HP-UX Reference (11i v2 03/08) - 4 File Formats (vol 8)
ppp.Filter(4)
     default bringup all
             pass    all
             keepup  all
             log     !all
The default behavior is no restriction of packets, and no logging.
Internet Firewall
A ‘pass’ line like this might be appropriate as a security firewall between an organizational network and
the larger Internet:
     internet-gateway
             bringup !ntp !3/icmp !5/icmp !11/icmp !who !route
                     !nntp !89
             pass    nntp/137.39.1.2 !nntp
                     telnet/syn/recv/137.175.0.0
                     !telnet/syn/recv !ftp/syn/recv
                     !login/syn/recv !shell/syn/recv !who
                     !sunrpc !chargen !tftp !supdup/syn/recv
                     !exec !syslog !route !6000/tcp/syn/send
             keepup  !send !ntp !3/icmp !5/icmp !11/icmp
                     !who !route !89
             log     rejected
This ‘pass’ specification allows NNTP (Usenet news) transactions with one peer and no others. It allows
incoming Telnet sessions from hosts on only one network, disallows all other incoming Telnet, SUPDUP,
and FTP sessions, and allows all outgoing Telnet, SUPDUP, and FTP sessions.
It allows X Window System clients running elsewhere to display on local window servers, but it allows no
local X clients to use displays located elsewhere. It disallows all SUN RPC traffic, thereby guarding the
local YP/NIS and NFS servers from outside probes and filesystem mounts. Alas, it also disallows local
machines from mounting filesystems resident on NFS servers elsewhere, but this can’t be helped because
NFS uses RPC which is a UDP service, and therefore without the SYN and FIN packets that can be used
to characterize the direction in which a TCP stream is being initiated. It blocks several other sorts of
traffic that could be used for nefarious purposes, and the absence of a trailing ‘!all’ means that any traffic
not explicitly blocked is permitted to pass.
The ‘bringup’ and ‘keepup’ lines are appropriate for an intermittent dial-up connection, so that various
error conditions won’t cause the link to be established, nor to keep the call open beyond its usefulness.
OSPF (Open Shortest Path First) routing packets (IP protocol number 89, from RFC-1340) will cross the
link, but won’t cause it to be brought up, nor keep it up if it’s otherwise idle. Usenet news traffic won’t
bring up the link, but once started, the link won’t be shut off in the middle of a news batch. The ‘log
rejected’ line keeps a record of every packet that is blocked by the ‘pass’ line, so that unsuccessful
penetration attempts will be noted.
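The ‘pass’ list of the internet-gateway example can be checked against sample packets with the small matcher below, an added Python example that is not part of the HP-UX manual or of pppd. It assumes the matching rule the text implies: patterns are tried in order, the first match decides, a leading ‘!’ rejects, and a packet matching no pattern takes the opposite sense of the last pattern (so a list not ending in ‘!all’ passes unlisted traffic). The service table, the treatment of trailing zero octets as wildcards, and the packet fields are constructed simplifications, not pppd’s own resolution through /etc/services.

```python
# Constructed service table (port, protocol or None for either); pppd resolves names via /etc/services.
SERVICES = {"nntp": (119, "tcp"), "telnet": (23, "tcp"), "ftp": (21, "tcp"),
            "login": (513, "tcp"), "shell": (514, "tcp"), "who": (513, "udp"),
            "sunrpc": (111, None), "chargen": (19, None), "tftp": (69, "udp"),
            "supdup": (95, "tcp"), "exec": (512, "tcp"), "syslog": (514, "udp"),
            "route": (520, "udp"), "ntp": (123, "udp")}
# The 'pass' patterns of the internet-gateway example, in the order written.
PASS_PATTERNS = """nntp/137.39.1.2 !nntp telnet/syn/recv/137.175.0.0
!telnet/syn/recv !ftp/syn/recv !login/syn/recv !shell/syn/recv !who
!sunrpc !chargen !tftp !supdup/syn/recv !exec !syslog !route
!6000/tcp/syn/send""".split()

def packet(proto, port, dir, addr, syn=False):
    # Constructed packet summary: service port (or ICMP type), direction, peer address.
    return {"proto": proto, "port": port, "dir": dir, "addr": addr, "syn": syn}

def addr_match(pattern, addr):
    # Assumption: trailing zero octets act as wildcards, so 137.175.0.0 covers 137.175.*.*.
    return all(p in ("0", a) for p, a in zip(pattern.split("."), addr.split(".")))

def matches(pattern, pkt):
    # Every '/'-separated component of one pattern must fit the packet.
    for comp in pattern.lstrip("!").split("/"):
        if comp in ("tcp", "udp", "icmp"):
            ok = pkt["proto"] == comp
        elif comp == "syn":
            ok = pkt["syn"]
        elif comp in ("send", "recv"):
            ok = pkt["dir"] == comp
        elif comp in SERVICES:
            port, proto = SERVICES[comp]
            ok = pkt["port"] == port and proto in (None, pkt["proto"])
        elif comp.isdigit():
            ok = pkt["port"] == int(comp)  # bare port number or ICMP type
        else:  # 'all', or a dotted-quad host or network address
            ok = comp == "all" or addr_match(comp, pkt["addr"])
        if not ok:
            return False
    return True

def passes(patterns, pkt):
    # First matching pattern decides and a leading '!' rejects.  An unmatched packet takes
    # the opposite sense of the last pattern, so a list not ending in '!all' lets it through.
    for pattern in patterns:
        if matches(pattern, pkt):
            return not pattern.startswith("!")
    return patterns[-1].startswith("!")

if __name__ == "__main__":  # two of the cases the text walks through
    for p in (packet("tcp", 119, "recv", "137.39.1.2"), packet("tcp", 6000, "send", "192.0.2.9", syn=True)):
        print(p, "->", "pass" if passes(PASS_PATTERNS, p) else "reject")
```

Each case the text describes (NNTP only from the one peer, inbound Telnet only from 137.175, outbound Telnet allowed, local X clients blocked) can be tried by building the matching packet and calling passes().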
An Extremely Complex Example
The following Filter file instructs the daemon that a connection to any neighbor except the host ‘backbone’
be brought up in response to any packet except for those generated by NTP, ICMP Destination
Unreachable, and rwhod. If those are the only types of packets flowing across the link, it will not be
kept up, but all packets are allowed to cross the link while it is up. Packets sent out will not reset the
idle timer, but packets received from the peer will. If the peer goes down and modem problems cause the
phone not to be hung up (and the idle command-line argument has been specified), pppd will hang up
the connection and retry.
In the special case of the host ‘backbone’ (perhaps a server belonging to a network connectivity vendor),
only telnet and FTP sessions, SMTP electronic mail, NNTP network news, and Domain Name System
queries are considered sufficient cause to bring the link up or to keep it up if otherwise idle.
Once the link is up, all the above plus NTP clock chimes and ICMP messages may flow across the link.
No packets to or from a particular host, nor any packets except Domain Name System queries and
responses for any host on subnet 42 of the class B network 137.175 are ever allowed to cross the link, nor
would they cause the link to be initiated. We allow telnet and FTP sessions only if they are initiated in
the outbound direction.
We log one-line descriptions of various ICMP problem messages (Unreachable, Time Exceeded), and the
complete contents of ICMP messages reporting IP header problems. We log all telnet and FTP sessions,
including inbound attempts (though they will fail because they are excluded in the ‘pass’ specification
above). We also log the header of the first packet of any electronic mail message flowing over this link on
its way to or from a specific host.
HP-UX 11i Version 2: August 2003 − 3 − Hewlett-Packard Company Section 4−245