Installing and Administering PPP

90 Chapter 5
Security Techniques
Static Packet Filtering
the special keyword, ‘default’.
You may write a specific ruleset for each connecting host; if none matches, the default
ruleset is used. The pppd parser searches for a ruleset that matches the IP address or
hostname of the remote PPP/SLIP host, called the peer. This usually corresponds to the
IP address placed on the right-hand side of the colon on the pppd command line.
Ruleset Design
Rulesets are designed on a per-connecting-host basis rather than a
per-interface basis. This provides support for devices acting as PPP or
SLIP routing hubs. A hub workstation allows multiple hosts to establish
IP connections and may support multiple hosts establishing connections
at different times on the same interface.
If a hub supports different classes of users, PPP filters allow you to
define different access policies for each group. A single hub workstation
may support all of the following PPP/SLIP connections, each defined by a
different ruleset:
a connection to the home of a developer who is allowed to access multiple hosts and proprietary data
connections for members of a traveling sales team who only require electronic mail access
connections to customers seeking support who may only access the anonymous FTP host
Default rulesets are permitted. They simplify configuration when a single machine
supports multiple similar hosts or connections that can be controlled by the same
security policy.
Ruleset Order
The order in which rulesets appear is important. Default rulesets should appear early
in the file because, after a default ruleset is parsed, the parser continues searching
for more matching rulesets. However, when the peer's address or hostname matches a
ruleset, the packet is processed and the parser stops its search.
When a match is found and the non-default ruleset is processed, its individual filters
replace any default filters "remembered" from earlier in the file. This means that
packet filtering may behave differently depending on whether the "default" ruleset
appears early or late in the file.
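The following model is an added example, not code or configuration from the manual or from pppd. It simulates the ruleset search described under "Ruleset Design" and "Ruleset Order": a default ruleset is remembered and the search continues, the first ruleset naming the peer is taken (its individual filters replacing the remembered default filters of the same kind) and the search stops there. The one-line-per-filter file syntax, the filter kinds `pass` and `log`, and the peer names and rules in the two constructed filter files are all assumptions made for illustration; peer matching by address or hostname is reduced to a plain string comparison.

```python
"""Model of how a pppd-style filter file is searched for a peer's ruleset.

Added example, not the manual's own file format: each line is assumed to be
'<peer> <kind> <rule> ...', where consecutive lines naming the same peer form
one ruleset. The kinds 'pass' and 'log' and the rule words are constructed.
"""

# Constructed sample filter files (assumed syntax). The only difference between
# them is where the 'default' ruleset sits, which is the point of the example.
FILTER_FILE_DEFAULT_FIRST = """\
# default ruleset first: later specific rulesets inherit what it sets
default  pass  smtp pop
default  log   all
sales1   pass  smtp pop
devhome  pass  all
devhome  log   none
support  pass  ftp
"""

FILTER_FILE_DEFAULT_LAST = """\
sales1   pass  smtp pop
devhome  pass  all
devhome  log   none
support  pass  ftp
default  pass  smtp pop
default  log   all
"""


def parse_rulesets(text):
    """Yield (peer, kind, rules) tuples in file order, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        peer, kind, *rules = line.split()
        yield peer, kind, tuple(rules)


def select_ruleset(text, peer):
    """Return the effective {kind: rules} mapping for `peer`.

    Search semantics modelled on the text:
      - a 'default' ruleset is remembered and the search continues;
      - the first ruleset naming the peer is taken; its individual filters
        replace the remembered default filters of the same kind, and the
        search stops at the end of that ruleset;
      - anything after the stop point, including a late 'default', is never
        seen, so a peer matched before a late default gets none of it.
    """
    remembered = {}  # default filters seen so far, keyed by filter kind
    specific = {}    # filters from the ruleset that named this peer
    matched = False
    for name, kind, rules in parse_rulesets(text):
        if name == "default" and not matched:
            remembered[kind] = rules
        elif name == peer:
            matched = True
            specific[kind] = rules
        elif matched:
            break  # a different peer's ruleset ends the matching block
    # Peer-specific filters override the remembered defaults kind by kind;
    # kinds the specific ruleset does not mention fall back to the default.
    effective = dict(remembered)
    effective.update(specific)
    return effective


if __name__ == "__main__":
    for label, text in (("default first", FILTER_FILE_DEFAULT_FIRST),
                        ("default last", FILTER_FILE_DEFAULT_LAST)):
        for peer in ("sales1", "devhome", "unknown-host"):
            print(f"{label:13} {peer:13} -> {select_ruleset(text, peer)}")
```

With the default ruleset first, the sales peer inherits the default `log all` filter; with the default last, the same peer is matched and the search stops before the default is ever read, so it ends up with no log filter at all. An unknown peer gets the default ruleset in both layouts, because the parser reads the whole file when nothing matches.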