HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)
ppp.Filter(4) ppp.Filter(4)
ssrr Strict Source Routing is used to route the internet datagram based on information
supplied by the source.
srcrt Either Loose Source Routing or Strict Source Routing.
any Any IP option - could even match the No Operation option.
EXAMPLES
Default Behavior
The following Filter file describes the default behavior of pppd, either in the absence of a filter specification file or in the case of an empty file:
# Filter - PPP configuration file,
# binding packet types to actions.
# Describes the default behavior of the daemon:
default bringup all pass all keepup all log !all
default6 bringup all pass all keepup all log !all
The default behavior is no restriction of packets, and no logging.
Internet Firewall
A ‘pass’ line like this might be appropriate as a security firewall between an organizational network and
the larger Internet:
internet-gateway
bringup !ntp !3/icmp !5/icmp !11/icmp !who !route
!nntp !89
pass nntp/137.39.1.2 !nntp
telnet/syn/recv/137.175.0.0
!telnet/syn/recv !ftp/syn/recv
!login/syn/recv !shell/syn/recv !who
!sunrpc !chargen !tftp !supdup/syn/recv
!exec !syslog !route !6000/tcp/syn/send
keepup !send !ntp !3/icmp !5/icmp !11/icmp
!who !route !89
log rejected
This ‘pass’ specification allows NNTP (Usenet news) transactions with one peer and no others. It allows
incoming Telnet sessions from hosts on only one network, disallows all other incoming Telnet, SUPDUP,
and FTP sessions, and allows all outgoing Telnet, SUPDUP, and FTP sessions.
It allows X Window System clients running elsewhere to display on local window servers, but it allows no
local X clients to use displays located elsewhere. It disallows all Sun RPC traffic, thereby guarding the
local YP/NIS and NFS servers from outside probes and filesystem mounts. Alas, it also disallows local
machines from mounting filesystems resident on NFS servers elsewhere, but this can’t be helped because
NFS uses RPC over UDP, and UDP has no SYN and FIN packets that could be used to characterize the
direction in which a stream is being initiated. It blocks several other sorts of traffic that could be used
for nefarious purposes. Note that the policy is default-allow: the absence of a trailing ‘!all’ means that
any traffic not explicitly blocked by an earlier item is permitted to pass.
The ‘bringup’ and ‘keepup’ lines are appropriate for an intermittent dial-up connection, so that various
error conditions won’t cause the link to be established, nor to keep the call open beyond its usefulness.
OSPF (Open Shortest Path First) routing packets (IP protocol number 89, from RFC-1340) will cross the
link, but won’t cause it to be brought up, nor keep it up if it’s otherwise idle. Usenet news traffic won’t
bring up the link, but once started, the link won’t be shut off in the middle of a news batch. The ‘log
rejected’ line keeps a record of every packet that is blocked by the ‘pass’ line, so that unsuccessful
penetration attempts will be noted.
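To check how the ‘pass’ and ‘bringup’ lines above classify real traffic before committing them to a Filter file, the following evaluator walks a filter line item by item the way the text describes: the first matching item decides, a ‘!’ item rejects, and a packet matching nothing is allowed. This is an added example written for this page, not HP’s pppd filter code. The service-to-port table, the Packet record, the sample packets, and the rule that trailing zero octets in an address are wildcards (so 137.175.0.0 is a /16) are all assumptions made for the example; only the item syntax and the first-match/default-allow semantics come from the man page text.

```python
"""Evaluator for the filter-line syntax shown in ppp.Filter(4).
Added example, not HP's implementation; anything beyond the man page
text (service table, address wildcarding, bare numbers) is assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed /etc/services subset: name -> (protocol or "any", port).
SERVICES = {
    "ntp": ("udp", 123), "nntp": ("tcp", 119), "telnet": ("tcp", 23),
    "ftp": ("tcp", 21), "login": ("tcp", 513), "shell": ("tcp", 514),
    "exec": ("tcp", 512), "supdup": ("tcp", 95), "chargen": ("tcp", 19),
    "who": ("udp", 513), "sunrpc": ("any", 111), "tftp": ("udp", 69),
    "syslog": ("udp", 514), "route": ("udp", 520),
}


@dataclass
class Packet:
    direction: str        # "send" (outbound) or "recv" (inbound)
    proto: str            # "tcp", "udp", "icmp", or an IP protocol number as text
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    syn: bool = False
    fin: bool = False


def to_network(text):
    """Assumption: trailing zero octets are wildcards, so 137.175.0.0 is a /16."""
    zeros = 0
    for octet in reversed(text.split(".")):
        if octet != "0":
            break
        zeros += 1
    return ip_network(f"{text}/{32 - 8 * zeros}", strict=False)


def parse_item(text):
    """Return (negated, conditions) for one item such as '!3/icmp' or 'telnet/syn/recv/137.175.0.0'."""
    neg, cond, number = text.startswith("!"), {}, None
    for tok in text.lstrip("!").split("/"):
        if tok == "all":
            cond["all"] = True
        elif tok in ("send", "recv"):
            cond["direction"] = tok
        elif tok in ("syn", "fin"):
            cond[tok] = True
        elif tok in ("tcp", "udp", "icmp"):
            cond["proto"] = tok
        elif tok in SERVICES:
            cond["proto"], cond["port"] = SERVICES[tok]
        elif tok.isdigit():
            number = int(tok)
        elif tok.replace(".", "").isdigit():
            cond["net"] = to_network(tok)
        else:
            raise ValueError(f"unknown filter token {tok!r} in {text!r}")
    if number is not None:                 # a bare number's meaning follows the protocol token
        if cond.get("proto") == "icmp":
            cond["icmp_type"] = number     # e.g. 3/icmp
        elif cond.get("proto") in ("tcp", "udp"):
            cond["port"] = number          # e.g. 6000/tcp
        else:
            cond["ipproto"] = str(number)  # e.g. 89 for OSPF (assumed reading)
    return neg, cond


def matches(cond, pkt):
    """True when every condition of the item holds for the packet."""
    if cond.get("all"):
        return True
    if cond.get("direction", pkt.direction) != pkt.direction:
        return False
    if (cond.get("syn") and not pkt.syn) or (cond.get("fin") and not pkt.fin):
        return False
    proto = cond.get("proto")
    if proto == "any" and pkt.proto not in ("tcp", "udp"):
        return False
    if proto not in (None, "any") and pkt.proto != proto:
        return False
    if "ipproto" in cond and pkt.proto != cond["ipproto"]:
        return False
    if "port" in cond and cond["port"] not in (pkt.sport, pkt.dport):
        return False
    if "icmp_type" in cond and pkt.icmp_type != cond["icmp_type"]:
        return False
    if "net" in cond and not any(ip_address(a) in cond["net"] for a in (pkt.src, pkt.dst)):
        return False
    return True


def evaluate(line, pkt):
    """First matching item decides; no match means allowed (no trailing '!all')."""
    for item in line.split():
        neg, cond = parse_item(item)
        if matches(cond, pkt):
            return (not neg), item
    return True, None


def log_rejected(line, packets):
    """What a 'log rejected' line records: each packet the 'pass' line blocks."""
    return [f"rejected by {item}: {p.direction} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets for ok, item in [evaluate(line, p)] if not ok]


# Lines copied from the internet-gateway example above.
PASS_LINE = ("nntp/137.39.1.2 !nntp telnet/syn/recv/137.175.0.0 !telnet/syn/recv "
             "!ftp/syn/recv !login/syn/recv !shell/syn/recv !who !sunrpc !chargen "
             "!tftp !supdup/syn/recv !exec !syslog !route !6000/tcp/syn/send")
BRINGUP_LINE = "!ntp !3/icmp !5/icmp !11/icmp !who !route !nntp !89"

# Constructed sample packets; 10.0.0.5 is the assumed local host, 192.0.2.x outsiders.
SAMPLES = {
    "news_peer": Packet("recv", "tcp", "137.39.1.2", "10.0.0.5", 2000, 119, syn=True),
    "news_other": Packet("recv", "tcp", "192.0.2.9", "10.0.0.5", 2000, 119, syn=True),
    "telnet_in_ok": Packet("recv", "tcp", "137.175.3.4", "10.0.0.5", 3000, 23, syn=True),
    "telnet_in_bad": Packet("recv", "tcp", "192.0.2.9", "10.0.0.5", 3000, 23, syn=True),
    "telnet_out": Packet("send", "tcp", "10.0.0.5", "192.0.2.9", 40000, 23, syn=True),
    "x_client_out": Packet("send", "tcp", "10.0.0.5", "192.0.2.9", 40001, 6000, syn=True),
    "x_client_in": Packet("recv", "tcp", "192.0.2.9", "10.0.0.5", 40002, 6000, syn=True),
    "portmap_probe": Packet("recv", "udp", "192.0.2.9", "10.0.0.5", 5000, 111),
    "nfs_out": Packet("send", "udp", "10.0.0.5", "192.0.2.20", 1023, 2049),
    "ospf": Packet("recv", "89", "192.0.2.1", "10.0.0.5"),
    "icmp_unreach": Packet("recv", "icmp", "192.0.2.1", "10.0.0.5", icmp_type=3),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} pass={evaluate(PASS_LINE, pkt)} bringup={evaluate(BRINGUP_LINE, pkt)}")
```

Running it shows the two points the text makes: the news peer, the Telnet session from 137.175.0.0, and all outgoing Telnet are allowed while the other news host, the stray inbound Telnet SYN, the portmapper probe and the outgoing X connection are rejected; and because nothing in the ‘pass’ line names it, the outbound NFS datagram to port 2049 (constructed here) is allowed by the default, which is exactly the behaviour a trailing ‘!all’ would change. The OSPF packet and the ICMP destination-unreachable pass the ‘pass’ line but hit ‘!89’ and ‘!3/icmp’ on the ‘bringup’ line, so they cross an established link without dialing it.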
For IPv6, add a similar filter entry, keyed by the link-local address of the gateway:
<IPv6 link local gateway address> #like fe80::2222
# which type of traffic should/shouldn’t bring up the line
bringup !ntp !128/icmp6 !137/icmp6 !who !route !nntp
# which type of packets should be passed/rejected
HP-UX 11i Version 2: September 2004 − 3 − Hewlett-Packard Company Section 4−−249