HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)

ppp.Filter(4)
ssrr Strict Source Routing is used to route the internet datagram based on information
supplied by the source.
srcrt Either Loose Source Routing or Strict Source Routing.
any Any IP option - could even match the No Operation option.
EXAMPLES
Default Behavior
The following Filter file describes the default behavior of pppd, either in the absence of a filter
specification file or in the case of an empty file:
# Filter - PPP configuration file,
# binding packet types to actions.
# Describes the default behavior of the daemon:
default bringup all pass all keepup all log !all
default6 bringup all pass all keepup all log !all
The default behavior is no restriction of packets, and no logging.
Internet Firewall
A ‘pass’ line like this might be appropriate as a security firewall between an organizational network and the
larger Internet:
internet-gateway
    bringup !ntp !3/icmp !5/icmp !11/icmp !who !route
            !nntp !89
    pass    nntp/137.39.1.2 !nntp
            telnet/syn/recv/137.175.0.0
            !telnet/syn/recv !ftp/syn/recv
            !login/syn/recv !shell/syn/recv !who
            !sunrpc !chargen !tftp !supdup/syn/recv
            !exec !syslog !route !6000/tcp/syn/send
    keepup  !send !ntp !3/icmp !5/icmp !11/icmp
            !who !route !89
    log     rejected
This pass specification allows NNTP (Usenet news) transactions with one peer and no others. It allows
incoming Telnet sessions from hosts on only one network, disallows all other incoming Telnet, SUPDUP,
and FTP sessions, and allows all outgoing Telnet, SUPDUP, and FTP sessions.
It allows X Window System clients running elsewhere to display on local window servers, but it allows no
local X clients to use displays located elsewhere. It disallows all SUN RPC traffic, thereby guarding the
local YP/NIS and NFS servers from outside probes and filesystem mounts. Alas, it also disallows local
machines from mounting filesystems resident on NFS servers elsewhere, but this can’t be helped because
NFS uses RPC which is a UDP service, and therefore without the SYN and FIN packets that can be used to
characterize the direction in which a TCP stream is being initiated. It blocks several other sorts of traffic
that could be used for nefarious purposes, and the absence of a trailing ‘!all’ means that any traffic not
explicitly blocked is permitted to pass.
The ‘bringup’ and ‘keepup’ lines are appropriate for an intermittent dial-up connection, so that various error
conditions won’t cause the link to be established, nor to keep the call open beyond its usefulness. OSPF
(Open Shortest Path First) routing packets (IP protocol number 89, from RFC-1340) will cross the link, but
won’t cause it to be brought up, nor keep it up if it’s otherwise idle. Usenet news traffic won’t bring up the
link, but once started, the link won’t be shut off in the middle of a news batch. The ‘log rejected’ line keeps
a record of every packet that is blocked by the ‘pass’ line, so that unsuccessful penetration attempts will be
noted.
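As an added illustration, not part of this manual page or of pppd itself, the following Python evaluator applies the first-match, default-permit semantics described above to the ‘pass’ line of the firewall example. The service table, the Packet fields and the rule that trailing zero octets in an address act as a network wildcard are simplifying assumptions, not pppd’s own lookup.

```python
from collections import namedtuple
# Constructed name->(proto, port) table; the real pppd consults /etc/services.
SERVICES = {"nntp": ("tcp", 119), "telnet": ("tcp", 23), "ftp": ("tcp", 21), "login": ("tcp", 513),
            "shell": ("tcp", 514), "exec": ("tcp", 512), "supdup": ("tcp", 95), "chargen": ("tcp", 19),
            "who": ("udp", 513), "sunrpc": ("udp", 111), "tftp": ("udp", 69), "syslog": ("udp", 514),
            "route": ("udp", 520)}

# proto "tcp"/"udp"; port at either end; direction "send"/"recv" seen from the local host;
# syn: TCP SYN set (connection being initiated); remote: remote IPv4 address, dotted quad.
Packet = namedtuple("Packet", "proto port direction syn remote")

def parse_term(term):  # '!telnet/syn/recv' -> (reject?, conditions)
    cond = {}
    for part in term.lstrip("!").split("/"):
        if part in SERVICES:
            cond["proto"], cond["port"] = SERVICES[part]
        elif part.isdigit():
            cond["port"] = int(part)          # numeric port, e.g. 6000/tcp
        elif part in ("tcp", "udp"):
            cond["proto"] = part
        elif part in ("syn", "send", "recv"):
            cond[part] = True
        elif part != "all":
            cond["addr"] = part               # host or network address
    return term.startswith("!"), cond

def matches(cond, pkt):  # True if every condition of the term holds for pkt
    if cond.get("proto", pkt.proto) != pkt.proto: return False
    if cond.get("port", pkt.port) != pkt.port: return False
    if cond.get("syn") and not pkt.syn: return False
    if ("send" in cond or "recv" in cond) and pkt.direction not in cond: return False
    if "addr" in cond:  # trailing zero octets act as a network wildcard (assumption)
        for want, have in zip(cond["addr"].split("."), pkt.remote.split(".")):
            if want != "0" and want != have: return False
    return True

def evaluate(pass_line, pkt):
    """First matching term decides; an unmatched packet passes (no trailing '!all')."""
    for term in pass_line.split():
        reject, cond = parse_term(term)
        if matches(cond, pkt):
            return not reject
    return True

PASS_LINE = (  # the page's own pass line, flattened onto one string
    "nntp/137.39.1.2 !nntp telnet/syn/recv/137.175.0.0 !telnet/syn/recv "
    "!ftp/syn/recv !login/syn/recv !shell/syn/recv !who !sunrpc !chargen "
    "!tftp !supdup/syn/recv !exec !syslog !route !6000/tcp/syn/send")

def rejected_packets(pass_line, packets):  # what 'log rejected' would record
    return [p for p in packets if not evaluate(pass_line, p)]
```

Running it against constructed packets shows why the text says NFS cannot be let through: a UDP ‘!sunrpc’ term blocks both directions, since there is no SYN to tell an outgoing mount from an incoming probe.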
For an IPv6 filter, add lines similar to the following:
<IPv6 link local gateway address>    # like fe80::2222
    # which type of traffic should/shouldn’t bring up the line
    bringup !ntp !128/icmp6 !137/icmp6 !who !route !nntp
    # which type of packets should be passed/rejected
HP-UX 11i Version 2: December 2007 Update 3 Hewlett-Packard Company 279