[leaf-user] pptp & shorewall and other ppp fixed links already present but in different zones

[Paul T. <ps...@ps...>]

I don't have pptpd working yet on the firewall (it's crashing on tcp 
connect), but I've been looking at the obsolete shorewall documentation 
for running pptpd on the local firewall itself.

In my situation, I have ppp0 in my net zone, because that is my link to 
the outside world (pppoe, thank you SBC :-( ).  I plan to have a few 
pptp tunnels coming into the firewall, which will be in the loc zone, 
and pptp will be set up in a proxyarp configuration on the local lan.

I know the zones need to be ordered, and they are, but the following bit 
worries me... I have rules like FORWARD that have snippets in them:

Chain FORWARD (policy DROP 28 packets, 3746 bytes)
target     prot opt in     out     source               destination
TCPMSS     tcp  --  any    any     anywhere             anywhere 
     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
eth0_fwd   all  --  eth0   any     anywhere             anywhere
eth1_fwd   all  --  eth1   any     anywhere             anywhere
eth2_fwd   all  --  eth2   any     anywhere             anywhere
ath0_fwd   all  --  ath0   any     anywhere             anywhere
ppp0_fwd   all  --  ppp0   any     anywhere             anywhere
ppp_fwd    all  --  ppp+   any     anywhere             anywhere
Reject     all  --  any    any     anywhere             anywhere
ULOG       all  --  any    any     anywhere             anywhere 
          reject     all  --  any    any     anywhere 
anywhere

ppp0 will be processed for all packets being forwarded by ppp0 (which is 
in net)... but if none of the rules in net2<whatever> actually trigger, 
then this rule falls through to the ppp+ rule, which will get the 
loc2<whatever> rules, which are obviously less restrictive.  This can't 
be allowed to happen.

Is there any "polite" way in shorewall to introduce a rule at the start 
of ppp_fwd, ppp_in, and ppp_out to do a "RETURN" if the interface in 
question is ppp0, or better yet, is there a syntax I can use in 
iptables/shorewall to say ppp+,!ppp0 so the ppp_in/out/fwd rules never 
even get called?

Tom, should I be using hosts syntax at this point?  If so, got any 
suggestions (I only have one small range of IP addresses that are in the 
pptp pool).

Paul