Installing and Administering PPP

Chapter 5 117
Security Techniques
Writing a Stanza - TCP Examples
Block All Packets
If your security policy changes and you must block packets from a
formerly acceptable site, you might change the default filter to the
following:
default bringup !all pass !all keepup !all log rejected !all
Block All Packets Except Electronic Mail
Most sites are willing to let electronic mail through the workstation or
system. For this and the following examples, the smtp service must be
defined in your services file. To avoid depending on that assumption, you
can test with the explicit port number and protocol (and, where a host
qualifier is used, the explicit IP address). The default stanza would then
be written this way:
default bringup !all pass 25/tcp !all keepup !all log rejected !all
The filter file is easier to read and comprehend if you use the service
name. Still, specifying the explicit port number and protocol also
prevents someone from changing the meaning of your rulesets by subverting
NIS: if the name smtp is served from a compromised NIS services map, it
can be remapped to a different port without any change to the filter file.
The benefit is negligible, though, if the name is checked only against the
local services file, because an intruder able to modify the services file
could just as easily modify the filter file.
Limiting Electronic Mail to a Gateway
If you wish to limit electronic mail to a gateway machine, add the host
qualification to the smtp entry in the stanza. The next two examples use
the fictitious name/address pair bignfast/192.0.2.1.
default bringup !all pass smtp/bignfast !all keepup !all log rejected !all
Unresolvable Hostnames and Changing IP Addresses
In the last example we used the hostname 'bignfast'. Consider the inherent
problem of using a hostname instead of the IP address: if resolving the
name requires the PPP link itself (for example, because the name server
lies beyond the link), you can reach a state of "deadlock", because the
name must be resolved for the service to begin, but the service must begin
for the name to be resolved. The example below, which uses the address
directly, is more reliable.
default bringup !all pass smtp/192.0.2.1 !all keepup !all log rejected !all
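The two pitfalls above (a service name that depends on the services file or NIS, and a hostname that must be resolved before the link is up) are easy to check for mechanically. The script below is an added example, not code from this manual or from HP-UX PPP: it parses a stanza line, flags both kinds of symbolic reference, and rewrites what it can into the explicit forms shown on this page (a bare service name into port/proto, a hostname qualifier into its address). The stanza grammar it accepts is inferred only from the examples on this page (a peer name, then the keywords bringup, pass, keepup and log, each followed by expressions such as !all, smtp, 25/tcp or smtp/bignfast); the real Filter file grammar is richer. SERVICES and HOSTS are constructed stand-ins for the local services and hosts files so that it runs offline.

```python
"""Lint a PPP Filter stanza for name-resolution pitfalls (added example).

Not part of the manual or of HP-UX PPP.  Grammar assumed from the examples on
this page only; SERVICES and HOSTS are constructed tables standing in for the
local services and hosts files (on a real system read /etc/services, /etc/hosts).
"""
import ipaddress
import re

KEYWORDS = ("bringup", "pass", "keepup", "log")
SERVICES = {"smtp": "25/tcp", "domain": "53/udp", "telnet": "23/tcp"}  # constructed
HOSTS = {"bignfast": "192.0.2.1"}  # constructed; 192.0.2.0/24 is documentation space
PORT_PROTO = re.compile(r"^\d+/(tcp|udp)$")


def parse_stanza(line):
    """Split 'peer kw expr ... kw expr ...' into (peer, {kw: [expr, ...]})."""
    tokens = line.split()
    if not tokens or tokens[0] in KEYWORDS:
        raise ValueError("stanza must start with a peer name")
    peer, sections, current = tokens[0], {}, None
    for tok in tokens[1:]:
        if tok in KEYWORDS:
            current = tok
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"expression {tok!r} precedes any keyword")
        else:
            sections[current].append(tok)
    return peer, sections


def is_ip_literal(text):
    """True for a dotted-quad (or IPv6) literal that needs no resolution."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_expr(expr):
    """Return (hardened expression, findings) for one filter expression.

    A bare service name becomes port/proto, as in the manual's '25/tcp'
    example; a hostname qualifier becomes its address when HOSTS knows it.
    """
    findings = []
    negate = expr.startswith("!")
    body = expr[1:] if negate else expr
    if body in ("all", "rejected") or PORT_PROTO.match(body):
        return expr, findings  # already explicit: nothing is looked up at link time
    service, _, host = body.partition("/")
    new_service, new_host = service, host
    if not PORT_PROTO.match(service):
        findings.append(f"{expr}: service {service!r} is resolved through the "
                        "services file (NIS-reachable); explicit port/proto avoids that")
        if service not in SERVICES:
            findings.append(f"{expr}: {service!r} is not in the local services file")
        elif not host:
            new_service = SERVICES[service]
    if host and not is_ip_literal(host):
        findings.append(f"{expr}: host {host!r} must be resolved before the link "
                        "is up (deadlock risk); use its address")
        new_host = HOSTS.get(host, host)
    hardened = ("!" if negate else "") + new_service + (f"/{new_host}" if host else "")
    return hardened, findings


def lint_stanza(line):
    """Return (hardened stanza line, list of findings) for one stanza."""
    peer, sections = parse_stanza(line)
    findings, out = [], [peer]
    for keyword, exprs in sections.items():
        out.append(keyword)
        for expr in exprs:
            hardened, found = lint_expr(expr)
            out.append(hardened)
            findings.extend(found)
    return " ".join(out), findings


if __name__ == "__main__":
    for stanza in (
        "default bringup !all pass smtp !all keepup !all log rejected !all",
        "default bringup !all pass smtp/bignfast !all keepup !all log rejected !all",
    ):
        hardened_line, notes = lint_stanza(stanza)
        print(hardened_line)
        for note in notes:
            print("   ", note)
```

Run against the stanzas from this page, it rewrites `pass smtp` to `pass 25/tcp` and `smtp/bignfast` to `smtp/192.0.2.1`, reporting why each symbolic reference is a risk; a stanza written entirely with explicit port/proto and addresses produces no findings. Unknown names are reported rather than guessed, so a stanza is never silently changed to something the local tables cannot justify.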