Installing and Administering PPP

Chapter 5 115

Security Techniques

Writing a Stanza - TCP Examples

We recommend that you use an IP address, but if you use a hostname, it

is important that the system can resolve the hostname locally. If the link

must be up to resolve the name, the hostname matching fails and the

interface is forced to use the default ruleset. This changes the meaning

of your ﬁlter ﬁle and causes long delays because the connection times out

while waiting for name resolution.

A Note on Ruleset Formatting

Each additional line of a ruleset (continuation lines) must be indented,

using one or more white space characters (space or tab). If a line is not

indented, the ﬁrst word on the line is assumed to be a hostname for a

new ruleset.

Any information that follows a ‘#' character on a line is assumed to be a

comment and is ignored.

Ordering Stanzas Effectively

When a ruleset has been selected, each stanza is applied in order, top to

bottom, and left to right. The ﬁlter returns when it ﬁnds a matching

stanza. It is therefore important that you order stanzas in the Filter ﬁle

in most speciﬁc to least speciﬁc (most general) order. If the order is

reversed, the most general rule matches ﬁrst and the ﬁlter never reaches

the more speciﬁc rules.

Example of correct order:

domain/192.0.2.1 # permit DNS to/from 192.0.2.1

!domain # prevent all (other) DNS

Example of wrong order:

!domain # prevent all DNS

domain/192.0.2.1 # this rule is never reached

Isolating an 'Incorrect' Stanza

When pppd ﬁnds an error in the Filter ﬁle, the line number that caused

the failure is reported. When a packet is rejected due to a ﬁlter and the

'log rejected' keyword is used, the line number that caused the rejection

can be recorded in the log ﬁle. Therefore, when tracking down problems,

you can quickly isolate the correct stanza if only one stanza is used per

line.