Installing and Administering PPP

Chapter 5 119
Security Techniques
Closed Policy Filter Example
The following is an example of a static filter configuration for a system
that uses pppd to run a PPP/SLIP link between itself (192.168.199.1) and a
peer, 10.0.0.1, that acts as the system's gateway to the Internet. The
complete filter, minus the comments, follows this section. The filter is
designed around a fail-safe, or closed, policy: nothing passes unless a
rule explicitly permits it.
Default
default
    pass !all          # block all other packets
    log rejected       # log packets rejected by the packet filter
First, we define a default ruleset that is very restrictive. This is a
fail-safe ruleset that passes no packets at all through the filter, but
logs every packet it rejects, so you can see which traffic you are
missing before you write rules for it.
10.0.0.1
This ruleset is applied to every packet crossing the link that connects
this host to the peer (10.0.0.1); for that link it is used in place of
the default ruleset above.
bringup
    !3/icmp        # ICMP destination unreachable messages
    !5/icmp        # ICMP redirect messages
    !11/icmp       # ICMP time exceeded messages
    !who           # WHO service (513/udp)
    !route         # routed/gated RIP service (520/udp)
    !ntp           # Network Time service (123/udp)
    all            # all other packets
If the link is configured for 'dial on demand' connections, the 'bringup'
filter describes the packets that cause a call to be placed and a
connection to be initiated. Use the 'bringup' filter to prevent the
connection from being brought up inappropriately. It is a good idea to
block packets that are responses to "bad" inbound packets, such as ICMP
Destination Unreachable messages, because they are not "interesting"
enough to dial the modem. You should also block services, such as the WHO
service, that send packets at regular intervals and would therefore never
permit the link to stay down for long. Any other sort of traffic initiates
a dial connection, which is what the final 'all' entry provides. The
exceptions are listed before 'all' because the first specification that
matches a packet decides its fate.
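To make the bringup logic concrete, the following is an added model of how the list above is evaluated; it is not code from this manual or from pppd. It implements the semantics the text describes: specifications are checked in order, a leading '!' marks traffic that must not dial, and the first match decides. The service-name table (a stand-in for /etc/services), the packet representation, and the behaviour when nothing matches are assumptions of this model.

```python
"""Model of a Morning Star style 'bringup' filter as used by HP-UX pppd.

Added example, not code from the PPP manual or from pppd itself.  It
mirrors the documented rule: specifications are evaluated in order, a
leading '!' means "this packet does NOT bring the link up", and the first
specification that matches a packet decides.
"""

# Assumption: a tiny stand-in for /etc/services so the example runs offline.
SERVICES = {"who": (513, "udp"), "route": (520, "udp"), "ntp": (123, "udp")}

# The 'bringup' ruleset from the closed-policy example, one spec per entry.
BRINGUP = [
    "!3/icmp",   # ICMP destination unreachable
    "!5/icmp",   # ICMP redirect
    "!11/icmp",  # ICMP time exceeded
    "!who",      # WHO service (513/udp)
    "!route",    # RIP (520/udp)
    "!ntp",      # NTP (123/udp)
    "all",       # anything else brings the link up
]


def spec_matches(spec, pkt):
    """Return True if one (un-negated) spec matches the packet dict.

    pkt is {'proto': 'icmp', 'type': <icmp type>} for ICMP, or
    {'proto': 'udp'|'tcp', 'dport': <port>} for UDP/TCP.  This packet
    shape is an assumption of the model.
    """
    if spec == "all":
        return True
    if "/" in spec:
        left, proto = spec.split("/", 1)
        if proto == "icmp":
            return pkt["proto"] == "icmp" and pkt.get("type") == int(left)
        return pkt["proto"] == proto and pkt.get("dport") == int(left)
    if spec in SERVICES:
        port, proto = SERVICES[spec]
        return pkt["proto"] == proto and pkt.get("dport") == port
    raise ValueError("unknown packet specification: %s" % spec)


def brings_up(pkt, rules=BRINGUP, default=False):
    """First-match evaluation of a bringup ruleset.

    A matching spec without '!' returns True (dial); with '!' it returns
    False (stay down).  No match falls through to `default`, which is an
    assumption of this model, not documented behaviour; the example
    ruleset never reaches it because it ends with 'all'.
    """
    for spec in rules:
        negated = spec.startswith("!")
        if spec_matches(spec.lstrip("!"), pkt):
            return not negated
    return default


def demo():
    """Evaluate constructed sample packets; also show why order matters."""
    # Constructed sample packets, not captured traffic.
    samples = {
        "icmp-unreach": {"proto": "icmp", "type": 3},
        "icmp-echo":    {"proto": "icmp", "type": 8},
        "rwho":         {"proto": "udp", "dport": 513},
        "telnet":       {"proto": "tcp", "dport": 23},
    }
    decisions = {name: brings_up(p) for name, p in samples.items()}
    # If 'all' is listed before the negated specs it shadows them: every
    # packet, including periodic rwho broadcasts, would dial the modem.
    misordered = ["all"] + BRINGUP[:-1]
    rwho_dials_when_misordered = brings_up(samples["rwho"], misordered)
    return decisions, rwho_dials_when_misordered


if __name__ == "__main__":
    print(demo())
```

Running the module shows that only the ICMP echo request and the telnet connection would place a call, and that moving 'all' to the front of the list makes even the rwho broadcast dial, which is the ordering mistake the exception list is written to avoid.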
pass
    !recv/ip-opt=srcrt/unreach=srcfail  # block received source-routed packets (source-route attacks), replying with ICMP unreachable "source route failed"