From owner-freebsd-questions Sun Dec 21 02:59:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id CAA23242 for questions-outgoing; Sun, 21 Dec 1997 02:59:37 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id CAA23190 for ; Sun, 21 Dec 1997 02:59:22 -0800 (PST) (envelope-from brian@awfulhak.org)
Received: from gate.lan.awfulhak.org (localhost [127.0.0.1]) by awfulhak.demon.co.uk (8.8.7/8.8.7) with ESMTP id EAA18335; Sun, 21 Dec 1997 04:20:47 GMT (envelope-from brian@gate.lan.awfulhak.org)
Message-Id: <199712210420.EAA18335@awfulhak.demon.co.uk>
X-Mailer: exmh version 2.0zeta 7/24/97
To: "Joe \"Marcus\" Clarke"
cc: FreeBSD User Questions List
Subject: Re: PPP telnet filter
In-reply-to: Your message of "Sat, 20 Dec 1997 17:33:32 EST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 21 Dec 1997 04:20:46 +0000
From: Brian Somers
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Hey, I'm trying to create a ppp filter that will deny telnet requests
> coming from the Internet, but allow them coming from 192.168.100/24.
> Everything I try seems to produce unwanted results.  My situation is
> this: I want the people on the Intranet (192.168.100/24) to be able to
> telnet to the server, but everyone else should be denied.  I hope I'm
> being clear in this.  I've tried a few o/ifilters with no real luck.  I
> always seem to block ALL telnet requests, or allow all of them.  Oh, and
> everything else should be allowed to pass normally.  I have some filters
> up to prevent ICMP keep-alive, and dial, and they work fine.  Thanks.

set ifilter X allow 192.168.100.0/24 0/0 tcp dst eq 23
set ifilter X+1 deny tcp dst eq 23

This is assuming that everyone is ``outside''.  In most setups, the
second line is only necessary as the internal network won't be going
via ppp.
Another good pitfall is if your `hostname's IP is the one you're using
for ppp, and you don't have a loopback route for it, it'll force the
traffic through ppp :-|  To set up the loopback route, add

    ifconfig_lo0_alias0="inet a.b.c.d netmask 0xffffffff"

to /etc/rc.conf (a.b.c.d is your static IP number).

> Joe Clarke
>

--
Brian , ,
Don't _EVER_ lose your sense of humour....
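The point of the reply above is rule order: the narrow allow for the intranet must come before the blanket deny for port 23, because ppp applies the first matching rule. The following is an added example, not code from the original message or from FreeBSD's ppp. It is a small parser and first-match evaluator for the `set ifilter N action [src [dst]] [proto [src|dst eq|lt|gt port]]` line format used in the reply, run over constructed packets as if they all arrived on the ppp link. Assumptions not in the message: the placeholders X and X+1 are given concrete numbers 0 and 1; a catch-all `allow 0/0 0/0` is added as rule 2 to match the request that "everything else" pass; an unmatched packet is treated as denied (assumed to mirror user-ppp's behaviour once any rule is defined); and both `allow` and `permit` are accepted as the permit action.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOS = {"tcp", "udp", "icmp"}
OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    number: int
    action: str                        # "allow"/"permit" or "deny" (assumed synonyms)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]               # None matches any protocol
    sport: Optional[Tuple[str, int]]   # (op, port) or None
    dport: Optional[Tuple[str, int]]


def _net(tok: str) -> ipaddress.IPv4Network:
    """Accept ppp's short address forms such as 0/0 or 192.168.100/24."""
    addr, _, width = tok.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.IPv4Network(".".join(octets) + "/" + (width or "32"), strict=False)


def _is_addr(tok: str) -> bool:
    return tok[0].isdigit()


def parse_rule(line: str) -> Rule:
    """Parse one 'set ifilter N action [src [dst]] [proto [src|dst op port]...]' line."""
    tok = line.split()
    if tok[:2] != ["set", "ifilter"]:
        raise ValueError("not an ifilter line: " + line)
    number, action, rest = int(tok[2]), tok[3], tok[4:]
    if action not in ("allow", "permit", "deny"):
        raise ValueError("unknown action: " + action)
    src = dst = _net("0/0")                 # addresses are optional; default any
    if rest and _is_addr(rest[0]):
        src = _net(rest.pop(0))
        if rest and _is_addr(rest[0]):
            dst = _net(rest.pop(0))
    proto = rest.pop(0) if rest and rest[0] in PROTOS else None
    sport = dport = None
    while rest:                             # zero or more "src|dst op port" clauses
        side, op, port = rest[:3]
        rest = rest[3:]
        if side not in ("src", "dst") or op not in OPS:
            raise ValueError("bad port clause in: " + line)
        if side == "src":
            sport = (op, int(port))
        else:
            dport = (op, int(port))
    return Rule(number, action, src, dst, proto, sport, dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    for want, have in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if want is not None and not OPS[want[0]](have, want[1]):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule (by rule number) wins; unmatched packets are denied (assumption)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return "deny" if rule.action == "deny" else "allow"
    return "deny"


def load(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


# Constructed rule set: the reply's two rules numbered 0 and 1, plus an assumed catch-all.
RULES = load("""
set ifilter 0 allow 192.168.100.0/24 0/0 tcp dst eq 23
set ifilter 1 deny tcp dst eq 23
set ifilter 2 allow 0/0 0/0
""")

# Same rules with the deny placed before the allow, to show why the order matters.
REORDERED = load("""
set ifilter 0 deny tcp dst eq 23
set ifilter 1 allow 192.168.100.0/24 0/0 tcp dst eq 23
set ifilter 2 allow 0/0 0/0
""")

# Constructed packets (addresses are illustrative): telnet from the intranet,
# telnet from the Internet, and a web request from the Internet.
PACKETS = {
    "intranet_telnet": Packet("192.168.100.7", "192.168.100.1", "tcp", 1100, 23),
    "internet_telnet": Packet("10.9.8.7", "192.168.100.1", "tcp", 2200, 23),
    "internet_http": Packet("10.9.8.7", "192.168.100.1", "tcp", 3300, 80),
}


def verdicts(rules: List[Rule] = RULES) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("as replied:", verdicts())
    print("deny first:", verdicts(REORDERED))
```

With the rules as given in the reply, intranet telnet is allowed, Internet telnet is denied, and the web request falls through to the catch-all. With the deny moved first, the intranet telnet is also denied, which is the "block ALL telnet" symptom described in the question.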