Installing and Administering PPP

Chapter 5 125
Security Techniques
Open Policy Filter Example
This example of a filter is the product of an open policy. It was developed
for the same system configuration as was used in the previous example
demonstrating a filter developed for a closed policy. The system uses
pppd to create a PPP/SLIP link between the system, 192.168.201.1, and
a peer, 10.0.0.1, that is acting as the gateway to the Internet.
    default
Since this ruleset is declared as the default ruleset and no ruleset has
been defined for 10.0.0.1, it is applied to any packet crossing the link
connecting this host to any peer, including the Internet gateway
(10.0.0.1).
    bringup
    !3/icmp    # ICMP unreachable messages
    !5/icmp    # ICMP redirect messages
    !11/icmp   # ICMP time exceeded messages
    !who       # WHO service (513/udp)
    !route     # routed/gated RIP service (520/udp)
    !ntp       # Network Time service (123/udp)
    all        # all other packets
If the link is configured for ‘dial on demand’ connections, the ‘bringup’
filter describes those packets that cause a call to be placed and a
connection to be initiated. The ‘bringup’ filter should be used to prevent
the connection from being brought up inappropriately. It is a good idea
to block packets that are responses to "bad" inbound packets, such as
ICMP Destination Unreachable messages, that are not "interesting"
enough to dial the modem. You should also block services, such as the
WHO service, that send packets at regular intervals and would
therefore never permit the link to stay down for long. Any other sort of
traffic initiates a dial connection.
    pass
    !recv/ip-opt=srcrt/unreach=srcfail   # block SRCRT attacks
Do not allow any incoming packets with the Source Route option set in
the IP header. Respond with an ICMP Destination Unreachable
message that has the Source Route Failed code value.
    !192.168.199.0/recv/src/unreach=net   # block IP spoofing attacks
    !192.168.199.0/send/dst/unreach=net   # block IP spoofing attacks
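The evaluator below is an added illustration and is not code from the HP-UX PPP software or from this manual. It models the rule syntax shown on this page for both the ‘bringup’ and ‘pass’ filters with the semantics the text describes (a leading ! blocks, the first matching rule decides, `all` matches everything) and makes two labelled assumptions: a bare network number such as 192.168.199.0 denotes a /24, and a packet matching no rule is reported as "no-match" rather than given a default disposition. The packets it runs are constructed samples; the service port numbers come from the comments in the filter above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the filter, with the port/protocol the page's comments give.
SERVICES = {"who": (513, "udp"), "route": (520, "udp"), "ntp": (123, "udp")}

# The two rulesets from the page, copied verbatim (comments are stripped by parse_rule).
BRINGUP = """
!3/icmp # ICMP unreachable messages
!5/icmp # ICMP redirect messages
!11/icmp # ICMP time exceeded messages
!who # WHO service (513/udp)
!route # routed/gated RIP service (520/udp)
!ntp # Network Time service (123/udp)
all # all other packets
""".strip().splitlines()

PASS = """
!recv/ip-opt=srcrt/unreach=srcfail # block SRCRT attacks
!192.168.199.0/recv/src/unreach=net # block IP spoofing attacks
!192.168.199.0/send/dst/unreach=net # block IP spoofing attacks
""".strip().splitlines()


@dataclass
class Packet:
    """A constructed, simplified view of one IP packet crossing the link."""
    direction: str                       # "recv" (inbound) or "send" (outbound)
    proto: str                           # "icmp", "udp" or "tcp"
    src: str
    dst: str
    port: Optional[int] = None           # destination port for udp/tcp
    icmp_type: Optional[int] = None      # ICMP type for icmp packets
    ip_options: frozenset = frozenset()  # e.g. frozenset({"srcrt"})


def parse_rule(line):
    """Return (negated, match_tokens, unreach_code) for one rule line, or None for blanks."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    negated = text.startswith("!")
    match_tokens, unreach = [], None
    for tok in text.lstrip("!").split("/"):
        if tok.startswith("unreach="):
            unreach = tok.split("=", 1)[1]  # ICMP unreachable code sent back when blocked
        else:
            match_tokens.append(tok)
    return negated, match_tokens, unreach


def rule_matches(tokens, pkt):
    """Every token must hold for the rule to match; 'all' imposes no condition."""
    net = None
    for tok in tokens:
        if tok == "all":
            continue
        if tok in ("recv", "send"):
            if pkt.direction != tok:
                return False
        elif tok in ("icmp", "udp", "tcp"):
            if pkt.proto != tok:
                return False
        elif tok.isdigit():
            # a bare number ahead of "/icmp" is an ICMP type, e.g. 3/icmp
            if pkt.icmp_type != int(tok):
                return False
        elif tok in SERVICES:
            port, proto = SERVICES[tok]
            if (pkt.proto, pkt.port) != (proto, port):
                return False
        elif tok.startswith("ip-opt="):
            if tok.split("=", 1)[1] not in pkt.ip_options:
                return False
        elif tok in ("src", "dst"):
            # qualifies the network token that preceded it
            addr = pkt.src if tok == "src" else pkt.dst
            if net is None or ipaddress.ip_address(addr) not in net:
                return False
        else:
            # Assumption: a bare network number such as 192.168.199.0 means a /24.
            net = ipaddress.ip_network(tok + "/24", strict=False)
    return True


def evaluate(ruleset, pkt):
    """First matching rule decides: ('block', unreach_code), ('pass', None) or ('no-match', None)."""
    for line in ruleset:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        negated, tokens, unreach = parsed
        if rule_matches(tokens, pkt):
            return ("block", unreach) if negated else ("pass", None)
    return ("no-match", None)  # assumption of this toy; the page states no default here


if __name__ == "__main__":
    # Constructed samples: an ICMP unreachable must not dial, a telnet attempt may;
    # an inbound packet claiming a local source address is dropped as spoofed.
    print(evaluate(BRINGUP, Packet("send", "icmp", "192.168.199.5", "10.0.0.7", icmp_type=3)))
    print(evaluate(BRINGUP, Packet("send", "tcp", "192.168.199.5", "10.0.0.7", port=23)))
    print(evaluate(PASS, Packet("recv", "tcp", "192.168.199.9", "192.168.201.1", port=23)))
```

The anti-spoofing pair works because the link has exactly one trusted side: a packet arriving from the peer with a source address inside the local network cannot be legitimate, and a packet leaving towards the peer with a local destination is equally misrouted, so both are rejected with an ICMP network-unreachable before any host behind the gateway sees them.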