Author: Unknown
Email: Unknown
Date Submitted: April 16, 1998
Edited by: David S. Jackson <dsj@dsj.net>
Status: New Entry

Releases:	All
Platform:	All
Category:	Networking and Nefcfg
Category Listing:	How can I write a chat script by hand that invokes my firewall rules?

Issue:

A common question is how to write a chat script by hand. A further challenge is implementing firewall rules with ipfwadm that are launched at the same time the chat session is started.

Response:

• put the following into /etc/ppp/chatscript:
  

      ABORT BUSY
      ABORT ERROR
      ABORT 'NO CARRIER'
      ABORT 'NO DIALTONE'
      '' ATZ OK AT&K3&C1&D3M0 OK ATDT5419462 CONNECT

• put the following into /etc/ppp/ip-down:
  

  
      #!/bin/sh
  
      PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
      export PATH
  
      exit 0

• put the following into /etc/ppp/ip-up:
  

  
      #!/bin/sh
  
      # called when the PPP link is up with the following arguments:
      #
      # $1 = interface-name (ie. ppp0)
      # $2 = tty-device     (ie. /dev/modem)
      # $3 = speed          (ie. 115200)
      # $4 = local-IP-addr
      # $5 = remote-IP-addr
  
      FW=/sbin/ipfwadm
  
      # clear all tables.
      for i in A I O F
      do
          $FW -$i -f
      done
  
      # setup a default policy that applies if packets don't match any
      # other rules.
      $FW -I -p reject -W $1
  
      # deny spoofing.
      $FW -I -a deny -o -S $4 -W $1
      $FW -I -a deny -o -S 127.0.0.0/24 -W $1
  
      # allow return tcp invocations to the internal network for DNS.
      $FW -I -a accept -P udp -S 0.0.0.0/0 53 -D $4/0 1025:65535 -W $1
  
      # accept return tcp traffic.
      $FW -I -a accept -P tcp -b -k -S 0.0.0.0/0 -D $4/0 -W $1
  
      # allow incoming ident.
      $FW -I -a accept -P tcp -b -S 0.0.0.0/0 113 -D/0 $4 -W $1
  
      # allow incoming smtp.
      $FW -I -a accept -P tcp -b -S 0.0.0.0/0 25 -D/0 $4 -W $1
  
      # explicitly deny access to the X server.
      $FW -I -a deny -P tcp -S 0.0.0.0/0 -D $4/0 5999:6100 -W $1
      $FW -I -a deny -P udp -S 0.0.0.0/0 -D $4/0 5999:6100 -W $1
  
      # allow for outgoing ftp.
      $FW -I -a accept -k -P tcp -S 0.0.0.0/0 ftp -D $4 1024:65535 \
           -W $1
      $FW -I -a accept -P tcp -S 0.0.0.0/0 ftp-data -D $4 1024:65535 \
          -W $1
  
      # end of rules.
  
      /usr/local/bin/junkbuster -b /usr/local/lib/junkbuster/\
          blockfile -l /usr/local/lib/junkbuster/logfile &
  
      exit 0

• put the following into /etc/ppp/options:
  

  lock

• put the following into /etc/ppp/secrets:
  

  
      username
      password
  
  

  where username and password are the ones supplied to you by your ISP. there must be a blank line after the password, or ppp will not work!

References:

None.