HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)
ppp.Filter(4)
pass !nntp
!telnet/syn/recv
# Don’t allow any packets from network whose prefix matches
# prefix cafe.
!cafe::1234/16
!ftp/syn/recv !login/syn/recv !shell/syn/recv
# which type of packets should/shouldn’t restart the idle timer
keepup !send !ntp !137/icmp !who !route
# which type of packets should/shouldn’t be logged
log rejected
An Extremely Complex Example
The following Filter file instructs the daemon that a connection to any neighbor except the host ‘backbone’ be brought up in response to any packet except for those generated by NTP, ICMP Destination Unreachable, and rwhod. If those are the only types of packets flowing across the link, it will not be kept up, but all packets are allowed to cross the link while it is up. Packets sent out will not reset the idle timer, but packets received from the peer will. If the peer goes down and modem problems cause the phone not to be hung up (and the idle command-line argument has been specified), pppd will hang up the connection and retry.
In the special case of the host ‘backbone’ (perhaps a server belonging to a network connectivity vendor), only telnet and FTP sessions, SMTP electronic mail, NNTP network news, and Domain Name System queries are considered sufficient cause to bring the link up or to keep it up if otherwise idle. Once the link is up, all the above plus NTP clock chimes and ICMP messages may flow across the link. No packets to or from a particular host, nor any packets except Domain Name System queries and responses for any host on subnet 42 of the class B network 137.175, are ever allowed to cross the link, nor would they cause the link to be initiated. We allow telnet and FTP sessions only if they are initiated in the outbound direction.
We log one-line descriptions of various ICMP problem messages (Unreachable, Time Exceeded), and the complete contents of ICMP messages reporting IP header problems. We log all telnet and FTP sessions, including inbound attempts (though they will fail because they are excluded in the ‘pass’ specification above). We also log the header of the first packet of any electronic mail message flowing over this link on its way to or from a specific host.
#
# Filter - PPP configuration file binding packet
# types to actions.
#
# For packets that would pass, these services
# will bring up the link:
#
backbone bringup smtp nntp domain telnet ftp
#
# Once brought up, these will pass (or not):
#
pass !131.119.250.104
domain/137.175.42.0/255.255.255.0
!137.175.42.0/0xffffff00
# (alternative ways of
# expressing subnet mask)
!telnet/syn/recv !ftp/syn/recv
domain smtp nntp ntp icmp telnet ftp
#
# Packets received for the services shown will
# reset the idle timer.
#
keepup !send smtp nntp domain telnet ftp
#
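To make the ordering of the ‘pass’ list above concrete, here is an added Python model (not part of this man page or of pppd) that evaluates the complex example's pass specifications against constructed packets. It assumes that specifications are tried in order with the first match deciding, that a packet matching no specification is treated the opposite of the last specification, and that an address specification matches the far-end host of the packet.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Spec:
    """Simplified model of one pass-list specification."""
    allow: bool                # False for a "!" specification
    service: str = None        # e.g. "domain"; None matches any service
    net: str = None            # host, or net/mask; None matches any address
    syn_recv: bool = False     # "/syn/recv": inbound connection attempts only


def parse_net(text):
    """Accept host, net/dotted-mask, net/0xhexmask or net/prefixlen forms."""
    if "/" not in text:
        return ipaddress.ip_network(text)            # single host -> /32
    net, mask = text.split("/", 1)
    if mask.startswith("0x"):                        # 0xffffff00 -> 255.255.255.0
        mask = str(ipaddress.ip_address(int(mask, 16)))
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


# The "pass" list of the complex example, transcribed in evaluation order.
PASS = [
    Spec(False, net="131.119.250.104"),
    Spec(True, "domain", "137.175.42.0/255.255.255.0"),
    Spec(False, net="137.175.42.0/0xffffff00"),
    Spec(False, "telnet", syn_recv=True),
    Spec(False, "ftp", syn_recv=True),
] + [Spec(True, s) for s in "domain smtp nntp ntp icmp telnet ftp".split()]


def pkt(service, peer, syn=False, direction="send"):
    """Constructed packet: service name, far-end address, TCP SYN flag, direction."""
    return {"service": service, "peer": ipaddress.ip_address(peer),
            "syn": syn, "direction": direction}


def matches(spec, p):
    if spec.service and spec.service != p["service"]:
        return False
    if spec.syn_recv and not (p["syn"] and p["direction"] == "recv"):
        return False
    return spec.net is None or p["peer"] in parse_net(spec.net)


def passes(specs, p):
    """First matching specification decides; an unmatched packet takes the
    opposite of the last specification (assumption about pppd's semantics)."""
    for spec in specs:
        if matches(spec, p):
            return spec.allow
    return not specs[-1].allow
```

Because the two subnet-42 specifications are tried in order, a DNS packet for a host on that subnet passes while an SMTP packet for the same host is rejected, and an inbound telnet SYN is rejected before the later unqualified ‘telnet’ entry can admit it.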
Section 4−−250 Hewlett-Packard Company − 4 − HP-UX 11i Version 2: September 2004