Mark Johnson wrote:

> Per Ralph Clark, I'm now running "/usr/sbin/diald debug 31 -daemon", and
> getting lots of info. I noticed that while I am generating no activity
> via Netscape (see original note, below), diald sends a packet every 10
> seconds or so:
>
> diald[730]: filter accepted rule 41 proto 88 len 60 packet
> 207.66.20.23,0 => 224.0.0.10,0
>
> Rule 41 is "accept any 30 any".
> 207.66.20.23 is my ISP's router.
> 224.0.0.10 is IGRP-ROUTERS.MCAST.NET, which has something to do with
> multicasts, I believe.
> Although "88" doesn't appear in "/etc/protocols",
> [root]# cat /etc/services |grep 88
> kerberos        88/udp        kdc        # Kerberos authentication - udp
>
> kerberos        88/tcp         kdc        # Kerberos authentication - tcp
> I'm not knowingly doing any Kerberos authentication.

Don't worry about /etc/services; that has nothing to do with the protocol
number, as that 88 is the port number. Your diald message is using port 0, which is
plain old IP.

This is probably what's causing your problem:

> ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
> # rules 36 thru 40
> accept udp 30 udp.dest=udp.netbios-ns
> accept udp 30 udp.source=udp.netbios-ns

You would only be getting any of these packets if you had enabled Samba support.
You should ignore any netbios stuff anyway unless you need to allow netbios
(i.e. mount Windows file systems etc) over your modem line and I doubt that.

> Any more ideas? Perhaps you could post your file "standard.filter". By
> the way, my diald is 0.16.5, kernel 2.0.34.

The filter file contents didn't really change between diald versions anyway.
I've attached my customised filter as requested.

The customisations don't amount to very much. Apart from extending the 'keepup'
time from 2 minutes to 3 minutes to suit my own preferences, all the other
changes are flagged as "Ralph's additions" in the file. They include:

1) the first rule in the file is a new one I just got from someone off this
list (Dmitri Pogosyan) the other day, in order to stop Netscape from bringing up
an idle connection again when I exit from Netscape (aaargh....!)
All praise the guru!
2) changing the 'accept' for those nasty netbios packets to an 'ignore'
3) explicitly 'ignoring' all other registered netbios packet types
4) extra rules to recognise packets going to an external http/ftp proxy on port
8080, so those will also keep the link up for a while just like straight http
and ftp packets do. This requires adding a couple of lines to /etc/services as
follows:

wwwextproxy     8080/tcp        http    # WorldWideWeb HTTP
wwwextproxy     8080/udp                # HyperText Transfer Protocol

If you were running squid as well you might need to register a port for internal
proxying too, to use in an 'ignore' rule which would stop those from keeping the
link up.

--
[EMAIL PROTECTED]        Ralph Clark, Virgo Solutions Ltd (UK)
# This is a pretty complicated set of filter rules.
# (These are the rules I use myself.)
#
# I've divided the rules up into four sections.
# TCP packets, UDP packets, ICMP packets and a general catch all rule
# at the end.

#
# The link is normally held up for 2 minutes
# Netbios traffic is not allowed to hold up the link
# any second -- [EMAIL PROTECTED]
#


#------------------------------------------------------------------------------
# Rules for TCP packets.
#------------------------------------------------------------------------------
# General comments on the rule set:
#
# In general we would like to treat only data on a TCP link as significant
# for timeouts. Therefore, we try to ignore packets with no data.
# Since the shortest possible set of headers in a TCP/IP packet is 40 bytes,
# any packet with length 40 must have no data riding in it.
# We may miss some empty packets this way (optional routing information
# and other extras may be present in the IP header), but we should get
# most of them. Note that we don't want to filter out packets with
# tcp.live clear, since we use them later to speedup disconnects
# on some TCP links.
#
# We also want to make sure WWW packets live even if the TCP socket
# is shut down. We do this because WWW doesn't keep connections open
# once the data has been transferred, and it would be annoying to have the link
# keep bouncing up and down every time you get a document.
#
# Outside of WWW the most common use of TCP is for long lived connections,
# that once they are gone mean we no longer need the network connection.
# We don't necessarily want to wait 10 minutes for the connection
# to go down when we don't have any telnets or rlogins running,
# so we want to speed up the timeout on TCP connections that have
# shutdown. We do this by catching packets that do not have the live flag set.

# --- start of rule set proper ---

############################# Ralph's additions:################################
# ignore Netscape's tendency to bring up the link on exit in order to close
# the 'connection'. diald rules need a protocol before the packet rule,
# so the rule is "ignore tcp tcp.fin", not just "ignore tcp.fin".
ignore tcp tcp.fin
############################end of Ralph's additions############################

# When initiating a connection we only give the link 60 seconds initially.
# The idea here is to deal with the possibility that the network on the opposite
# end of the connection is unreachable. In this case you don't really
# want to give the link 10 minutes up time. If the network is reachable
# then we will normally get a response that actually contains some
# data within 60 seconds. If this causes problems because you have a slow
# response time at some site you want to regularly access, you can either
# increase the timeout or remove this rule.
accept tcp 60 tcp.syn

# Keep named xfers from holding the link up
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain

# (Ack! SCO telnet starts by sending empty SYNs and only opens the
# connection if it gets a response. Sheesh..)
accept tcp 5 ip.tot_len=40,tcp.syn

# keep empty packets from holding the link up (other than empty SYN packets)
ignore tcp ip.tot_len=40,tcp.live

# make sure http transfers hold the link for 3 minutes (180 seconds), even after they end.
# NOTE: Your /etc/services may not define the tcp service www, in which
# case you should comment out the following two lines or get a more
# up to date /etc/services file. See the FAQ for information on obtaining
# a new /etc/services file.
accept tcp 180 tcp.dest=tcp.www
accept tcp 180 tcp.source=tcp.www
#
###############################Ralph's additions################################
# support external web proxy
accept tcp 180 tcp.dest=tcp.wwwextproxy
accept tcp 180 tcp.source=tcp.wwwextproxy
############################end of Ralph's additions############################

# Once the link is no longer live, we try to shut down the connection
# quickly. Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 5 !tcp.live
ignore tcp !tcp.live

# an ftp-data or ftp connection can be expected to show reasonably frequent
# traffic.
accept tcp 180 tcp.dest=tcp.ftp
accept tcp 180 tcp.source=tcp.ftp

#NOTE: ftp-data is not defined in the /etc/services file provided with
# the latest versions of NETKIT, so I've got this commented out here.
# If you want to define it add the following line to your /etc/services:
# ftp-data        20/tcp
# and uncomment the following two rules.
#accept tcp 180 tcp.dest=tcp.ftp-data
#accept tcp 180 tcp.source=tcp.ftp-data

# If we don't catch it above, give the link 2 minutes (120 seconds) up time.
accept tcp 120 any

# Rules for UDP packets
#
# We time out domain requests right away, we just want them to bring
# the link up, not keep it around for very long.
# This is because the network will usually come up on a call
# from the resolver library (unless you have all your commonly
# used addresses in /etc/hosts, in which case you will discover
# other problems.)
# Note that you should not make the timeout shorter than the time you
# might expect your DNS server to take to respond. Otherwise
# when the initial link gets established there might be a delay
# greater than this between the initial series of packets before
# any packets that keep the link up longer pass over the link.

# Don't bring the link up for rwho.
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
# Don't bring the link up for RIP.
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
# Don't bring the link up for NTP or timed.
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
# Don't bring up on domain name requests between two running nameds.
ignore udp udp.dest=udp.domain,udp.source=udp.domain
# Bring up the network whenever we make a domain request from someplace
# other than named.
accept udp 30 udp.dest=udp.domain 
accept udp 30 udp.source=udp.domain
# netbios-ns broadcasts, on the other hand, must never bring the link up or
# hold it up (the stock 'accept' rules have been changed to 'ignore').
# NOTE: your /etc/services file may not define the netbios-ns service
# in which case you should comment out the next three lines.
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
ignore udp udp.dest=udp.netbios-ns
ignore udp udp.source=udp.netbios-ns

###############################Ralph's additions################################
# exclude all other netbios packets
ignore udp udp.source=udp.netbios-dgm,udp.dest=udp.netbios-dgm
ignore udp udp.dest=udp.netbios-dgm
ignore udp udp.source=udp.netbios-dgm
ignore udp udp.source=udp.netbios-ssn,udp.dest=udp.netbios-ssn
ignore udp udp.dest=udp.netbios-ssn
ignore udp udp.source=udp.netbios-ssn
############################end of Ralph's additions############################


# keep routed and gated transfers from holding the link up
# (these are udp rules, so the fields must be udp.dest/udp.source, not tcp.*;
# the RIP rules above already cover the same ports)
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
# Anything else gets 2 minutes.
accept udp 120 any

# Catch any packets that we didn't catch above and give the connection
# 30 seconds of live time.
accept any 30 any
#
################################Ralph's notes###################################
# if the telephone company charges in 'units' of 180 seconds (i.e. minimum call
# charge)
#
# use the "impulse" directive, say
#
# impulse 130,160,20
#
# It means diald will drop the line only after the first 130 seconds if there's 
# no traffic in the following 20 seconds, then repeat (160 seconds without 
# dropping the line and 20 seconds to drop it if there's no traffic).
# The first period is shorter to discount the time needed for modem 
# negotiation/link establishment.
################################################################################
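To see which rule a given packet actually hits, here is an added example (my own code, not diald's and not part of Ralph's filter) that evaluates a subset of the rules above with diald's first-match semantics; the packets, the rule subset and the /etc/services lookup table are constructed for the demonstration.

```python
# Constructed subset of /etc/services, keyed the way diald rules name services.
SERVICES = {"tcp.www": 80, "tcp.ftp": 21, "tcp.domain": 53,
            "udp.domain": 53, "udp.netbios-ns": 137}

def parse_rule(line):
    """Split '<action> <proto> [<timeout>] <conds>' into its parts."""
    action, proto, *rest = line.split()
    timeout = int(rest.pop(0)) if rest and rest[0].isdigit() else 0
    conds = [] if not rest or rest == ["any"] else rest[0].split(",")
    return action, proto, timeout, conds

def cond_matches(cond, pkt):
    """'field=value' compares a header field; a bare 'flag' (or '!flag') tests it."""
    neg = cond.startswith("!")
    cond = cond.lstrip("!")
    if "=" in cond:
        field, value = cond.split("=", 1)
        hit = str(pkt.get(field)) == str(SERVICES.get(value, value))
    else:
        hit = bool(pkt.get(cond))
    return hit != neg

def first_match(rules, pkt):
    """Return (rule_no, action, timeout) of the first rule whose protocol and
    all conditions match; None if nothing matches (diald stops at first hit)."""
    for no, line in enumerate(rules, 1):
        action, proto, timeout, conds = parse_rule(line)
        if proto not in ("any", pkt["proto"]):
            continue
        if all(cond_matches(c, pkt) for c in conds):
            return no, action, timeout
    return None

RULES = [                                   # a few rules from the filter above
    "ignore tcp tcp.fin",
    "accept tcp 60 tcp.syn",
    "ignore tcp ip.tot_len=40,tcp.live",
    "accept tcp 180 tcp.dest=tcp.www",
    "accept tcp 120 any",
    "ignore udp udp.dest=udp.netbios-ns",
    "accept udp 120 any",
    "accept any 30 any",
]

PACKETS = {   # constructed packets: the proto-88 multicast from the log, and others
    "proto88":   {"proto": "88", "src": "207.66.20.23", "dst": "224.0.0.10"},
    "netbios":   {"proto": "udp", "udp.dest": 137},
    "http":      {"proto": "tcp", "tcp.dest": 80, "tcp.live": 1, "ip.tot_len": 512},
    "empty_ack": {"proto": "tcp", "tcp.dest": 80, "tcp.live": 1, "ip.tot_len": 40},
}

def classify_all():
    return {name: first_match(RULES, pkt) for name, pkt in PACKETS.items()}
```

The proto-88 packet matches neither the tcp nor the udp rules and falls through to the catch-all, which is exactly what the "filter accepted rule 41 ... accept any 30 any" log line reports; the netbios query and the empty ACK are ignored and never hold the link.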
