ppp.Filter.4 (2010 09)
ppp.Filter(4) ppp.Filter(4)
NAME
ppp.Filter - PPP packet filter specification file format
DESCRIPTION
The file /etc/ppp/Filter describes how on-demand PPP links are to be managed. By default, any
type of packet causes the link (if down) to be brought up (connected to its remote end); any packet is
allowed to traverse the link; and any packet is sufficient to reset the idle timer, expiration of which would
cause the link to be shut down. This combination is not always appropriate behavior, so the filter file
allows individual control based on the packet type and its source or destination. These selection criteria
may be specified for any of the three phases of operation: bringing up the link, passing packets on the
link, and shutting down the link due to inactivity. Packet logging detail may also be selected using the
same criteria.
Format
Comments begin with a # and extend to the end of the line; blank lines, or lines beginning with a #, are
ignored. Upper/lower case distinctions are ignored in hostname specifications, but are significant
elsewhere. Fields are separated by horizontal or vertical white space (blanks or tabs or newlines).
If a line begins with a hostname or IPv4/IPv6 address or the special words default or default6 (for
IPv6), that line is considered to be the beginning of a new set of filtering specifications. The filtering
specifications will be applied to any packet crossing the point-to-point link connecting this host to the
peer named by that initial hostname or IPv4/IPv6 address. The hostname or IPv4/IPv6 address in the
first column of the filter file refers to the peer (system or router or terminal server) at the remote end of
the point-to-point (PPP or SLIP) link. The hostname or IPv4/IPv6 address in the first column of the filter
file, and associated with the link peer, is unrelated to the source or destination IPv4/IPv6 address of any
packet crossing the link. If the link peer's address doesn't match any name or address specified in the
first column of the filter file, the filter specification following the special word default (for IPv4
packets) or default6 (for IPv6 packets) will be used.
If a newline is followed by white space, that line is a continuation of the filtering specification already in
progress.
There are four keywords to describe the actions taken by pppd in response to a particular packet:
bringup   Describes those packets that will cause a call to be placed and a connection initiated.
          Packets of this sort also must qualify to "pass" across the link, either by being explicitly
          mentioned or by inclusion in a larger class in the pass section.
pass      Describes those packets that will be allowed to traverse the link on an already-
          established connection. Only packets which would be passed can cause the link to be
          brought up. Any packet that is not passed is optionally logged, then discarded.
keepup    Describes packets that will reset the idle timer, thereby keeping the line connected.
log       Describes packets whose headers or contents are to be noted in the log file.
After each action keyword come stanzas, separated by white space, describing packets that fit the
criteria for that action. Each stanza is processed in the order shown in the file, and contains restrictions
or permissions on the packets encountered. As soon as a pattern or a condition is found that matches
the packet in question, pppd takes the indicated action and ignores the rest of the listed stanzas (i.e.,
inclusive or with shortcut evaluation).
Stanzas may contain IP protocol numbers, optionally hyphen-separated ranges of TCP or UDP port
numbers along with the /tcp or /udp qualifier, numbers representing ICMP/ICMPv6 message types or
codes (which can be found in <netinet/ip_icmp.h> and <netinet/icmp6.h>) along with the /icmp
qualifier (or /icmp6 for ICMPv6), service names corresponding to entries in /etc/services, names or IP
addresses of hosts or networks, or the special keyword all, which is the default for all actions except
log, where the default is !all. (Usually, it is unnecessary to use all; as a convenience, pppd
automatically adds a !all at the end of a stanza list if the last stanza is not negated, and adds an all
at the end of a stanza list if the last stanza is negated. For example, in the typical case of log this
sensibly results in only those packets matching the stanzas shown being logged, and no others. In the
typical case of pass, this results in certain listed packets being restricted, but allowing the passage of all
others.)
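The parsing and evaluation rules above (comment stripping, peer sections started in column one, continuation lines, the four action keywords, first-match stanza evaluation, the implicit trailing !all or all, and the requirement that a bringup packet also pass) are easier to check against concrete packets than to reason about from prose. The following is an added example written for this page; it is not HP-UX pppd code and does not reproduce pppd's own parser. It handles a subset of stanza forms: all, bare IP protocol numbers, port or port-range with /tcp or /udp, message type with /icmp or /icmp6, and plain IPv4/IPv6 host addresses. The page does not say whether a port or address stanza is compared against the packet's source, its destination or either end; this example matches either end (an assumption, marked in the code). Service-name lookup in /etc/services and network masks are left out. The filter text, peer names and packets are constructed for the example.

```python
"""Parser and matcher for the /etc/ppp/Filter format described above.

Added example, not HP-UX pppd code. Port and address stanzas match either
end of the packet (assumption; the page does not specify). Service names
and network masks are not handled.
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = ("bringup", "pass", "keepup", "log")
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0          # TCP/UDP source port
    dport: int = 0          # TCP/UDP destination port
    icmp_type: int = -1     # ICMP/ICMPv6 message type


def parse_filter(text):
    """Return {peer: {action: [stanza, ...]}}; peer names are lower-cased."""
    sections = {}
    peer = action = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]        # '#' starts a comment
        if not line.strip():               # blank or comment-only line
            continue
        fields = line.split()
        if not raw[0].isspace():           # column one: a new peer section
            peer = fields.pop(0).lower()   # hostnames are case-insensitive
            sections[peer] = {}
            action = None
        elif peer is None:
            raise ValueError("continuation line before any peer line")
        for f in fields:                   # keywords are case-significant
            if f in ACTIONS:
                action = f
                sections[peer].setdefault(action, [])
            elif action is None:
                raise ValueError(f"stanza {f!r} before any action keyword")
            else:
                sections[peer][action].append(f)
    return sections


def _stanza_matches(stanza, pkt):
    """True if one (un-negated) stanza pattern describes the packet."""
    if stanza == "all":
        return True
    term, _, qual = stanza.partition("/")
    if qual in ("tcp", "udp"):             # port or lo-hi range, either end
        if pkt.proto != PROTO[qual]:
            return False
        lo, _, hi = term.partition("-")
        lo, hi = int(lo), int(hi or lo)
        return lo <= pkt.sport <= hi or lo <= pkt.dport <= hi
    if qual in ("icmp", "icmp6"):          # ICMP/ICMPv6 message type
        return pkt.proto == PROTO[qual] and pkt.icmp_type == int(term)
    if qual:
        raise ValueError(f"unknown qualifier in {stanza!r}")
    if term.isdigit():                     # bare IP protocol number
        return pkt.proto == int(term)
    host = ipaddress.ip_address(term)      # plain host address, either end
    return host in (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))


def action_applies(stanzas, action, pkt):
    """First-match evaluation with the implicit trailing !all / all."""
    if not stanzas:                        # keyword absent: documented default
        stanzas = ["!all"] if action == "log" else ["all"]
    else:                                  # pppd appends !all after a positive
        tail = ["all"] if stanzas[-1].startswith("!") else ["!all"]
        stanzas = list(stanzas) + tail     # last stanza, all after a negated one
    for s in stanzas:
        negated = s.startswith("!")
        if _stanza_matches(s.lstrip("!"), pkt):
            return not negated             # shortcut: first match decides
    return False                           # unreachable: the tail always matches


def decide(sections, peer, pkt):
    """Decisions for a packet crossing the link to `peer` (default/default6 fallback)."""
    key = peer.lower()
    if key not in sections:
        key = "default6" if ipaddress.ip_address(pkt.src).version == 6 else "default"
    rules = sections.get(key, {})
    out = {a: action_applies(rules.get(a), a, pkt) for a in ACTIONS}
    out["bringup"] = out["bringup"] and out["pass"]   # bringup must also pass
    return out


# Constructed filter text for the example; not a shipped HP-UX file.
SAMPLE_FILTER = """\
# NTP and echo requests neither place a call nor hold the link up
gateway.example.net   bringup !123/udp !8/icmp
                      pass    !23/tcp !512-514/tcp   # no telnet or r-commands
                      keepup  !123/udp
                      log     22/tcp                 # log ssh only
default               pass    !all                   # unknown peers pass nothing
"""

if __name__ == "__main__":
    rules = parse_filter(SAMPLE_FILTER)
    ssh = Packet("10.1.1.5", "192.0.2.10", 6, sport=40000, dport=22)
    print(decide(rules, "Gateway.Example.NET", ssh))
```

Reading the sample through the matcher shows the convenience rule at work: the pass list ends in a negated stanza, so an implicit all lets ssh through, while the log list ends in a positive stanza, so an implicit !all keeps everything but ssh out of the log. The telnet and NTP packets are the ones to try next: telnet is discarded and therefore cannot bring the link up even though no bringup stanza names it, and NTP passes but neither dials nor resets the idle timer.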
For IPv4 packet filtering, if a network is specified, either by name or by address, then the corresponding
network mask must also be specified if it is of a different size than the default for that class of network.
The network mask and additional "and" conditions within a stanza are separated by slashes (/), and may
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1