[Firewall] Authenticated PPPOE with Arnos firewall

Avram Dumitrescu phat at phat.ro
Tue Nov 30 22:12:02 CET 2010

Thanks for the elaborate doc, I was trying to avoid a dirty bash script as a solution to this problem. Well, when in doubt use bash :).

Thank you all for your help and patience.


-----Original Message-----
From: firewall-bounces at rocky.eld.leidenuniv.nl [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of WC -Sx- Jones
Sent: Tuesday, November 30, 2010 8:26 PM
To: Arno's IPTABLES firewall script
Subject: Re: [Firewall] Authenticated PPPOE with Arnos firewall

On Tue, Nov 30, 2010 at 11:48 AM, Avram Dumitrescu <phat at phat.ro> wrote:

> On boot it brings up eth0, eth1, ppp0 and runs the firewall script (in that order), and, until I manually ifdown/ifup eth0 it doesn’t do anything, the server on the other has access to the network but doesn’t resolve.

No, it's not a good idea to get the interfaces plumbed before the
firewall but I don't see a way to do that with PPPoE  :P

The general way to get this to work on any Linux system is boot order
-- the PPPoE script needs to run immediately when the system wants to
plumb the Internet interfaces and thereafter start the firewall --
there will always be a small window where the Internet is plumbed
without a firewall but we are talking mere seconds.

The system should be taken off the network for testing -- make sure
the PPPoE handshake is happening in the correct order -- errors are OK
at this point, no errors and you have a problem.  Next, while the
system is connected to the network see if it will handshake for an IP
address (errors are not OK at this point) -- if it isn't then there is
no real threat as there is likely no route to the system (IE, the
default route isn't set right.)

Test the boot order, make sure the system is starting up in a normal,
manageable way - IE, the Internet interfaces can be plumbed but no
INETD services need be started until AFTER the firewall is in place.

Try this out:

Then if you need more reading see these:

Firewall mailing list
Firewall at rocky.eld.leidenuniv.nl
Arno's (Linux IPTABLES Firewall) Homepage:
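
The boot-order test described in the quoted reply, as an added example that is not part of the original thread: it reads the SysV start links in a runlevel directory and reports whether the firewall starts after the PPPoE link and before inetd. The link names (pppoe, firewall, inetd) and the SNNname link layout are assumptions; substitute the names used on your system.

```shell
#!/bin/sh
# Added example (not from the thread): check that SysV start links bring up
# the PPPoE link first, then the firewall, and only then inetd services.
# The service names used below are assumptions; use your system's link names.

# start_prio DIR NAME -> prints the start priority NN of DIR/SNNNAME
start_prio() {
    for link in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$link" ] || continue      # an unmatched glob stays literal
        prio=${link##*/S}
        prio=${prio%"$2"}
        printf '%s\n' "${prio#0}"       # drop one leading zero: 08 -> 8
        return 0
    done
    return 1
}

# check_boot_order DIR PPPOE FIREWALL SERVICE
# returns 0 = order ok, 1 = wrong or ambiguous order, 2 = a start link is missing
check_boot_order() {
    p=$(start_prio "$1" "$2") || { echo "missing start link: $2"; return 2; }
    f=$(start_prio "$1" "$3") || { echo "missing start link: $3"; return 2; }
    s=$(start_prio "$1" "$4") || { echo "missing start link: $4"; return 2; }
    # Equal priorities run in name-sort order, so treat them as not guaranteed.
    if [ "$p" -lt "$f" ] && [ "$f" -lt "$s" ]; then
        echo "ok: $2($p) -> $3($f) -> $4($s)"
        return 0
    fi
    echo "bad order: $2($p) $3($f) $4($s); want $2 < $3 < $4"
    return 1
}

# Constructed sample runlevel directory (empty files stand in for init links).
demo=$(mktemp -d)
touch "$demo/S20pppoe" "$demo/S25firewall" "$demo/S30inetd"
check_boot_order "$demo" pppoe firewall inetd
rm -rf "$demo"
```

On a real system, point the first argument at the default runlevel's directory instead of the constructed one.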
