From nobody@FreeBSD.org  Wed Dec  6 19:21:26 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id F0E1A37B400
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  6 Dec 2000 19:21:24 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id eB73LOu47885;
	Wed, 6 Dec 2000 19:21:24 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200012070321.eB73LOu47885@freefall.freebsd.org>
Date: Wed, 6 Dec 2000 19:21:24 -0800 (PST)
From: ncalvo@es.freebsd.org
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: Inaccuracy of the dialup-firewall tutorial
X-Send-Pr-Version: www-1.0

>Number:         23342
>Category:       docs
>Synopsis:       Inaccuracy of the dialup-firewall tutorial
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jesusr@freebsd.org
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 06 19:30:01 PST 2000
>Closed-Date:    Tue Feb 27 04:45:55 PST 2001
>Last-Modified:  Tue Feb 27 04:46:43 PST 2001
>Originator:     ncalvo
>Release:        4.2-RELEASE  i386
>Organization:
>Environment:
FreeBSD amnesiac.no.domain 4.2-RELEASE FreeBSD 4.2-RELEASE #2: Thu Dec  7 02:00:29 CET 2000     root@amnesiac.no.domain:/usr/src/sys/compile/AMNESIAC  i386

>Description:
The "Dialup-firewall" tutorial features an inaccuracy concerning the
name of the device on which the supplied firewall rules operate.

The supplied ruleset operates on the "tun0" interface. However, when
opening a PPP connection through a modem the "ppp0" interface is used
instead (as reported by  /sbin/ifconfig  ).

>How-To-Repeat:
Follow the tutorial and, afterwards, open a ppp connection through a
modem.

You will find that no traffic is allowed through that connection due
to the following firewall rule

  65435 deny log ip from any to any

>Fix:
In the sgml source file of the tutorial, substitute "tun0" for "ppp0".

I am mailing a patch both to the author of the tutorial (Marc Silver):

  marcs@draenor.org

and to the -doc list:

  freebsd-doc@freebsd.org



>Release-Note:
>Audit-Trail:

From: "Eric Ogren" <eogren@stanford.edu>
To: <ncalvo@es.freebsd.org>, <freebsd-gnats-submit@FreeBSD.ORG>
Cc:  
Subject: Re: docs/23342: Inaccuracy of the dialup-firewall tutorial
Date: Wed, 6 Dec 2000 19:36:32 -0800

   If you connect using user-mode PPP, like the majority
 of FreeBSD users do, tun0 is the correct device.
 
 Eric
 
 

From: ncalvo <ncalvo@es.freebsd.org>
To: freebsd-gnats-submit@FreeBSD.org, marcs@draenor.org
Cc:  
Subject: Re: docs/23342: Inaccuracy of the dialup-firewall tutorial
Date: Wed, 07 Feb 2001 19:31:10 +0100

 This is a multi-part message in MIME format.
 --------------CC564A663CBFCEA4615F8B6D
 Content-Type: text/plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 
 Hello,
 
 As a follow-up to this short-sighted PR that I opened, I have produced a
 patch.
 
 I have been in contact with Marc Silver (the author of the
 dialup-firewall tutorial) and he has approved the patch.
 
 I am enclosing the mentioned patch as an attachment.
 
 Thank you.
 
 ncalvo
 
 _
 --------------CC564A663CBFCEA4615F8B6D
 Content-Type: text/plain; charset=us-ascii;
  name="dialup-firewall.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="dialup-firewall.patch"
 
 --- article.sgml.orig	Sun Jan 21 16:17:22 2001
 +++ article.sgml	Sun Jan 21 17:19:32 2001
 @@ -294,6 +294,73 @@
  	    firewall.</para>
  	</answer>
        </qandaentry>
 +
 +<!-- addition starts here -->
 +
 +      <qandaentry>
 +	<question>
 +	  <para>There must be something wrong.  I followed your instructions
 +	    to the letter and now I am locked out.</para>
 +        </question>
 +
 +	<answer>
 +	  <para>This tutorial assumes that you are running
 +	    <emphasis>userland-ppp</emphasis>, therefore the supplied ruleset
 +	    operates on the <devicename>tun0</devicename> interface, which
 +	    corresponds to the first connection made with &man.ppp.8; (a.k.a.
 +	    <emphasis>user-ppp</emphasis>).  Additional connections would use
 +	    <devicename>tun1</devicename>, <devicename>tun2</devicename> and so
 +	    on.</para>
 +
 +	  <para>You should also note that &man.pppd.8; uses the
 +	    <devicename>ppp0</devicename> interface instead, so if you start the
 +	    connection with &man.pppd.8; you must substitute
 +	    <devicename>tun0</devicename> for <devicename>ppp0</devicename>.  A
 +	    quick way to edit the firewall rules to reflect this change is shown
 +	    below. The original ruleset is backed up as
 +	    <filename>fwrules_tun0</filename>.</para>
 +
 +	  <screen>
 +	    <prompt>&tilde; &prompt.user; </prompt><userinput>cd /etc/firewall</userinput>
 +	    <prompt>/etc/firewall &prompt.user; </prompt><userinput>su</userinput>
 +	    <prompt>Password:</prompt>
 +	    <prompt>/etc/firewall &prompt.root; </prompt><userinput>mv fwrules fwrules_tun0</userinput>
 +	    <prompt>/etc/firewall &prompt.root; </prompt><userinput>cat fwrules_tun0 | sed s/tun0/ppp0/g > fwrules</userinput>
 +	  </screen>
 +
 +	  <para>To know whether you are currently using &man.ppp.8; or
 +	    &man.pppd.8; you can examine the output of &man.ifconfig.8; once the
 +	    connection is up. E.g., for a connection made with &man.pppd.8; you
 +	    would see something like this (showing only the relevant lines):</para>
 +
 +	  <screen>
 +	    &prompt.user; <userinput>ifconfig</userinput>
 +	    <emphasis>(skipped...)</emphasis>
 +	    ppp0: flags=<replaceable>8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1524</replaceable>
 +                    inet <replaceable>xxx.xxx.xxx.xxx</replaceable> --&gt; <replaceable>xxx.xxx.xxx.xxx</replaceable> netmask <replaceable>0xff000000</replaceable>
 +	    <emphasis>(skipped...)</emphasis>
 +	    </screen>
 +
 +	  <para>On the other hand, for a connection made with &man.ppp.8;
 +	    (<emphasis>user-ppp</emphasis>) you should see something similar to
 +	    this:</para>
 +
 +	  <screen>
 +	    &prompt.user; <userinput>ifconfig</userinput>
 +	    <emphasis>(skipped...)</emphasis>
 +	    ppp0: flags=<replaceable>8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500</replaceable>
 +	    <emphasis>(skipped...)</emphasis>
 +	    tun0: flags=<replaceable>8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1524</replaceable>
 +	            <emphasis>(IPv6 stuff skipped...)</emphasis>
 +                    inet <replaceable>xxx.xxx.xxx.xxx</replaceable> --&gt; <replaceable>xxx.xxx.xxx.xxx</replaceable> netmask <replaceable>0xffffff00</replaceable>
 +                    Opened by PID <replaceable>xxxxx</replaceable>
 +            <emphasis>(skipped...)</emphasis>
 +            </screen>
 +	</answer>
 +      </qandaentry>
 +
 +<!-- addition ends here -->
 +
      </qandaset>
    </sect1>
  </article>
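
Review bot: In the second para of the new answer, "you must substitute <devicename>tun0</devicename> for <devicename>ppp0</devicename>" reads as putting tun0 in place of ppp0, the opposite of what the sed line below it does (s/tun0/ppp0/g rewrites tun0 to ppp0); suggest "replace tun0 with ppp0" so a locked-out reader does not edit the rules the wrong way round. The user-ppp ifconfig sample also lists ppp0 (flags 8010, not UP) next to tun0, so the text introducing the two samples should tell the reader to look for the interface that is UP and has an inet address, not merely which name appears. Smaller points: the redirect in the sed line is a raw > while the other screens use &gt;, the cat is unnecessary (sed can read fwrules_tun0 directly), the "addition starts here" and "addition ends here" comments should not be committed, and the closing </question> tag and the last two </screen> tags are not aligned with their opening tags.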
 
 --------------CC564A663CBFCEA4615F8B6D--
 
 
Responsible-Changed-From-To: freebsd-doc->jesusr@freebsd.org 
Responsible-Changed-By: jesusr 
Responsible-Changed-When: Tue Feb 27 04:28:05 PST 2001 
Responsible-Changed-Why:  
Working on it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23342 
State-Changed-From-To: open->closed 
State-Changed-By: jesusr 
State-Changed-When: Tue Feb 27 04:45:55 PST 2001 
State-Changed-Why:  
Patch applied. 
Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23342 
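
The mismatch this PR reports (rules bound to tun0 while pppd brings up ppp0, so every packet falls through to the final deny rule) can be checked mechanically. The following is an added example, not part of the PR, the patch or the tutorial: it picks the PPP interface that is UP with an inet address from ifconfig-style output and tests whether the ruleset names it. The ifconfig samples, the three ipfw rules and all function names are constructed for illustration.

```shell
# Added example, not from the tutorial or the PR; all sample data is constructed.
# Print the first tunN/pppN interface that is UP and has an IPv4 address (ifconfig on stdin).
active_ppp_if() {
    awk '
        /^[a-z]+[0-9]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            up = ($0 ~ /[<,]UP[,>]/)
            next
        }
        /^[ \t]+inet / && up && name ~ /^(tun|ppp)[0-9]+$/ { print name; exit }
    '
}

# Succeed if a rule on stdin binds to interface $1 with via/recv/xmit.
rules_name_if() {
    [ -n "$1" ] && grep -Eq "(via|recv|xmit)[[:space:]]+$1([[:space:]]|\$)"
}

# Constructed ifconfig output: a pppd link, then a user-ppp link.
sample_pppd() { cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
	inet 192.0.2.10 --> 192.0.2.1 netmask 0xff000000
EOF
}
sample_userppp() { cat <<'EOF'
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
	inet6 fe80::1%tun0 prefixlen 64 scopeid 0x7
	inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffff00
EOF
}
# Constructed rules bound to tun0, ending in the deny rule quoted in the PR.
sample_rules() { cat <<'EOF'
add 1000 allow tcp from any to any out xmit tun0 setup
add 1100 allow tcp from any to any via tun0 established
add 65435 deny log ip from any to any
EOF
}

# Report whether the rules cover the interface that is actually in use.
check() {   # $1 = name of a function that prints ifconfig output
    ifc=$("$1" | active_ppp_if)
    if sample_rules | rules_name_if "$ifc"; then echo "$ifc: covered"
    else echo "$ifc: not named in rules, only the final deny matches"; fi
}
check sample_pppd
check sample_userppp
```

On a live system the same functions would be fed `ifconfig` and the contents of the rules file in place of the constructed samples.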
>Unformatted:
