{ my $policy = $DialupConnOffice; $OUT .= "\n"; $OUT .= "#------------------------------------------------------------\n"; $OUT .= "# Use \"$policy\" connect policy during office "; $OUT .= "hours on weekdays\n"; $OUT .= "#------------------------------------------------------------\n"; $OUT .= "\n"; $OUT .= "restrict 8:00:00 17:59:59 1-5 * *\n"; $OUT .= "\n"; if ($policy eq 'continuous') { $OUT .= "up\n"; } elsif ($policy eq 'never') { $OUT .= "down\n"; } else { #-------------------------------------------------- # "short" policy: HTTP transfers get 3 minutes, # everything else gets 30 seconds. #-------------------------------------------------- my $httpHold = 180; my $otherHold = 30; if ($policy eq 'medium') { #-------------------------------------------------- # "medium" policy: HTTP transfers get 10 minutes, # everything else gets 5 minutes. #-------------------------------------------------- $httpHold = 600; $otherHold = 300; } elsif ($policy eq 'long') { #-------------------------------------------------- # "long" policy: HTTP transfers get 20 minutes, # everything else gets 10 minutes. #-------------------------------------------------- $httpHold = 1200; $otherHold = 600; } #------------------------ # Rules for TCP packets. #------------------------ # If we force the line up (for example to trigger fetchmail) # but no packets are sent, specify how long to hold the line # up: $OUT .= "first-packet-timeout $otherHold\n"; # The first rule is designed to give the link 30 seconds up time # when we are initiating a TCP connection. The idea here is to deal # with possibility that the network on the opposite end of the # connection is unreachable. In this case you don't really want to # give the link 10 minutes up time. With the rule below we only give # the link 30 seconds initially. If the network is reachable then # we will normally get a response that actually contains some data # within 30 seconds. If this causes problems because you have a # slow response time at some site you want to regularly access, you # can either increase the timeout or remove this rule. $OUT .= "accept tcp 30 tcp.syn\n"; # If you are running named, then it will send data across the link # periodically to synchronize against other domain name servers. # Since this can happen at any time, it is undesirable to keep the # link up for it. Therefore, we ignore any tcp traffic from or to a # domain name server. $OUT .= "ignore tcp tcp.dest=tcp.domain\n"; $OUT .= "ignore tcp tcp.source=tcp.domain\n"; # Normally the packet that starts a connection is longer that 40 # bytes, since it normally contains TCP options to specify the MSS. # However, some TCP implementations don't include these options. # Therefore, we must be careful not to ignore SYN packets that are # only 40 bytes long. $OUT .= "accept tcp 30 ip.tot_len=40,tcp.syn\n"; # Otherwise, we want to ignore any TCP packet that is only 40 bytes # long, since it is not carrying any data. However, we don't want to # ignore 40 byte packets that mark the closing of a connection, # since we use those to cut short the timeout on connections that # have died. Therefore we must test the tcp.live flag here. If it # is not set we might want to see this packet later on in the rules. $OUT .= "ignore tcp ip.tot_len=40,tcp.live\n"; # Make sure http transfers hold the link up, even after they end. # This prevents web browsers from bouncing the connection too much. $OUT .= "accept tcp $httpHold tcp.dest=tcp.www\n"; $OUT .= "accept tcp $httpHold tcp.source=tcp.www\n"; if ($SquidParent) { $OUT .= "accept tcp $httpHold tcp.dest=tcp.wwwproxy\n"; $OUT .= "accept tcp $httpHold tcp.source=tcp.wwwproxy\n"; } # Once the link is no longer live, we try to shut down the # connection quickly. Note that if the link is already down, the # closing of the a connection (which will generate traffic) will not # bring it back up. $OUT .= "keepup tcp $otherHold !tcp.live\n"; $OUT .= "ignore tcp !tcp.live\n"; # Finally, if we don't match the TCP packet somewhere above, then we # give the link 10 minutes up time. Most TCP packets match this # rule. Note that as soon as the TCP connection is closed, the keepup # rule above overwrites the timeout. $OUT .= "accept tcp 600 any\n"; #----------------------- # Rules for UDP packets #----------------------- # Don't bring the link up for rwho: $OUT .= "ignore udp udp.dest=udp.who\n"; $OUT .= "ignore udp udp.source=udp.who\n"; # Don't bring the link up for routing packets: $OUT .= "ignore udp udp.dest=udp.route\n"; $OUT .= "ignore udp udp.source=udp.route\n"; # Don't bring the link up for NTP or timed: $OUT .= "ignore udp udp.dest=udp.ntp\n"; $OUT .= "ignore udp udp.source=udp.ntp\n"; $OUT .= "ignore udp udp.dest=udp.timed\n"; $OUT .= "ignore udp udp.source=udp.timed\n"; # Don't bring up on domain name requests between # two running copies of named: $OUT .= "ignore udp udp.dest=udp.domain,udp.source=udp.domain\n"; # Bring up the network for domain requests: $OUT .= "accept udp 30 udp.dest=udp.domain \n"; $OUT .= "accept udp 30 udp.source=udp.domain\n"; # Bring up the network for netbios requests, # except between netbios servers: $OUT .= "ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns\n"; $OUT .= "accept udp 30 udp.dest=udp.netbios-ns\n"; $OUT .= "accept udp 30 udp.source=udp.netbios-ns\n"; # Any other UDP packets: $OUT .= "accept udp $otherHold any\n"; # Catch any packets that we didn't catch above: $OUT .= "accept any $otherHold any\n"; } }