The FreeBSD Diary

PPP filters - stop xntpd from keeping the connection alive
9 April 1999
This article was submitted by Jim Mutter without prompting from me.  Many thanks to Jim for writing up his experiences and sending them in.  Cheers.
The problem
Jim uses Userland PPP to connect to his ISP.  He also runs xntpd to keep the clock on his computer accurate.  However, xntpd's periodic traffic keeps the connection alive forever if given the opportunity.  Normally, ppp drops the link when there is no traffic.  Jim needed a way to make ppp ignore NTP packets when deciding whether or not to keep the connection alive.
The solution
It is possible to write filtering rules for ppp, so Jim wrote a ruleset that excludes NTP packets from the keep-alive filter (the filter that decides which packets count as traffic when ppp checks whether the link is idle).  The Pedantic PPP Primer has a small section (6.2, Playing with PPP filters) on how to do this, but the example it gives is incorrect.  With a little help from man ppp and more help from the folks on the FreeBSD-Questions mailing list he was able to come up with this solution.
  1. 'su' to root.
  2. cd /etc/ppp
  3. vi ppp.conf
  4. His first attempt at writing the rules:
    set filter alive 0 deny udp src eq 123
    set filter alive 1 deny tcp src eq 123
    set filter alive 2 deny udp dst eq 123
    set filter alive 3 deny tcp src eq 123
  5. This configuration never lets any packet reset the idle timer: every rule denies, and so does the implicit default rule that follows the last one.  The result was that ppp disconnected after the 'timeout' value no matter what he was doing.
  6. The working solution:
    set filter alive 0 deny udp src eq 123
    set filter alive 1 deny tcp src eq 123
    set filter alive 2 deny udp dst eq 123
    set filter alive 3 deny tcp dst eq 123
    set filter alive 4 permit 0 0

That last line is the important one.  Here's a quote from a user on the FreeBSD-Questions mailing list:

Whenever you define a ruleset, there's an implicit default filter of:

set filter alive lastrule+1 deny 0 0 

This rule needs to be changed to allow everything not explicitly defined:

set filter alive lastrule+1 permit 0 0

This applies to all filters or rulesets defined in /etc/ppp/ppp.conf.
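To see why the first attempt dropped the link and the "permit 0 0" line fixes it, here is an added example (my own, not from the article or from ppp itself): a small Python model of how an alive ruleset is evaluated, following the quoted explanation (rules tried in order, first match decides, implicit "deny 0 0" after the last rule).  It only handles the rule forms used in this article, ignores ppp's address matching, and runs over constructed packet tuples rather than real traffic.

```python
# Added example (not from the article or ppp(8)): a toy model of how ppp
# evaluates an "alive" ruleset. Rules are tried in order, the first match
# decides, and an implicit "deny 0 0" follows the last rule, as the quoted
# mailing-list reply explains. Packet tuples are constructed, not captured.

def parse_rule(line):
    """'set filter alive N action proto [src eq P] [dst eq P]' or '... action 0 0'."""
    tok = line.split()
    if tok[:3] != ["set", "filter", "alive"]:
        raise ValueError("not an alive-filter rule: " + line)
    rule = {"no": int(tok[3]), "action": tok[4], "proto": None, "src": None, "dst": None}
    rest = tok[5:]
    if rest != ["0", "0"]:            # "0 0" means any source, any destination
        rule["proto"] = rest[0]
        for i in range(1, len(rest), 3):  # "src eq P" / "dst eq P" clauses
            side, op, port = rest[i:i + 3]
            if side not in ("src", "dst") or op != "eq":
                raise ValueError("unsupported clause in: " + line)
            rule[side] = int(port)
    return rule

def parse_ruleset(text):
    return [parse_rule(ln) for ln in text.strip().splitlines()]

def matches(rule, pkt):
    proto, sport, dport = pkt         # constructed packet: (proto, src port, dst port)
    return (rule["proto"] in (None, proto) and rule["src"] in (None, sport)
            and rule["dst"] in (None, dport))

def resets_idle_timer(rules, pkt):
    """True if the packet keeps the link up: the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r["no"]):
        if matches(rule, pkt):
            return rule["action"] == "permit"
    return False                      # no match: the implicit "deny 0 0"

FIRST_ATTEMPT = parse_ruleset("""
set filter alive 0 deny udp src eq 123
set filter alive 1 deny tcp src eq 123
set filter alive 2 deny udp dst eq 123
set filter alive 3 deny tcp src eq 123
""")
WORKING = FIRST_ATTEMPT[:3] + parse_ruleset("""
set filter alive 3 deny tcp dst eq 123
set filter alive 4 permit 0 0
""")

NTP_POLL = ("udp", 123, 123)          # xntpd polling a time server
WEB_GET = ("tcp", 1025, 80)           # a browser fetching a page
```

Under FIRST_ATTEMPT neither packet resets the timer, so the link times out whatever the user does; under WORKING the web fetch does and the NTP poll still does not.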

Other PPP filters
Additional filters include:
dial (for dial on demand)
in (for incoming packets)
out (for outgoing packets)
Other filters
Finally, this is only a beginning for defining packet filtering rules; ppp's filters are really not very powerful.  If you need something more complex you should look into the ipfilter package, which works with the kernel-level pppd.
