Ascend Archive

RE: (ASCEND) Filters and such...

On Thu, 19 Mar 1998, Gerard Cany wrote:

> Simple solutions ??
> 
> With all the talk of having to add filters etc.... has anyone created
> radius user file entries for all the different filters that we can
> just cut and paste etc....
> [Gerard Cany] 
>         Ascend-Data-Filter = "ip in drop udp dstport = 9",
>         Ascend-Data-Filter = "ip in drop tcp dstport = 137",
>         Ascend-Data-Filter = "ip in drop tcp dstport = 138",
>         Ascend-Data-Filter = "ip in drop tcp dstport = 139",
>         Ascend-Data-Filter = "ip in drop udp dstport = 137",
>         Ascend-Data-Filter = "ip in drop udp dstport = 138",
>         Ascend-Data-Filter = "ip in drop udp dstport = 139",
>         Ascend-Data-Filter = "ip in forward" 
> 

This is very close to the filter we have.  We also protect against IP
spoofing by not using a generic "ip in forward" at the end but a filter
that looks more like:

        Framed-Address = 208.6.68.160,
        Framed-Netmask = 255.255.255.255,
        Ascend-Data-Filter = "ip in drop tcp dstport = 137",
        Ascend-Data-Filter = "ip in drop tcp dstport = 138",
        Ascend-Data-Filter = "ip in drop tcp dstport = 139",
        Ascend-Data-Filter = "ip in forward srcip 208.6.68.160/32",
        Ascend-Data-Filter = "ip out drop tcp dstport = 137",
        Ascend-Data-Filter = "ip out drop tcp dstport = 138",
        Ascend-Data-Filter = "ip out drop tcp dstport = 139",
        Ascend-Data-Filter = "ip out forward",
We also block 137, 138, and 139 in both directions.  The problem with all
of this is by the time you're done, the RADIUS record is so large you
can't make it a DBM file anymore -- the record is larger than 1K.

The other problem I have is in order to defend against IP spoofing, you
have to give out static IPs.  If you were using dynamic IPs, you *could*
filter all IPs except the ones from the pool, but it doesn't offer quite
the same protection...

Just points to ponder...


Steve


++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
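Added example, not from either post above: a short Python script that generates the static-IP, anti-spoofing entry Steve describes for any user and address (with a hook for extra drops such as Gerard's udp port 9 rule), checks the resulting record against the 1K DBM limit he mentions, and dry-runs sample packets against the filter list so you can see a spoofed source being dropped. Everything beyond the filter strings themselves is an assumption: the `Password = "UNIX"` first line is a placeholder, the evaluator assumes rules are checked top to bottom with first match winning and an implicit drop when nothing matches (which is why both posts end with an explicit forward rule), the 1024-byte budget stands in for the DBM record limit, and only the syntax subset used in the thread (proto, srcip/dstip CIDR, `srcport =`/`dstport =`) is parsed.

```python
"""Generate and dry-run Ascend-Data-Filter RADIUS entries (added example).

Assumed, not stated in the thread: rules are checked top to bottom, the first
match wins, and a packet matching no rule is dropped; only the filter syntax
used in the thread (proto, srcip/dstip CIDR, srcport/dstport =) is parsed.
"""
import ipaddress
import re

NETBIOS_PORTS = (137, 138, 139)
DBM_RECORD_LIMIT = 1024  # assumed byte budget for one DBM users record


def build_entry(user, ip, extra_drops=()):
    """Users-file lines for a static-IP account with the anti-spoofing filter.

    extra_drops: extra (direction, proto, port) tuples, e.g. ("in", "udp", 9).
    The Password line is a placeholder; real entries use whatever auth you run.
    """
    lines = [f'{user}\tPassword = "UNIX"',
             f'\tFramed-Address = {ip},',
             '\tFramed-Netmask = 255.255.255.255,']
    for direction in ("in", "out"):
        for d_dir, proto, port in extra_drops:
            if d_dir == direction:
                lines.append(f'\tAscend-Data-Filter = "ip {direction} drop {proto} dstport = {port}",')
        for proto in ("tcp", "udp"):
            for port in NETBIOS_PORTS:
                lines.append(f'\tAscend-Data-Filter = "ip {direction} drop {proto} dstport = {port}",')
        if direction == "in":
            # only forward inbound packets whose source is the address we assigned
            lines.append(f'\tAscend-Data-Filter = "ip in forward srcip {ip}/32",')
        else:
            lines.append('\tAscend-Data-Filter = "ip out forward"')
    return lines


def record_size(lines):
    """Approximate DBM value size: every attribute line after the user line plus a newline."""
    return sum(len(line.strip()) + 1 for line in lines[1:])


def filter_strings(lines):
    """Pull the quoted filter text out of each Ascend-Data-Filter line."""
    return [re.search(r'"([^"]*)"', line).group(1)
            for line in lines if "Ascend-Data-Filter" in line]


def parse_rule(text):
    """Parse 'ip <in|out> <forward|drop> [proto] [srcip a.b.c.d/n] [dstip ...] [dstport = N] [srcport = N]'."""
    toks = text.split()
    if len(toks) < 3 or toks[0] != "ip" or toks[1] not in ("in", "out") \
            or toks[2] not in ("forward", "drop"):
        raise ValueError(f"unsupported rule: {text!r}")
    rule = {"dir": toks[1], "action": toks[2], "proto": None,
            "srcip": None, "dstip": None, "srcport": None, "dstport": None}
    i = 3
    while i < len(toks):
        tok = toks[i]
        if tok in ("tcp", "udp", "icmp"):
            rule["proto"] = tok
            i += 1
        elif tok in ("srcip", "dstip"):
            rule[tok] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif tok in ("srcport", "dstport"):
            if toks[i + 1] != "=":
                raise ValueError("only '=' port comparisons are handled here")
            rule[tok] = int(toks[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported token {tok!r} in {text!r}")
    return rule


def matches(rule, pkt):
    """True if every field the rule constrains agrees with the packet."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    for key in ("srcip", "dstip"):
        if rule[key] is not None and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    for key in ("srcport", "dstport"):
        if rule[key] is not None and rule[key] != pkt.get(key):
            return False
    return True


def evaluate(filters, pkt):
    """First matching rule decides; no match means drop (assumed default)."""
    for rule in map(parse_rule, filters):
        if matches(rule, pkt):
            return rule["action"]
    return "drop"


if __name__ == "__main__":
    entry = build_entry("steve", "208.6.68.160", extra_drops=[("in", "udp", 9)])
    print("\n".join(entry))
    print(f"# record size {record_size(entry)} bytes (limit {DBM_RECORD_LIMIT})")
    rules = filter_strings(entry)
    # constructed sample packet: inbound from the dial-up port with a forged source
    spoofed = {"dir": "in", "proto": "tcp", "srcip": "10.0.0.1",
               "dstip": "192.0.2.1", "dstport": 80}
    print("spoofed inbound ->", evaluate(rules, spoofed))
```

Run it as-is to print the generated entry, its size, and the verdict for a forged source. The dynamic-pool variant Steve mentions falls out of the same code: replace the `/32` in the inbound forward rule with the pool's prefix, and `evaluate` shows why it is weaker, since any address inside the pool then passes.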

