1. What does a RADIUS entry look like for a PPP user who is only
allowed to log in on ports 4, 5 and 6? Something like this doesn't work:

    fred Password = "UNIX", NAS-Port-ID = 4 5 6,
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Netmask = 255.255.255.192

2. I'm using a dialback entry in the RADIUS users file. This entry
works, but how can I let the modem dial pulse instead of tone? I put
the modem on pulse dialing and when I dial on that port it dials
pulse. But when the dialback entry dials back it uses tone dialing.
This tone dialing must come explicitly from the dialer; how can I
change this? Or how can I change my RADIUS entry for pulse dialing?

3. PortMaster filter questions:
These are the filters I use on the PM2e for dial-up users. I think the
mailonly.out is giving problems. Can someone please explain what's
wrong with this filter?

mailonly.in
    permit 0.0.0.0/0 dns.uem.mz/32 udp dst eq domain
    permit 0.0.0.0/0 pop3.uem.mz/32 tcp dst eq pop3
    permit 0.0.0.0/0 mail.uem.mz/32 tcp dst eq smtp

mailonly.out
    permit dns.uem.mz/32 0.0.0.0/0 udp src eq domain
    permit pop3.uem.mz/32 0.0.0.0/0 tcp src eq pop3 estab
    permit mail.uem.mz/32 0.0.0.0/0 tcp src eq smtp estab

In which case is it really necessary to use a .in AND a .out filter?
Can you explain to me the use of estab? Is the domain rule needed in
mailonly.out?
Next are the internet filters. Please comment on the internet.out
because it doesn't work well:

internet.in
    permit 0.0.0.0/0 dns.uem.mz/32 udp dst eq domain
    permit 0.0.0.0/0 pop3.uem.mz/32 tcp dst eq pop3
    permit 0.0.0.0/0 mail.uem.mz/32 tcp dst eq smtp
    permit 0.0.0.0/0 news.uem.mz/32 tcp dst eq nntp
    permit tcp dst eq ftp
    permit tcp src gt 1023 dst eq ftp-data estab
    permit tcp dst eq www-http
    permit tcp dst eq telnet
    permit tcp dst eq auth
    permit icmp

internet.out
    permit dns.uem.mz/32 0.0.0.0/0 udp src eq domain
    permit pop3.uem.mz/32 0.0.0.0/0 tcp src eq pop3
    permit mail.uem.mz/32 0.0.0.0/0 tcp src eq smtp
    permit news.uem.mz/32 0.0.0.0/0 tcp src eq nntp
    permit tcp src eq ftp dst gt 1023 estab
    permit tcp src eq ftp-data dst gt 1023
    permit tcp src eq www-http estab
    permit tcp src eq telnet estab
    permit tcp src eq auth estab
    permit icmp

The authentication is used for certain ftp servers and I think telnet
needs it as well, but the real meaning is unclear. Authorisation might
not be possible with PPP users on an assigned address base!
Does the order of the rules in the filter make any difference (i.e.
the ftp rules)?

Cheers,
Rob Poland
poland@nambu.uem.mz