Martin Husemann wrote:
> On Mon, Feb 07, 2005 at 04:55:29PM -0300, César Catrián C. wrote:
> 
>>clear-auth-failure=5 seems a very low default to me. 
> 
> 
> This is from experiences with an ex-ISP of mine. They automatically disabled
> my access after 9 wrong retries. I had changed the password using their
> web thing, modified /etc/ifconfig.pppoe0 - but forgot to reload the pppoe
> configuration - after 24 hours they also forced a disconnect, and on reconnect
> my machine got locked out. No need to mention this happend late friday 
> afternoon, and customer service was only available on the next monday.
> If I had known the details, I would have had the connection back up on the
> next morning - they cleared the "blocked" status in a nightly cron job.
> But I didn't know at that time and customer servcie gave very wrong advice,
> and then didn't response, etc. It took nearly a week and caused costs for
> a ISDN backup connection - and you probably understand why it's an ex-ISP
> of mine. Anyway, I used the week w/o DSL connection to implement the max-auth-*
> stuff.
> 
> 
>>I've set it to '0' in my connection.
> 
> 
> That's what I do on most machines too, after inintial testing.

I'd not put anything into my ppp/ip-up and ip-down scripts,
and I neglected to mention the possibly (heh ...) significant
ipf rule surrounding the interface :

pass out quick on sip0 to pppoe0:203.201.104.1 proto tcp from a.b.c.d to
any

Ie: I'm using that interface only for one host, everything else
goes out via a default route on a different interface via a DSL router.
I think maybe IPF gets confused if the interface goes away for a
while?  anyway, that didn't/doesn't explain the inability for it to
authenticate after a failure.

My setup now looks like this :

/etc/ppp/ip-up :
#! /bin/sh
/sbin/ipf -Fa -f /etc/ipf.conf

/etc/ifconfig.pppoe0 :
create
! /sbin/ifconfig sip3 up
! /sbin/pppoectl -e sip3 $int
! /sbin/pppoectl $int myauthproto=pap 'myauthname=user@isp.com.au' 'm
yauthsecret=XXXXXX' hisauthproto=none
0.0.0.0 0.0.0.1 up



In the event of a loss of the PPPoE session, should I
have anything in ip-down to reset anything, or will the
above (with ifwatchd running) take care of that?  Also, should
$int be explicitly specified as pppoe0, or is it ok as '$int' ?

Martin's suggestion to use "destroy" not "delete" I haven't
tried, and I'm not sure if it was a typo or not, but I'll
try it next time it locks up.  What specifically has
been changed in the pppoe stuff since 1.6.1?

I will look to upgrading to NBSD 2.0 in the next few months,
but am a bit swamped with other stuff at the moment to do it
in the next week :)


Thanks everyone for your input,

Carl