HP-UX Reference (11i v1 05/09) - 4 File Formats (vol 8)
ppp.Filter(4) ppp.Filter(4)
#
# Filter - PPP configuration file binding packet
# types to actions.
#
# For packets that would pass, these services
# will bring up the link:
#
backbone    bringup   smtp nntp domain telnet ftp
#
# Once brought up, these will pass (or not):
#
            pass      !131.119.250.104
                      domain/137.175.42.0/255.255.255.0
                      !137.175.42.0/0xffffff00
                                  # (alternative ways of
                                  # expressing subnet mask)
                      !telnet/syn/recv !ftp/syn/recv
                      domain smtp nntp ntp icmp telnet ftp
#
# Packets received for the services shown will
# reset the idle timer.
#
            keepup    !send smtp nntp domain telnet ftp
#
# Only these messages will have headers or contents
# logged, unless higher-level debugging is set:
#
            log       3/icmp 11/icmp 12/icmp/trace
                      telnet/syn ftp/syn
                      smtp/syn/terminus.netsys.com
#
default     bringup   !ntp !3/icmp !who
            keepup    !send !ntp !3/icmp !who
RECOMMENDATIONS
Simpler filter specifications allow pppd to start up quicker and run faster, with less processing overhead for each packet, but that overhead is likely to present a problem only at very high line speeds (like T1). The ‘backbone’ example shown above is severe overkill for the sake of illustration, evolved over a period of several weeks, and took the authors several tries to get right. Start with a simple filter specification and add each special case only as the need arises, usually as the result of watching packet logs. Then test carefully to ensure that your change had only the desired effect.
Be very careful with header logging and even more careful with packet content tracing. Make the selection criteria very narrow, or the log file will grow extremely large in a short period of time. Also, if the daemon is running on a diskless workstation or if the log file is on an NFS-mounted file system, excessive amounts of logging information will drastically impede the daemon’s ability to process at high packet rates. Remember, NFS writes are synchronous.
If you specify host names, be sure that their addresses are available locally, even with the connection down. If you find that you must bring up a connection to resolve a domain name, consider using that host’s IP address (decimal numbers separated by periods) in both Filter and Systems instead.
If you want to specify all Domain Name System traffic, use ‘domain’, which will be expanded to entries for both 53/tcp and 53/udp. (Some DNS traffic uses each transport.) To allow queries but disable domain transfers, use !domain/tcp. Similarly, some systems’ older /etc/services files, as distributed by the manufacturer, list NTP as a TCP service. When the current UDP NTP implementation was installed on your system, the administrator may have left the old 123/tcp entry along with the correct 123/udp. The correct solution is to remove the 123/tcp entry from /etc/services. A workaround would be to specify 123/udp in Filter.
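The ‘pass’ list of the example Filter above and the !domain/tcp and 123/udp advice in this section, worked through in an added Python model of first-match filter evaluation (example code, not part of this manual page or of pppd). It assumes a constructed stand-in for the /etc/services lookups, that an entry matches either endpoint’s port or address, and that a packet matching no entry is denied.

```python
import ipaddress

# Constructed stand-in for /etc/services: name -> (port, protocol or None for both transports)
SERVICES = {"smtp": (25, "tcp"), "nntp": (119, "tcp"), "domain": (53, None),
            "ntp": (123, "udp"), "telnet": (23, "tcp"), "ftp": (21, "tcp")}

def parse_spec(spec):
    """Parse one entry such as '!domain/137.175.42.0/0xffffff00' into a rule dict."""
    rule = {"negate": spec.startswith("!"), "port": None, "proto": None,
            "net": None, "quals": set()}
    fields = spec.lstrip("!").split("/")
    while fields:
        f = fields.pop(0)
        if f in SERVICES:
            rule["port"], rule["proto"] = SERVICES[f]
        elif f.isdigit():
            rule["port"] = int(f)                      # port number or ICMP type
        elif f in ("tcp", "udp", "icmp"):
            rule["proto"] = f
        elif f in ("syn", "send", "recv", "trace"):    # 'trace' only affects logging
            rule["quals"].add(f)
        else:                                          # dotted address, optional mask
            mask = "32"
            if fields and (fields[0].startswith("0x") or "." in fields[0]):
                mask = fields.pop(0)
                if mask.startswith("0x"):              # 0xffffff00 -> 255.255.255.0
                    mask = str(ipaddress.IPv4Address(int(mask, 16)))
            rule["net"] = ipaddress.ip_network(f"{f}/{mask}", strict=False)
    return rule

def matches(rule, pkt):
    """pkt keys: proto, sport, dport, src, dst, direction ('send'/'recv'), syn."""
    addrs = [ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])]
    return (rule["proto"] in (None, pkt["proto"])
            and rule["port"] in (None, pkt["sport"], pkt["dport"])
            and (rule["net"] is None or any(a in rule["net"] for a in addrs))
            and ("syn" not in rule["quals"] or pkt["syn"])
            and not (({"send", "recv"} & rule["quals"]) - {pkt["direction"]}))

def evaluate(spec_line, pkt):
    """First matching entry decides; '!' denies; no match denies (assumed default)."""
    for rule in map(parse_spec, spec_line.split()):
        if matches(rule, pkt):
            return not rule["negate"]
    return False

# The 'pass' list from the example Filter above, flattened onto one line
PASS = ("!131.119.250.104 domain/137.175.42.0/255.255.255.0 !137.175.42.0/0xffffff00 "
        "!telnet/syn/recv !ftp/syn/recv domain smtp nntp ntp icmp telnet ftp")
```

Because the stand-in table lists ntp as 123/udp only, a TCP packet to port 123 matches no entry and is denied, which is the effect the 123/udp workaround above is meant to produce.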
DEC ULTRIX 4.2 and some other systems may have no entry for FTP’s data socket in their /etc/services file. If you want to log the bulk data connections as well as the control connections, you’ll need to either add an entry for ‘ftp-data’ to /etc/services, or use 20/tcp explicitly in Filter. The former is preferable because it will cause the log file entry to contain the symbolic name
Section 4-220    Hewlett-Packard Company    - 4 -    HP-UX 11i Version 1: September 2005