The OpenNET Project / Index page


6.2. Playing with PPP filters

The PPP program has the ability to apply selected filtering rules to the traffic it routes. While this is not nearly as secure as a formal firewall, it does provide some access control over how the link is used.

('man ipfw' for information on setting up a more secure FreeBSD system.)

The complete documentation for the various filters and rules under PPP is available in the PPP manpage.

There are four distinct classes of rules which may be applied to the PPP program:

    in     rules applied to data coming in over the link
    out    rules applied to data going out over the link
    dial   rules that decide which outgoing packets may trigger a dial-out
    alive  rules that decide which packets keep the link alive (reset the idle timer)

What follows is a snippet from a working system's configuration which provides a good foundation for "normal" Internet operations while preventing PPP from pumping all data over the dial-up connection. Comments briefly describe the logic of each rule set:

    #
    # KeepAlive filters
    # Don't keep the link alive with ICMP, DNS and RIP packets
    #
     set filter alive 0 deny icmp
     set filter alive 1 deny udp src eq 53
     set filter alive 2 deny udp dst eq 53
     set filter alive 3 deny udp src eq 520
     set filter alive 4 deny udp dst eq 520
     set filter alive 5 permit 0/0 0/0
    #
    # Dial Filters:
    #  Note:  ICMP will trigger a dial-out in this configuration!
    #
     set filter dial 0 permit 0/0 0/0
    #
    # Allow ident packet pass through
    #
     set filter in 0 permit tcp dst eq 113
     set filter out 0 permit tcp src eq 113
    #
    # Allow telnet connection to the Internet
    #
     set filter in 1 permit tcp src eq 23 estab
     set filter out 1 permit tcp dst eq 23
    #
    # Allow ftp access to the Internet
    #
     set filter in 2 permit tcp src eq 21 estab
     set filter out 2 permit tcp dst eq 21
     set filter in 3 permit tcp src eq 20 dst gt 1023
     set filter out 3 permit tcp dst eq 20
    #
    # Allow access to DNS lookups
    #
     set filter in 4 permit udp src eq 53
     set filter out 4 permit udp dst eq 53
    #
    # Allow DNS Zone Transfers
    #
     set filter in 5 permit tcp src eq 53
     set filter out 5 permit tcp dst eq 53
    #
    # Allow access from/to local network
    #
     set filter in 6 permit 0/0 192.168.1.0/24
     set filter out 6 permit 192.168.1.0/24 0/0
    #
    # Allow ping and traceroute response
    #
     set filter in 7 permit icmp
     set filter out 7 permit icmp
     set filter in 8 permit udp dst gt 33433
     set filter out 8 permit udp dst gt 33433
    #
    # Allow cvsup
    #
     set filter in 9 permit tcp src eq 5998
     set filter out 9 permit tcp dst eq 5998
     set filter in 10 permit tcp src eq 5999
     set filter out 10 permit tcp dst eq 5999
    #
    # Allow NTP for Time Synchronization
    #
     set filter in 11 permit tcp src eq 123 dst eq 123
     set filter out 11 permit tcp src eq 123 dst eq 123
     set filter in 12 permit udp src eq 123 dst eq 123
     set filter out 12 permit udp src eq 123 dst eq 123
    #
    # SMTP'd be a good idea!
    #
     set filter in 13 permit tcp src eq 25
     set filter out 13 permit tcp dst eq 25
    #
    # We use a lot of `whois`, let's pass that
    #
     set filter in 14 permit tcp src eq 43
     set filter out 14 permit tcp dst eq 43
     set filter in 15 permit udp src eq 43
     set filter out 15 permit udp dst eq 43
    #
    # If none of the above rules matches, the packet is blocked.
    #-------


Up to 20 distinct filtering rules can be applied to each class of filter. Rules in each class are numbered sequentially from 0 to 20, but none of the rules for a particular filter class take effect until rule '0' is defined!

If you choose not to use Filtering Rules in the PPP configuration then ALL traffic will be permitted both into and out of your system while it's connected to your ISP.

If you decide that you want to implement filtering rules, add the above lines to your /etc/ppp/ppp.conf file in either the "default:", "demand:", or "interactive:" section (or all of them - the choice is yours).
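The semantics the text above relies on (a filter class is inactive until its rule 0 exists; once active, the first matching rule decides and an unmatched packet is blocked; a rule number names a slot, so re-issuing `set filter out 9 ...` replaces whatever was in slot 9) can be checked against sample packets with a small simulator. This is an added example written for this page, not code from the FreeBSD handbook or from ppp(8) itself: it models the `set filter` syntax used in the snippet, treats `estab` as "TCP ACK flag set" (an assumption about ppp's matching), embeds a constructed subset of the ruleset above, and uses documentation address ranges for the sample packets.

```python
"""Toy simulator for ppp(8) 'set filter' rules (added example, not ppp's own code).

Models: set filter <class> <n> <permit|deny> [!] [src/w dst/w]
                   [tcp|udp|icmp [src cmp port] [dst cmp port] [estab]]
Assumptions: 'estab' means the TCP ACK flag is set; '!' inverts the whole match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOS = ("tcp", "udp", "icmp")
CMPS = ("eq", "lt", "gt")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False  # TCP ACK set; what 'estab' tests in this model


@dataclass
class Rule:
    action: str
    negate: bool = False
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[str, int]] = None
    dport: Optional[Tuple[str, int]] = None
    estab: bool = False


def parse_net(tok: str) -> ipaddress.IPv4Network:
    """ppp accepts short forms such as '0/0'; pad to a full dotted quad."""
    addr, _, width = tok.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.IPv4Network(".".join(octets) + "/" + (width or "32"), strict=False)


def parse_rule(tokens: List[str]) -> Rule:
    """tokens: everything after 'set filter <class> <n>'."""
    action, rest = tokens[0], list(tokens[1:])
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    rule = Rule(action=action)
    if rest and rest[0] == "!":
        rule.negate = True
        rest.pop(0)
    if rest and rest[0] not in PROTOS:  # a src/dst address pair is present
        rule.src_net = parse_net(rest.pop(0))
        rule.dst_net = parse_net(rest.pop(0))
    if rest and rest[0] in PROTOS:
        rule.proto = rest.pop(0)
    while rest:
        tok = rest.pop(0)
        if tok in ("src", "dst"):
            cmp_, port = rest.pop(0), int(rest.pop(0))
            if cmp_ not in CMPS:
                raise ValueError(f"bad comparison {cmp_!r}")
            if tok == "src":
                rule.sport = (cmp_, port)
            else:
                rule.dport = (cmp_, port)
        elif tok == "estab":
            rule.estab = True
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return rule


def load_filters(text: str) -> Dict[str, Dict[int, Rule]]:
    """Returns {class: {rule_number: Rule}}; a repeated number overwrites its slot."""
    classes: Dict[str, Dict[int, Rule]] = {}
    for line in text.splitlines():
        t = line.split("#", 1)[0].split()
        if t[:2] != ["set", "filter"]:
            continue
        classes.setdefault(t[2], {})[int(t[3])] = parse_rule(t[4:])
    return classes


def port_ok(cond: Optional[Tuple[str, int]], value: int) -> bool:
    if cond is None:
        return True
    cmp_, port = cond
    return {"eq": value == port, "lt": value < port, "gt": value > port}[cmp_]


def matches(rule: Rule, pkt: Packet) -> bool:
    ok = True
    if rule.src_net is not None:
        ok = (ipaddress.IPv4Address(pkt.src) in rule.src_net
              and ipaddress.IPv4Address(pkt.dst) in rule.dst_net)
    if rule.proto is not None:
        ok = ok and pkt.proto == rule.proto
    if rule.proto in ("tcp", "udp"):
        ok = ok and port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport)
    if rule.estab:
        ok = ok and pkt.proto == "tcp" and pkt.ack
    return (not ok) if rule.negate else ok


def evaluate(rules: Dict[int, Rule], pkt: Packet) -> str:
    """Class inactive (all permitted) until rule 0 exists; else first match wins; no match -> blocked."""
    if 0 not in rules:
        return "permit"
    for n in sorted(rules):
        if matches(rules[n], pkt):
            return rules[n].action
    return "deny"


# Constructed subset of the page's ruleset, plus two deliberate edge cases.
SAMPLE = """
 set filter in 0 permit tcp dst eq 113
 set filter in 1 permit tcp src eq 23 estab
 set filter in 3 permit tcp src eq 20 dst gt 1023
 set filter in 4 permit udp src eq 53
 set filter in 6 permit 0/0 192.168.1.0/24
 set filter in 7 permit icmp
 set filter out 0 permit tcp src eq 113
 set filter out 5 permit tcp dst eq 53
 set filter out 5 permit tcp dst eq 25   # same slot again: replaces the DNS rule
 set filter alive 1 deny icmp            # no 'alive 0': class never takes effect
"""
FILTERS = load_filters(SAMPLE)

if __name__ == "__main__":
    for cls, pkt in [("in", Packet("tcp", "203.0.113.9", "198.51.100.2", 20, 1500)),
                     ("in", Packet("tcp", "203.0.113.9", "198.51.100.2", 4000, 23)),
                     ("out", Packet("tcp", "198.51.100.2", "203.0.113.9", 3000, 53)),
                     ("alive", Packet("icmp", "203.0.113.9", "198.51.100.2"))]:
        print(cls, pkt, "->", evaluate(FILTERS[cls], pkt))
```

Running it shows the FTP data connection (src 20, dst > 1023) permitted by rule `in 3`, an unsolicited inbound telnet SYN blocked because nothing matches it, the outgoing DNS-over-TCP packet blocked because slot `out 5` now holds the SMTP rule, and the `alive` class permitting ICMP even though `alive 1` denies it, since no `alive 0` was ever defined.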

For questions about FreeBSD, e-mail <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.



