Date: Tue, 20 Jul 1999 00:59:25 +0100
From: Brian Somers <brian@Awfulhak.org>
To: Steve Howe <groggy@iname.com>
Cc: freebsd-questions <questions@FreeBSD.ORG>
Subject: Re: ppp filters
Message-ID: <199907192359.AAA64645@dev.lan.awfulhak.org>
In-Reply-To: Your message of "Sat, 17 Jul 1999 02:44:11 -0800." <Pine.BSF.3.96.990717023834.316A-100000@froggy.anchorage.ptialaska.net>
> i've been trying to experiment with ppp filters,
> but they don't make any apparent difference.
> for example, with no other filters, this
> default filter "set" does not block
> traceroute. even though it is
> commented out.
>
> what am i forgetting to do?
Enable tcp/ip logging to see if ppp thinks it's blocking it, and if
it isn't, enable debug logging to find out why.
> also, most listing in services have
> udp/tcp ports. how do i figure out
> if i need udp, tcp, or both?
Depends on the service. You're better off doing what you're already
doing - only enable what you know....
> also, if i create a simple ruleset
> for a label in ppp.conf, does that
> totally trash all previous rulesets?
> like the default labels ruleset for example?
No. Nothing's removed unless you set filter number -1. Your version
of ppp is fairly old. Filters in the latest version have quite a
few extensions. You may want to take a look.
> thank you.
>
> default:
> set log chat connect tun command
>
> # DENY ICMP, DNS
>
> set afilter 0 deny icmp
> set afilter 1 deny udp src eq 53
> set afilter 2 deny udp dst eq 53
> set afilter 3 permit 0/0 0/0
>
> # ALLOW PING
>
> set ifilter 0 permit icmp
> set ofilter 0 permit icmp
>
> # ALLOW FTP-DATA
>
> set ifilter 1 permit tcp src eq 20 dst gt 1023
> set ofilter 1 permit tcp dst eq 20
>
> # ALLOW FTP-CONTROL
>
> set ifilter 2 permit tcp src eq 21 estab
> set ofilter 2 permit tcp dst eq 21
>
> # ALLOW TELNET
>
> set ifilter 3 permit tcp src eq 23 estab
> set ofilter 3 permit tcp dst eq 23
>
> # ALLOW SMTP
>
> set ifilter 4 permit tcp src eq 25
> set ofilter 4 permit tcp dst eq 25
>
> # ALLOW WHOIS
>
> set ifilter 5 permit tcp src eq 43
> set ofilter 5 permit tcp dst eq 43
>
> # ALLOW DNS
>
> set ifilter 6 permit udp src eq 53
> set ofilter 6 permit udp dst eq 53
>
> # ALLOW POP3
>
> set ifilter 7 permit tcp src eq 110
> set ofilter 7 permit tcp dst eq 110
>
> # ALLOW IDENT
>
> set ifilter 8 permit tcp dst eq 113
> set ofilter 8 permit tcp src eq 113
>
> # ALLOW IRC
>
> set ifilter 9 permit tcp dst eq 194
> set ofilter 9 permit tcp src eq 194
>
> # ALLOW TRACEROUTE
>
> # set ifilter 10 permit udp dst gt 33433
> # set ofilter 10 permit udp dst gt 33433
--
Brian <brian@Awfulhak.org> <brian@FreeBSD.org>
<http://www.Awfulhak.org> <brian@OpenBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@FreeBSD.org.uk>
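To make the advice above concrete, here is a small rule evaluator that replays the quoted ppp.conf filters against a few constructed packets and reports which rule (if any) each packet hits, much as the tcp/ip log would. This is an added example, not code from the thread or from ppp itself; it assumes the user-ppp evaluation model as an assumption (rules tried in numeric order, first match decides, a packet matching nothing in a non-empty filter is dropped, an empty filter passes everything). With that model the commented-out traceroute rule is irrelevant: an outbound UDP probe to a high port matches nothing in ofilter and is dropped, which is exactly the sort of thing the log would show.

```python
"""Toy evaluator for user-ppp style 'set {a,i,o}filter' rules (added example)."""
import ipaddress
import re

PROTOS = {"icmp", "udp", "tcp"}

# The poster's ruleset, copied from the quoted message (comments left as-is).
SAMPLE_CONF = """
set afilter 0 deny icmp
set afilter 1 deny udp src eq 53
set afilter 2 deny udp dst eq 53
set afilter 3 permit 0/0 0/0
set ifilter 0 permit icmp
set ofilter 0 permit icmp
set ifilter 1 permit tcp src eq 20 dst gt 1023
set ofilter 1 permit tcp dst eq 20
set ifilter 2 permit tcp src eq 21 estab
set ofilter 2 permit tcp dst eq 21
set ifilter 3 permit tcp src eq 23 estab
set ofilter 3 permit tcp dst eq 23
set ifilter 6 permit udp src eq 53
set ofilter 6 permit udp dst eq 53
# set ifilter 10 permit udp dst gt 33433
# set ofilter 10 permit udp dst gt 33433
"""

# Constructed packets (addresses are documentation ranges, not real hosts).
PACKETS = {
    "traceroute_probe": {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.5",
                         "sport": 40000, "dport": 33434},
    "icmp_reply":       {"proto": "icmp", "src": "198.51.100.1", "dst": "192.0.2.10"},
    "dns_query":        {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.53",
                         "sport": 1025, "dport": 53},
    "telnet_reply":     {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10",
                         "sport": 23, "dport": 1030, "estab": True},
    "telnet_syn_in":    {"proto": "tcp", "src": "198.51.100.5", "dst": "192.0.2.10",
                         "sport": 23, "dport": 1030, "estab": False},
}

def _net(tok):
    """Expand ppp's short address form ('0/0') into an ip_network."""
    addr, _, width = tok.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(f"{'.'.join(octets)}/{width or 32}", strict=False)

def parse_rules(conf):
    """Return {'a'|'i'|'o': [(number, rule), ...]} sorted by rule number."""
    filters = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # commented rules never load
        m = re.match(r"set\s+([aio])filter\s+(\d+)\s+(permit|deny)\s*(.*)$", line)
        if not m:
            continue
        name, num, action, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4).split()
        rule = {"action": action, "nets": [], "proto": None, "src": None, "dst": None, "estab": False}
        i = 0
        while i < len(rest) and "/" in rest[i]:       # optional src/dst address prefixes
            rule["nets"].append(_net(rest[i])); i += 1
        if i < len(rest) and rest[i] in PROTOS:
            rule["proto"] = rest[i]; i += 1
        while i < len(rest):
            if rest[i] in ("src", "dst"):            # 'src eq 53', 'dst gt 1023', ...
                rule[rest[i]] = (rest[i + 1], int(rest[i + 2])); i += 3
            elif rest[i] == "estab":
                rule["estab"] = True; i += 1
            else:
                raise ValueError(f"unknown token {rest[i]!r} in: {line}")
        filters.setdefault(name, []).append((num, rule))
    return {k: sorted(v) for k, v in filters.items()}

def _port_ok(spec, port):
    if spec is None:
        return True
    if port is None:
        return False
    op, val = spec
    return {"eq": port == val, "lt": port < val, "gt": port > val}[op]

def rule_matches(rule, pkt):
    for net, key in zip(rule["nets"], ("src", "dst")):
        if ipaddress.ip_address(pkt[key]) not in net:
            return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if not _port_ok(rule["src"], pkt.get("sport")) or not _port_ok(rule["dst"], pkt.get("dport")):
        return False
    return not rule["estab"] or bool(pkt.get("estab"))

def evaluate(filters, name, pkt):
    """Return (verdict, matching_rule_number); number is None when nothing matched."""
    rules = filters.get(name, [])
    if not rules:
        return "permit", None                          # empty filter: everything passes (assumption)
    for num, rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], num
    return "deny", None                                # non-empty filter, no match: dropped (assumption)

def explain(filters, name, label):
    """One log-style line per packet, in the spirit of 'set log tcp/ip'."""
    verdict, num = evaluate(filters, name, PACKETS[label])
    where = f"{name}filter rule {num}" if num is not None else f"no {name}filter rule matched"
    return f"{label}: {verdict} ({where})"

if __name__ == "__main__":
    f = parse_rules(SAMPLE_CONF)
    for name, label in [("o", "traceroute_probe"), ("i", "icmp_reply"), ("a", "dns_query"),
                        ("o", "dns_query"), ("i", "telnet_reply"), ("i", "telnet_syn_in")]:
        print(explain(f, name, label))
```

Running it prints one line per packet naming the deciding rule; comparing that with what ppp's own tcp/ip log reports is the quickest way to see whether the filter is behaving as intended or an old ppp version is simply not applying it.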
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907192359.AAA64645>
