diff options
author | brian <brian@cvs.openbsd.org> | 1999-07-27 23:48:39 +0000 |
---|---|---|
committer | brian <brian@cvs.openbsd.org> | 1999-07-27 23:48:39 +0000 |
commit | 4c2b3bee941149f46a00d0d4b0fa347edfbb1f93 (patch) | |
tree | 9e440d4ae46f0499bd8f9dab3abf5b7401fa111e /etc | |
parent | 545e26b567d364e38959560467cec8993bcea67c (diff) |
Show how to use the new filter capabilities
Mostly submitted by: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
Diffstat (limited to 'etc')
-rw-r--r-- | etc/ppp/ppp.conf.sample | 90 |
1 files changed, 89 insertions, 1 deletions
diff --git a/etc/ppp/ppp.conf.sample b/etc/ppp/ppp.conf.sample index 93ea741d1e0..1e79a11b152 100644 --- a/etc/ppp/ppp.conf.sample +++ b/etc/ppp/ppp.conf.sample @@ -4,7 +4,7 @@ # # Originally written by Toshiharu OHNO # -# $OpenBSD: ppp.conf.sample,v 1.13 1999/05/31 00:21:57 brian Exp $ +# $OpenBSD: ppp.conf.sample,v 1.14 1999/07/27 23:48:38 brian Exp $ # ################################################################# @@ -234,6 +234,94 @@ dodgy: set filter in 7 permit udp dst gt 33433 set filter out 7 permit udp dst gt 33433 +# +# ``dodgynet'' is an example intended for an autodial configuration which +# is connecting a local network to a host on an untrusted network. +dodgynet: + # Log link uptime + set log Phase + # For autoconnect only + allow modes auto + # Define modem device and speed + set device /dev/cuaa1 + set speed 115200 + # Don't support LQR + deny lqr + # Remote system phone number, login and password + set phone 0W1194 + set authname pppLogin + set authkey MyPassword + # Chat script to dial remote system + set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ + ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT" + # Chat script to login to remote Unix system + set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P" + # Drop the link after 15 minutes of inactivity + # Inactivity is defined by the `set filter alive' line below + set timeout 900 + # Hard-code remote system to appear within local subnet and use proxy arp + # to make this system the gateway + set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 + enable proxy + + # Allow any TCP packet to keep the link alive + set filter alive 0 permit tcp + + # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or + # private TCP ports 24 and 4000 + set filter dial 0 7 0 0 tcp dst eq http + set filter dial 1 7 0 0 tcp dst eq login + set filter dial 2 7 0 0 tcp dst eq shell + set filter dial 3 7 0 0 tcp dst eq telnet + set filter dial 4 7 0 0 tcp dst eq ftp + set filter dial 5 7 0 0 tcp dst eq 24 + set filter dial 6 deny ! 0 0 tcp dst eq 4000 + # From hosts on a couple of local subnets to the remote peer + # If the remote host allowed IP forwarding and we wanted to use it, the + # following rules could be split into two groups to separately validate + # the source and destination addresses. + set filter dial 7 permit 172.17.16.0/20 172.17.20.248 + set filter dial 8 permit 172.17.36.0/22 172.17.20.248 + set filter dial 9 permit 172.17.118.0/26 172.17.20.248 + set filter dial 10 permit 10.123.5.0/24 172.17.20.248 + + # Once the link's up, limit outgoing access to the specified hosts + set filter out 0 4 172.17.16.0/20 172.17.20.248 + set filter out 1 4 172.17.36.0/22 172.17.20.248 + set filter out 2 4 172.17.118.0/26 172.17.20.248 + set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 + # Allow established TCP connections + set filter out 4 permit 0 0 tcp estab + # And new connections to http, rlogin, rsh, telnet, ftp and ports + # 24 and 4000 + set filter out 5 permit 0 0 tcp dst eq http + set filter out 6 permit 0 0 tcp dst eq login + set filter out 7 permit 0 0 tcp dst eq shell + set filter out 8 permit 0 0 tcp dst eq telnet + set filter out 9 permit 0 0 tcp dst eq ftp + set filter out 10 permit 0 0 tcp dst eq 24 + set filter out 11 permit 0 0 tcp dst eq 4000 + # And outgoing icmp + set filter out 12 permit 0 0 icmp + + # Once the link's up, limit incoming access to the specified hosts + set filter in 0 4 172.17.20.248 172.17.16.0/20 + set filter in 1 4 172.17.20.248 172.17.36.0/22 + set filter in 2 4 172.17.20.248 172.17.118.0/26 + set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 + # Established TCP connections and non-PASV FTP + set filter in 4 permit 0/0 0/0 tcp estab + set filter in 5 permit 0/0 0/0 tcp src eq 20 + # Useful ICMP messages + set filter in 6 permit 0/0 0/0 icmp src eq 3 + set filter in 7 permit 0/0 0/0 icmp src eq 4 + set filter in 8 permit 0/0 0/0 icmp src eq 11 + set filter in 9 permit 0/0 0/0 icmp src eq 12 + # Echo reply (local systems can ping the remote host) + set filter in 10 permit 0/0 0/0 icmp src eq 0 + # And the remote host can ping the local gateway (only) + set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 + # Server side PPP # If you want the remote system to authenticate itself, you insist |