You can't do this. RADIUS, as we provide it, does not support limiting
users to a range of ports.
>2. I'm using a dialback entry in the Radius users file. This entry
>works but how can I let the modem dial pulse instead of tone. I put
>the modem on pulse dialing and when I dial on that port it dials
>pulse. But when the dialback entry dials back it uses tone dialing.
>This tone dialing must come explicitly from the dialer, how can I
>change this? Or how can I change my Radius entry for pulse dialing?
I've been here a year and you're the first person to ask this, had to go
check... Can't be done. 'ATDT' is hardcoded right into the ComOS.
>3. Portmaster filter questions:
>These are the filters I use on the PM2e for dial-up users. I think the
>mailonly.out is giving problems. Can someone please explain what's
>wrong with this filter?
>
>mailonly.in
>permit 0.0.0.0/0 dns.uem.mz/32 udp dst eq domain
>permit 0.0.0.0/0 pop3.uem.mz/32 tcp dst eq pop3
>permit 0.0.0.0/0 mail.uem.mz/32 tcp dst eq smtp
>
>mailonly.out
>permit dns.uem.mz/32 0.0.0.0/0 udp src eq domain
>permit pop3.uem.mz/32 0.0.0.0/0 tcp src eq pop3 estab
>permit mail.uem.mz/32 0.0.0.0/0 tcp src eq smtp estab
Off hand it looks ok to me, but I think the estab rule is unneeded.
>In which case is it really necessary to use a .in AND a .out filter?
Depends on how tightly you want to lock things down.
>Can you explain to me the use of estab? Is the domain rule needed in
>mailonly.out?
estab just checks TCP packets to see if it is an established session. All
packets after the first one in a session have a bit set to flag this. Since
the first packet must have made it through to establish the session in the
first place, estab is a quick check. Usually used like:
'permit tcp estab' near the top of the filter.
And you do need to allow domain requests on the in filter.
>Next are the internet filters, please comment on the internet.out
>because it doesn't work well:
This is beyond what we can really help with. Filters will vary from site
to site, and the only person who really knows how they should be configured
is someone who works at that site.
>Does the order of the rules in the filter make any difference (i.e.
>the ftp rules)?
Order makes a MAJOR difference. The filter is processed in order top to
bottom - the first rule that matches is used, and parsing stops there.
Getting rules in the wrong order can easily open unwanted holes or close
wanted ones.
-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951
megazone@livingston.com For support requests: support@livingston.com
<http://www.livingston.com/>
Snail mail: 6920 Koll Center Parkway #220, Pleasanton, CA 94566
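
An added example, not part of the original message and not Livingston's code: a small Python model of the first-match processing and the estab check described in the reply, run over the mailonly.out rules with constructed addresses in place of the hostnames. It assumes estab means "ACK bit set" and that a packet matching no rule is denied; the broad deny rule is constructed to show shadowing.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model; flags is a set of TCP flag names.
Packet = namedtuple("Packet", "src dst proto sport dport flags")
PORTS = {"domain": 53, "pop3": 110, "smtp": 25}

def parse_rule(line):
    """Parse 'permit|deny SRC/len DST/len proto [src|dst eq port] [estab]'."""
    tok = line.split()
    rule = {"action": tok[0], "src": ipaddress.ip_network(tok[1]),
            "dst": ipaddress.ip_network(tok[2]), "proto": tok[3],
            "side": None, "port": None, "estab": "estab" in tok}
    if "eq" in tok:
        i = tok.index("eq")
        rule["side"], rule["port"] = tok[i - 1], PORTS[tok[i + 1]]
    return rule

def matches(rule, pkt):
    port = pkt.sport if rule["side"] == "src" else pkt.dport
    return (ipaddress.ip_address(pkt.src) in rule["src"]
            and ipaddress.ip_address(pkt.dst) in rule["dst"]
            and pkt.proto == rule["proto"]
            and (rule["port"] is None or port == rule["port"])
            # Assumption: estab is modelled as "ACK bit set".
            and (not rule["estab"] or "ACK" in pkt.flags))

def evaluate(rules, pkt):
    """First matching rule wins; assumed implicit deny if nothing matches."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], number
    return "deny", None

# Constructed addresses standing in for dns/pop3/mail.uem.mz and a dial-up user.
DNS, POP3, MAIL, USER = "192.0.2.53", "192.0.2.110", "192.0.2.25", "198.51.100.7"
MAILONLY_OUT = [parse_rule(r) for r in (
    f"permit {DNS}/32 0.0.0.0/0 udp src eq domain",
    f"permit {POP3}/32 0.0.0.0/0 tcp src eq pop3 estab",
    f"permit {MAIL}/32 0.0.0.0/0 tcp src eq smtp estab")]
# Same rules behind a broad deny: the permits below it are never reached.
SHADOWED = [parse_rule("deny 0.0.0.0/0 0.0.0.0/0 tcp")] + MAILONLY_OUT

REPLY = Packet(POP3, USER, "tcp", 110, 1025, {"ACK"})   # server answering
OPENER = Packet(POP3, USER, "tcp", 110, 1025, {"SYN"})  # new session from port 110

if __name__ == "__main__":
    for name, rules in (("mailonly.out", MAILONLY_OUT), ("shadowed", SHADOWED)):
        for pkt in (REPLY, OPENER):
            print(name, sorted(pkt.flags), evaluate(rules, pkt))
```

In this model the POP3 reply is permitted by rule 2, the same packet without the ACK bit falls through to the deny, and placing the broad deny first blocks the reply at rule 1.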