Show how to use the new filter capabilities

Mostly submitted by: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
svn path=/head/; revision=49141
2025-01-10 08:22:27 +01:00 · 1999-07-27 23:44:29 +00:00 · 1999-07-27 23:44:29 +00:00 · 4f65166ad5 · 2020-12-20 02:59:44 +00:00
commit 4f65166ad5
parent cad7e7426a
1 changed files with 89 additions and 1 deletions
--- a/share/examples/ppp/ppp.conf.sample
+++ b/share/examples/ppp/ppp.conf.sample
@ -4,7 +4,7 @@
 #
 #           Originally written by Toshiharu OHNO
 #
-# $Id: ppp.conf.sample,v 1.4 1999/04/27 00:25:22 brian Exp $
+# $Id: ppp.conf.sample,v 1.5 1999/05/30 21:31:18 billf Exp $
 #
 #################################################################

@ -247,6 +247,94 @@ dodgy:
    set filter in  7 permit udp dst gt 33433
    set filter out 7 permit udp dst gt 33433

+#
+# ``dodgynet'' is an example intended for an autodial configuration which
+# is connecting a local network to a host on an untrusted network.
+dodgynet:
+    # Log link uptime
+    set log Phase
+    # For autoconnect only
+    allow modes auto
+    # Define modem device and speed
+    set device /dev/cuaa1
+    set speed 115200
+    # Don't support LQR
+    deny lqr
+    # Remote system phone number, login and password
+    set phone 0W1194
+    set authname pppLogin
+    set authkey MyPassword
+    # Chat script to dial remote system
+    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
+              ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
+    # Chat script to login to remote Unix system
+    set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
+    # Drop the link after 15 minutes of inactivity
+    # Inactivity is defined by the `set filter alive' line below
+    set timeout 900
+    # Hard-code remote system to appear within local subnet and use proxy arp
+    # to make this system the gateway
+    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
+    enable proxy
+
+    # Allow any TCP packet to keep the link alive
+    set filter alive 0 permit tcp
+
+    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
+    # private TCP ports 24 and 4000
+    set filter dial  0 7      0 0 tcp dst eq http
+    set filter dial  1 7      0 0 tcp dst eq login
+    set filter dial  2 7      0 0 tcp dst eq shell
+    set filter dial  3 7      0 0 tcp dst eq telnet
+    set filter dial  4 7      0 0 tcp dst eq ftp
+    set filter dial  5 7      0 0 tcp dst eq 24
+    set filter dial  6 deny ! 0 0 tcp dst eq 4000
+    # From hosts on a couple of local subnets to the remote peer
+    # If the remote host allowed IP forwarding and we wanted to use it, the
+    # following rules could be split into two groups to separately validate
+    # the source and destination addresses.
+    set filter dial  7 permit 172.17.16.0/20  172.17.20.248 
+    set filter dial  8 permit 172.17.36.0/22  172.17.20.248 
+    set filter dial  9 permit 172.17.118.0/26 172.17.20.248 
+    set filter dial 10 permit 10.123.5.0/24   172.17.20.248 
+
+    # Once the link's up, limit outgoing access to the specified hosts
+    set filter out  0 4      172.17.16.0/20  172.17.20.248 
+    set filter out  1 4      172.17.36.0/22  172.17.20.248 
+    set filter out  2 4      172.17.118.0/26 172.17.20.248 
+    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248 
+    # Allow established TCP connections
+    set filter out  4 permit 0 0 tcp estab
+    # And new connections to http, rlogin, rsh, telnet, ftp and ports
+    # 24 and 4000
+    set filter out  5 permit 0 0 tcp dst eq http
+    set filter out  6 permit 0 0 tcp dst eq login
+    set filter out  7 permit 0 0 tcp dst eq shell
+    set filter out  8 permit 0 0 tcp dst eq telnet
+    set filter out  9 permit 0 0 tcp dst eq ftp
+    set filter out 10 permit 0 0 tcp dst eq 24
+    set filter out 11 permit 0 0 tcp dst eq 4000
+    # And outgoing icmp
+    set filter out 12 permit 0 0 icmp
+
+    # Once the link's up, limit incoming access to the specified hosts
+    set filter in   0 4      172.17.20.248  172.17.16.0/20
+    set filter in   1 4      172.17.20.248  172.17.36.0/22
+    set filter in   2 4      172.17.20.248  172.17.118.0/26
+    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
+    # Established TCP connections and non-PASV FTP
+    set filter in   4 permit 0/0  0/0  tcp estab
+    set filter in   5 permit 0/0  0/0  tcp src eq 20
+    # Useful ICMP messages
+    set filter in   6 permit 0/0  0/0  icmp src eq 3
+    set filter in   7 permit 0/0  0/0  icmp src eq 4
+    set filter in   8 permit 0/0  0/0  icmp src eq 11
+    set filter in   9 permit 0/0  0/0  icmp src eq 12
+    # Echo reply (local systems can ping the remote host)
+    set filter in  10 permit 0/0  0/0  icmp src eq 0
+    # And the remote host can ping the local gateway (only)
+    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8
+

 # Server side PPP
 #