Date: Tue, 4 Nov 1997 17:54:48 -0600 (CST)
From: Dave Bodenstab <imdave@mcs.net>
To: freebsd-questions@FreeBSD.ORG, reichert@numachi.com
Subject: Re: userland ppp and packet filtering
Message-ID: <199711042354.RAA25785@imdave.pr.mcs.net>
> From: Brian Reichert <reichert@numachi.com>
>
> I've been making extensive use of userland ppp, and am basically
> satisfied by it. However, I've been trying to employ the packet
> filtering features, but have been meeting with no luck.
>
> Using ppp.conf.filter.sample as a model, I placed filter rules in
> my ppp.conf file. ppp did not complain about any errors, but also
> silently failed to provide the requested filtering.
>
> Is the filtering really supported? I know the ppp package was
> evolving by leaps and bounds, maybe I'm trying to take advantage
> of something still in beta...

I'm using http://www.freebsd.org/~brian/ppp-971023.src.tar.gz on my
ancient 2.0.5 system -- works fine. Here are the filters I use (from
ppp.linkup):

  set ifilter 0 deny host 199.95.208.0/24 MYADDR tcp src eq http
  set ifilter 1 deny host 199.95.207.0/24 MYADDR tcp src eq http
  set ifilter 2 deny host 204.71.191.209/26 MYADDR tcp src eq http
  set ifilter 3 deny host 199.95.200.70 MYADDR tcp src eq http
  set ifilter 4 deny host 204.71.191.221/24 MYADDR tcp src eq http
  set ifilter 5 deny host 206.251.6.155/26 MYADDR tcp src eq http
  set ifilter 6 deny host 206.251.7.133 MYADDR tcp src eq http
  set ifilter 7 permit 0/0 0/0

  set ofilter 0 deny host 199.95.208.0/24 tcp dst eq http
  set ofilter 1 deny host 199.95.207.0/24 tcp dst eq http
  set ofilter 2 deny host 204.71.191.209/26 tcp dst eq http
  set ofilter 3 deny host 199.95.200.70 tcp dst eq http
  set ofilter 4 deny host 204.71.191.221/24 tcp dst eq http
  set ofilter 5 deny host 206.251.6.155/26 tcp dst eq http
  set ofilter 6 deny host 206.251.7.133 tcp dst eq http
  set ofilter 7 permit 0/0 0/0

The filters are working for me. When I connect to the dilbert page, I no
longer get the stuff from ad.doubleclick.net ;-)

Since I'm almost totally clueless when it comes to networking, protocols,
and how to setup these filtering rules, I had to read the source to figure
out the syntax.
Here're the notes I made for myself:

Filtering:

  From ``set log tcp/ip'' we see that each packet can be identified by:

    TYPE / DIRECTION / source ADDRESS / destination ADDRESS

  where TYPE is tcp/udp/icmp, DIRECTION is input/output, and ADDRESS is
  ip-number:port

  In the BNF grammar that follows, TYPE corresponds to <proto>, DIRECTION
  corresponds to the filter types `ifilter' and `ofilter', and ADDRESS is
  the ip/port combination. How do afilter and dfilter fit in?

BNF grammar:

  <filter command> ::= 'set' <filter type> -1
                     | 'set' <filter type> NUMBER 'clear'
                     | 'set' <filter type> NUMBER <action> <proto>
                     | 'set' <filter type> NUMBER <action> <destination address> <proto>
                     | 'set' <filter type> NUMBER <action> <source address> <destination address> <proto>

  <filter type> ::= 'afilter'    ; keep Alive
                  | 'dfilter'    ; Dial
                  | 'ifilter'    ; Input
                  | 'ofilter'    ; Output

  <action> ::= 'permit'
             | 'deny' <deny type>

  <deny type> ::= /*empty*/
                | 'host'
                | 'port'

  <proto> ::= 'tcp' <tcpudp args>
            | 'udp' <tcpudp args>
            | 'icmp' <icmp args>

  <tcpudp args> ::= /*empty*/
                  | 'src' <op> <port> <estab>
                  | 'dst' <op> <port> <estab>
                  | 'src' <op> <port> 'dst' <op> <port> <estab>

  <op> ::= 'eq' | 'lt' | 'gt'

  <port> ::= NAME | NUMBER

  <estab> ::= /*empty*/
            | 'estab'          ; I wonder what ``estab'' is?

  <icmp args> ::= /*empty*/
                | 'src' 'eq' NUMBER

  <source address> ::= <address>

  <destination address> ::= <address>

  <address> ::= 'MYADDR' <bits>
              | 'HISADDR' <bits>
              | NUMBER.NUMBER.NUMBER.NUMBER <bits>

  <bits> ::= /*empty*/         ; /32 assumed
           | / NUMBER

Dave Bodenstab
imdave@mcs.net
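As an added example (my own code, not part of the message above and not from the ppp sources), here is a small Python checker for rule lines like the ones quoted in the reply: it parses them by the BNF in the notes and reports every literal address that has bits set outside its mask, since such a rule silently matches the whole enclosing network rather than the single host that was written. Two assumptions beyond the BNF: the quoted `permit 0/0 0/0` lines use a bare `0` address and omit `<proto>`, so the parser accepts both; all function names are my own.

```python
import ipaddress
import re

FILTER_TYPES = ("afilter", "dfilter", "ifilter", "ofilter")
ADDR_RE = re.compile(r"^(MYADDR|HISADDR|0|\d+\.\d+\.\d+\.\d+)(?:/(\d+))?$")

def parse_address(tok):
    """Return (host, bits) for an <address> token, else None; bare 0 is 0.0.0.0."""
    m = ADDR_RE.match(tok)
    if not m:
        return None
    host = "0.0.0.0" if m.group(1) == "0" else m.group(1)
    return host, int(m.group(2) or 32)          # /32 assumed when <bits> is absent

def parse_filter_rule(line):
    """Parse 'set <filter type> N <action> [src] [dst] [<proto> args]'."""
    toks = line.split()
    if len(toks) < 4 or toks[0] != "set" or toks[1] not in FILTER_TYPES:
        raise ValueError("not a filter rule: " + line)
    rule = {"type": toks[1], "num": int(toks[2]), "action": toks[3], "src": None, "dst": None}
    i = 4
    if rule["action"] == "deny" and toks[i:i + 1] in (["host"], ["port"]):
        i += 1                                   # skip the optional <deny type>
    addrs = []
    while i < len(toks) and parse_address(toks[i]):
        addrs.append(parse_address(toks[i]))
        i += 1
    if addrs:                                    # a lone address is the destination
        rule["dst"], rule["src"] = addrs[-1], addrs[0] if len(addrs) == 2 else None
    if i < len(toks) and toks[i] not in ("tcp", "udp", "icmp"):
        raise ValueError("bad <proto> in: " + line)
    rule["proto"], rule["args"] = (toks[i], toks[i + 1:]) if i < len(toks) else (None, [])
    return rule

def masked_network(addr):
    """Network a literal address really covers; None for MYADDR/HISADDR."""
    if addr[0] in ("MYADDR", "HISADDR"):
        return None
    return ipaddress.ip_network(f"{addr[0]}/{addr[1]}", strict=False)

def lint_rules(lines):
    """(type, number, address as written, network matched) where host bits exceed the mask."""
    found = []
    for r in map(parse_filter_rule, lines):
        for a in (r["src"], r["dst"]):
            net = masked_network(a) if a else None
            if net and str(net.network_address) != a[0]:
                found.append((r["type"], r["num"], f"{a[0]}/{a[1]}", str(net)))
    return found
```

Run `lint_rules()` over the ifilter lines quoted above and it reports rules 2, 4 and 5, whose /26 and /24 masks do not line up with the host address written in front of them.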