Date: Wed, 18 Nov 1998 11:46:25 -0800 (PST)
From: Doug White <dwhite@resnet.uoregon.edu>
To: Eddie Irvine <eirvine@tpgi.com.au>
Cc: questions@FreeBSD.ORG
Subject: Re: ppp and 192.168.0.0 packets.
Message-ID: <Pine.BSF.4.03.9811181144310.14521-100000@resnet.uoregon.edu>
In-Reply-To: <36517060.4CD7035E@tpgi.com.au>
On Tue, 17 Nov 1998, Eddie Irvine wrote:

> Hello all!
>
> I have a FreeBSD 2.2-STABLE server serving a private
> network (192.168.x.x) in a school and routing IP and
> appletalk between subnets. It also dials up various ISP's
> (depending on which one is working on the day) and runs squid.

[..]

> I use ppp 2.0 for this, normally *without* aliasing turned
> on, because I don't want my smarter kids sending email
> from their web browsers out onto the net (Dept. Ed. Policy).
>
> A teacher's machine (192.168.1.115) has netscape configured
> to fetch mail from an ISP's mailbox, and when I want to do
> this I dial up with the -alias option.
>
> Obviously, we are not doing any mail relaying on our server.

And can't unless you turn gatewaying on.

> Now, I'm concerned that without the -alias option on all the
> time, packets from my private net will sometimes go down
> the phone line and onto the internet, making me a (gasp!)
> "bad citizen".

> 1) Should I worry about this?

No. The first router that sees them will eat them.

> OK, so, let's assume that I turn aliasing ON all the time and enable
> some of the packet filtering rules. To make it simple, say I want to
> permit only the server (interfaces 192.168.1.1, 192.168.2.1,
> 192.168.3.1 and whatever the ISP assigns to MYADDR) to be able
> to access port 80, and only the teacher's machine (192.168.1.115)
> to be able to access the ISP's pop server.
>
> 2) Can the filtering rules do this, when aliasing is turned on?

Sure.

> 3) How does the ppp filter scan the rule set? Does it start at the top
> of the rule set with each packet and *stop* at the first permit or deny
> that matches the packet?

It applies the first rule that matches.

Doug White
Internet: dwhite@resnet.uoregon.edu | FreeBSD: The Power to Serve
http://gladstone.uoregon.edu/~dwhite | www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
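
Added example (not part of the original message, and not ppp's own filter syntax or code): a small Python model of the first-match evaluation described in the answer to question 3, applied to the policy sketched in question 2. The POP server address, the MYADDR value, the rule layout and the default-deny fallback are assumptions made for the illustration.

```python
# Model of first-match packet filtering. This is NOT ppp's rule syntax;
# the Rule layout and all public addresses below are constructed.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # TCP destination port; None matches any port

ANY = "0.0.0.0/0"
POP_SERVER = "203.0.113.10/32"  # placeholder for the ISP's POP server
MYADDR = "198.51.100.7/32"      # placeholder for the ISP-assigned address

def build_rules():
    """Policy from question 2: server -> port 80, teacher -> POP, else deny."""
    servers = ["192.168.1.1/32", "192.168.2.1/32", "192.168.3.1/32", MYADDR]
    rules = [Rule("permit", s, ANY, 80) for s in servers]
    rules.append(Rule("permit", "192.168.1.115/32", POP_SERVER, 110))
    rules.append(Rule("deny", ANY, ANY, None))  # explicit catch-all, last
    return rules

def evaluate(rules, src, dst, dport, default="deny"):
    """Return (action, rule index) for the first rule that matches.

    Scanning stops at the first match, so rule order decides the outcome.
    The default for "no rule matched" is an assumption of this model.
    """
    for i, r in enumerate(rules):
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action, i
    return default, None

if __name__ == "__main__":
    rules = build_rules()
    packets = [  # constructed sample traffic: (source, destination, port)
        ("192.168.1.1", "192.0.2.80", 80),      # server to a web site
        ("192.168.1.115", "203.0.113.10", 110), # teacher to POP server
        ("192.168.2.44", "192.0.2.80", 80),     # student machine to web
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(rules, *pkt))
    # Moving the catch-all deny to the top shadows every permit below it.
    shadowed = [rules[-1]] + rules[:-1]
    print("shadowed:", evaluate(shadowed, *packets[0]))
```
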