Installing and Administering PPP

Chapter 5 127
Security Techniques
Open Policy Filter Example
        all # permit all other packets
Permit all traffic except that which you have explicitly specified as
blocked through the firewall.
    keepup
        !send # outbound traffic
        !3/icmp # ICMP unreachable messages
        !5/icmp # ICMP redirect messages
        !11/icmp # ICMP time exceeded messages
        !who # WHO protocol
        !route # routed/gated RIP protocol
        !ntp # Network Time Protocol
        all # all other packets
The link is considered active (non-idle) if any packet passes that is not
specified as blocked in the keepup filter. Since there are certain link
failure modes that allow your system to continue sending even though
the peer is unresponsive, no outbound traffic counts against the idle
timer.
    log
        rejected # packets rejected by packet filter
        !all # block all other packets
Log any packet blocked by the ‘pass’ filter above.
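To make the matching rules of the keepup and log filters above concrete, here is a small evaluator for that rule syntax, written for this page and not part of HP's PPP software. It assumes first-match evaluation, that a packet matching no rule is blocked, and a constructed service table in place of /etc/services.

```python
# Constructed lookup standing in for /etc/services; ports are the standard ones.
SERVICES = {"who": ("udp", 513), "route": ("udp", 520), "ntp": ("udp", 123)}

# The two filters from the example above, one rule per list entry.
KEEPUP = ["!send", "!3/icmp", "!5/icmp", "!11/icmp", "!who", "!route", "!ntp", "all"]
LOG = ["rejected", "!all"]


def rule_matches(term, pkt):
    """True if a single rule term (leading '!' already removed) describes pkt.
    pkt is a constructed dict: dir ('in'/'out'), proto, sport/dport, type, rejected."""
    if term == "all":
        return True
    if term == "send":                      # outbound traffic
        return pkt["dir"] == "out"
    if term == "rejected":                  # dropped by the pass filter
        return pkt.get("rejected", False)
    if term.endswith("/icmp"):              # e.g. '3/icmp' = ICMP type 3
        return pkt["proto"] == "icmp" and pkt.get("type") == int(term.split("/")[0])
    if term in SERVICES:                    # bare service name
        proto, port = SERVICES[term]
        return pkt["proto"] == proto and port in (pkt.get("sport"), pkt.get("dport"))
    raise ValueError(f"unknown filter term: {term}")


def evaluate(rules, pkt):
    """First-match evaluation (assumption): the first rule that describes the
    packet decides, and '!' means block. A packet matching no rule is blocked."""
    for rule in rules:
        blocked = rule.startswith("!")
        if rule_matches(rule.lstrip("!"), pkt):
            return not blocked
    return False


def resets_idle_timer(pkt):
    """Only a packet the keepup filter passes counts as link activity."""
    return evaluate(KEEPUP, pkt)


def should_log(pkt):
    """The log filter records packets the pass filter rejected and nothing else."""
    return evaluate(LOG, pkt)


if __name__ == "__main__":
    inbound_telnet = {"dir": "in", "proto": "tcp", "sport": 1034, "dport": 23}
    outbound_telnet = dict(inbound_telnet, dir="out")
    print(resets_idle_timer(inbound_telnet), resets_idle_timer(outbound_telnet))
```

Running it shows that the same telnet packet keeps the link up when inbound but not when outbound, exactly the behaviour the keepup filter above is meant to produce.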
Common Mistakes
A number of errors are common enough to be specifically pointed out.
Incorrect Ruleset Indentation
A common mistake is to accidentally indent the ruleset identifier (for
example, hostname, IP address, or ‘default’). This causes the software to
assume that it is a part of the previous ruleset rather than defining the
start of a new ruleset.
Yet another common mistake is not indenting all the parts of a ruleset
after the initial ruleset identifier. This causes the software to assume
that the stanza is the start of a new ruleset, which leads to failures
and delays as the software tries to resolve the stanza into an IP
address.
Incorrect Use of ‘tcp’ and ‘udp’
A different error is to fail to specify ‘tcp’ or ‘udp’ when a service can use
either protocol but the keyword applies to only one. An example
of this is the domain name service (DNS), which uses UDP for normal