Date: Wed, 31 Jan 2001 10:01:01 -0600 From: "Josh Paetzel" <jpaetzel@hutchtel.net> To: <darryl@osborne-ind.com>, <freebsd-questions@FreeBSD.ORG>, "Cliff Sarginson" <cliff@raggedclown.net> Subject: Re: ppp packet filtering Message-ID: <001c01c08b9f$14a9b0e0$6100000a@vladsempire.net> References: <E14NzFf-000NA1-00@post.mail.nl.demon.net>
----- Original Message -----
From: "Cliff Sarginson" <cliff@raggedclown.net>
To: <darryl@osborne-ind.com>; <freebsd-questions@FreeBSD.ORG>
Sent: Wednesday, January 31, 2001 9:32 AM
Subject: Re: ppp packet filtering

> I hope you get an answer to this. I have asked several times
> on this list for an expert to give some summary of the mystifying
> number of combinations available for PPP, filters, ipfw, Nat here, Nat
> there nat everywhere. And the documentation available is contradictory.
>
> I am sure someone out there knows. Pure NAT questions get answered,
> but mention PPP .. and silence reigns .. lol.
>
> Cliff
>
> > Greetings,
> > I use userland ppp with the -auto and -nat flags. This is a
> > good combo for me. I want to do some packet filtering for
> > security reasons, and wondered if the packet filtering that
> > you can do with rules in the ppp.conf is good? The
> > tutorials I've seen start off by configuring NAT on the system
> > then using one of the system filtering programs to do the
> > job. Seems like overkill if ppp can do the job.
> >
> > thanks for the input,
> > Darryl

PPP packet filtering is really the only way that I know of to filter when you have a dynamic IP and dialup. The man page for PPP has extensive documentation on how the rules work and even some suggested setups. I am running a dedicated gateway/packet filtering machine that connects my home network to the internet and so far I have had no problems with it at all. I also run NAT. I'll post my ruleset below. I can telnet through them, ftp, irc, get and send mail, browse the web, and so on. The only thing that I have disabled that is a little odd is ICMP. I haven't tried gaming through them, but then most games suck over a 56k anyways.
These are the rules that I have in /etc/ppp/ppp.conf:

set filter in 0 permit tcp src eq 21 estab
set filter out 0 permit tcp dst eq 21
set filter in 1 permit tcp src eq 20
set filter out 1 permit tcp dst eq 20
set filter in 2 permit udp src eq 53
set filter out 2 permit udp dst eq 53
set filter in 3 permit tcp src eq 25 estab
set filter out 3 permit tcp dst eq 25
set filter in 4 permit udp dst gt 33433
set filter out 4 permit udp dst gt 33433
set filter in 5 permit tcp src gt 1023 estab
set filter out 5 permit tcp dst gt 1023
set filter in 6 permit udp src eq 5999
set filter out 6 permit udp dst eq 5999
set filter in 7 permit tcp src eq 6667 estab
set filter out 7 permit tcp dst eq 6667
set filter in 8 permit tcp src eq 80 estab
set filter out 8 permit tcp dst eq 80
set filter in 9 permit tcp src eq 23 estab
set filter out 9 permit tcp dst eq 23
set filter in 10 permit tcp src eq 110 estab
set filter out 10 permit tcp dst eq 110

You'll notice that there are no deny rules. PPP filtering drops anything that doesn't match a rule. This machine is essentially a black hole. You can't ping it, and #nmap -sS O P0 myip can't even tell if there is a machine there. For added security I run no services on my gateway at all. About the only thing that this setup can't do for you if you are on a dialup connection is keep you from being DoS'd by someone with a bigger pipe. But then that's an issue that anyone is going to have.

Hope this helps,
Josh
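As an added example that is not part of the original thread or of ppp itself, here is a small Python evaluator for the `set filter in/out` syntax that Josh's ruleset uses. It covers only that subset (direction, rule number, permit/deny, protocol, optional `src`/`dst` port comparisons with eq/lt/gt, and `estab`), not the address/netmask or `finrst` forms ppp(8) also accepts. It assumes, as ppp(8) documents, that rules are tried in numeric order per direction, that the first match decides, that a packet matching no rule is dropped, and that `estab` means "TCP with the ACK bit set". The sample packets are constructed for the demo.

```python
"""Toy evaluator for the userland ppp filter rules quoted in the post above.

Constructed example, not ppp's own code. Handles only the rule subset the
posted ruleset uses. Assumptions (per ppp(8)): rules are evaluated in numeric
order per direction, first match wins, no match means drop, and `estab`
matches only TCP packets carrying the ACK bit (i.e. not the opening SYN).
"""
from dataclasses import dataclass
from typing import Optional

# The ruleset from the post, verbatim.
PPP_CONF_FILTERS = """
set filter in 0 permit tcp src eq 21 estab
set filter out 0 permit tcp dst eq 21
set filter in 1 permit tcp src eq 20
set filter out 1 permit tcp dst eq 20
set filter in 2 permit udp src eq 53
set filter out 2 permit udp dst eq 53
set filter in 3 permit tcp src eq 25 estab
set filter out 3 permit tcp dst eq 25
set filter in 4 permit udp dst gt 33433
set filter out 4 permit udp dst gt 33433
set filter in 5 permit tcp src gt 1023 estab
set filter out 5 permit tcp dst gt 1023
set filter in 6 permit udp src eq 5999
set filter out 6 permit udp dst eq 5999
set filter in 7 permit tcp src eq 6667 estab
set filter out 7 permit tcp dst eq 6667
set filter in 8 permit tcp src eq 80 estab
set filter out 8 permit tcp dst eq 80
set filter in 9 permit tcp src eq 23 estab
set filter out 9 permit tcp dst eq 23
set filter in 10 permit tcp src eq 110 estab
set filter out 10 permit tcp dst eq 110
"""


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" or "out"
    number: int
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "icmp"
    src: Optional[tuple]      # (op, port) or None = any source port
    dst: Optional[tuple]      # (op, port) or None = any destination port
    estab: bool               # TCP only: require the ACK bit


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    sport: int = 0
    dport: int = 0
    ack: bool = False         # TCP ACK bit set, i.e. not the opening SYN


def parse_rules(text: str) -> list:
    """Parse `set filter <dir> <n> <action> <proto> [src OP PORT] [dst OP PORT] [estab]` lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["set", "filter"]:
            raise ValueError(f"not a filter rule: {line}")
        direction, number, action, proto = tok[2], int(tok[3]), tok[4], tok[5]
        src = dst = None
        estab = False
        i = 6
        while i < len(tok):
            if tok[i] in ("src", "dst"):
                cmp_ = (tok[i + 1], int(tok[i + 2]))   # e.g. ("gt", 1023)
                if tok[i] == "src":
                    src = cmp_
                else:
                    dst = cmp_
                i += 3
            elif tok[i] == "estab":
                estab = True
                i += 1
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
        rules.append(Rule(direction, number, action, proto, src, dst, estab))
    # ppp walks each direction's rules in numeric order.
    return sorted(rules, key=lambda r: (r.direction, r.number))


def _port_ok(cmp_: Optional[tuple], port: int) -> bool:
    if cmp_ is None:
        return True
    op, n = cmp_
    return {"eq": port == n, "lt": port < n, "gt": port > n}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    if rule.estab and not pkt.ack:
        return False
    return _port_ok(rule.src, pkt.sport) and _port_ok(rule.dst, pkt.dport)


def is_permitted(rules: list, pkt: Packet) -> bool:
    """First matching rule wins; no match at all means the packet is dropped."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action == "permit"
    return False


def demo() -> dict:
    """Run constructed sample packets through the posted ruleset."""
    rules = parse_rules(PPP_CONF_FILTERS)
    cases = {
        "out http syn":              Packet("out", "tcp", 40000, 80),
        "in http reply":             Packet("in", "tcp", 80, 40000, ack=True),
        "in dns reply":              Packet("in", "udp", 53, 40001),
        "in ssh syn from high port": Packet("in", "tcp", 45000, 22),
        "in ack from high port":     Packet("in", "tcp", 45000, 22, ack=True),
        "in icmp echo":              Packet("in", "icmp"),
        "out traceroute probe":      Packet("out", "udp", 40002, 33434),
    }
    return {name: is_permitted(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'permit' if allowed else 'drop'}")
```

Two of the constructed cases are the ones worth noticing. The inbound SYN to port 22 from a high source port is dropped, because rule `in 5` requires `estab`, which is the behaviour Josh describes. The same high-port packet with the ACK bit set is permitted by that rule regardless of its destination port, which is the usual limitation of stateless `estab` matching: it tells established replies apart from connection attempts only by the ACK flag, so an ACK-only probe (the nmap -sA style of scan) is not distinguished from a real reply.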