PPP packet filtering
PPP permits the transfer of IP packets over a
serial line via a PPP network interface.
Packet filtering permits control of the traffic through a PPP
network interface
based on the contents of the packets passed to the interface.
Packet filter control is provided for these
interface functions:
bring up
    By default, any packet passed to an outgoing link from a
    dedicated serial or automatic dialup endpoint
    will bring the interface up if it is down.
    Packet filtering provides for specifying that only some types of packets
    may bring up a PPP interface.
pass
    By default, any packet passed to an interface is allowed to pass
    through that interface.
    Packet filtering provides for specifying that only some types of packets
    may pass through a PPP interface.
keep up
    By default, any packet passed to an interface will reset the idle
    timer for that interface.
    (Expiration of the idle timer will cause the interface to be
    automatically brought down.)
    Packet filtering provides for specifying that only some types of packets
    may reset the idle timer for a PPP interface.
Packets can be qualified or disqualified for:
- transport level protocol type (that is, tcp, udp, icmp)
- IP destination or source fields
- destination or source port field in IP/TCP or IP/UDP packets
- packet length
- IP packet type (that is, broadcast or multicast)
Packet filtering is specified on a per-endpoint basis, although more
than one endpoint may share the same packet filtering parameters.
Creating a packet filter
Packet filter entries are created by editing them into the /etc/pppfilter
file; each entry is identified by a tag that an endpoint configuration refers to.
Two or more PPP endpoint configurations can refer to the same
entry.
If /etc/pppfilter does not exist, or no filter file
entry is specified for an endpoint, then all packets bring up the
interface, all packets are passed, and all packets reset the idle timer.
The following filter entry describes the default
behavior of a PPP link:
# tag      keyword   filter
default    bringup   !port ntp and !port who and !port route\
                     and !port timed and !port bgp and !ip proto 8\
                     and !ip proto 63 and !ip proto 89 and icmp[20]!=9\
                     and icmp[20]!=10
           pass      \
           keepup    !port ntp and !port who and !port route\
                     and !port timed and !port bgp and !ip proto 8\
                     and !ip proto 63 and !ip proto 89 and icmp[20]!=9\
                     and icmp[20]!=10
This specification does not allow the periodic traffic of ntp, rwhod,
routed, timed, gated (the bgp port and IP protocols 8, 63 and 89, of which
8 is EGP and 89 is OSPF) or irdd (ICMP router advertisement and
solicitation, types 9 and 10, matched as the ICMP type byte at offset 20)
to bring up or keep up the link, but it does allow
all packets to pass the link.
Note that only the pass rule ever discards traffic: the bringup and
keepup rules decide when the link is dialed and how long it stays idle,
so the default entry controls connection cost, not access.
See the
packetfilter(SFF)
manual page for a description of the format for the filter file.
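The following entry, added here as an illustration and not taken from the original page or shipped with the system, tightens the default for a hypothetical on-demand dialup endpoint tagged dialup: only TCP traffic that is not mail or news may dial the link, broadcasts and multicasts are never passed across the serial line, and only non-trivial user traffic keeps the line up. The ip broadcast, ip multicast and greater keywords are assumed to follow the tcpdump-style syntax documented in packetfilter(SFF); confirm the exact spelling there before relying on this entry.

```text
# tag      keyword   filter
# Added example entry (not part of the original page).
# bringup: only TCP sessions other than smtp/nntp may dial; broadcast
# and multicast packets from the local network never trigger a call.
# pass:    everything except broadcast and multicast, which would only
#          leak local-network noise across the serial line.
# keepup:  background daemons (ntp, rwhod, routed, timed) and packets of
#          fewer than 64 bytes (assumed keepalive-sized) do not reset
#          the idle timer, so an otherwise idle link hangs up on schedule.
dialup     bringup   tcp and !port smtp and !port nntp\
                     and !ip broadcast and !ip multicast
           pass      !ip broadcast and !ip multicast
           keepup    !port ntp and !port who and !port route and !port timed\
                     and !ip broadcast and !ip multicast and greater 64
```

The entry is selected by naming its tag in the endpoint configuration, as described above for the default entry. Because the pass rule is the only one that drops packets, a mistake in bringup or keepup costs connection time, while a mistake in pass silently blocks traffic; test a new entry with the link already up before relying on its bringup behaviour.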
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003