From owner-freebsd-questions Tue Nov 4 15:54:54 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA19817 for questions-outgoing; Tue, 4 Nov 1997 15:54:54 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from imdave.pr.mcs.net (imdave@imdave.pr.mcs.net [205.164.3.77]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA19806 for ; Tue, 4 Nov 1997 15:54:45 -0800 (PST) (envelope-from imdave@mcs.net)
Received: (from imdave@localhost) by imdave.pr.mcs.net (8.8.8/8.8.8) id RAA25785; Tue, 4 Nov 1997 17:54:48 -0600 (CST)
Date: Tue, 4 Nov 1997 17:54:48 -0600 (CST)
From: Dave Bodenstab
Message-Id: <199711042354.RAA25785@imdave.pr.mcs.net>
To: freebsd-questions@FreeBSD.ORG, reichert@numachi.com
Subject: Re: userland ppp and packet filtering
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> From: Brian Reichert
>
> I've been making extensive use of userland ppp, and am basically
> satisfied by it. However, I've been trying to employ the packet
> filtering features, but have been meeting with no luck.
>
> Using ppp.conf.filter.sample as a model, I placed filter rules in
> my ppp.conf file. ppp did not complain about any errors, but also
> silently failed to provide the requested filtering.
>
> Is the filtering really supported? I know the ppp package was
> evolving by leaps and bounds, maybe I'm trying to take advantage
> of something still in beta...

I'm using http://www.freebsd.org/~brian/ppp-971023.src.tar.gz on my ancient 2.0.5 system -- works fine.
Here are the filters I use (from ppp.linkup):

  set ifilter 0 deny host 199.95.208.0/24 MYADDR tcp src eq http
  set ifilter 1 deny host 199.95.207.0/24 MYADDR tcp src eq http
  set ifilter 2 deny host 204.71.191.209/26 MYADDR tcp src eq http
  set ifilter 3 deny host 199.95.200.70 MYADDR tcp src eq http
  set ifilter 4 deny host 204.71.191.221/24 MYADDR tcp src eq http
  set ifilter 5 deny host 206.251.6.155/26 MYADDR tcp src eq http
  set ifilter 6 deny host 206.251.7.133 MYADDR tcp src eq http
  set ifilter 7 permit 0/0 0/0

  set ofilter 0 deny host 199.95.208.0/24 tcp dst eq http
  set ofilter 1 deny host 199.95.207.0/24 tcp dst eq http
  set ofilter 2 deny host 204.71.191.209/26 tcp dst eq http
  set ofilter 3 deny host 199.95.200.70 tcp dst eq http
  set ofilter 4 deny host 204.71.191.221/24 tcp dst eq http
  set ofilter 5 deny host 206.251.6.155/26 tcp dst eq http
  set ofilter 6 deny host 206.251.7.133 tcp dst eq http
  set ofilter 7 permit 0/0 0/0

The filters are working for me. When I connect to the dilbert page, I no longer get the stuff from ad.doubleclick.net ;-)

Since I'm almost totally clueless when it comes to networking, protocols, and how to set up these filtering rules, I had to read the source to figure out the syntax. Here're the notes I made for myself:

Filtering:

From ``set log tcp/ip'' we see that each packet can be identified by:

  TYPE / DIRECTION / source ADDRESS / destination ADDRESS

where TYPE is tcp/udp/icmp, DIRECTION is input/output, and ADDRESS is ip-number:port

In the BNF grammar that follows, TYPE corresponds to , DIRECTION corresponds to the filter types `ifilter' and `ofilter', and ADDRESS is the ip/port combination. How do afilter and dfilter fit in?
BNF grammar:

  ::= 'set' -1
    | 'set' NUMBER 'clear'
    | 'set' NUMBER
    | 'set' NUMBER
    | 'set' NUMBER

  ::= 'afilter'    ; keep Alive
    | 'dfilter'    ; Dial
    | 'ifilter'    ; Input
    | 'ofilter'    ; Output

  ::= 'permit' | 'deny'

  ::= /*empty*/ | 'host' | 'port'

  ::= 'tcp' | 'udp' | 'icmp'

  ::= /*empty*/ | 'src' | 'dst' | 'src' 'dst'

  ::= 'eq' | 'lt' | 'gt'

  ::= NAME | NUMBER

  ::= /*empty*/ | 'estab'    ; I wonder what ``estab'' is?

  ::= /*empty*/ | 'src' 'eq' NUMBER

  ::=

  ::=

  ::= 'MYADDR' | 'HISADDR' | NUMBER.NUMBER.NUMBER.NUMBER

  ::= /*empty*/    ; /32 assumed
    | / NUMBER

Dave Bodenstab
imdave@mcs.net
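An added example, not from Dave's post or from ppp itself: a small Python matcher for the rule syntax quoted above, so a ruleset can be checked offline against a constructed packet before it goes into ppp.conf. It assumes (my reading, not stated in the post) that the first address after `host' is the source and an optional second is the destination, that an omitted destination, protocol or port clause matches anything, that the lowest-numbered matching rule decides and that no match means deny; `http' is taken as port 80, `estab' is ignored, and MYADDR is a constructed sample address.

```python
import ipaddress

SERVICES = {"http": 80}   # service names used in the post's rules (assumed mapping)
_OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

def to_net(text, myaddr):
    """'0/0', '199.95.200.70', '204.71.191.209/26' or 'MYADDR' -> IPv4Network."""
    addr, _, width = text.replace("MYADDR", myaddr).partition("/")
    octets = (addr.split(".") + ["0", "0", "0", "0"])[:4]      # pad short forms such as '0'
    return ipaddress.ip_network(".".join(octets) + "/" + (width or "32"), strict=False)

def parse_rule(line, myaddr):
    """set ifilter N deny|permit [host] SRC [DST] [tcp|udp|icmp [src|dst eq|lt|gt PORT]...]"""
    tok = [t for t in line.split() if t != "estab"]   # 'estab' dropped: the post does not say what it means
    rule = {"dir": tok[1], "num": int(tok[2]), "action": tok[3],
            "nets": [], "proto": None, "ports": []}
    i = 5 if tok[4:5] == ["host"] else 4
    while i < len(tok) and tok[i] not in ("tcp", "udp", "icmp"):
        rule["nets"].append(to_net(tok[i], myaddr))
        i += 1
    if i < len(tok):
        rule["proto"] = tok[i]
    for which, op, port in zip(tok[i + 1::3], tok[i + 2::3], tok[i + 3::3]):
        rule["ports"].append((which, op, int(port) if port.isdigit() else SERVICES[port]))
    return rule

def matches(rule, pkt):
    """pkt = {'src', 'dst': dotted address, 'proto': 'tcp'|'udp'|'icmp', 'sport', 'dport'}."""
    for net, key in zip(rule["nets"], ("src", "dst")):        # omitted DST matches anything
        if ipaddress.ip_address(pkt[key]) not in net:
            return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:        # omitted protocol matches anything
        return False
    return all(_OPS[op](pkt["sport" if which == "src" else "dport"], port)
               for which, op, port in rule["ports"])

def decide(rules, pkt):
    """Lowest-numbered matching rule wins; no match -> deny (assumed default)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["action"], r["num"]
    return "deny", None

MYADDR = "192.0.2.10"                                   # constructed sample address (TEST-NET-1)
IFILTER = [parse_rule(line, MYADDR) for line in (       # three of the ifilter rules from the post
    "set ifilter 0 deny host 199.95.208.0/24 MYADDR tcp src eq http",
    "set ifilter 3 deny host 199.95.200.70 MYADDR tcp src eq http",
    "set ifilter 7 permit 0/0 0/0")]
```

A reply from an ad server on port 80 to MYADDR hits rule 0 (deny); the same reply from port 443, or from any address outside the listed ranges, falls through to rule 7 (permit).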