From owner-freebsd-questions Mon Jul 19 18: 5:30 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from awfulhak.org (dynamic-102.max1-du-ws.dialnetwork.pavilion.co.uk [212.74.8.102]) by hub.freebsd.org (Postfix) with ESMTP id 92659151F7 for ; Mon, 19 Jul 1999 18:05:22 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from dev.lan.awfulhak.org (root@dev.lan.awfulhak.org [172.16.0.5]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id AAA23569; Tue, 20 Jul 1999 00:59:25 +0100 (BST) (envelope-from brian@lan.awfulhak.org)
Received: from dev.lan.awfulhak.org (brian@localhost [127.0.0.1]) by dev.lan.awfulhak.org (8.9.3/8.9.3) with ESMTP id AAA64645; Tue, 20 Jul 1999 00:59:25 +0100 (BST) (envelope-from brian@dev.lan.awfulhak.org)
Message-Id: <199907192359.AAA64645@dev.lan.awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: Steve Howe
Cc: freebsd-questions
Subject: Re: ppp filters
In-reply-to: Your message of "Sat, 17 Jul 1999 02:44:11 -0800."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 20 Jul 1999 00:59:25 +0100
From: Brian Somers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> i've been trying to experiment with ppp filters,
> but they don't make any apparent difference.
> for example, with no other filters, this
> default filter "set" does not block
> traceroute. even though it is
> commented out.
>
> what am i forgetting to do?

Enable tcp/ip logging to see if ppp thinks it's blocking it, and if it isn't, enable debug logging to find out why.

> also, most listing in services have
> udp/tcp ports. how do i figure out
> if i need udp, tcp, or both?

Depends on the service. You're better off doing what you're already doing - only enable what you know....

> also, if i create a simple ruleset
> for a label in ppp.conf, does that
> totally trash all previous rulesets?
> like the default labels ruleset for example?

No. Nothing's removed unless you set filter number -1.

Your version of ppp is fairly old.
Filters in the latest version have quite a few extensions. You may want to take a look.

> thank you.
>
> default:
>  set log chat connect tun command
>
>  # DENY ICMP, DNS
>
>  set afilter 0 deny icmp
>  set afilter 1 deny udp src eq 53
>  set afilter 2 deny udp dst eq 53
>  set afilter 3 permit 0/0 0/0
>
>  # ALLOW PING
>
>  set ifilter 0 permit icmp
>  set ofilter 0 permit icmp
>
>  # ALLOW FTP-DATA
>
>  set ifilter 1 permit tcp src eq 20 dst gt 1023
>  set ofilter 1 permit tcp dst eq 20
>
>  # ALLOW FTP-CONTROL
>
>  set ifilter 2 permit tcp src eq 21 estab
>  set ofilter 2 permit tcp dst eq 21
>
>  # ALLOW TELNET
>
>  set ifilter 3 permit tcp src eq 23 estab
>  set ofilter 3 permit tcp dst eq 23
>
>  # ALLOW SMTP
>
>  set ifilter 4 permit tcp src eq 25
>  set ofilter 4 permit tcp dst eq 25
>
>  # ALLOW WHOIS
>
>  set ifilter 5 permit tcp src eq 43
>  set ofilter 5 permit tcp dst eq 43
>
>  # ALLOW DNS
>
>  set ifilter 6 permit udp src eq 53
>  set ofilter 6 permit udp dst eq 53
>
>  # ALLOW POP3
>
>  set ifilter 7 permit tcp src eq 110
>  set ofilter 7 permit tcp dst eq 110
>
>  # ALLOW IDENT
>
>  set ifilter 8 permit tcp dst eq 113
>  set ofilter 8 permit tcp src eq 113
>
>  # ALLOW IRC
>
>  set ifilter 9 permit tcp dst eq 194
>  set ofilter 9 permit tcp src eq 194
>
>  # ALLOW TRACEROUTE
>
>  # set ifilter 10 permit udp dst gt 33433
>  # set ofilter 10 permit udp dst gt 33433

--
Brian

Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
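The following is an added worked example, not code from the thread or from FreeBSD's ppp. It is a small Python model of how user-ppp walks a filter list, run over a constructed copy of the quoted ruleset, so the outcome of the traceroute question can be checked on paper before reaching for tcp/ip or debug logging. The model assumes the ppp(8) semantics as documented: rules are tried in ascending number, the first match decides, a filter with no rules at all passes everything, and once a filter has any rule an unmatched packet is dropped. Only the "any" address form (0/0) and the `src`/`dst` port operators and `estab` flag are modelled; `parse_filters`, `decide` and `uncomment_traceroute` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the ruleset quoted in the thread (traceroute rules still commented out).
PPP_CONF = """
default:
 set log chat connect tun command
 # DENY ICMP, DNS
 set afilter 0 deny icmp
 set afilter 1 deny udp src eq 53
 set afilter 2 deny udp dst eq 53
 set afilter 3 permit 0/0 0/0
 # ALLOW PING
 set ifilter 0 permit icmp
 set ofilter 0 permit icmp
 # ALLOW FTP-DATA
 set ifilter 1 permit tcp src eq 20 dst gt 1023
 set ofilter 1 permit tcp dst eq 20
 # ALLOW FTP-CONTROL
 set ifilter 2 permit tcp src eq 21 estab
 set ofilter 2 permit tcp dst eq 21
 # ALLOW TELNET
 set ifilter 3 permit tcp src eq 23 estab
 set ofilter 3 permit tcp dst eq 23
 # ALLOW DNS
 set ifilter 6 permit udp src eq 53
 set ofilter 6 permit udp dst eq 53
 # ALLOW IDENT
 set ifilter 8 permit tcp dst eq 113
 set ofilter 8 permit tcp src eq 113
 # ALLOW TRACEROUTE
 # set ifilter 10 permit udp dst gt 33433
 # set ofilter 10 permit udp dst gt 33433
"""

PortSpec = Optional[Tuple[str, int]]   # ("lt" | "eq" | "gt", port)


@dataclass
class Rule:
    num: int
    action: str              # "permit" or "deny"
    proto: Optional[str]     # "tcp", "udp", "icmp" or None for any protocol
    src: PortSpec
    dst: PortSpec
    estab: bool              # rule only matches established TCP (ACK set)


def parse_filters(text: str) -> Dict[str, List[Rule]]:
    """Parse 'set Xfilter N action ...' lines into per-filter rule lists, sorted by rule number."""
    filters: Dict[str, List[Rule]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment: commented rules never load
        if not line:
            continue
        tok = line.split()
        if len(tok) < 4 or tok[0] != "set" or not tok[1].endswith("filter"):
            continue
        name, num, action, rest = tok[1], int(tok[2]), tok[3], tok[4:]
        # Optional src/dst address specs such as "0/0 0/0"; treated as "any" (assumption: only 0/0 used).
        while rest and ("/" in rest[0] or re.match(r"^\d+\.\d+", rest[0])):
            rest.pop(0)
        proto = rest.pop(0) if rest and rest[0] in ("tcp", "udp", "icmp") else None
        src = dst = None
        estab = False
        i = 0
        while i < len(rest):
            if rest[i] in ("src", "dst") and i + 2 < len(rest) + 0:
                spec = (rest[i + 1], int(rest[i + 2]))
                if rest[i] == "src":
                    src = spec
                else:
                    dst = spec
                i += 3
            else:
                estab = estab or rest[i] == "estab"   # syn/finrst are ignored in this model
                i += 1
        filters.setdefault(name, []).append(Rule(num, action, proto, src, dst, estab))
    for rules in filters.values():
        rules.sort(key=lambda r: r.num)
    return filters


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"lt": port < n, "eq": port == n, "gt": port > n}[op]


def decide(name: str, proto: str, sport: int, dport: int,
           estab: bool = False, conf: str = PPP_CONF) -> str:
    """Return 'permit' or 'deny' for one packet against the named filter (ifilter/ofilter/afilter/dfilter)."""
    rules = parse_filters(conf).get(name, [])
    if not rules:
        return "permit"            # no rules at all: the filter is inactive
    for r in rules:
        if r.proto and r.proto != proto:
            continue
        if not _port_ok(r.src, sport) or not _port_ok(r.dst, dport):
            continue
        if r.estab and not estab:
            continue
        return r.action            # first matching rule wins
    return "deny"                  # rules exist but none matched


def uncomment_traceroute(conf: str) -> str:
    """Re-enable the two commented-out traceroute rules (only '# set ' prefixes are touched)."""
    return conf.replace("# set ", "set ")


if __name__ == "__main__":
    # A traceroute probe is UDP to a high port (33434 and up); with the rule commented out nothing permits it.
    print("outbound traceroute probe:", decide("ofilter", "udp", 40000, 33434))
    print("same, rules uncommented :", decide("ofilter", "udp", 40000, 33434, conf=uncomment_traceroute(PPP_CONF)))
    print("inbound DNS reply        :", decide("ifilter", "udp", 53, 40000))
    print("inbound telnet SYN       :", decide("ifilter", "tcp", 40000, 23))
```

If the model says "deny" but the real link still carries traceroute, the packets are not reaching this filter list, which is what ppp's tcp/ip and debug logging will show; the usual reasons are that a different label's rules are in effect or that the traffic is not leaving over the tun interface at all.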