Date: Mon, 17 Aug 1998 16:10:47 +0200 From: Arnout Boer <arnout@xs4all.nl> To: hackers@FreeBSD.ORG Subject: PPP filterering problems.. Message-ID: <19980817161047.52771@xs4all.nl>
Hi!
A couple of weeks ago I grabbed the latest ppp source.
I installed it and let my FreeBSD server alias for
the network in the background.... with some puzzling and
reading that was not much of a problem.
But the filtering is unclear for me..
With the following filter almost nothing comes in..
I don't have a clue and couldn't find an extensive
filtering explanation, so if anybody can help:
Great...
Here are my filtering rules from ppp.conf
(btw... if it's better to use ipfw as the filter in combination
with ppp -alias, then I will look into that)
But since ppp supports it... why not :-)
# ppp.conf
#
# NOTE(review): each filter (alive / dial / in / out) is a numbered list that
# is matched in order; the "review:" comments below mark rules whose effect
# is probably not what was intended.
default:
set log local tcp/ip Phase Chat Connect hdlc LCP IPCP CCP tun command
set device /dev/cuaa0
set speed 38400
set timeout 0
disable pred1
deny pred1
disable lqr
#
# If we don't want ICMP and DNS packets to keep the connection alive:
#
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53
set filter alive 3 deny udp src eq 520
set filter alive 4 deny udp dst eq 520
set filter alive 5 deny udp src eq 137
set filter alive 6 deny udp dst eq 137
set filter alive 7 deny udp src eq 138
set filter alive 8 deny udp dst eq 138
set filter alive 9 deny udp src eq 139
set filter alive 10 deny udp dst eq 139
set filter alive 11 permit 0/0 0/0
#
# And we don't want ICMPs to cause a dialup:
#
set filter dial 0 deny icmp
set filter dial 1 deny udp src eq 53
set filter dial 2 deny udp dst eq 53
set filter dial 3 deny udp src eq 137
set filter dial 4 deny udp dst eq 137
set filter dial 5 deny udp src eq 138
set filter dial 6 deny udp dst eq 138
set filter dial 7 deny udp src eq 139
set filter dial 8 deny udp dst eq 139
#
# or any TCP SYN or RST packets (badly closed TCP channels):
#
set filter dial 9 deny 0 0 tcp syn finrst
# Finally
set filter dial 10 permit 0/0 0/0
# Once the line's up, allow connections for ident (113), telnet (23),
# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
# ICMP (ping) and traceroute (>33433).
#
# Anything else is blocked by default
#
# set filter in 0 permit tcp dst eq 113
# set filter out 0 permit tcp src eq 113
# review: "estab" on an inbound rule restricts it to packets of an already
# established TCP connection, i.e. replies to connections opened from here.
# Rules in 1, 2 and 7 use it; in 10, 12, 15, 18 and 19 below do not, so an
# inbound packet merely carrying one of those source ports is accepted,
# including a fresh connection attempt.
set filter in 1 permit tcp src eq 23 estab
set filter out 1 permit tcp dst eq 23
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
# review: active-mode FTP data channel. This admits any inbound connection
# whose source port is 20 to any local port above 1023, not only the one the
# FTP client asked for -- the usual weakness of source-port based filtering.
set filter in 3 permit tcp src eq 20 dst gt 1023
set filter out 3 permit tcp dst eq 20
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 5 permit icmp
set filter out 5 permit icmp
# traceroute probes use UDP ports above 33433
set filter in 6 permit udp dst gt 33433
set filter out 6 permit udp src gt 33433
set filter out 7 permit tcp dst eq 25
set filter in 7 permit tcp src eq 25 estab
# review: no protocol or port is given here, so rule 8 admits everything
# to/from the whole 192.168.0.x range; for traffic on those addresses none
# of the later, more specific rules is ever consulted. Whether the "in"
# filter sees the private address depends on whether it runs after
# de-aliasing -- confirm against your ppp version.
set filter in 8 permit 0/0 192.168.0.1/24
set filter out 8 permit 192.168.0.1/24 0/0
# review: ssh (22), nntp (119), pop3 (110) and irc (194) are TCP services,
# so the udp rules 9, 11, 14 and 16 open nothing that is needed.
# Rule numbers 13 and 17 are unused; confirm that your ppp skips undefined
# slots rather than stopping at the first gap.
set filter in 9 permit udp src eq 22
set filter out 9 permit udp dst eq 22
set filter out 10 permit tcp dst eq 22
set filter in 10 permit tcp src eq 22
set filter in 11 permit udp src eq 119
set filter out 11 permit udp dst eq 119
set filter out 12 permit tcp dst eq 119
set filter in 12 permit tcp src eq 119
set filter in 14 permit udp src eq 110
set filter out 14 permit udp dst eq 110
set filter out 15 permit tcp dst eq 110
set filter in 15 permit tcp src eq 110
set filter in 16 permit udp src eq 194
set filter out 16 permit udp dst eq 194
set filter out 18 permit tcp dst eq 194
set filter in 18 permit tcp src eq 194
# review: rule 19 is the reverse of every other pair above: "out src eq 80"
# with "in dst eq 80" lets remote hosts connect TO a web server on this
# side, not this side browse remote servers. If browsing is the intent,
# the pair should read
#   set filter out 19 permit tcp dst eq 80
#   set filter in 19 permit tcp src eq 80 estab
# which may be part of why "almost nothing comes in".
set filter out 19 permit tcp src eq 80
set filter in 19 permit tcp dst eq 80
#
# If none of above rules matches, then packet is blocked.
# on demand --- ppp -auto -alias demand
demand:
alias enable yes
alias log yes
alias use_sockets yes
alias unregistered_only yes
# review: the chat script below carries the dial-in account password, so
# this file must stay unreadable to other users on the machine.
set login "TIMEOUT 5 ogin:-\\r-ogin: blah TIMEOUT 20 word: oeps"
set timeout 90
set ifaddr 194.109.15.187 194.109.6.1/0 255.255.0.0 0.0.0.0
add default HISADDR
# enable dns
set openmode active
