Installing and Administering PPP

100 Chapter 5
Security Techniques
Building a Stanza - Specifics
25/tcp # permit SMTP mail
You may specify a range of ports using a hyphen-separated pair of
numbers.
Example:
!0-1023/udp # block privileged UDP ports
Port Numbers and Services
Many systems provide a list of well-known UDP and TCP port numbers
in a services file, or supply the file's contents through a database
service such as NIS or NetInfo. Filter stanzas may use the symbolic
names for these port numbers in place of the numbers themselves.
Example:
smtp # permit SMTP (25/tcp) service
Symbolic port names (i.e., services) can be ambiguous when a service is
supported by more than one protocol. For example, ‘domain’ may be either
‘tcp’ or ‘udp’ port 53. Use the protocol keyword to identify which one you
mean: when a stanza refers to a protocol-specific service such as one on
TCP, you must add the ‘tcp’ keyword to the stanza to avoid errors.
Example:
!domain/tcp
Services are not the same as applications or protocols. Note that the
Telnet application is not the same as the telnet service. Specifying
‘!telnet’ in the filter file does not prevent the ‘telnet’ application from
talking to the ‘smtp’ port on the host, nor does it prevent someone from
using the telnet protocol to talk to a telnet daemon (telnetd) running on a
port number other than 23.
Numbered ICMP Messages
‘icmp’ with a single number represents an ICMP message type; ‘icmp’
with two numbers represents a specific ICMP type and code combination.
ICMP type and code values can be found in the Assigned Numbers RFC
or in the /usr/include/netinet/ip_icmp.h file on many systems.
More information on numbered ICMP messages is included in the
Unreach Keyword section.
Example:
!icmp/5 # block ICMP Redirect messages
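The following is an added example, not part of this manual or of the PPP software it documents: a small Python parser and matcher for the filter terms described in this section (numeric ports, hyphenated ranges, service names, the ‘!’ negation, the ‘/tcp’ and ‘/udp’ keywords, and numbered ‘icmp’ types and codes). The grammar it accepts is an assumption modelling only the forms shown on this page; the SERVICES table is a constructed, abbreviated stand-in for a services file; a bare number with no protocol keyword is assumed to cover both TCP and UDP; and terms are assumed to be evaluated first-match-wins. It shows concretely why ‘!telnet’ only affects 23/tcp and why ‘domain’ without a protocol keyword is rejected.

```python
import re

# Constructed, abbreviated stand-in for a services file: name -> {proto: port}.
SERVICES = {
    "smtp":   {"tcp": 25},
    "telnet": {"tcp": 23},
    "domain": {"tcp": 53, "udp": 53},   # ambiguous without /tcp or /udp
    "ntp":    {"udp": 123},
}

class StanzaError(ValueError):
    """A term this parser cannot resolve unambiguously."""

# A decimal port, or a hyphen-separated LOW-HIGH range.
_PORT_RE = re.compile(r"(\d+)(?:-(\d+))?")

def parse_term(term):
    """Parse one filter term (assumed grammar) into a dict.
    Ports: negate, protos, lo, hi.  ICMP: negate, protos={'icmp'}, type, code.
    Anything after '#' is treated as a comment and ignored."""
    text = term.split("#", 1)[0].strip()
    if not text:
        raise StanzaError("empty term")
    negate = text.startswith("!")
    if negate:
        text = text[1:]
    parts = text.split("/")
    if parts[0] == "icmp":
        # 'icmp/TYPE' or 'icmp/TYPE/CODE'; both numbers must be decimal.
        if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts[1:]):
            raise StanzaError(f"bad ICMP term: {term!r}")
        return {"negate": negate, "protos": frozenset({"icmp"}),
                "type": int(parts[1]),
                "code": int(parts[2]) if len(parts) == 3 else None}
    if len(parts) == 1:
        spec, proto = parts[0], None
    elif len(parts) == 2 and parts[1] in ("tcp", "udp"):
        spec, proto = parts
    else:
        raise StanzaError(f"bad port term: {term!r}")
    m = _PORT_RE.fullmatch(spec)
    if m:
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise StanzaError(f"inverted range: {term!r}")
        # Assumption: a bare number with no protocol keyword covers both.
        protos = frozenset({proto}) if proto else frozenset({"tcp", "udp"})
        return {"negate": negate, "protos": protos, "lo": lo, "hi": hi}
    # Symbolic service name: resolve through the services table.
    entry = SERVICES.get(spec)
    if entry is None:
        raise StanzaError(f"unknown service: {spec!r}")
    if proto is None:
        if len(entry) > 1:
            raise StanzaError(f"{spec!r} is ambiguous; add /tcp or /udp")
        (proto, port), = entry.items()
    elif proto not in entry:
        raise StanzaError(f"{spec!r} has no {proto} entry")
    else:
        port = entry[proto]
    return {"negate": negate, "protos": frozenset({proto}), "lo": port, "hi": port}

def term_matches(rule, proto, number, code=None):
    """Does a parsed rule apply to one packet?  For tcp/udp 'number' is the
    port; for icmp it is the message type and 'code' the ICMP code."""
    if proto not in rule["protos"]:
        return False
    if proto == "icmp":
        return number == rule["type"] and (rule["code"] is None or code == rule["code"])
    return rule["lo"] <= number <= rule["hi"]

def decide(terms, proto, number, code=None):
    """Evaluate a stanza's terms in order (assumed first-match-wins) and return
    'permit', 'block', or None when no term applies."""
    for rule in map(parse_term, terms):
        if term_matches(rule, proto, number, code):
            return "block" if rule["negate"] else "permit"
    return None

if __name__ == "__main__":
    stanza = ["25/tcp # permit SMTP mail", "!0-1023/udp", "!domain/tcp", "!icmp/5"]
    print(decide(stanza, "tcp", 25))      # permit
    print(decide(stanza, "udp", 53))      # block: inside the privileged UDP range
    print(decide(["!telnet"], "tcp", 2323))  # None: a telnetd on port 2323 is untouched
```

The matcher deliberately keeps the service-name lookup separate from the protocol check so that ‘!telnet’ resolves to exactly one (protocol, port) pair; the same separation is what makes ‘domain’ alone an error rather than a silent choice of one protocol.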