PPP filters – stop xntpd from keeping the connection alive

 PPP, Time sychronization  Add comments
Apr 091999
 

PPP filters – stop xntpd from keeping the connection alive

This article was submitted by Jim Mutter without prompting from me.  Many thanks to Jim for writing up his experiences and sending them in.  Cheers.

The problem

Jim uses Userland PPP to connect to his ISP.  He also runs xntpd to keep the time on this computer accurate.  However, xntpd keeps the connection alive forever if given the opportunity.  Normally, ppp will die if there is no traffic.  Jim needed a way to make ppp  ignore ntp packets when deciding whether or not to keep the connection alive.

The solution

It is possible to write filtering rules for ppp. So Jim  wrote a ruleset to disallow ntp packets when considering the keep alive status.filter.  The PPP – Pedantic PPP Primer has a small section (6.2. Playing with PPP filters) on how to do this, however the example listed is incorrect.  With a little help from  man ppp and more help from the folks on the FreeBSD-Questions mailing list he was able to come up with this solution.
  1. ‘su’ to root.
  2. cd /etc/ppp
  3. vi ppp.conf
  4. His first attempt at writing the rules.
    set filter alive 0 deny udp src eq 123
set filter alive 1 deny tcp src eq 123
set filter alive 2 deny udp dst eq 123
set filter alive 3 deny tcp src eq 123
  5. This configuration doesn’t allow anything to reset the keepalive filter.  The result was that ppp disconnected after the ‘timeout’ value no matter what he was doing.
  6. The working solution
    set filter alive 0 deny udp src eq 123
set filter alive 1 deny tcp src eq 123
set filter alive 2 deny udp dst eq 123
set filter alive 3 deny tcp dst eq 123
set filter alive 4 permit 0 0

That last line is the important one.  Here’s a quote from a user on the FreeBSD-Questions
mailing list:

Whenever you define a ruleset, there’s in implicit default filter of: 

set filter alive lastrule+1 deny 0 0

This rule needs to be changed to allow everything not explicitly defined: 

set filter alive lastrule+1 permit 0 0

This applies to all filters or rulesets defined in /etc/ppp/ppp.conf.

Other PPP filters

Additional filters include: 
dial (for dial on demand)
in (for incoming packets)
out (for outgoing packets)

Other filters

Finally, this is a beginning for defining packet filtering rules, however it’s really not very powerful.  If you need something more complex you should look into the ipfilter package which works with the kernel level pppd.