Installing and Administering PPP

116 Chapter 5
Security Techniques
Writing a Stanza - TCP Examples
Working with Default Rulesets
The default ruleset is:
default bringup all pass all keepup all log !all
This is probably an unacceptable default if you are trying to filter
packets. Your default should be the same as your most restrictive ruleset
because it keeps your site secure if connection-specific filtering fails due
to a misconfigured IP address or hostname.
The following sections deal with two approaches to writing default
rulesets. The difference between the two approaches is apparent from
their names, the "closed policy" and the "open policy."
Open Policy Default Rulesets
If you are willing to accept most packets from a site from which you have
not previously accepted traffic, a reasonable default filter might be:
default
        bringup all
        pass !exec !tftp all
        keepup all
        log rejected !all
Notice the use of ‘all’ rather than ‘!all’ at the end of each filter. This
default ruleset only blocks ‘tftp’ packets and ‘rexec’ packets, two protocols
that normally should never cross organizational boundaries.
A Note on Using the ‘log rejected’ Filter
In the previous example, and in the following Closed Policy examples, we
use the ‘log rejected’ filter. This is a good default log filter to use. When
testing, it permits you to see that your filter is working as expected and
keeps track of outside attempts to connect through to blocked services.
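The following Python model is an added illustration, not code from the PPP product or this manual. It models the filter semantics the chapter describes (terms are tested left to right, a term prefixed with ‘!’ rejects, ‘all’ matches every service, and ‘rejected’ in a log filter matches packets the pass filter refused) and walks through the point made above about defaults: a connection-specific ruleset keyed on a hostname is silently skipped when that hostname is misconfigured, so the default must be as restrictive as the strictest site rule. The exact evaluation order, the no-match behaviour and the sample hostnames are assumptions made for the example.

```python
# Added example: simplified model of per-service filter evaluation as described in
# this chapter. Term order, "!" negation, "all", and "rejected" follow the prose;
# the no-match-means-reject rule and the sample hosts are constructed assumptions.

PERMISSIVE_DEFAULT = "pass !exec !tftp all"   # the open-policy default on this page
RESTRICTIVE_DEFAULT = "pass !all"             # closed-policy style: nothing passes
LOG_REJECTED = "log rejected !all"            # the log filter recommended above


def filter_decision(filter_spec, service):
    """Return True if `service` passes under a filter such as "pass !exec !tftp all".

    The leading keyword is ignored; each following term is tested left to right.
    "!name" rejects that service, "name" accepts it, and "all" / "!all" match any
    service. A packet matching no term is rejected (assumption for this model).
    """
    for term in filter_spec.split()[1:]:
        negate = term.startswith("!")
        name = term[1:] if negate else term
        if name == "all" or name == service:
            return not negate
    return False


def log_decision(log_spec, service, passed):
    """Return True if the packet should be logged under e.g. "log rejected !all".

    "rejected" matches any packet the pass filter refused; the remaining terms
    behave exactly as in filter_decision (assumption for this model).
    """
    for term in log_spec.split()[1:]:
        if term == "rejected":
            if not passed:
                return True
            continue
        negate = term.startswith("!")
        name = term[1:] if negate else term
        if name == "all" or name == service:
            return not negate
    return False


def decide(site_rules, default_spec, peer, service):
    """Apply the connection-specific ruleset for `peer`, or the default when no
    ruleset matches (for instance because the hostname in the filter file has a typo)."""
    spec = site_rules.get(peer, default_spec)
    return filter_decision(spec, service)


# Constructed sample: one remote site whose ruleset blocks everything.
SITE_RULES = {"branch.example": "pass !all"}


def demo():
    # Hostname spelled correctly: the restrictive site rule applies.
    correct_host = decide(SITE_RULES, PERMISSIVE_DEFAULT, "branch.example", "telnet")
    # Hostname misspelled: the lookup fails and the permissive default lets telnet through.
    typo_open_default = decide(SITE_RULES, PERMISSIVE_DEFAULT, "brnach.example", "telnet")
    # Same typo, but the default is as restrictive as the strictest site rule.
    typo_closed_default = decide(SITE_RULES, RESTRICTIVE_DEFAULT, "brnach.example", "telnet")
    return correct_host, typo_open_default, typo_closed_default


if __name__ == "__main__":
    print(demo())  # (False, True, False)
    for svc in ("tftp", "exec", "ftp"):
        passed = filter_decision(PERMISSIVE_DEFAULT, svc)
        print(svc, "pass" if passed else "reject",
              "logged" if log_decision(LOG_REJECTED, svc, passed) else "not logged")
```

Running `demo()` shows the failure mode the text warns about: with the open-policy default, a single misspelled hostname turns a site that should be fully blocked into one that accepts telnet, while a default matching the most restrictive ruleset fails closed. The second loop shows why ‘log rejected !all’ is a useful default: only the blocked tftp and exec packets produce log entries, so a misconfiguration is visible without flooding the log with accepted traffic.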
Closed Policy Default Rulesets
The closed policy default rulesets in the examples that follow illustrate
the way services can be safely and incrementally allowed for a remote
site. This approach begins from the premise that no packets should be
allowed to pass.