PPP filters – stop xntpd from keeping the connection alive

Leave a Comment / By /

PPP filters – stop xntpd from keeping the connection alive

This article was submitted by Jim Mutter
without prompting from me.  Many thanks to Jim for writing up his experiences and
sending them in.  Cheers.

The problem

Jim uses Userland
PPP to connect to his ISP.  He also runs xntpd
to keep the time on this computer accurate.  However, xntpd keeps the
connection alive forever if given the opportunity.  Normally, ppp will die if there
is no traffic.  Jim needed a way to make ppp  ignore ntp packets when deciding
whether or not to keep the connection alive.

The solution

It is possible to write filtering rules for ppp. So Jim  wrote a ruleset to
disallow ntp packets when considering the keep alive status.filter.  The PPP – Pedantic PPP Primer has a
small section (6.2. Playing with PPP filters) on how to do this, however the example
listed is incorrect.  With a little help from  man ppp and more help
from the folks on the FreeBSD-Questions
mailing list he was able to come up with this solution.

  1. ‘su’ to root.
  2. cd /etc/ppp
  3. vi ppp.conf
  4. His first attempt at writing the rules. 
    set filter alive 0 deny udp src eq 123
set filter alive 1 deny tcp src eq 123
set filter alive 2 deny udp dst eq 123
set filter alive 3 deny tcp src eq 123
  5. This configuration doesn’t allow anything to reset the keepalive filter.  The
    result was that ppp disconnected after the ‘timeout’ value no matter what he was doing.
  6. The working solution 
    set filter alive 0 deny udp src eq 123
set filter alive 1 deny tcp src eq 123
set filter alive 2 deny udp dst eq 123
set filter alive 3 deny tcp dst eq 123
set filter alive 4 permit 0 0

That last line is the important one.  Here’s a quote from a user on the
FreeBSD-Questions
mailing list:

Whenever you define a ruleset, there’s in implicit default filter of: 

set filter alive lastrule+1 deny 0 0

This rule needs to be changed to allow everything not explicitly defined: 

set filter alive lastrule+1 permit 0 0

This applies to all filters or rulesets defined in /etc/ppp/ppp.conf.

Other PPP filters

Additional filters include:

dial (for dial on demand)
in (for incoming packets)
out (for outgoing packets)

Other filters

Finally, this is a beginning for defining packet filtering rules, however it’s really
not very powerful.  If you need something more complex you should look into the ipfilter package which works with the kernel level pppd.

Leave a Comment

Scroll to Top