>Once upon a time Rob Poland shaped the electrons to say...
>>1.How does a RADIUS entry look like for a PPP-user that is only
>>allowed to login on ports 4,5 and 6? Something like this doesn't work:
>
>You can't do this. RADIUS, as we provide it, does not support limiting
>users to a range of ports.
>
>>2. I'm using a dialback entry in the Radius users file. This entry
>>works but how can I let the modem dial pulse instead of tone. I put
>>the modem on pulse dailing and when I dial on that port it dials
>>pulse. But when the dialback entry dials back it is uses tone dailing.
>> This tone dialing must come explicitly from the dialer, how can I
>>change this? Or how can I change me Radius entry for pulse dialing.
>
>I've been here a year and you're the first person to ask this, had to go
>check... Can't be done. 'ATDT' is hardcoded right into the ComOS.
Could you send a pair of backspaces as part of the phone number and then
DP? Not sure, but it just might work.
>
>>3. Portmaster filter questions:
>>These are the filters I use on the PM2e for dial-up users. I think the
>>mailonly.out is giving problems can someone please explain what's
>>wrong with this filter?
>>
>>mailonly.in
>>permit 0.0.0.0/0 dns.uem.mz/32 udp dst eq domain
>>permit 0.0.0.0/0 pop3.uem.mz/32 tcp dst eq pop3
>>permit 0.0.0.0/0 mail.uem.mz/32 tcp dst eq smtp
>>
>>mailonly.out
>>permit dns.uem.mz/32 0.0.0.0/0 udp src eq domain
>>permit pop3.uem.mz/32 0.0.0.0/0 tcp src eq pop3 estab
>>permit mail.uem.mz/32 0.0.0.0/0 tcp src eq smtp estab
>
>Off hand it looks ok to me, but I think the estab rule is unneeded.
>
>>In which case is it really necessary to use a .in AND a .out filter?
>
>Depends on how tightly you want to lock things down.
>
>>Can you explain me the use of estab? Is the domain rule needed in
>>mailonly.out?
>
>estab just checks TCP packets to see if it is an established session. All
>packets after the first one in a session have a bit set to flag this. Since
>the first packet must have made it through to establish the session in the
>first place,' estab is a quick check. Usually used like:
>'permit tcp estab' near the top of the filter.
>
>And you do need to allow domain requests on the in filter.
>
>>Next are the internet filters, please comment on the internet.out
>>because it doesn't work good:
>
>This is beyond what we can really help with. Filters will vary from site
>to site, and the only person who really knows how they should be configured
>is someone who works at that site.
>
>>Does the order of the rules in the filter make any difference (i.e.
>>the ftp rules)?
>
>Order makes MAJOR difference. The filter is processed in order top to
>bottom - the first rule that matches is used, and parsing stops there.
>Getting rules in the wrong order can easily open unwanted holes or close
>wanted ones.
>
>-MZ
>--
>Livingston Enterprises - Chair, Department of Interstitial Affairs
>Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951 megazone@livingston.com
>For support requests: support@livingston.com <http://www.livingston.com/>
>Snail mail: 6920 Koll Center Parkway #220, Pleasanton, CA 94566
>
----------------------------------------------------------------------------
Michael J. Hartwick, VE3SLQ
Hartwick Communications Consulting
hartwick@primeline.net