Usage of filters in pppd

Post by Bonz » Fri, 21 Dec 2001 08:51:50



I'm very confused as to the use of the active-filter and pass-filter
options for pppd. The man page doesn't appear to be very explicit about
how the filters are actually used.

For example, I would like to stop udp packets with destination address
239.255.255.250 and port 1900 from being counted as packets affecting the
idle timeout that I have set.

The question boils down to this: how do I code the filter expression so
that these packets are ignored? Is this possible? Or will the firewall
which is already denying them get in the way?

TIA

--
mike

 
 
 


Post by Dean Thompso » Sat, 22 Dec 2001 10:19:07


Hi!,

> I'm very confused as to the use of the active-filter and pass-filter
> options for pppd. The man page doesn't appear to be very explicit about
> how the filters are actually used.

> For example, I would like to stop udp packets with destination address
> 239.255.255.250 and port 1900 from being counted as packets affecting the
> idle timeout that I have set.

> The question boils down to this: how do I code the filter expression so
> that these packets are ignored? Is this possible? Or will the firewall
> which is already denying them get in the way?

I remember reading or being told somewhere that these filters are not
implemented on any other distribution of PPP other than the BSD version.  As a
result, playing around with these filters will only waste your time unless you
are using a BSD system.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 


Post by Mike F » Sun, 23 Dec 2001 08:59:03


On Fri, 21 Dec 2001 01:19:07, Dean Thompson


> > The question boils down to this: how do I code the filter expression so
> > that these packets are ignored? Is this possible? Or will the firewall
> > which is already denying them get in the way?

> I remember reading or being told somewhere that these filters are not
> implemented on any other distribution of PPP other than the BSD version.  As a
> result, playing around with these filters will only waste your time unless you
> are using a BSD system.

Thanks Dean. Using RH6.2 and that's what all the docs seem to imply. It
looks like I'm SOL when it comes to using the idle timer to take the PPP
connection down. These packets come in at fairly random intervals and
are what are keeping the connection up longer than necessary. Oh well!
Back to the tried and tested ppp-off method!

--
Regards, Mike Fry

 
 
 


Post by Bill Unr » Sun, 23 Dec 2001 09:40:51



]On Fri, 21 Dec 2001 01:19:07, Dean Thompson

]> > The question boils down to this: how do I code the filter expression so
]> > that these packets are ignored? Is this possible? Or will the firewall
]> > which is already denying them get in the way?
]>  
]> I remember reading or being told somewhere that these filters are not
]> implemented on any other distribution of PPP other than the BSD version.  As a
]> result, playing around with these filters will only waste your time unless you
]> are using a BSD system.
]>  

]Thanks Dean. Using RH6.2 and that's what all the docs seem to imply. It
]looks like I'm SOL when it comes to using the idle timer to take the PPP
]connection down. These packets come in at fairly random intervals and
]are what are keeping the connection up longer than necessary. Oh well!
]Back to the tried and tested ppp-off method!

The old diald (which seems to have fallen out of favour since the demand
option was configured into pppd) apparently did a much better job of
filtering out such garbage in deciding when the link should go down.
You might find diald again and try that.

 
 
 


Post by Clifford Kit » Sat, 05 Jan 2002 06:12:22



> I'm very confused as to the use of the active-filter and pass-filter
> options for pppd. The man page doesn't appear to be very explicit about
> how the filters are actually used.
> For example, I would like to stop udp packets with destination address
> 239.255.255.250 and port 1900 from being counted as packets affecting the
> idle timeout that I have set.
> The question boils down to this: how do I code the filter expression so
> that these packets are ignored? Is this possible? Or will the firewall
> which is already denying them get in the way?

First you are likely to need a 2.4.x kernel and pppd 2.4.1.  I'm currently
running pppd 2.4.1 under the 2.4.12 kernel.  The active-filter option
actually works to some extent (unknown) in Linux.

You are correct.  The man pages fail abysmally in explaining how the
active-filter option is applied.  Apparently if the filter expression
is true then matching packets do not count against idle time - which
is just the opposite of what one might think.  The meaning in tcpdump
is that if the expression is true then the packet is dumped to standard
output, and otherwise the packet is ignored.  The active-filter analogy
would be that matching packets are counted against idle time, which is
not what happens.

I found that this is the case this morning when I needed something that
would prevent keepalive packets sent by a client on my host from a
certain port to a dynamic DNS server from counting against idle time.
This is what worked for me:

active-filter 'src port pulse'

(pulse is the name I associated with the port number in /etc/services.)

Assuming that the port is at the destination host, this should work
for you:

active-filter 'dst host 239.255.255.250 and udp dst port 1900'

If the firewall is on the destination host then it will get the packets,
and if it responds with an "unreachable" or "prohibited" message then
these responses will count against idle time.  In that case I can
see two avenues of approach.

Try to find a way to use the active-filter, and/or the pass-filter option
to keep the responses from counting against idle time.  I haven't explored
this possibility.

Patch pppd 2.4.1 with the simple patch in the file auth.c.diff-2.4.1.gz
at http://users3.ev1.net/~ckite/public_html/ in the "Files for download"
section so pppd will not count any incoming traffic against idle time.

-- Clifford Kite  <Email: Presently not available>
/* ... packets usually cross many administrative boundaries on their way
   from a source to a destination and often the only point of agreement
   between those separate administrations is that all problems are someone
   else's fault.   --Van Jacobson, abstract of April 97 MSRI talk */

 
 
 


Post by Clifford Kit » Sat, 05 Jan 2002 08:08:35



> I found that this is the case this morning when I needed something that
> would prevent keepalive packets sent by a client on my host from a
> certain port to a dynamic DNS server from counting against idle time.
> This is what worked for me:
> active-filter 'src port pulse'
> (pulse is the name I associated with the port number in /etc/services.)

My bad.  I didn't do enough testing.  Adding that option causes pppd
to idle off in the time set for idle regardless of what other traffic
is on the link.

It seems that the active-filter is still not yet ready for prime time.

--
Clifford Kite  <Email: Presently not available>
/*  The generation of random numbers is too important to be left
    to chance.  */
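
Added example, not part of the thread: pppd(8) describes active-filter as selecting the packets that are regarded as link activity, so a matching packet resets the idle timer, which is consistent with the idle-off reported above. The Python model below replays a constructed packet trace under that reading; the port number standing in for "pulse", the addresses and the timings are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: int            # seconds since the link came up
    proto: str
    src_port: int
    dst: str
    dst_port: int

PULSE_PORT = 4000     # assumption: stand-in for the "pulse" entry in /etc/services

def is_ssdp(p):
    # dst host 239.255.255.250 and udp dst port 1900
    return p.proto == "udp" and p.dst == "239.255.255.250" and p.dst_port == 1900

# Each filter answers: "does this packet count as link activity?"
FILTERS = {
    "(no active-filter)": lambda p: True,
    "src port pulse": lambda p: p.src_port == PULSE_PORT,
    "not (dst host 239.255.255.250 and udp dst port 1900)": lambda p: not is_ssdp(p),
}

# Constructed trace: web traffic, one keepalive, then SSDP multicast every 45 s.
TRACE = [
    Pkt(5, "tcp", 33000, "192.0.2.10", 80),
    Pkt(8, "udp", PULSE_PORT, "192.0.2.53", 4000),
    Pkt(20, "tcp", 33000, "192.0.2.10", 80),
    Pkt(50, "tcp", 33000, "192.0.2.10", 80),
] + [Pkt(t, "udp", 1900, "239.255.255.250", 1900) for t in (45, 90, 135, 180)]

def hangup_time(trace, counts_as_activity, idle):
    """Time at which the modelled link drops: `idle` s after the last active packet."""
    last_active = 0
    for p in sorted(trace, key=lambda p: p.t):
        if p.t - last_active >= idle:
            break                      # idle timer fired before this packet
        if counts_as_activity(p):
            last_active = p.t          # matching packet resets the idle timer
    return last_active + idle

if __name__ == "__main__":
    for name, f in FILTERS.items():
        print(f"{name:55s} link drops at t={hangup_time(TRACE, f, 60)}s")
```

With a 60 s idle time the model keeps the link up until 240 s without a filter (held open by the multicast packets), drops it at 68 s with 'src port pulse' despite the later web traffic, and drops it at 110 s with the negated expression.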

 
 
 


Post by Mike Fr » Sat, 05 Jan 2002 08:46:06




>>I found that this is the case this morning when I needed something that
>>would prevent keepalive packets sent by a client on my host from a
>>certain port to a dynamic DNS server from counting against idle time.
>>This is what worked for me:

>>active-filter 'src port pulse'

>>(pulse is the name I associated with the port number in /etc/services.)

> My bad.  I didn't do enough testing.  Adding that option causes pppd
> to idle off in the time set for idle regardless of what other traffic
> is on the link.

> It seems that the active-filter is still not yet ready for prime time.

It seems that unless I upgrade from RH6.2 I'm not going to get my wish
just yet. Thanks for all the information anyway. I'll just have to learn
to live with all these effing M$ machines that are the ones sending the
packets in the first place :-)
 
 
 

1. pppd dial ins and , "LCP: timeout sending Config-Requests"

Hi, I've set up pppd to accept dialins on FreeBSD 4.3,
this is what I got in /var/log/messages when people try to connect:

Jul 15 21:42:19 e-l33t pppd[25891]: Connect: ppp0 <--> /dev/ttyd0
Jul 15 21:42:49 e-l33t pppd[25891]: LCP: timeout sending Config-Requests
Jul 15 21:42:49 e-l33t pppd[25891]: Connection terminated, connected for 1 minutes

Now, I read somewhere that this could have something to do with gre
stealing the lcp packets,
but I'm sure I didn't compile gre into my kernel.

(Also, I set the modem to ATS0=1 and saved it with AT&W0, so it auto
answers, and this works fine.)

# cat options
            ms-dns 192.168.0.2
            domain lamenet.org.au
            lock
            proxyarp
            crtscts
            115200
            modem
            +pap
            lcp-max-configure 40 // recently added, not tested
#
# cat pap-secrets
# Secrets for authentication using PAP
# client        server  secret          acceptable local IP addresses
  dialin        *       "password"        *
#
# cat options.ttyd0
192.168.0.7:192.168.0.8 # ip's of local and remote hosts

# cat options.ttyd1
192.168.0.7:192.168.0.8 # ip's of local and remote hosts
#

And in /etc/ttys

# cat /etc/ttys | grep ppp
ttyd0   "/usr/sbin/pppd"                dialup  on  secure
ttyd1   "/usr/sbin/pppd"                dialup  on  secure
#

Thanks :)
