From owner-freebsd-questions Wed Nov 18 11:47:24 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
	by hub.freebsd.org (8.8.8/8.8.8) id LAA26968
	for freebsd-questions-outgoing; Wed, 18 Nov 1998 11:47:24 -0800 (PST)
	(envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32])
	by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26960
	for ; Wed, 18 Nov 1998 11:47:15 -0800 (PST)
	(envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost)
	by resnet.uoregon.edu (8.8.8/8.8.8) with ESMTP id LAA18504;
	Wed, 18 Nov 1998 11:46:26 -0800 (PST)
	(envelope-from dwhite@resnet.uoregon.edu)
Date: Wed, 18 Nov 1998 11:46:25 -0800 (PST)
From: Doug White
To: Eddie Irvine
cc: questions@FreeBSD.ORG
Subject: Re: ppp and 192.168.0.0 packets.
In-Reply-To: <36517060.4CD7035E@tpgi.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 17 Nov 1998, Eddie Irvine wrote:

> Hello all!
>
> I have a FreeBSD 2.2-STABLE server serving a private
> network (192.168.x.x) in a school and routing IP and
> AppleTalk between subnets. It also dials up various ISPs
> (depending on which one is working on the day) and runs squid.

[..]

> I use ppp 2.0 for this, normally *without* aliasing turned
> on, because I don't want my smarter kids sending email
> from their web browsers out onto the net (Dept. Ed. Policy).
>
> A teacher's machine (192.168.1.115) has Netscape configured
> to fetch mail from an ISP's mailbox, and when I want to do
> this I dial up with the -alias option.
>
> Obviously, we are not doing any mail relaying on our server.

And can't unless you turn gatewaying on.

> Now, I'm concerned that without the -alias option on all the
> time, packets from my private net will sometimes go down
> the phone line and onto the internet, making me a (gasp!)
> "bad citizen".
>
> 1) Should I worry about this?

No. The first router that sees them will eat them.

> OK, so, let's assume that I turn aliasing ON all the time and enable
> some of the packet filtering rules. To make it simple, say I want to
> permit only the server (interfaces 192.168.1.1, 192.168.2.1,
> 192.168.3.1 and whatever the ISP assigns to MYADDR) to be able
> to access port 80, and only the teacher's machine (192.168.1.115)
> to be able to access the ISP's POP server.
>
> 2) Can the filtering rules do this, when aliasing is turned on?

Sure.

> 3) How does the ppp filter scan the rule set? Does it start at the top
> of the rule set with each packet and *stop* at the first permit or deny
> that matches the packet?

It applies the first rule that matches.

Doug White                              |
Internet:  dwhite@resnet.uoregon.edu    | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite    | www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
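One way to write the policy from questions 2 and 3 as a ppp.conf filter set, added here as an example and not taken from the thread. It uses the `set filter out` / `set filter in` spelling of later FreeBSD ppp(8); the assumption is that ppp 2.0 on 2.2-STABLE accepted the same rules under `set ofilter` / `set ifilter`, that the outbound filter sees the packet before aliasing rewrites its source address (both worth checking against ppp(8) on the machine), and `ISP_POP` is a placeholder for the ISP's real POP server address.

```conf
# Rules are tried in numeric order and the first match wins (as Doug says),
# so the specific permits come first and a catch-all deny closes the set.

# Outbound: only the server's own addresses may open connections to port 80.
set filter out 0 permit 192.168.1.1   0/0 tcp dst eq 80
set filter out 1 permit 192.168.2.1   0/0 tcp dst eq 80
set filter out 2 permit 192.168.3.1   0/0 tcp dst eq 80
set filter out 3 permit MYADDR        0/0 tcp dst eq 80

# Only the teacher's PC may talk to the ISP's POP server (port 110).
# ISP_POP is a placeholder; substitute the server's real address.
set filter out 4 permit 192.168.1.115 ISP_POP tcp dst eq 110

# Everything else leaving the link is dropped, including SMTP sent straight
# from a student's browser, which is the traffic the policy wants stopped.
# Note: the server's squid still needs name resolution (udp dst eq 53);
# the stated policy does not cover it, so it needs its own rule if used.
set filter out 5 deny   0/0 0/0

# Inbound: accept only packets belonging to TCP connections opened from
# inside, then drop the rest. Nothing unsolicited reaches the private net.
set filter in 0 permit 0/0 0/0 tcp estab
set filter in 1 deny   0/0 0/0
```

A quick way to confirm the first-match behaviour is to temporarily move rule 5 to the top: every outbound packet then hits the deny first and nothing leaves the link.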