From owner-freebsd-questions Tue Nov 17 04:47:12 1998
Message-ID: <36517060.4CD7035E@tpgi.com.au>
Date: Tue, 17 Nov 1998 23:47:28 +1100
From: Eddie Irvine
To: questions@FreeBSD.ORG
Subject: ppp and 192.168.0.0 packets.

Hello all!

I have a FreeBSD 2.2-STABLE server serving a private network (192.168.x.x) in a school and routing IP and AppleTalk between subnets. It also dials up various ISPs (depending on which one is working on the day) and runs squid. So far so good!

I use ppp 2.0 for this, normally *without* aliasing turned on, because I don't want my smarter kids sending email from their web browsers out onto the net (Dept. Ed. Policy). A teacher's machine (192.168.1.115) has Netscape configured to fetch mail from an ISP's mailbox, and when I want to do this I dial up with the -alias option. Obviously, we are not doing any mail relaying on our server.

Now, I'm concerned that without the -alias option on all the time, packets from my private net will sometimes go down the phone line and onto the internet, making me a (gasp!) "bad citizen".

1) Should I worry about this?

OK, so, let's assume that I turn aliasing ON all the time and enable some of the packet filtering rules. To make it simple, say I want to permit only the server (interfaces 192.168.1.1, 192.168.2.1, 192.168.3.1 and whatever the ISP assigns to MYADDR) to be able to access port 80, and only the teacher's machine (192.168.1.115) to be able to access the ISP's pop server.

2) Can the filtering rules do this, when aliasing is turned on?

3) How does the ppp filter scan the rule set? Does it start at the top of the rule set with each packet and *stop* at the first permit or deny that matches the packet?

I've made a diagram of our network to help with this question - you can find it on:
http://www1.tpgi.com.au/users/eirvine/freebsd/screens.html#topology

Cheers,
Eddie.
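An added example (not from the post or from the FreeBSD ppp sources) that models the outgoing rule set described in question 2 and the scanning behaviour asked about in question 3: rules are checked in rule-number order, the first match decides, and a packet that matches no rule of a non-empty filter set is dropped. MYADDR and POP_SERVER are constructed placeholder addresses standing in for whatever the ISP assigns.

```python
import ipaddress

# Constructed policy from the post, as (rule_no, action, src, dst, proto, dst_port).
# A proto or port of None matches anything. Addresses are placeholders.
MYADDR = "198.51.100.7"        # placeholder: address the ISP assigns to ppp
POP_SERVER = "198.51.100.25"   # placeholder: the ISP's POP server
SERVER_ADDRS = ["192.168.1.1", "192.168.2.1", "192.168.3.1", MYADDR]

# Rules 0-3: only the server's own addresses may reach tcp/80.
OUT_FILTER = [(n, "permit", a + "/32", "0.0.0.0/0", "tcp", 80)
              for n, a in enumerate(SERVER_ADDRS)]
# Rule 4: only the teacher's machine may reach the ISP's POP server (tcp/110).
OUT_FILTER.append((4, "permit", "192.168.1.115/32", POP_SERVER + "/32", "tcp", 110))
# No permit covers tcp/25, so student SMTP attempts fall through to the
# implicit deny at the end of the scan.


def matches(rule, src, dst, proto, dport):
    """True if the packet fits every field the rule constrains."""
    _, _, r_src, r_dst, r_proto, r_port = rule
    if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
        return False
    if r_proto is not None and r_proto != proto:
        return False
    if r_port is not None and r_port != dport:
        return False
    return True


def evaluate(rules, src, dst, proto, dport):
    """Scan in rule-number order; the first matching rule decides.
    A packet matching nothing in a non-empty filter set is denied."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, src, dst, proto, dport):
            return rule[1], rule[0]
    return "deny", None


def shadowed_example():
    """Why order matters: a broad deny placed before the teacher's permit
    is hit first, so the later permit is never reached."""
    rules = [(0, "deny", "192.168.0.0/16", "0.0.0.0/0", None, None),
             (1, "permit", "192.168.1.115/32", POP_SERVER + "/32", "tcp", 110)]
    return evaluate(rules, "192.168.1.115", POP_SERVER, "tcp", 110)


if __name__ == "__main__":
    print(evaluate(OUT_FILTER, "192.168.1.1", "203.0.113.10", "tcp", 80))
    print(evaluate(OUT_FILTER, "192.168.2.50", "203.0.113.10", "tcp", 25))
    print(shadowed_example())
```

Whether the out filter sees the private source address or the aliased MYADDR depends on where ppp applies the filter relative to aliasing; check the ppp(8) man page for the version in use before relying on rules keyed to 192.168.x.x sources.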