Installing and Administering PPP

Chapter 5 107
Security Techniques
Building a Stanza - Specifics
Example 2:
tcp/syn/send/log    # pass and log all outbound TCP connection requests
There are two ways to invoke the ‘log’ keyword. The log filter allows you to define, in one location, all the packets you wish to log. Alternatively, you can add the log keyword to the individual rules in the ‘pass’ filter, as shown in the above examples. Generally, it is easier to add a rule in the log filter requiring that all rejected packets be logged than to add a ‘log’ qualifier to every rule that blocks packets.
Stanza Syntax
The syntax of a stanza is very flexible. In general, the order of the values and keywords in a stanza is not fixed, although certain combinations of keywords are not allowed. The rules that do exist are:
Each value and keyword in a stanza must be separated by a single ‘/’.
In a negation, the ‘!’ must be the first character of the stanza.
When a network mask accompanies a network address, the mask must follow the address.
Since white space created with a space, tab, or newline entry separates stanzas, no white space is permitted within a stanza.
Only one protocol (for example, tcp, udp, or icmp) may be specified per stanza.
syn, fin, ack, rst, or estab may not appear in the same stanza.
The following rules describe the same packet filtering, and would cause
the same template to be invoked.
Example 1:
!telnet/syn/recv/192.0.2.0/255.255.255.0
Example 2:
!192.0.2.0/recv/syn/255.255.255.0/telnet
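As an added illustration (not part of the manual), the following Python checks a stanza against the rules listed above and canonicalises it, so that differently ordered stanzas such as Example 1 and Example 2 compare equal while stanzas that break a rule are rejected. The keyword set is limited to the keywords this page mentions; the real filter file accepts more, and that restriction is an assumption.

```python
import ipaddress

# Keyword classes limited to what this page lists (assumption: the real filter file has more).
PROTOCOLS = {"tcp", "udp", "icmp"}
TCP_FLAGS = {"syn", "fin", "ack", "rst", "estab"}   # mutually exclusive
DIRECTIONS = {"send", "recv"}

def is_dotted_quad(f):
    return f.count(".") == 3 and f.replace(".", "").isdigit()

def parse_stanza(stanza):
    """Canonicalise one stanza into a dict, or raise ValueError if it breaks a rule."""
    if any(c.isspace() for c in stanza):
        raise ValueError("white space is not permitted within a stanza")
    negate = stanza.startswith("!")
    body = stanza[1:] if negate else stanza
    if "!" in body:
        raise ValueError("'!' must be the first character of the stanza")
    fields = body.split("/")
    if "" in fields:
        raise ValueError("values must be separated by a single '/'")
    out = {"negate": negate, "protocol": None, "flag": None,
           "direction": None, "log": False, "service": None, "network": None}
    addr = mask = None
    for f in fields:                      # order of fields does not matter
        if f in PROTOCOLS:
            if out["protocol"] is not None:
                raise ValueError("only one protocol may be specified per stanza")
            out["protocol"] = f
        elif f in TCP_FLAGS:
            if out["flag"] is not None:
                raise ValueError("syn/fin/ack/rst/estab may not appear together")
            out["flag"] = f
        elif f in DIRECTIONS:
            out["direction"] = f
        elif f == "log":
            out["log"] = True
        elif is_dotted_quad(f):
            if addr is None:
                addr = f          # first dotted quad is the network address
            elif mask is None:
                mask = f          # the mask must follow the address
            else:
                raise ValueError("too many dotted quads in stanza")
        elif f.isalnum():
            out["service"] = f    # e.g. telnet; assumed to be a service name
        else:
            raise ValueError(f"unrecognised field {f!r}")
    if addr is not None:    # a mask placed before its address fails the netmask check
        out["network"] = str(ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}"))
    return out
```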