lba@linda ppp # ifconfig ppp0
    >> ppp0      Link encap:Point-to-Point Protocol
    >>           inet addr:4.231.26.23  P-t-P:209.244.31.133  Mask:255.255.255.255
    >>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
    >>           RX packets:51 errors:0 dropped:0 overruns:0 frame:0
    >>           TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    >>           collisions:0 txqueuelen:3
    >>           RX bytes:5105 (4.9 Kb)  TX bytes:63 (63.0 b)

    >
    >
    >> lba@linda ppp # route -n
    >> Kernel IP routing table
    >> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    >> 209.244.31.133  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    >> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    >> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    >> 0.0.0.0         192.168.0.1     0.0.0.0         UG    1      0        0 eth0

    >
    >
    >> Googling has not yet brought up anything useful.
    >> Can anyone tell me how to fix this so the default route is set
    >> automatically?

    >
    >Pppd won't automatically override an existing default route with one
    >through the PPP interface. Add
    >
    >/sbin/route add default $IFNAME
    >
    >to /etc/ppp/ip-up, exactly as shown. This should override the default
    >route through 192.168.0.1 (eth0) for the duration of the PPP connection
    >and go away when the PPP link is taken down.
    >
    >-- Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"


    Thanks for your help Clifford.

    In /etc/ppp/ip-up I already have including your addition:

    #!/bin/sh
    # lba: if-up modified by if-up.local
    # from http://www.jennings.homelinux.net/dial.html
    #reassign default route when on dial up
    /sbin/route del default
    /sbin/route add default dev ppp0
    echo "ip-up "`date` >>/var/log/lbappp
    /sbin/route add default $IFNAME

    This produces a route -n which is different only in the last line from
    the above, but I still can't surf.

    lba@linda lba # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    209.247.21.11   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0


    I didn't find any reference to the IFNAME variable in /etc/ppp
    but see it is set to ppp0 so it must be set somewhere else.

    Larry


  4. Re: Dial-up route problem

    Larry Alkoff writes:

    >I have been spending the past few days configuring dial-up networking
    >to use as a fall back in case the cablemodem circuit fails.


    >No problem connecting as root to Mindspring (my ISP) with either
    >ppp-go or the KPPP dialer but I am not able to ping or surf anything
    >outside of my local LAN.


    >The problem seems to be that the default gateway is set to the one for
    >eth0 instead of ppp0 in spite of the fact that I have the line
    >defaultroute
    >in /etc/ppp/options.


    man pppd
    pppd will NOT remove an existing default route. You must remove it by hand
    first (or by script).
    route del default
    before you run pppd.




  5. Re: Dial-up route problem

    Larry Alkoff wrote:
    > In /etc/ppp/ip-up I already have including your addition:


    > #!/bin/sh
    > # lba: if-up modified by if-up.local
    > # from http://www.jennings.homelinux.net/dial.html
    > #reassign default route when on dial up
    > /sbin/route del default
    > /sbin/route add default dev ppp0
    > echo "ip-up "`date` >>/var/log/lbappp
    > /sbin/route add default $IFNAME


    > This produces a route -n which is different only in the last line from
    > the above, but I still can't surf.


    Looks like you had an almost equivalent solution to provide the default
    route already in place.

    > lba@linda lba # route -n
    > Kernel IP routing table
    > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    > 209.247.21.11   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    > 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    > 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0



    > I didn't find any reference to the IFNAME variable in /etc/ppp
    > but see it is set to ppp0 so it must be set somewhere else.


    Pppd itself sets IFNAME to the PPP interface it will use. Buried
    deep in man pppd.

    Try adding

    debug
    noipdefault

    to /etc/ppp/options.

    If you can surf afterwards then just remove the debug line. If you
    can't then post an exact copy of the pppd link negotiation messages
    in /var/log/debug. Turn on and include the serial link connection
    messages too if you can find out how. I don't use pppd frontends
    (e.g., ppp-go, the kppp dialer) and so can't help there.

    But first you might try pinging a web site by name and by number.
    If you can't ping by name but can ping by number then the problem
    may be caused by private IP addresses for the cable company's DNS
    servers in /etc/resolv.conf. If the IP addresses are routable then
    any ping messages and/or a description of ping's behavior when it
    fails might be useful.

    -- Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"
    PPP-Q&A links, downloads: http://ckite.no-ip.net/
    /* Bluffing in a poker game can win big; bluffing in a newsgroup
    only attracts sharks. */

  6. Re: Dial-up route problem

    On 26 May 2005 05:39:58 GMT, Unruh wrote:

    >Larry Alkoff writes:
    >
    >>I have been spending the past few days configuring dial-up networking
    >>to use as a fall back in case the cablemodem circuit fails.

    >
    >>No problem connecting as root to Mindspring (my ISP) with either
    >>ppp-go or the KPPP dialer but I am not able to ping or surf anything
    >>outside of my local LAN.

    >
    >>The problem seems to be that the default gateway is set to the one for
    >>eth0 instead of ppp0 in spite of the fact that I have the line
    >>defaultroute
    >>in /etc/ppp/options.

    >
    >man pppd
    >pppd will NOT remove an existing default route. You must remove it by hand
    >first (or by script).
    >route del default
    >before you run pppd.
    >


    In my /etc/ip-down I have lines to
    /usr/sbin/del default route
    /usr/sbin/route add default gw 192.168.0.1

    but for some reason the route is never added.
    There is no default route and I cannot surf the web or ping anyone
    until I invoke from a command line:
    /usr/sbin/route add default gw 192.168.0.1.

    Am I using the wrong syntax to set the default route in ip-down?
    Maybe ip-down is the wrong place to have this?

    Similarly in /etc/ip-up I can use ppp0 automatically with the lines:

    # lba: if-up modified by if-up.local
    # idea from http://www.jennings.homelinux.net/dial.html
    #reassign default route when on dial up
    /sbin/route del default
    /sbin/route add default dev ppp0
    # /sbin/route add default $IFNAME #equivalent to above
    echo "ip-up: "`date` >>/var/log/lbappp

    Both ip-up and ip-down show up in the /var/log/lbappp log I'm using
    until it all works.

    Larry


  7. Re: Dial-up route problem

    Clifford Kite writes:

    >Larry Alkoff wrote:
    >> In /etc/ppp/ip-up I already have including your addition:


    >> #!/bin/sh
    >> # lba: if-up modified by if-up.local
    >> # from http://www.jennings.homelinux.net/dial.html
    >> #reassign default route when on dial up
    >> /sbin/route del default
    >> /sbin/route add default dev ppp0
    >> echo "ip-up "`date` >>/var/log/lbappp
    >> /sbin/route add default $IFNAME


    >> This produces a route -n which is different only in the last line from
    >> the above, but I still can't surf.


    That does not mean anything.
    For hints on debugging a ppp connection see
    www.theory.physics.ubc.ca/ppp-linux.html

    Now, first try
    ping 142.103.234.11
    If that gives you a response, then your problem is your dns server
    (/etc/resolv.conf). If it does not, then you still have routing problems,
    and that says that the host you are dialing in to is not willing to forward your
    packets (or you may have a system which rejects pings). If so try
    telnet 142.103.234.11 80
    If you get connection refused, your routing is fine. If it gives no response
    after 5 sec, you still have routing problems. Discuss it with your ISP.




  8. Re: Dial-up route problem

    Larry Alkoff writes:

    >On 26 May 2005 05:39:58 GMT, Unruh wrote:


    >>Larry Alkoff writes:
    >>
    >>>I have been spending the past few days configuring dial-up networking
    >>>to use as a fall back in case the cablemodem circuit fails.

    >>
    >>>No problem connecting as root to Mindspring (my ISP) with either
    >>>ppp-go or the KPPP dialer but I am not able to ping or surf anything
    >>>outside of my local LAN.

    >>
    >>>The problem seems to be that the default gateway is set to the one for
    >>>eth0 instead of ppp0 in spite of the fact that I have the line
    >>>defaultroute
    >>>in /etc/ppp/options.

    >>
    >>man pppd
    >>pppd will NOT remove an existing default route. You must remove it by hand
    >>first (or by script).
    >>route del default
    >>before you run pppd.
    >>


    >In my /etc/ip-down I have lines to


    Why ip-down?


    >/usr/sbin/del default route


    What does this line mean?
    The command I said was
    route del default
    NOT
    del default route.
    commands are not permutation invariant.

    >/usr/sbin/route add default gw 192.168.0.1


    No, just
    route add default ppp0
    Do not give the gateway. The machine at the other end of the link MUST be
    the gateway. If not, then getting to the net is impossible.


    >but for some reason the route is never added.
    >There is no default route and I cannot surf the web or ping anyone
    >until I invoke from a command line:
    >/usr/sbin/route add default gw 192.168.0.1.


    >Am I using the wrong syntax to set the default route in ip-down?
    >Maybe ip-down is the wrong place to have this?


    Yes. ip-down is run only after pppd dies and disconnects from the remote end.
    That is too late to try to have pppd be your default route.



    >Similarly in /etc/ip-up I can use ppp0 automatically with the lines:


    ># lba: if-up modified by if-up.local
    ># idea from http://www.jennings.homelinux.net/dial.html
    >#reassign default route when on dial up
    >/sbin/route del default
    >/sbin/route add default dev ppp0


    That is much much better.

    ># /sbin/route add default $IFNAME #equivalent to above
    >echo "ip-up: "`date` >>/var/log/lbappp


    >Both ip-up and ip-down show up in the /var/log/lbappp log I'm using
    >until it all works.




  9. Re: Dial-up route problem

    On 27 May 2005 01:38:55 GMT, Unruh wrote:

    >Larry Alkoff writes:
    >
    >>On 26 May 2005 05:39:58 GMT, Unruh wrote:

    >
    >>>Larry Alkoff writes:
    >>>
    >>>>I have been spending the past few days configuring dial-up networking
    >>>>to use as a fall back in case the cablemodem circuit fails.
    >>>
    >>>>No problem connecting as root to Mindspring (my ISP) with either
    >>>>ppp-go or the KPPP dialer but I am not able to ping or surf anything
    >>>>outside of my local LAN.
    >>>
    >>>>The problem seems to be that the default gateway is set to the one for
    >>>>eth0 instead of ppp0 in spite of the fact that I have the line
    >>>>defaultroute
    >>>>in /etc/ppp/options.
    >>>
    >>>man pppd
    >>>pppd will NOT remove an existing default route. You must remove it by hand
    >>>first (or by script).
    >>>route del default
    >>>before you run pppd.
    >>>

    >
    >>In my /etc/ip-down I have lines to

    >
    >Why ip-down?


    The reason for using ip-down is to change the routing from what is
    used for ppp0 back to normal eth0.
    >
    >>/usr/sbin/del default route

    >
    >What does this line mean?
    >The command I said was
    >route del default
    >NOT
    >del default route.
    >commands are not permutation invariant.


    Apparently my fingers _are_ permutation invariant

    The command in ip-down was actually what you specified and I just
    mistyped it in the post.


    >>/usr/sbin/route add default gw 192.168.0.1

    >
    >No, just
    >route add default ppp0
    >Do not give the gateway. The machine at the other end of the link MUST be
    >the gateway. If not, then getting to the net is impossible.


    Thank you for pointing me to the error.
    The command was correct except for the path which uses simply /sbin
    not /usr/sbin. Changed the path and now the route switches
    automatically back to the eth0 route when dial-up ends.

    >
    >>but for some reason the route is never added.
    >>There is no default route and I cannot surf the web or ping anyone
    >>until I invoke from a command line:
    >>/usr/sbin/route add default gw 192.168.0.1.

    >
    >>Am I using the wrong syntax to set the default route in ip-down?
    >>Maybe ip-down is the wrong place to have this?

    >
    >Yes. ip-down is run only after pppd dies and disconnects from the remote end.
    >That is too late to try to have pppd be your default route.


    Got it. I'm only using ip-down to switch back to eth0.
    All the setup for ppp is done in ip-up.

    >
    >>Similarly in /etc/ip-up I can use ppp0 automatically with the lines:

    >
    >># lba: if-up modified by if-up.local
    >># idea from http://www.jennings.homelinux.net/dial.html
    >>#reassign default route when on dial up
    >>/sbin/route del default
    >>/sbin/route add default dev ppp0

    >
    >That is much much better.
    >
    >># /sbin/route add default $IFNAME #equivalent to above
    >>echo "ip-up: "`date` >>/var/log/lbappp

    >
    >>Both ip-up and ip-down show up in the /var/log/lbappp log I'm using
    >>until it all works.

    >


    Thanks very much for your help Unruh.
    Switching from eth0 to dialup (ppp0) and back to eth0 now goes
    smoothly with the route set properly.

    Larry
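
Added example, not part of any post in this thread: the ip-up/ip-down switch-over the posts above converge on, written as one POSIX sh hook that saves whatever default route exists instead of hard-coding 192.168.0.1, and that logs a missing or failing route binary (the /usr/sbin versus /sbin mistake that left ip-down silently doing nothing). The STATE and LOG paths and all function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the thread. Install once and link it as both
# /etc/ppp/ip-up and /etc/ppp/ip-down; pppd passes the interface name as $1.
# STATE, LOG and the function names are assumptions of this sketch.
ROUTE=${ROUTE:-/sbin/route}   # absolute path: pppd runs hooks with a near-empty environment
STATE=${STATE:-/var/run/ppp-saved-default}
LOG=${LOG:-/var/log/ppp-route.log}

# pppd sends the hooks' stdout and stderr to /dev/null, so log to a file.
log() { echo "$(date) $*" >>"$LOG"; }

# stdin: `route -n` output. Prints "gateway iface" of the first default route.
default_route() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2, $8; exit }'
}

# Run $ROUTE with the given arguments; a missing binary or a non-zero exit
# is written to the log instead of vanishing.
run_route() {
    if ! command -v "$ROUTE" >/dev/null 2>&1; then
        log "ERROR: $ROUTE not found or not executable"
        return 127
    fi
    "$ROUTE" "$@" || { rc=$?; log "ERROR: $ROUTE $* exited $rc"; return "$rc"; }
}

# Link up: remember the LAN default route, then send the default out the PPP link.
ppp_up() {
    ifname=$1
    cur=$(run_route -n | default_route)
    case "$cur" in
        *" $ifname") log "ip-up: default route already via $ifname"; return 0 ;;
        "") ;;                                  # nothing to save
        *)  echo "$cur" >"$STATE"
            run_route del default || return 1 ;;
    esac
    run_route add default dev "$ifname" || return 1
    log "ip-up: default route now via $ifname (saved: ${cur:-none})"
}

# Link down: put back exactly the route that ppp_up saved.
ppp_down() {
    ifname=$1
    # The kernel normally drops routes through a dead interface; ignore "no such route".
    command -v "$ROUTE" >/dev/null 2>&1 && "$ROUTE" del default dev "$ifname" 2>/dev/null || true
    [ -f "$STATE" ] || { log "ip-down: no saved default route"; return 0; }
    read -r gw dev <"$STATE"
    if [ "$gw" = "0.0.0.0" ]; then
        run_route add default dev "$dev" || return 1
    else
        run_route add default gw "$gw" dev "$dev" || return 1
    fi
    rm -f "$STATE"
    log "ip-down: default route restored via $gw ($dev)"
}

# Dispatch on the name pppd invoked us under.
case "${0##*/}" in
    ip-up)   ppp_up "$1" ;;
    ip-down) ppp_down "$1" ;;
esac
```

If the restore fails, the saved route stays in STATE and the log names the command that failed, so the fallback can be retried by hand.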


  10. Re: Dial-up route problem

    On 27 May 2005 01:34:14 GMT, Unruh wrote:

    >Clifford Kite writes:
    >
    >>Larry Alkoff wrote:
    >>> In /etc/ppp/ip-up I already have including your addition:

    >
    >>> #!/bin/sh
    >>> # lba: if-up modified by if-up.local
    >>> # from http://www.jennings.homelinux.net/dial.html
    >>> #reassign default route when on dial up
    >>> /sbin/route del default
    >>> /sbin/route add default dev ppp0
    >>> echo "ip-up "`date` >>/var/log/lbappp
    >>> /sbin/route add default $IFNAME

    >
    >>> This produces a route -n which is different only in the last line from
    >>> the above, but I still can't surf.

    >
    >That does not mean anything.
    >For hints on debugging a ppp connection see
    >www.theory.physics.ubc.ca/ppp-linux.html
    >
    >Now, first try
    >ping 142.103.234.11
    >If that gives you a response, then your problem is your dns server
    >(/etc/resolv.conf). If it does not, then you still have routing problems,
    >and that says that the host you are dialing in to is not willing to forward your
    >packets (or you may have a system which rejects pings). If so try
    >telnet 142.103.234.11 80
    >If you get connection refused, your routing is fine. If it gives no response
    >after 5 sec, you still have routing problems. Discuss it with your ISP.
    >
    >


    Thanks very much for your hints on debugging and the url you wrote
    which I bookmarked.

    Wish I had that a week ago - it's taken me nearly that long to debug
    kppp and ppp!

    I didn't find it in google until I used the search phrase 'hook up
    ppp' and then it came up first.

    Larry




  11. Re: Dial-up route problem

    Larry Alkoff wrote:
    > I have been spending the past few days configuring dial-up networking
    > to use as a fall back in case the cablemodem circuit fails.
    >
    > No problem connecting as root to Mindspring (my ISP) with either
    > ppp-go or the KPPP dialer but I am not able to ping or surf anything
    > outside of my local LAN.
    >
    > The problem seems to be that the default gateway is set to the one for
    > eth0 instead of ppp0 in spite of the fact that I have the line
    > defaultroute
    > in /etc/ppp/options.
    > ...


    I get the desired results using these options:

    defaultroute
    replacedefaultroute

    in /etc/ppp/options (see man pppd).

  12. Re: Dial-up route problem

    Bryan Batten writes:


    >I get the desired results using these options:


    >defaultroute
    >replacedefaultroute


    This is not a part of standard pppd. I believe that SUSE has a habit of
    rewriting pppd which sometimes causes problems rather than solving them.


    >in /etc/ppp/options (see man pppd).


  13. Re: Dial-up route problem

    Unruh wrote:
    > Bryan Batten writes:
    >
    >
    >
    >> I get the desired results using these options:

    >
    >
    >> defaultroute replacedefaultroute

    >
    >
    > This is not a part of standard pppd. I believe that SUSE has a
    > habit of rewriting pppd which sometimes causes problems rather than
    > solving them
    >
    >
    >
    >> in /etc/ppp/options (see man pppd).


    Hmm. I'm using ppp 2.4.3-20050321+2, part of Debian Sarge. "man pppd"
    describes the 'replacedefaultroute' option:


    replacedefaultroute
        This option is a flag to the defaultroute option. If defaultroute
        is set and this flag is also set, pppd replaces an existing
        default route with the new default route.


    I guess it makes portability goals a little difficult if different
    distributions have too many different ideas of what the capabilities
    of well-known packages should be.

  14. Re: Dial-up route problem

    In article <429a4539$0$18648$14726298@news.sunsite.dk>, Bryan Batten wrote:

    [Recapping to get perspective]


    >>Larry Alkoff wrote:


    >>> The problem seems to be that the default gateway is set to the one for
    >>> eth0 instead of ppp0 in spite of the fact that I have the line
    >>> defaultroute
    >>> in /etc/ppp/options.


    >Bryan Batten writes:


    >>I get the desired results using these options:
    >>
    >>defaultroute
    >>replacedefaultroute


    >Unruh wrote:


    >> This is not a part of standard pppd. I believe that SUSE has a
    >> habit of rewriting pppd which sometimes causes problems rather than
    >> solving them


    Yeah, Debian seems to have joined the few that aren't concerned with
    security. If you recall, I called John Hasler about this in the first
    week of this month in comp.os.linux.networking. He never replied. The
    thread was titled "A question about default routes"

    Bryan Batten writes:

    >Hmm. I'm using ppp 2.4.3-20050321+2, part of Debian Sarge. "man pppd"
    >describes the 'replacedefaultroute' option:


    Yeah, this circumvents security, which is why the 'no replace default'
    behavior has been part of pppd for at least ten years. I'm surprised that
    the Debian maintainer decided the security hole was necessary, rather
    than fixing the original problem which is a brain-dead installation program.
    But then, I was bitching about that problem to Donnie Barnes and Marc Ewing
    back in RH 3.0.3 in 1996.

    In the original poster's situation, a more appropriate solution is to
    "manually" replace the route in /etc/ppp/ip-up (and restore it in
    /etc/ppp/ip-down).

    Remember, if you have an existing default route to the world, and you use
    pppd to replace that route, you are probably circumventing the firewall
    that had been protecting the LAN. If we caught one of our users pulling
    that stunt, we're not allowed to put their head on a pike at the front
    entry way as a warning to others, but the retribution is almost as painful.

    Old guy


  15. Re: Dial-up route problem

    Bryan Batten writes:

    >Unruh wrote:
    >> Bryan Batten writes:
    >>
    >>
    >>
    >>> I get the desired results using these options:

    >>
    >>
    >>> defaultroute replacedefaultroute

    >>
    >>
    >> This is not a part of standard pppd. I believe that SUSE has a
    >> habit of rewriting pppd which sometimes causes problems rather than
    >> solving them
    >>
    >>
    >>
    >>> in /etc/ppp/options (see man pppd).


    >Hmm. I'm using ppp 2.4.3-20050321+2, part of Debian Sarge. "man pppd"
    >describes the 'replacedefaultroute' option:



    >replacedefaultroute
    > This option is a flag to the defaultroute option. If defaultroute
    > is set and this flag is also set, pppd replaces an existing
    > default route with the new default route.



    >I guess it makes portability goals a little difficult if different
    >distributions have too many different ideas of what the capabilities
    >of well-known packages should be.


    pppd 2.4.3 was released Nov 14 2004. (ftp.samba.org)

    Looks like Debian has decided to change it. Dumb.
    Changing pppd is a good way of breaking it. Redhat did that a few years
    ago-- took a year to fix their stupidity.
    Some hotshot who does not understand ppp decides to "improve" it.


  16. Re: Dial-up route problem

    Moe Trin wrote:
    > ...
    > Remember, if you have an existing default route to the world, and
    > you use pppd to replace that route, you are probably circumventing
    > the firewall that had been protecting the LAN. If we caught one of
    > our users pulling that stunt, we're not allowed to put their head
    > on a pike at the front entry way as a warning to others, but the
    > retribution is almost as painful.
    >
    > Old guy
    >


    Obvious enough, once stated. It escapes me, though, how changing the
    default route using /sbin/route in an ip-up script either helps or
    hinders the security situation vs. using 'replacedefaultroute' as a
    pppd option.

    In my own case, I've added small scripts in /etc/ppp/ip-up.d and
    /etc/ppp/ip-down.d to modify iptables firewall rules to track IP
    address changes as the link is connected and disconnected.

  17. Re: Dial-up route problem

    In article <429e1ba8$0$18644$14726298@news.sunsite.dk>, Bryan Batten wrote:

    >Obvious enough, once stated. It escapes me, though, how changing the
    >default route using /sbin/route in an ip-up script either helps or
    >hinders the security situation vs. using 'replacedefaultroute' as a
    >pppd option.


    Gotta lay some ground rules - are you 'root' on the system? If so, you
    can do what you want. If not, then root can set up pppd to allow you
    to use it, but can add some privileged keywords like 'nodefaultroute'
    and set file permissions in /etc/ppp/* so that the user can't make
    a major security hole.

    Some of this is 'security through obscurity', and we all know that's
    not something to build a house on. Briefly, if you have a pre-existing
    default route, the stock pppd is going to make you jump through hoops
    to even get the connection to run. If you _know_ what you are doing,
    this isn't that hard (two options, and use of ip-{up|down} scripts).
    The stock kernel is also going to help, because you can't have two
    functioning default routes, and the kernel will use the last one
    configured. Hence, the normal advice is to delete the original
    default route. However, assume you have a modem on the computer that
    is attached to the company LAN. If you then dial out to the Internet
    and delete (or otherwise disable) the pre-existing default, you still
    have full access to the company LAN, and the only thing protecting the
    LAN from some bad guy outside is /proc/sys/net/ipv4/ip_forward. That
    also assumes that your system doesn't somehow get r00ted, and the bad
    guy is now running applications on your computer.

    >In my own case, I've added small scripts in /etc/ppp/ip-up.d and
    >/etc/ppp/ip-down.d to modify iptables firewall rules to track IP
    >address changes as the link is connected and disconnected.


    That's also a Debian thing (the pppd knows about ip-up and ip-down,
    and I'm guessing Debian uses those scripts to run stuff out of the
    ip-up.d and ip-down.d directory), but that is quite normal. The
    ip-{up|down} files that come with Red Hat (and some clones) look for
    an ip-{up|down}.local - the premise being that the package manager
    won't mess with the *.local files (so put your stuff there), while it
    _would_ replace the included ip-{up|down} files during updates. When I
    was using multiple ISPs, I used ip-{up|down} to run a script that
    looked at the remote IP address to select an appropriate resolv.conf
    file (I don't use 'usepeerdns' because I'm paid to be paranoid). I
    also used it to modify the firewall rules and reset a fingerprinting
    application that I normally run.

    Old guy
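
Added example, not part of any post in this thread: a defender-side check for the situation described in posts 14 and 17, where a host takes its default route over a PPP link while still attached to the LAN and only /proc/sys/net/ipv4/ip_forward stands between the two. It audits `route -n` output and a pppd options file; the finding labels, function names and the script name ppp-audit.sh are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the thread. Finding labels (BYPASS, FORWARDING, ...)
# and the script name are this sketch's own.

# audit_routes FWD
#   stdin: `route -n` output; FWD: content of /proc/sys/net/ipv4/ip_forward.
#   Prints one finding per line; prints nothing when the table looks safe.
audit_routes() {
    awk -v fwd="$1" '
        $1 !~ /^[0-9]+\./ { next }                  # skip the two header lines
        $1 == "0.0.0.0" && $3 == "0.0.0.0" {        # a default route
            ndef++
            if ($8 ~ /^ppp/) pppdef = $8
            next
        }
        $8 !~ /^(ppp|lo)/ && !(seen[$8]++) {        # network reached directly over a LAN NIC
            lans = lans (lans != "" ? "," : "") $8 "=" $1 "/" $3
        }
        END {
            if (ndef > 1) print "DUAL-DEFAULT " ndef " default routes present"
            if (pppdef != "" && lans != "") {
                print "BYPASS default via " pppdef " while attached to " lans
                if (fwd + 0 == 1)
                    print "FORWARDING ip_forward=1 joins " pppdef " to " lans
            }
        }'
}

# audit_options
#   stdin: a pppd options file. Reports the options discussed in this thread
#   that decide who controls the default route and DNS.
audit_options() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "replacedefaultroute")
                    print "ROUTE-REPLACE line " NR ": pppd will replace an existing default route"
                if ($i == "usepeerdns")
                    print "PEER-DNS line " NR ": resolver addresses are taken from the peer"
                if ($i == "nodefaultroute") locked = 1
            }
        }
        END {
            if (!locked)
                print "NO-LOCK nodefaultroute absent: users of pppd may still request a default route"
        }'
}

# Live run only when invoked under its own (hypothetical) name.
case "${0##*/}" in
    ppp-audit.sh)
        /sbin/route -n | audit_routes "$(cat /proc/sys/net/ipv4/ip_forward)"
        audit_options </etc/ppp/options
        ;;
esac
```

Run against the two routing tables posted earlier in the thread, the first (default via 192.168.0.1 on eth0) produces no finding and the second (default on ppp0 with eth0 still up) produces BYPASS.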

  18. Re: Dial-up route problem

    Bryan Batten writes:

    >Moe Trin wrote:
    >> ...
    >> Remember, if you have an existing default route to the world, and
    >> you use pppd to replace that route, you are probably circumventing
    >> the firewall that had been protecting the LAN. If we caught one of
    >> our users pulling that stunt, we're not allowed to put their head
    >> on a pike at the front entry way as a warning to others, but the
    >> retribution is almost as painful.
    >>
    >> Old guy
    >>


    >Obvious enough, once stated. It escapes me, though, how changing the
    >default route using /sbin/route in an ip-up script either helps or
    >hinders the security situation vs. using 'replacedefaultroute' as a
    >pppd option.


    a) Having a third party alter the source code with a "root only" option
    could well be a security hazard in itself. It has been shown in the past
    that such alterations are often done by people who do not understand the
    program.
    b) That addition must be done by root, and the admin with root privileges
    one hopes will also be someone who has thought of the implications (well, I
    know).



    >In my own case, I've added small scripts in /etc/ppp/ip-up.d and
    >/etc/ppp/ip-down.d to modify iptables firewall rules to track IP
    >address changes as the link is connected and disconnected.


    That is exactly what should be done. And those scripts are the place to do
    them. Would you have thought of it when you just put in the options
    replacedefaultroute?
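
Added example, not part of any post in this thread and not Bryan Batten's actual scripts: one way an /etc/ppp/ip-up.d and /etc/ppp/ip-down.d hook can tie iptables rules to the address the link received and refuse to forward between the PPP link and the LAN. The chain name PPP-IN, the policy, the DRY_RUN switch and the function names are assumptions; IFNAME and IPLOCAL are the variables pppd exports to its hooks.

```sh
#!/bin/sh
# Added example, not from the thread. Link the same file into
# /etc/ppp/ip-up.d and /etc/ppp/ip-down.d. Chain name and policy are this
# sketch's choices.
CHAIN=PPP-IN

# fw_rules up|down IFACE LOCAL_IP
#   Prints the iptables commands for one link event, one per line.
#   Returns 2 and prints nothing if an argument is malformed, so a bad value
#   from the environment never reaches a root shell.
fw_rules() {
    ifc=$2
    ip=$3
    case $ifc in ""|*[!A-Za-z0-9]*) return 2 ;; esac
    case $ip in ""|*[!0-9.]*) return 2 ;; esac
    case $1 in
    up) cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -d $ip -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -I INPUT -i $ifc -j $CHAIN
iptables -I FORWARD -i $ifc -j DROP
iptables -I FORWARD -o $ifc -j DROP
EOF
        ;;
    down) cat <<EOF
iptables -D INPUT -i $ifc -j $CHAIN
iptables -D FORWARD -i $ifc -j DROP
iptables -D FORWARD -o $ifc -j DROP
iptables -F $CHAIN
iptables -X $CHAIN
EOF
        ;;
    *) return 2 ;;
    esac
}

# Print the rules when DRY_RUN is set, otherwise execute them.
apply() {
    rules=$(fw_rules "$@") || { echo "ppp-fw: bad arguments: $*" >&2; return 2; }
    if [ -n "$DRY_RUN" ]; then echo "$rules"; else echo "$rules" | sh; fi
}

# Dispatch on the directory the hook was started from.
case $0 in
    */ip-up.d/*)
        apply down "$IFNAME" "$IPLOCAL" 2>/dev/null   # clear leftovers from an unclean hang-up
        apply up "$IFNAME" "$IPLOCAL"
        ;;
    */ip-down.d/*)
        apply down "$IFNAME" "$IPLOCAL"
        ;;
esac
```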

