Ascend Archive

Re: (ASCEND) Need Filter-Entry



On Tue, 13 Jan 1998, Stefan M. Brandl wrote:

> In article <x41zyc8tog.fsf@adamc.noc.colt.net> you wrote:
> > Adam Chappell <adamc@adamc.noc.colt.net> writes:
> > 
> >> > I need a radius filter entry that allows smtp-connections only to one
> >> > single host. Connections to any other host on port 25 should be denied.
> >> > Connections on all other ports should be allowed to any host.
> >> > 
> >> > Can anyone give me an example-entry?
> >> 
> >> # Allow TCP to and from goodhost [1.2.3.4] on SMTP port
> >>  Ascend-Data-Filter = "ip in forward dstip 1.2.3.4/32 tcp dstport = 25"
> >>  Ascend-Data-Filter = "ip out forward srcip 1.2.3.4/32 tcp srcport = 25"
> >> 
> >> # Allow any TCP where the port involved is not SMTP
> >>  Ascend-Data-Filter = "ip in forward tcp dstport != 25"
> >>  Ascend-Data-Filter = "ip out forward tcp srcport != 25"
> > 
> > Duh! I'm not thinking straight this morning. Get rid of the 'tcp' from
> > all of these entries as well, otherwise I think you'll lose every
> > other protocol in the implicit drop rule :<
> > 
> > Ascend-Data-Filter = "ip in forward dstip 1.2.3.4/32 dstport = 25"
> > Ascend-Data-Filter = "ip out forward srcip 1.2.3.4/32 srcport = 25"
> > Ascend-Data-Filter = "ip in forward dstport != 25"
> > Ascend-Data-Filter = "ip out forward srcport != 25"
> 
> Hi Adam,
> thanks for your reply, but that filter doesn't work :-(
> I still can make connections on port 25 to any host.

I'm not fluent in the syntax of these filters (in particular, check if 
"drop" is the correct keyword), but surely what you want is something like:

# let the permitted smtp sessions in
Ascend-Data-Filter = "ip in forward dstip 1.2.3.4/32 dstport = 25"
# drop all other smtp sessions
Ascend-Data-Filter = "ip in drop dstport = 25"
# let everything else through
Ascend-Data-Filter = "ip in forward dstport != 25"
Ascend-Data-Filter = "ip out forward srcport != 25"

Note that this assumes the filter is being applied at the WAN interface 
and the protected host is on the ethernet.  If this is not the case, then 
you may need to reverse the ins and outs; if applying a filter on the 
ethernet, don't forget to allow ARP!

Regards,
Neale.
 -----------------------------------------------------------------
 Neale Banks                                   Ph: +61 3 9205 0333
 Network Manager                               Fx: +61 3 9819 0533
 Planet Internet & Integration Design
 neale@idesign.com.au                          neale@planet.net.au
 http://www.idesign.com.au               http://www.planet.net.au/
 -----------------------------------------------------------------
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
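The rule set above is ordered, and its behaviour depends on that order. The following is an added example, not code from the original posting and not Ascend firmware: a small simulator that parses filter lines in the syntax quoted in this thread and evaluates constructed packets against them. It assumes first-match semantics with an implicit drop when no rule matches (consistent with the "implicit drop rule" Adam refers to above); the packet addresses and ports are made up, with 1.2.3.4 standing in for the permitted SMTP host. It also shows what happens to the outbound reply packets of a permitted SMTP session under the rules exactly as quoted, and why the specific forward rule has to precede the general drop.

```python
# Added example: ordered, first-match evaluation of Ascend-Data-Filter style
# rules. Not Ascend code; the match semantics are an ASSUMPTION consistent
# with the thread (first matching rule wins, unmatched packets are dropped).
# All packets below are constructed test data; 1.2.3.4 is the "goodhost".
import ipaddress
import re
from dataclasses import dataclass

# Grammar covering only the rule shapes that appear in the thread:
#   ip <in|out> <forward|drop> [dstip|srcip <net>] [dstport|srcport <=|!=> <n>]
RULE_RE = re.compile(
    r"^ip (?P<dir>in|out) (?P<action>forward|drop)"
    r"(?: (?P<which>dstip|srcip) (?P<net>\S+))?"
    r"(?: (?P<port>dstport|srcport) (?P<op>=|!=) (?P<num>\d+))?$"
)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to the filtered interface
    src: str
    dst: str
    sport: int
    dport: int


def parse_rule(text):
    """Parse one filter line into a dict of its fields (None when absent)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported filter syntax: {text!r}")
    return m.groupdict()


def compile_filter(lines):
    return [parse_rule(line) for line in lines]


def rule_matches(rule, pkt):
    if rule["dir"] != pkt.direction:
        return False
    if rule["which"]:
        addr = pkt.dst if rule["which"] == "dstip" else pkt.src
        net = ipaddress.ip_network(rule["net"], strict=False)
        if ipaddress.ip_address(addr) not in net:
            return False
    if rule["port"]:
        port = pkt.dport if rule["port"] == "dstport" else pkt.sport
        num = int(rule["num"])
        if rule["op"] == "=" and port != num:
            return False
        if rule["op"] == "!=" and port == num:
            return False
    return True


def decide(rules, pkt):
    """First matching rule wins; no match falls through to the implicit drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "drop"


# Neale's rule set, exactly as quoted in the reply above.
NEALE_FILTER = compile_filter([
    "ip in forward dstip 1.2.3.4/32 dstport = 25",
    "ip in drop dstport = 25",
    "ip in forward dstport != 25",
    "ip out forward srcport != 25",
])

# Same rules with the general drop moved ahead of the specific forward.
REORDERED_FILTER = compile_filter([
    "ip in drop dstport = 25",
    "ip in forward dstip 1.2.3.4/32 dstport = 25",
    "ip in forward dstport != 25",
    "ip out forward srcport != 25",
])

# Constructed packets (not from the thread).
PACKETS = {
    "smtp_to_goodhost": Packet("in", "10.0.0.5", "1.2.3.4", 40001, 25),
    "smtp_to_otherhost": Packet("in", "10.0.0.5", "1.2.3.9", 40002, 25),
    "http_to_otherhost": Packet("in", "10.0.0.5", "1.2.3.9", 40003, 80),
    "smtp_reply_from_goodhost": Packet("out", "1.2.3.4", "10.0.0.5", 25, 40001),
}


def evaluate(rules=NEALE_FILTER):
    """Map each constructed packet name to the filter's verdict."""
    return {name: decide(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:28s} -> {verdict}")
    print("goodhost SMTP with drop rule first ->",
          decide(REORDERED_FILTER, PACKETS["smtp_to_goodhost"]))
```

Under these assumed semantics the quoted rule set forwards SMTP to 1.2.3.4, drops SMTP to any other host, and forwards other traffic inbound; the reordered variant drops the permitted session too, because the general "drop dstport = 25" line matches first. Note also that the reply packets of the permitted session (outbound, source port 25) match none of the four quoted lines and fall to the implicit drop, so in practice the "ip out forward srcip 1.2.3.4/32 srcport = 25" line from Adam's earlier set would need to be kept alongside Neale's ordering.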

