|
|
@ -4,7 +4,7 @@ |
|
|
|
# |
|
|
|
# Originally written by Toshiharu OHNO |
|
|
|
# |
|
|
|
# $OpenBSD: ppp.conf.sample,v 1.13 1999/05/31 00:21:57 brian Exp $ |
|
|
|
# $OpenBSD: ppp.conf.sample,v 1.14 1999/07/27 23:48:38 brian Exp $ |
|
|
|
# |
|
|
|
################################################################# |
|
|
|
|
|
|
@ -234,6 +234,94 @@ dodgy: |
|
|
|
set filter in 7 permit udp dst gt 33433 |
|
|
|
set filter out 7 permit udp dst gt 33433 |
|
|
|
|
|
|
|
# |
|
|
|
# ``dodgynet'' is an example intended for an autodial configuration which |
|
|
|
# is connecting a local network to a host on an untrusted network. |
|
|
|
dodgynet: |
|
|
|
# Log link uptime |
|
|
|
set log Phase |
|
|
|
# For autoconnect only |
|
|
|
allow modes auto |
|
|
|
# Define modem device and speed |
|
|
|
set device /dev/cuaa1 |
|
|
|
set speed 115200 |
|
|
|
# Don't support LQR |
|
|
|
deny lqr |
|
|
|
# Remote system phone number, login and password |
|
|
|
set phone 0W1194 |
|
|
|
set authname pppLogin |
|
|
|
set authkey MyPassword |
|
|
|
# Chat script to dial remote system |
|
|
|
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ |
|
|
|
ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT" |
|
|
|
# Chat script to login to remote Unix system |
|
|
|
set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P" |
|
|
|
# Drop the link after 15 minutes of inactivity |
|
|
|
# Inactivity is defined by the `set filter alive' line below |
|
|
|
set timeout 900 |
|
|
|
# Hard-code remote system to appear within local subnet and use proxy arp |
|
|
|
# to make this system the gateway |
|
|
|
set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 |
|
|
|
enable proxy |
|
|
|
|
|
|
|
# Allow any TCP packet to keep the link alive |
|
|
|
set filter alive 0 permit tcp |
|
|
|
|
|
|
|
# Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or |
|
|
|
# private TCP ports 24 and 4000 |
|
|
|
set filter dial 0 7 0 0 tcp dst eq http |
|
|
|
set filter dial 1 7 0 0 tcp dst eq login |
|
|
|
set filter dial 2 7 0 0 tcp dst eq shell |
|
|
|
set filter dial 3 7 0 0 tcp dst eq telnet |
|
|
|
set filter dial 4 7 0 0 tcp dst eq ftp |
|
|
|
set filter dial 5 7 0 0 tcp dst eq 24 |
|
|
|
set filter dial 6 deny ! 0 0 tcp dst eq 4000 |
|
|
|
# From hosts on a couple of local subnets to the remote peer |
|
|
|
# If the remote host allowed IP forwarding and we wanted to use it, the |
|
|
|
# following rules could be split into two groups to separately validate |
|
|
|
# the source and destination addresses. |
|
|
|
set filter dial 7 permit 172.17.16.0/20 172.17.20.248 |
|
|
|
set filter dial 8 permit 172.17.36.0/22 172.17.20.248 |
|
|
|
set filter dial 9 permit 172.17.118.0/26 172.17.20.248 |
|
|
|
set filter dial 10 permit 10.123.5.0/24 172.17.20.248 |
|
|
|
|
|
|
|
# Once the link's up, limit outgoing access to the specified hosts |
|
|
|
set filter out 0 4 172.17.16.0/20 172.17.20.248 |
|
|
|
set filter out 1 4 172.17.36.0/22 172.17.20.248 |
|
|
|
set filter out 2 4 172.17.118.0/26 172.17.20.248 |
|
|
|
set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 |
|
|
|
# Allow established TCP connections |
|
|
|
set filter out 4 permit 0 0 tcp estab |
|
|
|
# And new connections to http, rlogin, rsh, telnet, ftp and ports |
|
|
|
# 24 and 4000 |
|
|
|
set filter out 5 permit 0 0 tcp dst eq http |
|
|
|
set filter out 6 permit 0 0 tcp dst eq login |
|
|
|
set filter out 7 permit 0 0 tcp dst eq shell |
|
|
|
set filter out 8 permit 0 0 tcp dst eq telnet |
|
|
|
set filter out 9 permit 0 0 tcp dst eq ftp |
|
|
|
set filter out 10 permit 0 0 tcp dst eq 24 |
|
|
|
set filter out 11 permit 0 0 tcp dst eq 4000 |
|
|
|
# And outgoing icmp |
|
|
|
set filter out 12 permit 0 0 icmp |
|
|
|
|
|
|
|
# Once the link's up, limit incoming access to the specified hosts |
|
|
|
set filter in 0 4 172.17.20.248 172.17.16.0/20 |
|
|
|
set filter in 1 4 172.17.20.248 172.17.36.0/22 |
|
|
|
set filter in 2 4 172.17.20.248 172.17.118.0/26 |
|
|
|
set filter in 3 deny ! 172.17.20.248 10.123.5.0/24 |
|
|
|
# Established TCP connections and non-PASV FTP |
|
|
|
set filter in 4 permit 0/0 0/0 tcp estab |
|
|
|
set filter in 5 permit 0/0 0/0 tcp src eq 20 |
|
|
|
# Useful ICMP messages |
|
|
|
set filter in 6 permit 0/0 0/0 icmp src eq 3 |
|
|
|
set filter in 7 permit 0/0 0/0 icmp src eq 4 |
|
|
|
set filter in 8 permit 0/0 0/0 icmp src eq 11 |
|
|
|
set filter in 9 permit 0/0 0/0 icmp src eq 12 |
|
|
|
# Echo reply (local systems can ping the remote host) |
|
|
|
set filter in 10 permit 0/0 0/0 icmp src eq 0 |
|
|
|
# And the remote host can ping the local gateway (only) |
|
|
|
set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 |
|
|
|
|
|
|
|
|
|
|
|
# Server side PPP |
|
|
|
# If you want the remote system to authenticate itself, you insist |
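Review bot: The new dodgynet rule `set filter in 5 permit 0/0 0/0 tcp src eq 20` tests only the source port, so it admits new inbound TCP connections to any port on the permitted local subnets, not just active-mode FTP data. Rules in 0-3 do limit the sender to 172.17.20.248, but the section's own header describes that peer as a host on an untrusted network, so the source port is not something the filter can rely on. Restricting the destination as well, e.g. `set filter in 5 permit 0/0 0/0 tcp src eq 20 dst gt 1023` (assuming this ppp version accepts a src and a dst test in one rule), or dropping the rule and using passive FTP, would narrow the exposure. Separately, a comment above `set authkey MyPassword` such as `# The key is stored in clear text; keep ppp.conf readable by root only` would help readers who copy the sample.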
|
|
|