authorbrian <brian@cvs.openbsd.org>1999-07-27 23:48:39 +0000
committerbrian <brian@cvs.openbsd.org>1999-07-27 23:48:39 +0000
commit4c2b3bee941149f46a00d0d4b0fa347edfbb1f93 (patch)
tree9e440d4ae46f0499bd8f9dab3abf5b7401fa111e /etc
parent545e26b567d364e38959560467cec8993bcea67c (diff)
Show how to use the new filter capabilities
Mostly submitted by: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
Diffstat (limited to 'etc')
-rw-r--r--etc/ppp/ppp.conf.sample90
1 files changed, 89 insertions, 1 deletions
diff --git a/etc/ppp/ppp.conf.sample b/etc/ppp/ppp.conf.sample
index 93ea741d1e0..1e79a11b152 100644
--- a/etc/ppp/ppp.conf.sample
+++ b/etc/ppp/ppp.conf.sample
@@ -4,7 +4,7 @@
#
# Originally written by Toshiharu OHNO
#
-# $OpenBSD: ppp.conf.sample,v 1.13 1999/05/31 00:21:57 brian Exp $
+# $OpenBSD: ppp.conf.sample,v 1.14 1999/07/27 23:48:38 brian Exp $
#
#################################################################
@@ -234,6 +234,94 @@ dodgy:
set filter in 7 permit udp dst gt 33433
set filter out 7 permit udp dst gt 33433
+#
+# ``dodgynet'' is an example intended for an autodial configuration which
+# is connecting a local network to a host on an untrusted network.
+dodgynet:
+ # Log link uptime
+ set log Phase
+ # For autoconnect only
+ allow modes auto
+ # Define modem device and speed
+ set device /dev/cuaa1
+ set speed 115200
+ # Don't support LQR
+ deny lqr
+ # Remote system phone number, login and password
+ set phone 0W1194
+ set authname pppLogin
+ set authkey MyPassword
+ # Chat script to dial remote system
+ set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
+ ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
+ # Chat script to login to remote Unix system
+ set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
+ # Drop the link after 15 minutes of inactivity
+ # Inactivity is defined by the `set filter alive' line below
+ set timeout 900
+ # Hard-code remote system to appear within local subnet and use proxy arp
+ # to make this system the gateway
+ set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
+ enable proxy
+
+ # Allow any TCP packet to keep the link alive
+ set filter alive 0 permit tcp
+
+ # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
+ # private TCP ports 24 and 4000
+ set filter dial 0 7 0 0 tcp dst eq http
+ set filter dial 1 7 0 0 tcp dst eq login
+ set filter dial 2 7 0 0 tcp dst eq shell
+ set filter dial 3 7 0 0 tcp dst eq telnet
+ set filter dial 4 7 0 0 tcp dst eq ftp
+ set filter dial 5 7 0 0 tcp dst eq 24
+ set filter dial 6 deny ! 0 0 tcp dst eq 4000
+ # From hosts on a couple of local subnets to the remote peer
+ # If the remote host allowed IP forwarding and we wanted to use it, the
+ # following rules could be split into two groups to separately validate
+ # the source and destination addresses.
+ set filter dial 7 permit 172.17.16.0/20 172.17.20.248
+ set filter dial 8 permit 172.17.36.0/22 172.17.20.248
+ set filter dial 9 permit 172.17.118.0/26 172.17.20.248
+ set filter dial 10 permit 10.123.5.0/24 172.17.20.248
+
+ # Once the link's up, limit outgoing access to the specified hosts
+ set filter out 0 4 172.17.16.0/20 172.17.20.248
+ set filter out 1 4 172.17.36.0/22 172.17.20.248
+ set filter out 2 4 172.17.118.0/26 172.17.20.248
+ set filter out 3 deny ! 10.123.5.0/24 172.17.20.248
+ # Allow established TCP connections
+ set filter out 4 permit 0 0 tcp estab
+ # And new connections to http, rlogin, rsh, telnet, ftp and ports
+ # 24 and 4000
+ set filter out 5 permit 0 0 tcp dst eq http
+ set filter out 6 permit 0 0 tcp dst eq login
+ set filter out 7 permit 0 0 tcp dst eq shell
+ set filter out 8 permit 0 0 tcp dst eq telnet
+ set filter out 9 permit 0 0 tcp dst eq ftp
+ set filter out 10 permit 0 0 tcp dst eq 24
+ set filter out 11 permit 0 0 tcp dst eq 4000
+ # And outgoing icmp
+ set filter out 12 permit 0 0 icmp
+
+ # Once the link's up, limit incoming access to the specified hosts
+ set filter in 0 4 172.17.20.248 172.17.16.0/20
+ set filter in 1 4 172.17.20.248 172.17.36.0/22
+ set filter in 2 4 172.17.20.248 172.17.118.0/26
+ set filter in 3 deny ! 172.17.20.248 10.123.5.0/24
+ # Established TCP connections and non-PASV FTP
+ set filter in 4 permit 0/0 0/0 tcp estab
+ set filter in 5 permit 0/0 0/0 tcp src eq 20
+ # Useful ICMP messages
+ set filter in 6 permit 0/0 0/0 icmp src eq 3
+ set filter in 7 permit 0/0 0/0 icmp src eq 4
+ set filter in 8 permit 0/0 0/0 icmp src eq 11
+ set filter in 9 permit 0/0 0/0 icmp src eq 12
+ # Echo reply (local systems can ping the remote host)
+ set filter in 10 permit 0/0 0/0 icmp src eq 0
+ # And the remote host can ping the local gateway (only)
+ set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8
+
# Server side PPP
# If you want the remote system to authenticate itself, you insist