Date: Wed, 10 Dec 1997 13:59:12 +0200 (EET)
From: Igor Karpov <freebsd@vicotec.kiev.ua>
To: Michael Ryan <mike@NetworX.ie>
Cc: FreeBSD Support <questions@FreeBSD.ORG>
Subject: Re: dfilter in iijppp
Message-ID: <Pine.BSF.3.95q.971210124602.5056A-100000@ubik.vicotec.kiev.ua>
In-Reply-To: <ECS9710282130I@NetworX.ie>
Hi Mike,

I'm sorry, but I only read the mail coming to freebsd@ from time to time, and I read your letter only today. The point is that freebsd@ is just a pseudo-account to keep the FreeBSD mailing lists for occasional review. I didn't think (sorry!) that you would answer me; my "Re:" was too short for you to answer. But yesterday I noticed a funny thing which may be related to the subject; this is the second reason. The first one is that I think every directly addressed mail should be answered.

As far as I can see, you have a possibility to prevent ppp from dialing on every DNS query. I didn't understand you, because I did it myself _before_ and had already forgotten the problems with this. The answer is to set up a little nameserver. I don't even have a static IP or a real (non-UUCP) domain name; it works anyway. Of course, you have to be running named... The most useful thing in doing this was a chapter from Greg Lehey's "Complete FreeBSD Book" describing DNS (I don't know exactly whether this book is already complete, but I could mail this chapter directly to you).

On Tue, 28 Oct 1997, Michael Ryan wrote:

> Hi Igor,
>
> On Tue, 28 Oct 1997 10:58:51 +0200 (EET) Pseudo-user collecting FreeBSD mailing
> lists. wrote:
>
> > >From /usr/local/squid/etc/squid.conf:
> >
> > "If you want to disable DNS tests, do not comment out or delete this list.
> > Instead use the -D command line option"
> >
> > It works for me.
>
> My understanding of "dns_testnames" is it's how Squid determines if there's
> a path to the Internet or not. On my machine, I've simply set this to the
> localhost "dns_testnames localhost". That's fine, but it's not what I was
> talking about.
>
> My problem is that for Squid to actually go out there and retrieve pages,
> the first thing it'll do is generate a DNS query on the host name of the
> web site. Unless DNS is permitted in the dfilter rule set, this will not
> trigger the ppp dial-up,

Now the funny thing I promised. Yesterday I found that my iijppp completely ignores dfilter rules 4-7 (I watched it with tcpdump -nv and in ppp.log after "set log +TCP/IP"). I don't know yet what the deal is; maybe ppp-971125 doesn't want to work with 2.2.1-RELEASE, or it's my mistake (I was playing with filters yesterday). When I find out the reason, I can let you know whether this applies to you. Here are parts of my ppp.conf:

 #
 # Don't keep alive with ICMP, DNS and RIP packets
 #
 set afilter 0 deny icmp
 set afilter 1 deny udp src eq 53
 set afilter 2 deny udp dst eq 53
 set afilter 3 deny udp src eq 520
 set afilter 4 deny udp dst eq 520
 set afilter 5 permit 0/0 0/0
 #
 # Don't dial with ICMP packets
 #
 set dfilter 0 deny icmp
 set dfilter 1 permit 0/0 0/0
 set dfilter 2 deny tcp dst eq 4321
 set dfilter 3 deny tcp dst eq 550
 #
 # Don't dial with DNS packets
 #
 set dfilter 4 deny tcp dst eq 53
 set dfilter 5 deny tcp src eq 53
 set dfilter 6 deny udp dst eq 53
 set dfilter 7 deny udp src eq 53
 [-snip-]
 #
 # If none of the above rules matches, then the packet is blocked.
 #

> so Squid will fail, saying that the host isn't
> reachable (because the IP address couldn't be ascertained). Therefore,
> it seems to me that DNS -must- be permitted in the dfilter ruleset.
>
> My problem with this is that, now, -every- service will, in effect, cause
> the dial-up to occur, because almost every service will first of all
> generate a DNS query (just like Squid).
>
> See what I mean?
>
>
> Bye,
> Mike
> <mike@NetworX.ie>
> ---

Regards,
Igor.
------------------------------------------------
"Virus is a small freeware utility, which helps users to get rid of their obsolete files."
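As an added illustration (not part of the original mail or of the ppp sources), here is a small Python model of first-match filter evaluation run over the dfilter rules quoted above. It assumes the semantics the mail's own comment describes for user ppp: rules are tried in numerical order, the first match decides, and a packet matching no rule is blocked; under those assumptions rule 1 (`permit 0/0 0/0`) matches every non-ICMP packet before rules 2 to 7 are consulted, which is the kind of shadowing worth checking whenever a catch-all permit sits in the middle of a ruleset.

```python
# Added example: first-match evaluator for user-ppp style filter rules.
# Assumption (labelled): rules are checked in order, first match wins,
# no match means deny. Packet and rule shapes are constructed for this demo.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "icmp", "tcp" or "udp"
    dport: int = 0   # destination port (0 for icmp)
    sport: int = 0   # source port (0 for icmp)

# The dfilter rules from the mail, in the order given (rule 0 .. 7).
# Tuple: (action, proto, side, port); proto "any" with side None is 0/0 0/0.
DFILTER = [
    ("deny",   "icmp", None,  None),
    ("permit", "any",  None,  None),   # rule 1: matches every packet
    ("deny",   "tcp",  "dst", 4321),
    ("deny",   "tcp",  "dst", 550),
    ("deny",   "tcp",  "dst", 53),
    ("deny",   "tcp",  "src", 53),
    ("deny",   "udp",  "dst", 53),
    ("deny",   "udp",  "src", 53),
]

def matches(rule, pkt):
    """True if a single rule matches the packet."""
    _action, proto, side, port = rule
    if proto != "any" and proto != pkt.proto:
        return False
    if side == "dst":
        return pkt.dport == port
    if side == "src":
        return pkt.sport == port
    return True          # no port constraint (icmp rule or 0/0 0/0)

def evaluate(rules, pkt):
    """Return (decision, index of the rule that fired); -1 = default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[0], i
    return "deny", -1

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier 0/0 0/0 permit matches first."""
    for i, (action, proto, side, _port) in enumerate(rules):
        if action == "permit" and proto == "any" and side is None:
            return list(range(i + 1, len(rules)))
    return []

def catch_all_last(rules):
    """Reordered copy with the 0/0 0/0 permit moved after the specific denies."""
    catch_all = [r for r in rules if r[1] == "any" and r[2] is None]
    return [r for r in rules if r not in catch_all] + catch_all
```

Running `evaluate(DFILTER, Packet("udp", dport=53))` returns `("permit", 1)`, i.e. a DNS query still dials, while `catch_all_last(DFILTER)` makes the same packet hit the `udp dst eq 53` deny.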