Installing and Administering PPP
Chapter 5 101
Security Techniques
Building a Stanza - Specifics
Example:
!3/0/icmp # block ICMP Unreachable "bad net" messages
Keywords with Origins and Destinations
Frequently, a host acts as a router between two end points, so the packets
it forwards neither originate nor terminate at that host. Use the ‘src’
keyword to specify the point of origin (source) and the ‘dst’ keyword to
specify the endpoint (destination). The source or destination can be
either an IP address or a service or port.
Example:
route/dst # permit packets to UDP port 520 on any host
The ‘src’ or ‘dst’ keyword applies to all addresses and ports in the stanza.
Thus, you cannot specify both the source port and destination address or
vice versa in the same stanza using the ‘src’ or ‘dst’ keywords.
Example:
10.0.0.1/route/dst # permit UDP packets to 10.0.0.1 port 520
Even more specific rules may be written by using the keywords ‘srcport’,
‘dstport’, ‘srcaddr’, ‘dstaddr’, ‘srcmask’, and ‘dstmask’ in place of
‘src’ or ‘dst’. The syntax of these keywords is ‘keyword=value’.
Example:
!srcaddr=10.7.127.0/srcmask=255.255.255.0/dstaddr=192.168.5.0
# block packets between the 10.7.127.0-10.7.127.255 and
# 192.168.5.0-192.168.5.255 networks (the leading ‘!’ makes the stanza a block rule)
The workstation running the daemon is your point of reference regarding
the direction of a packet. Packets written by the host are outbound or
sent and are specified by the ‘send’ keyword. Packets read by the host
are inbound, or received, and are specified by the ‘recv’ keyword. The
two rules in the following example prevent spoofed packets for an
internal network 192.168.12.0:
Example:
!recv/src/192.168.12.0 # block receiving packets from outside which claim to
# be from 192.168.12.0-192.168.12.255
!send/dst/192.168.12.0 # block sending packets to outside which claim to be
# going to 192.168.12.0-192.168.12.255
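To make the stanza semantics above concrete, the following is an added worked example (it is not code from the HP-UX PPP manual or from the pppd daemon): a small Python evaluator that parses the stanza forms shown on this page (‘!’ block prefix, type/code/icmp, service names, bare addresses with ‘src’/‘dst’, ‘send’/‘recv’, and the ‘keyword=value’ forms) and runs constructed packets through the page's own rules, including the two anti-spoofing stanzas. Three things are assumptions made for the example rather than facts stated on the page: first matching stanza decides, a packet matching no stanza gets a configurable default, and a bare address or unmasked ‘srcaddr’/‘dstaddr’ with trailing zero octets is treated as the network those octets span (which is how the page's comments read 192.168.12.0 and 192.168.5.0). The service table is a constructed stand-in for /etc/services.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for /etc/services: only the service the page uses.
SERVICES = {"route": ("udp", 520)}
PROTOCOLS = {"udp", "tcp", "icmp"}


@dataclass
class Packet:
    """A packet as seen from the host running the daemon (constructed test input)."""
    direction: str            # "recv" (inbound) or "send" (outbound)
    proto: str                # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


@dataclass
class Rule:
    block: bool = False                      # leading '!'
    direction: Optional[str] = None          # "send" / "recv"
    side: Optional[str] = None               # bare "src" / "dst" keyword
    proto: Optional[str] = None
    icmp: Optional[tuple] = None             # (type, code)
    addrs: list = field(default_factory=list)   # bare addresses, qualified by `side`
    ports: list = field(default_factory=list)   # bare ports, qualified by `side`
    srcnet: Optional[ipaddress.IPv4Network] = None
    dstnet: Optional[ipaddress.IPv4Network] = None
    srcport: Optional[int] = None
    dstport: Optional[int] = None


def _bare_network(addr: str) -> ipaddress.IPv4Network:
    """Assumption: trailing zero octets are wildcards, so 192.168.12.0 covers
    192.168.12.0-192.168.12.255 as the page's comments describe."""
    mask, significant = [], False
    for octet in reversed(addr.split(".")):
        significant = significant or octet != "0"
        mask.append("255" if significant else "0")
    return ipaddress.IPv4Network((addr, ".".join(reversed(mask))), strict=False)


def parse_stanza(line: str) -> Rule:
    """Parse one stanza (text after '#' is a comment) into a Rule."""
    text = line.split("#", 1)[0].strip()
    rule, kv, numbers = Rule(), {}, []
    if text.startswith("!"):
        rule.block, text = True, text[1:]
    for f in text.split("/"):
        if "=" in f:                       # srcaddr=..., dstmask=..., srcport=...
            key, value = f.split("=", 1)
            kv[key] = value
        elif f in ("send", "recv"):
            rule.direction = f
        elif f in ("src", "dst"):
            rule.side = f
        elif f in PROTOCOLS:
            rule.proto = f
        elif f in SERVICES:                # service name implies protocol and port
            rule.proto, port = SERVICES[f]
            rule.ports.append(port)
        elif f.count(".") == 3:            # bare dotted address
            rule.addrs.append(f)
        elif f.isdigit():                  # ICMP type/code or bare port number
            numbers.append(int(f))
        else:
            raise ValueError(f"unknown field {f!r} in stanza {line!r}")
    if rule.proto == "icmp" and numbers:   # e.g. 3/0/icmp -> type 3, code 0
        rule.icmp = (numbers[0], numbers[1] if len(numbers) > 1 else None)
    else:
        rule.ports += numbers
    if "srcaddr" in kv:
        rule.srcnet = (ipaddress.IPv4Network((kv["srcaddr"], kv["srcmask"]), strict=False)
                       if "srcmask" in kv else _bare_network(kv["srcaddr"]))
    if "dstaddr" in kv:
        rule.dstnet = (ipaddress.IPv4Network((kv["dstaddr"], kv["dstmask"]), strict=False)
                       if "dstmask" in kv else _bare_network(kv["dstaddr"]))
    rule.srcport = int(kv["srcport"]) if "srcport" in kv else None
    rule.dstport = int(kv["dstport"]) if "dstport" in kv else None
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.icmp and (pkt.icmp_type != rule.icmp[0]
                      or (rule.icmp[1] is not None and pkt.icmp_code != rule.icmp[1])):
        return False
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    if rule.srcnet and src not in rule.srcnet:
        return False
    if rule.dstnet and dst not in rule.dstnet:
        return False
    if rule.srcport is not None and pkt.sport != rule.srcport:
        return False
    if rule.dstport is not None and pkt.dport != rule.dstport:
        return False
    # The bare src/dst keyword applies to every bare address and port in the
    # stanza; with neither keyword, either end may match (assumption).
    sides = [rule.side] if rule.side else ["src", "dst"]
    for addr in rule.addrs:
        if not any((src if s == "src" else dst) in _bare_network(addr) for s in sides):
            return False
    for port in rule.ports:
        if not any((pkt.sport if s == "src" else pkt.dport) == port for s in sides):
            return False
    return True


def evaluate(stanzas, pkt: Packet, default: str = "permit") -> str:
    """Assumption: first matching stanza decides; `default` applies otherwise."""
    for line in stanzas:
        if line.split("#", 1)[0].strip() and matches(parse_stanza(line), pkt):
            return "block" if parse_stanza(line).block else "permit"
    return default


# The page's stanzas; the network-to-network one carries the '!' its comment calls for.
FILTER = [
    '!3/0/icmp              # block ICMP Unreachable "bad net" messages',
    "!recv/src/192.168.12.0  # block inbound packets claiming an internal source",
    "!send/dst/192.168.12.0  # block outbound packets claiming an internal destination",
    "!srcaddr=10.7.127.0/srcmask=255.255.255.0/dstaddr=192.168.5.0",
    "10.0.0.1/route/dst      # permit UDP packets to 10.0.0.1 port 520",
]

if __name__ == "__main__":
    spoofed = Packet("recv", "udp", "192.168.12.5", "10.0.0.1", 520, 520)
    print("spoofed inbound RIP:", evaluate(FILTER, spoofed))   # block
```

The spoofed packet in the usage line is blocked by the ‘!recv/src/192.168.12.0’ stanza before the ‘route/dst’ permit is ever consulted, which is why the anti-spoofing rules belong ahead of any permit in the file under the first-match assumption.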