HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

ppp.Filter(4) ppp.Filter(4)
pass !nntp
!telnet/syn/recv
# Don’t allow any packets from network whose prefix matches
# prefix cafe.
!cafe::1234/16
!ftp/syn/recv !login/syn/recv !shell/syn/recv
# which type of packets should/shouldn’t restart
# the idle timer
keepup !send !ntp !137/icmp !who !route
# which type of packets should/shouldn’t be logged
log rejected
An Extremely Complex Example
The following Filter file instructs the daemon that a connection to any neighbor except the host "backbone"
be brought up in response to any packet except those generated by NTP, ICMP Destination Unreachable,
and rwhod. If those are the only types of packets flowing across the link, it will not be kept up, but all
packets are allowed to cross the link while it is up. Packets sent out will not reset the idle timer, but
packets received from the peer will. If the peer goes down and modem problems cause the phone not to be
hung up, pppd (provided the idle command-line argument has been specified) will hang up the connection
and retry.
In the special case of the host "backbone" (perhaps a server belonging to a network connectivity vendor),
only telnet and FTP sessions, SMTP electronic mail, NNTP network news, and Domain Name System
queries are considered sufficient cause to bring the link up or to keep it up if otherwise idle.
Once the link is up, all the above plus NTP clock chimes and ICMP messages may flow across the link. No
packets to or from a particular host, nor any packets except Domain Name System queries and responses
for any host on subnet 42 of the class B network 137.175 are ever allowed to cross the link, nor would they
cause the link to be initiated. We allow telnet and FTP sessions only if they are initiated in the outbound
direction.
We log one-line descriptions of various ICMP problem messages (Unreachable, Time Exceeded), and the
complete contents of ICMP messages reporting IP header problems. We log all telnet and FTP sessions,
including inbound attempts (though they will fail because they are excluded in the pass specification
above). We also log the header of the first packet of any electronic mail message flowing over this link on
its way to or from a specific host.
#
# Filter - PPP configuration file binding packet
# types to actions.
#
# For packets that would pass, these services
# will bring up the link:
#
backbone bringup smtp nntp domain telnet ftp
#
# Once brought up, these will pass (or not):
#
pass !131.119.250.104
domain/137.175.42.0/255.255.255.0
!137.175.42.0/0xffffff00
# (alternative ways of
# expressing subnet mask)
!telnet/syn/recv !ftp/syn/recv
domain smtp nntp ntp icmp telnet ftp
#
# Packets received for the services shown will
# reset the idle timer.
#
keepup !send smtp nntp domain telnet ftp
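The rules above only make sense if specs are tried in order and the first match decides (a packet to 137.175.42.0/24 is reached by "domain/137.175.42.0/255.255.255.0" before "!137.175.42.0/0xffffff00"). The evaluator below is an added example, not part of this man page or of pppd: it models the Filter syntax used in the "backbone" stanza as a first-match-wins spec list, where a negated match or no match at all means the action is not taken, a bare address matches either endpoint, and a line that starts with a peer name opens a stanza that the following keyword lines belong to. Those semantics are inferred from the example and its description, not from the daemon's source; the service-to-port table, the Packet type, the peer and host addresses 10.0.0.1 and 192.0.2.9, and the sample packets are constructed for the example, and log lines are stored but not evaluated.

```python
"""Toy first-match evaluator for the pppd Filter syntax shown on this page.
Added example: rule semantics are inferred from the page, not taken from pppd."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

SERVICES = {"domain": 53, "smtp": 25, "nntp": 119, "ntp": 123, "telnet": 23, "ftp": 21}  # assumed ports
PROTOCOLS = {"tcp", "udp", "icmp"}
KEYWORDS = {"bringup", "keepup", "pass", "log"}
FLAGS = {"syn", "recv", "send"}
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Packet:                 # constructed packet model, not a pppd structure
    src: str
    dst: str
    direction: str            # "send" (towards the peer) or "recv" (from the peer)
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP connection attempt (SYN without ACK)


@dataclass
class Spec:
    negate: bool = False
    port: Optional[int] = None
    proto: Optional[str] = None
    net: Optional[Network] = None
    syn: bool = False
    direction: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every element present in the spec must hold; an address matches either end."""
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.net is not None and not any(
                ipaddress.ip_address(a) in self.net for a in (pkt.src, pkt.dst)):
            return False
        if self.syn and not pkt.syn:
            return False
        return self.direction is None or self.direction == pkt.direction


def _is_address(tok: str) -> bool:
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def _to_network(addr: str, mask: Optional[str]) -> Network:
    """A bare address is a host; the mask may be dotted, hex (0xffffff00) or a prefix length."""
    if mask is None:
        return ipaddress.ip_network(addr)
    if mask.lower().startswith("0x"):
        mask = str(ipaddress.IPv4Address(int(mask, 16)))  # 0xffffff00 -> 255.255.255.0
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_spec(text: str) -> Spec:
    """Parse one element such as '!telnet/syn/recv', 'domain/137.175.42.0/255.255.255.0', '!send'."""
    spec = Spec(negate=text.startswith("!"))
    parts = text.lstrip("!").split("/")
    i = 0
    while i < len(parts):
        p = parts[i]
        if p == "syn":
            spec.syn = True
        elif p in FLAGS:
            spec.direction = p
        elif p in SERVICES:
            spec.port = SERVICES[p]
        elif p in PROTOCOLS:
            spec.proto = p
        elif p.isdigit():
            spec.port = int(p)
        elif _is_address(p):
            nxt = parts[i + 1] if i + 1 < len(parts) else None
            mask = nxt if nxt and (nxt.isdigit() or "." in nxt or nxt.lower().startswith("0x")) else None
            spec.net = _to_network(p, mask)
            if mask is not None:
                i += 1
        else:
            raise ValueError(f"unknown filter element {p!r} in {text!r}")
        i += 1
    return spec


def parse_filter(text: str) -> dict:
    """Map (peer, keyword) -> spec list. A leading peer name opens a stanza for the
    keyword lines that follow; lines without a keyword continue the previous rule."""
    rules, peer, key = {}, None, None
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if not toks:
            continue
        if toks[0] in KEYWORDS:
            key, toks = (peer, toks[0]), toks[1:]
        elif len(toks) > 1 and toks[1] in KEYWORDS:
            peer, key, toks = toks[0], (toks[0], toks[1]), toks[2:]
        elif key is None:
            raise ValueError(f"filter element before any keyword: {raw!r}")
        rules.setdefault(key, []).extend(toks if key[1] == "log" else map(parse_spec, toks))
    return rules


def decide(rules: dict, peer: str, keyword: str, pkt: Packet) -> bool:
    """First matching spec wins; a negated match, or no match at all, means 'no'."""
    specs = rules.get((peer, keyword), rules.get((None, keyword), []))
    for spec in specs:
        if spec.matches(pkt):
            return not spec.negate
    return False


# The "backbone" stanza from the page, embedded verbatim apart from the comments.
FILTER_TEXT = """
backbone bringup smtp nntp domain telnet ftp
pass !131.119.250.104
     domain/137.175.42.0/255.255.255.0
     !137.175.42.0/0xffffff00           # same subnet mask, written in hex
     !telnet/syn/recv !ftp/syn/recv
     domain smtp nntp ntp icmp telnet ftp
keepup !send smtp nntp domain telnet ftp
"""
RULES = parse_filter(FILTER_TEXT)

if __name__ == "__main__":
    ours, host42 = "10.0.0.1", "137.175.42.7"   # constructed addresses
    for pkt in (Packet(ours, host42, "send", "udp", 4000, 53),
                Packet(ours, host42, "send", "tcp", 4000, 23, syn=True)):
        print(pkt, "->", "pass" if decide(RULES, "backbone", "pass", pkt) else "rejected")
```

Running the script shows the two-sided effect of spec ordering: a DNS query to a host on subnet 42 passes, while a telnet SYN to the same host is rejected by the following negated subnet spec, and a packet that matches nothing at all (rwho on 513/udp, say) is rejected as well because no spec is an implicit "pass everything".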
318 Hewlett-Packard Company 4 HP-UX 11i Version 3: February 2007