Date:      Tue, 17 Nov 1998 23:47:28 +1100
From:      Eddie Irvine <eirvine@tpgi.com.au>
To:        questions@FreeBSD.ORG
Subject:   ppp and 192.168.0.0 packets.
Message-ID:  <36517060.4CD7035E@tpgi.com.au>

Hello all!

I have a FreeBSD 2.2-STABLE server serving a private
network (192.168.x.x) in a school and routing IP and
AppleTalk between subnets. It also dials up various ISPs
(depending on which one is working on the day) and runs squid.

So far so good!

I use ppp 2.0 for this, normally *without* aliasing turned
on, because I don't want my smarter kids sending email
from their web browsers out onto the net (Dept. Ed. Policy).

A teacher's machine (192.168.1.115) has Netscape configured
to fetch mail from an ISP's mailbox, and when I want to do
this I dial up with the -alias option.

Obviously, we are not doing any mail relaying on our server.

Now, I'm concerned that without the -alias option on all the
time, packets from my private net will sometimes go down
the phone line and onto the internet, making me a (gasp!)
"bad citizen".

1) Should I worry about this?

OK, so, let's assume that I turn aliasing ON all the time and enable
some of the packet filtering rules. To make it simple, say I want to 
permit only the server (interfaces 192.168.1.1, 192.168.2.1, 
192.168.3.1 and whatever the ISP assigns to MYADDR) to be able 
to access port 80, and only the teacher's machine (192.168.1.115) 
to be able to access the ISP's POP server.

2) Can the filtering rules do this, when aliasing is turned on?

3) How does the ppp filter scan the rule set? Does it start at the top
of the rule set with each packet and *stop* at the first permit or deny
that matches the packet?

I've made a diagram of our network to help with this question - you can
find it on:

http://www1.tpgi.com.au/users/eirvine/freebsd/screens.html#topology

Cheers,
Eddie.
