|PPP - Pedantic PPP Primer|
|Prev||Chapter 6. Exercises for the Interested Student|
The PPP program has the ability to apply selected filtering rules to the traffic it routes. While this is not nearly as secure as a formal firewall it does provide some access control as to how the link is used.
('man ipfw' for information on setting up a more secure FreeBSD system.)
The complete documentation for the various filters and rules under PPP are availabe in the PPP manpage.
There are four distinct classes of rules which may be applied to the PPP program:
alive filter - Access Counter (or "Keep Alive") filters
These control which events are ignored by the set timeout= statement in the configuration file.
dial filter - Dialing filters
These filtering rules control which events are ignored by the demand-dial mode of PPP.
in filter - Input filters
Control whether incoming packets should be discarded or passed into the system.
out filter - Output filters
Control whether outgoing packets should be discarded or passed into the system.
What follows is a snippet from an operating system which provides a good foundation for "normal" Internet operations while preventing PPP from pumping all data over the dial-up connection. Comments briefly describe the logic of each rule set:
# # KeepAlive filters # Don't keep Alive with ICMP,DNS and RIP packet # set filter alive 0 deny icmp set filter alive 1 deny udp src eq 53 set filter alive 2 deny udp dst eq 53 set filter alive 3 deny udp src eq 520 set filter alive 4 deny udp dst eq 520 set filter alive 5 permit 0/0 0/0 # # Dial Filters: # Note: ICMP will trigger a dial-out in this configuration! # set filter dial 0 permit 0/0 0/0 # # Allow ident packet pass through # set filter in 0 permit tcp dst eq 113 set filter out 0 permit tcp src eq 113 # # Allow telnet connection to the Internet # set filter in 1 permit tcp src eq 23 estab set filter out 1 permit tcp dst eq 23 # # Allow ftp access to the Internet # set filter in 2 permit tcp src eq 21 estab set filter out 2 permit tcp dst eq 21 set filter in 3 permit tcp src eq 20 dst gt 1023 set filter out 3 permit tcp dst eq 20 # # Allow access to DNS lookups # set filter in 4 permit udp src eq 53 set filter out 4 permit udp dst eq 53 # # Allow DNS Zone Transfers # set filter in 5 permit tcp src eq 53 set filter out 5 permit tcp dst eq 53 # # Allow access from/to local network # set filter in 6 permit 0/0 192.168.1.0/24 set filter out 6 permit 192.168.1.0/24 0/0 # # Allow ping and traceroute response # set filter in 7 permit icmp set filter out 7 permit icmp set filter in 8 permit udp dst gt 33433 set filter out 9 permit udp dst gt 33433 # # Allow cvsup # set filter in 9 permit tcp src eq 5998 set filter out 9 permit tcp dst eq 5998 set filter in 10 permit tcp src eq 5999 set filter out 10 permit tcp dst eq 5999 # # Allow NTP for Time Synchronization # set filter in 11 permit tcp src eq 123 dst eq 123 set filter out 11 permit tcp src eq 123 dst eq 123 set filter in 12 permit udp src eq 123 dst eq 123 set filter out 12 permit udp src eq 123 dst eq 123 # # SMTP'd be a good idea! # set filter in 13 permit tcp src eq 25 set filter out 13 permit tcp dst eq 25 # # # We use a lot of `whois`, let's pass that # set filter in 14 permit tcp src eq 43 set filter out 14 permit tcp dst eq 43 set filter in 15 permit udp src eq 43 set filter out 15 permit udp dst eq 43 # # If none of above rules matches, then packet is blocked. #-------
Up to 20 distinct filtering rules can be applied to each class of filter. Rules in each class are number sequentially from 0 to 20 but none of the rules for a particular filter class take affect until ruleset '0' is defined!
If you choose not to use Filtering Rules in the PPP configuration then ALL traffic will be permitted both into and out of your system while it's connected to your ISP.
If you decide that you want to implement filtering rules, add the above lines to your /etc/ppp/ppp.conf file in either the "default:", "demand:", or "interactive:" section (or all of them - the choice is yours).
For questions about FreeBSD, e-mail
For questions about this documentation, e-mail <doc@FreeBSD.org>.
Закладки на сайте
Проследить за страницей
Created 1996-2021 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру