Installing and Administering PPP

Chapter 5 123
Security Techniques
Closed Policy Filter Example
Complete Filter Example
default
    pass !all                                        # block all other packets
    log rejected                                     # packets rejected by packet filter

10.0.0.1
    bringup
        !3/icmp                                      # ICMP unreachable messages
        !5/icmp                                      # ICMP redirect messages
        !11/icmp                                     # ICMP time exceeded messages
        !who                                         # WHO service (513/udp)
        !route                                       # routed/gated RIP service (520/udp)
        !ntp                                         # Network Time service (123/udp)
        all                                          # all other packets
    pass
        !recv/ip-opt=srcrt/unreach=srcfail           # block SRCRT attacks
        !192.168.199.0/recv/src/unreach=net          # block IP spoofing attacks
        !192.168.199.0/send/dst/unreach=net          # block IP spoofing attacks
        !127.0.0.0;8                                 # block IP spoofing attacks
        dstport=nntp/dstaddr=192.168.199.10/srcaddr=10.0.5.6
        dstport=nntp/srcaddr=192.168.199.10/dstaddr=10.0.5.6
        dstport=nntp/dstaddr=192.168.199.10/srcaddr=172.31.12.13
        dstport=nntp/srcaddr=192.168.199.10/dstaddr=172.31.12.13
        !nntp/unreach=rst
        domain/tcp/192.168.199.11/dst/syn/recv       # (53/tcp)
        !domain/tcp/syn/recv
        domain/tcp/192.168.199.11
        dstport=domain/udp/192.168.199.11            # permit domain queries (53/udp)
        !domain                                      # block domain (53/tcp, 53/udp)
        smtp/192.168.199.14/dst/syn/recv             # (25/tcp)
        !smtp/syn/recv
        smtp
        www/syn/recv/192.168.199.13/dst              # (80/tcp)
        !www/syn/recv/unreach=host
        www
        !dstport=ident/recv/unreach=rst              # block IDENT service (113/tcp)
        !telnet/syn/recv/unreach=prohibited          # block inbound TELNET requests
        telnet                                       # permit TELNET messages
        !finger/syn/recv/unreach=prohibited          # block inbound FINGER requests
        finger                                       # permit FINGER messages
        ftp/syn/recv/dst/192.168.199.12              # permit inbound FTP for anon FTP
        !ftp/syn/recv/unreach=host                   # block inbound FTP requests
        ftp                                          # permit FTP messages
        srcport=ftp-data/dstport=1024-65536/syn
        !ftp-data/syn                                # block other FTP-DATA connections
        ftp-data                                     # permit FTP-DATA messages
        dstport=33410-33515/udp/send                 # permit outbound traceroute operation
        !5/icmp                                      # block ICMP_REDIRECT
        8/icmp/192.168.199.1                         # permit ping of gateway
        8/icmp/192.168.199.10                        # permit ping of NNTP server
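The closed-policy pattern in the listing above depends on two things: every line in the pass list is tried in order and the first match decides, and anything that matches nothing falls through to the section default (pass !all, i.e. block). The repeated "permit the specific host, block the general inbound SYN, permit the rest" sequence only works because of that ordering. The following Python model, added here as an illustration and not part of the PPP package or its Filter file parser, transcribes the domain (53/tcp, 53/udp) rules into simple rule objects and evaluates constructed packets against them. The fields it matches on are a reduced subset of the real syntax, the rule that a bare address matches either endpoint is an assumption of this model, and the packets are constructed samples, not captured traffic.

```python
"""Simplified model of an ordered, closed-policy packet filter (added example).

Not the PPP package's own filter engine: matching is reduced to a few fields
and a bare address is assumed to match either endpoint of the packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    direction: str                  # "recv" = arriving from the link, "send" = leaving
    src: str
    dst: str
    srcport: Optional[int] = None
    dstport: Optional[int] = None
    syn: bool = False               # TCP SYN without ACK, i.e. a new connection request


@dataclass
class Rule:
    permit: bool                    # False corresponds to a leading "!" in the listing
    proto: Optional[str] = None
    port: Optional[int] = None      # bare service name: matches either endpoint's port
    dstport: Optional[int] = None   # "dstport=" form: destination port only
    direction: Optional[str] = None # "recv" or "send"
    addr: Optional[str] = None      # address that must appear on the packet
    addr_role: Optional[str] = None # "dst", "src", or None for either endpoint (assumption)
    syn: Optional[bool] = None      # True: only connection requests
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.port is not None and self.port not in (p.srcport, p.dstport):
            return False
        if self.dstport is not None and p.dstport != self.dstport:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        if self.addr is not None:
            endpoints = {"dst": [p.dst], "src": [p.src]}.get(self.addr_role, [p.src, p.dst])
            if self.addr not in endpoints:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet, default_permit: bool = False) -> Tuple[bool, str]:
    """First matching rule wins; an unmatched packet gets the section default (closed: block)."""
    for r in rules:
        if r.matches(p):
            return r.permit, r.comment
    return default_permit, "default (pass !all)"


DNS_SERVER = "192.168.199.11"   # the DNS server address used in the listing above

# The domain rules from the listing, transcribed into this model's rule objects.
DNS_RULES = [
    Rule(True, proto="tcp", port=53, addr=DNS_SERVER, addr_role="dst", syn=True,
         direction="recv", comment="permit inbound 53/tcp connections to the DNS server"),
    Rule(False, proto="tcp", port=53, syn=True, direction="recv",
         comment="block inbound 53/tcp connections to any other host"),
    Rule(True, proto="tcp", port=53, addr=DNS_SERVER,
         comment="permit the rest of a 53/tcp exchange with the server"),
    Rule(True, proto="udp", dstport=53, addr=DNS_SERVER,
         comment="permit 53/udp queries to the server"),
    Rule(False, port=53, comment="block all other domain traffic"),
]

# Constructed sample packets (not captured traffic).
INBOUND_SYN_TO_SERVER = Packet("tcp", "recv", "10.0.5.6", DNS_SERVER, 40001, 53, syn=True)
INBOUND_SYN_TO_OTHER = Packet("tcp", "recv", "10.0.5.6", "192.168.199.14", 40002, 53, syn=True)
INBOUND_QUERY = Packet("udp", "recv", "10.0.5.6", DNS_SERVER, 40003, 53)
INBOUND_TELNET_SYN = Packet("tcp", "recv", "10.0.5.6", "192.168.199.14", 40004, 23, syn=True)


def misordered_rules() -> List[Rule]:
    """Same rules with the general block placed before the specific permit."""
    return [DNS_RULES[1], DNS_RULES[0]] + DNS_RULES[2:]


if __name__ == "__main__":
    samples = [("SYN to DNS server", INBOUND_SYN_TO_SERVER),
               ("SYN to other host", INBOUND_SYN_TO_OTHER),
               ("UDP query to server", INBOUND_QUERY),
               ("telnet SYN (no domain rule)", INBOUND_TELNET_SYN)]
    for name, pkt in samples:
        permit, why = evaluate(DNS_RULES, pkt)
        print(f"{name:28s} -> {'pass ' if permit else 'BLOCK'}: {why}")
    permit, why = evaluate(misordered_rules(), INBOUND_SYN_TO_SERVER)
    print(f"{'SYN to server, misordered':28s} -> {'pass ' if permit else 'BLOCK'}: {why}")
```

The misordered_rules() case is the check worth keeping in mind when editing a Filter file of this shape: moving the general "!domain/tcp/syn/recv" line above the host-specific permit silently blocks the very connections the permit was meant to allow, and the telnet sample shows that a packet no domain rule mentions is decided by the section default rather than by any pass line.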