pppd filtering (was Re: BIND/login question)

Adrian Wontroba aw1 at stade.co.uk
Wed Jan 26 00:26:24 GMT 2000

On Tue, Jan 25, 2000 at 07:34:33AM -0500, Goddard, David wrote:
> The problem is Yet Another Unwanted Dialups With ppp -auto issue, with the
> finger being pointed at DNS lookups.  What I'm not sure of is where the
> blame lies for this - my BIND config, the behaviour of login or my shell or
> whatever.

What follows won't help the hangs, but should help with the dialups.  It
is the filtering rule set I use on (one of) my boxes.

It will _only_ dial out with a "ping demon-du.demon.co.uk" (change the
address to taste, but make sure it is in /etc/hosts).  It will keep the
line up while most things are going on, but when what's happening is just
ICMP, DNS etc packets, it will drop the line.

This works fine with a collection of FreeBSD boxes connected to the
machine with the modem.  Windows appears to generate other traffic,
which has the effect of keeping the line up once it's gone up.  As I
don't use Windows much, my solution is to close down or disconnect such
machines from my network once I've done with them.  Easier than finding
out what Windows is up to and enhancing the filtering rules.

# clear out rules
 set filter alive -1
 set filter dial -1
 set filter in -1
 set filter out -1
# Don't keep alive with ICMP (other than to demon-du), DNS, RIP or NTP
# packets.  The first matching rule wins; the host name is resolved before
# the line is up, so it must be in /etc/hosts.
#	icmp: only pings to demon-du count as activity
 set filter alive 0 permit 0/0 demon-du.demon.co.uk icmp
 set filter alive 1 deny icmp
#	DNS udp
 set filter alive 2 deny udp src eq 53
 set filter alive 3 deny udp dst eq 53
#	RIP udp
 set filter alive 4 deny udp src eq 520
 set filter alive 5 deny udp dst eq 520
#	DNS tcp
 set filter alive 6 deny tcp src eq 53
 set filter alive 7 deny tcp dst eq 53
#	NTP udp and tcp
 set filter alive 8 deny udp src eq 123
 set filter alive 9 deny udp dst eq 123
 set filter alive 10 deny tcp src eq 123
 set filter alive 11 deny tcp dst eq 123
# allow everything else
 set filter alive 12 permit 0/0 0/0
# Don't dial with anything but an ICMP packet to "demon-du"
 set filter dial 0 permit 0/0 demon-du.demon.co.uk icmp
 set filter dial 1 deny 0/0 0/0
# No input restrictions
 set filter in 0 permit 0/0 0/0
# No output restrictions
 set filter out 0 permit 0/0 0/0

Adrian Wontroba
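An added illustration, not part of Adrian's post or of ppp itself: a small Python model of how ppp walks the dial and alive rule sets above (first matching rule decides, and a non-empty filter with no match denies), run over constructed sample packets. The demon-du address and the RFC 5737 test addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

DEMON_DU = "192.0.2.1"          # constructed stand-in for demon-du.demon.co.uk
ANY = ip_network("0.0.0.0/0")   # what 0/0 means in a ppp filter rule

def rule(no, action, src="0/0", dst="0/0", proto=None, sport=None, dport=None):
    net = lambda a: ANY if a == "0/0" else ip_network(a)
    return (no, action, net(src), net(dst), proto, sport, dport)

# "alive" filter from the post, with rule 0 restricted to pings to demon-du.
ALIVE = [
    rule(0, "permit", dst=DEMON_DU, proto="icmp"),
    rule(1, "deny", proto="icmp"),
    rule(2, "deny", proto="udp", sport=53),  rule(3, "deny", proto="udp", dport=53),
    rule(4, "deny", proto="udp", sport=520), rule(5, "deny", proto="udp", dport=520),
    rule(6, "deny", proto="tcp", sport=53),  rule(7, "deny", proto="tcp", dport=53),
    rule(8, "deny", proto="udp", sport=123), rule(9, "deny", proto="udp", dport=123),
    rule(10, "deny", proto="tcp", sport=123), rule(11, "deny", proto="tcp", dport=123),
    rule(12, "permit"),
]
# "dial" filter: only an ICMP packet to demon-du brings the line up.
DIAL = [rule(0, "permit", dst=DEMON_DU, proto="icmp"), rule(1, "deny")]

def matches(r, pkt):
    _, _, src, dst, proto, sport, dport = r
    return (ip_address(pkt["src"]) in src and ip_address(pkt["dst"]) in dst
            and (proto is None or proto == pkt["proto"])
            and (sport is None or sport == pkt.get("sport"))
            and (dport is None or dport == pkt.get("dport")))

def filter_passes(rules, pkt):
    """Empty filter permits all; otherwise the first matching rule decides, else deny."""
    if not rules:
        return True
    for r in rules:
        if matches(r, pkt):
            return r[1] == "permit"
    return False

def classify(pkt):
    return {"dials": filter_passes(DIAL, pkt), "keeps_alive": filter_passes(ALIVE, pkt)}

# Constructed sample traffic from a LAN host (10.0.0.2) behind the modem box.
SAMPLE = {
    "ping demon-du": {"src": "10.0.0.2", "dst": DEMON_DU, "proto": "icmp"},
    "ping elsewhere": {"src": "10.0.0.2", "dst": "198.51.100.7", "proto": "icmp"},
    "dns query": {"src": "10.0.0.2", "dst": "198.51.100.53", "proto": "udp", "sport": 1025, "dport": 53},
    "ntp": {"src": "10.0.0.2", "dst": "198.51.100.5", "proto": "udp", "sport": 123, "dport": 123},
    "http": {"src": "10.0.0.2", "dst": "198.51.100.80", "proto": "tcp", "sport": 1026, "dport": 80},
}
```

Only the ping to demon-du dials; HTTP keeps an established line up, while DNS, NTP and stray pings do not.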

