# This is a pretty complicated set of filter rules.
# (These are the rules I use myself.)
#
# I've divided the rules up into four sections.
# TCP packets, UDP packets, ICMP packets and a general catch all rule
# at the end.


#------------------------------------------------------------------------------
# Rules for TCP packets.
#------------------------------------------------------------------------------
# In general we would like to treat only data on a TCP link as signficant
# for timeouts. Therefore, we try to ignore packets with no data.
# Since the shortest possible set of headers in a TCP/IP packet is 40 bytes.
# Any packet with length 40 must have no data riding in it.
# We may miss some empty packets this way (optional routing information
# and other extras may be present in the IP header), but we should get
# most of them. Note that we don't want to filter out packets with
# tcp.fin set, since we use them later to speedup disconnects on some TCP links.
#
# Make sure WWW packets live even if the TCP socket is shut down.
# We do this because WWW doesn't keep connections open once the data
# has been transfered, and it would be annoying to have the link
# keep bouncing up and down every time you get a document.
#
# The most common use of TCP is for long lived connections, that
# once they are gone mean we no longer need the network connection.
# We don't neccessarily want to wait 10 minutes for the connection
# to go down when we don't have any telnet's or rlogin's running,
# so we want to speed up the timeout on TCP connections that have
# shutdown. We do this by catching packets that do not have the live flag set.

# Keep named xfers from holding the link up
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
# (Ack! SCO telnet starts by sending empty SYNs and only opens the
# connection if it gets a response. Sheesh..)
accept tcp 5 ip.tot_len=40,tcp.syn
# keep empty packets from holding the link up (other than empty SYN packets)
ignore tcp ip.tot_len=40,tcp.live
# make sure http transfers hold the link for 2 minutes, even after they end.
# NOTE: Your /etc/services may not define the tcp service www, in which
# case you should comment out the following two lines or get a more
# up to date /etc/services file. See the FAQ for information on obtaining
# a new /etc/services file.
accept tcp 120 tcp.dest=tcp.www
accept tcp 120 tcp.source=tcp.www
# Once the link is no longer live, we try to shut down the connection
# quickly. Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 5 !tcp.live
ignore tcp !tcp.live
# an ftp-data or ftp connection can be expected to show reasonably frequent
# traffic.
accept tcp 60 tcp.dest=tcp.ftp
accept tcp 60 tcp.source=tcp.ftp
#NOTE: ftp-data is not defined in the /etc/services file provided with
# the latest versions of NETKIT, so I've got this commented out here.
# If you want to define it add the following line to your /etc/services:
# ftp-data        20/tcp
# and uncomment the following two rules.
accept tcp 120 tcp.dest=tcp.ftp-data
accept tcp 120 tcp.source=tcp.ftp-data
# Accept nntp
accept tcp 120 tcp.dest=tcp.nntp
accept tcp 120 tcp.source=tcp.nntp
# Telnet 
accept tcp 240 tcp.dest=tcp.telnet
accept tcp 240 tcp.source=tcp.telnet
# Rlogin
accept tcp 120 tcp.dest=tcp.login
accept tcp 120 tcp.source=tcp.login
# Microsoft Date
# accept tcp 60 tcp.dest=tcp.netbios-ssn
# accept tcp 60 tcp.source=tcp.netbios-ssn
# Xwin
accept tcp 60 tcp.dest=tcp.xwin
accept tcp 60 tcp.source=tcp.xwin
# imap + pop
accept tcp 60 tcp.dest=tcp.pop-3
accept tcp 60 tcp.dest=tcp.imap
accept tcp 60 tcp.source=tcp.imap
# Shell
accept tcp 120 tcp.dest=tcp.shell
# Long packets like ftp keep the link up
accept tcp 120  ip.tot_len>=255
# If we don't catch it above, give the link 10 minutes up time.
# accept tcp 600 any
# accept tcp 60 any
ignore tcp any

# Rules for UDP packets
#
# We time out domain requests right away, we just want them to bring
# the link up, not keep it around for very long.
# This is because the network will usually come up on a call
# from the resolver library (unless you have all your commonly
# used addresses in /etc/hosts, in which case you will discover
# other problems.)
# Note that you should not make the timeout shorter than the time you
# might expect your DNS server to take to respond. Otherwise
# when the initial link gets established there might be a delay
# greater than this between the initial series of packets before
# any packets that keep the link up longer pass over the link.

# Don't bring the link up for rwho.
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
# Don't bring the link up for RIP.
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
# Don't bring the link up for NTP or timed.
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
# Don't bring up on domain name requests between two running nameds.
# ignore udp udp.dest=udp.domain,udp.source=udp.domain
accept udp 10 udp.dest=udp.domain,udp.source=udp.domain
# Bring up the network whenever we make a domain request from someplace
# other than named.
# accept udp 10 udp.dest=udp.domain 
# accept udp 10 udp.source=udp.domain
ignore udp udp.dest=udp.domain 
ignore udp udp.source=udp.domain
# Do the same for netbios-ns broadcasts
# NOTE: your /etc/services file may not define the netbios-ns service
# in which case you should comment out the next three lines.
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
# accept udp 10 udp.dest=udp.netbios-ns
# accept udp 10 udp.source=udp.netbios-ns
ignore udp udp.dest=udp.netbios-ns
ignore udp udp.source=udp.netbios-ns
# keep routed and gated transfers from holding the link up
ignore udp tcp.dest=udp.route
ignore udp tcp.source=udp.route
# Anything else gest 2 minutes.
# accept udp 120 any
# accept udp 60 any
ignore udp any

# All ICMP packets are ignored for the purposes of bring the link up or down.
accept icmp 10 udp.dest=udp.echo
accept icmp 10 tcp.dest=tcp.echo
# ignore icmp any
accept icmp 10 any

# Catch any packets that we didn't catch above and give the connection
# 30 seconds of live time.
# accept any 30 any
ignore any any

# Sunday
restrict 05:00:00 21:00:00 0 * *
impulse 140,10

# Saturday
restrict 05:00:00 21:00:00 6 * *
impulse 140,10

restrict 21:00:00 23:59:59 * * *
impulse 230,10
restrict 00:00:00 05:00:00 * * *
impulse 230,10

restrict 05:00:00 09:00:00 * * *
impulse 140,10

restrict 09:00:00 18:00:00 * * *
impulse 80,10

restrict 18:00:00 21:00:00 * * *
impulse 140,10

# Valid modes are: slip, cslip, slip6, cslip6, aslip, ppp
# mode ppp

redial-backoff-start 5


# Used by dctrl to monitor diald
fifo "/etc/diald/diald.ctl"

# Put your addresses here
local 194.77.xxx.a
remote 194.77.xxx.bb
netmask 255.255.255.240
connect "/bin/true"
disconnect "/bin/true"
# connect "/sbin/isdnctrl addphone ippp0 out 240"
# disconnect "/sbin/isdnctrl delphone ippp0 out 240 ; /sbin/isdnctrl delphone ippp0 out 240 ; /sbin/isdnctrl hangup ippp0 "

addroute /etc/diald/addroute
delroute /etc/diald/delroute

ip-up /etc/diald/ipup
ip-down /etc/diald/ipdown

# debug 9