Installing and Administering PPP

122 Chapter 5
Security Techniques
Closed Policy Filter Example
The traceroute tool probes high-numbered UDP ports and is so useful
that you should let it through.
!5/icmp # block ICMP_REDIRECT
8/icmp/192.168.199.1 # permit ping of gateway
8/icmp/192.168.199.10 # permit ping of NNTP server
8/icmp/192.168.199.11 # permit ping of DNS server
8/icmp/192.168.199.12 # permit ping of FTP server
8/icmp/192.168.199.13 # permit ping of WWW server
8/icmp/192.168.199.14 # permit ping of SMTP server
!8/icmp/recv # block inbound ping address scanning
icmp # permit ICMP messages
Block ICMP redirect messages since the routing on an internal node
should not be changed by an external site. Permit ICMP echo request
packets, sent by ‘ping’, to reach all hosts providing external services.
Block all other inbound ping packets to prevent IP address probes.
Finally, allow other ICMP messages to pass freely.
!all # block all other packets
Silently block all traffic not explicitly permitted: only packets that an
earlier rule explicitly permits pass through the firewall.
keepup
!send # outbound traffic
!3/icmp # ICMP unreachable messages
!5/icmp # ICMP redirect messages
!11/icmp # ICMP time exceeded messages
!who # WHO protocol
!route # routed/gated RIP protocol
!ntp # Network Time Protocol
all # permit all other packets
The link is considered active (not idle) whenever a packet passes that the
keepup filter does not mark as blocked. Since certain link failure modes let
your system keep sending even though the peer is unresponsive, no outbound
packet is permitted to reset the idle timer.
log
!8/icmp # ICMP ECHO packets
rejected # packets rejected by packet filter
tcp/syn # all TCP connection requests
!all # block all other packets
Log any packet blocked by the ‘pass’ filter above, except ICMP Echo
messages. Also log all TCP connection requests.
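The three filters above (pass, keepup and log) are easiest to reason about by running constructed packets through them. The following evaluator is an added illustration, not code from this manual or from the PPP software; it handles only the rule items that appear on this page and assumes first-match semantics (rules tried top to bottom, the first matching rule decides), that an address item matches either end of the packet, that the service names who, route and ntp resolve to their /etc/services UDP ports (513, 520 and 123), and that a packet matching no rule is permitted (immaterial here, since every filter on the page ends in all or !all).

```python
# Added example: a tiny evaluator for the PPP filter rule subset used on this page.
# Assumptions are labelled in comments; this is not the PPP software's own matcher.
from dataclasses import dataclass

# Filters copied from the page (comments dropped).
PASS_FILTER = """
!5/icmp
8/icmp/192.168.199.1
8/icmp/192.168.199.10
8/icmp/192.168.199.11
8/icmp/192.168.199.12
8/icmp/192.168.199.13
8/icmp/192.168.199.14
!8/icmp/recv
icmp
!all
"""
KEEPUP_FILTER = "!send\n!3/icmp\n!5/icmp\n!11/icmp\n!who\n!route\n!ntp\nall\n"
LOG_FILTER = "!8/icmp\nrejected\ntcp/syn\n!all\n"

# Service names used by the keepup filter, resolved as /etc/services would.
SERVICES = {"who": ("udp", 513), "route": ("udp", 520), "ntp": ("udp", 123)}


@dataclass
class Packet:
    proto: str              # "icmp", "tcp" or "udp"
    direction: str          # "send" (outbound) or "recv" (inbound)
    src: str
    dst: str
    number: int             # ICMP type for icmp, destination port otherwise
    syn: bool = False       # TCP SYN flag (connection request)
    rejected: bool = False  # set by the pass filter, consulted by the log filter


def parse_filter(text):
    """Return (permit, items) pairs in file order; a leading '!' means block."""
    rules = []
    for line in text.split("\n"):
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append((not line.startswith("!"), line.lstrip("!").split("/")))
    return rules


def item_matches(item, pkt):
    """Does one slash-separated item of a rule match the packet?"""
    if item == "all":
        return True
    if item in ("send", "recv"):
        return pkt.direction == item
    if item == "syn":
        return pkt.proto == "tcp" and pkt.syn
    if item == "rejected":
        return pkt.rejected
    if item in ("icmp", "tcp", "udp"):
        return pkt.proto == item
    if item in SERVICES:
        proto, port = SERVICES[item]
        return pkt.proto == proto and pkt.number == port
    if item.isdigit():
        return pkt.number == int(item)
    return item in (pkt.src, pkt.dst)  # assumption: an address matches either end


def evaluate(rules, pkt):
    """First-match evaluation (assumption). True = permitted / keeps up / logged."""
    for permit, items in rules:
        if all(item_matches(i, pkt) for i in items):
            return permit
    return True  # assumption: no matching rule means permit


PASS_RULES, KEEPUP_RULES, LOG_RULES = (
    parse_filter(f) for f in (PASS_FILTER, KEEPUP_FILTER, LOG_FILTER))


def classify(pkt):
    """Run a packet through pass, then keepup and log, as the chapter describes."""
    passed = evaluate(PASS_RULES, pkt)
    pkt.rejected = not passed  # the log filter's 'rejected' item sees this
    return {"pass": passed,
            "keepup": evaluate(KEEPUP_RULES, pkt),
            "log": evaluate(LOG_RULES, pkt)}


# Constructed sample packets; 10.9.8.7 stands in for an external host.
SAMPLES = {
    "ping to DNS server":  Packet("icmp", "recv", "10.9.8.7", "192.168.199.11", 8),
    "ping to workstation": Packet("icmp", "recv", "10.9.8.7", "192.168.199.50", 8),
    "outbound ping":       Packet("icmp", "send", "192.168.199.50", "10.9.8.7", 8),
    "inbound redirect":    Packet("icmp", "recv", "10.9.8.7", "192.168.199.1", 5),
    "inbound unreachable": Packet("icmp", "recv", "10.9.8.7", "192.168.199.50", 3),
    "inbound smtp syn":    Packet("tcp", "recv", "10.9.8.7", "192.168.199.14", 25, syn=True),
    "inbound ntp":         Packet("udp", "recv", "10.9.8.7", "192.168.199.1", 123),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {classify(pkt)}")
```

Running it shows the properties the text describes: the ping to the DNS server passes and is not logged, the ping to an unlisted workstation is blocked by the !8/icmp/recv rule and is still not logged (the log filter's !8/icmp comes first), the outbound ping passes but does not keep the link up, and the rejected SMTP SYN is logged because the log filter's rejected item matches before tcp/syn. Reordering the pass rules, for example moving icmp above !8/icmp/recv, changes the outcome, which is the first-match property to keep in mind when editing a closed-policy filter.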