Re: ANNOUNCE: pm2_3.1.3c2 fixes Telnet break problem

Leo Savage (leo@esva.net)
Sun, 10 Sep 1995 11:29:01 -0400 (EDT)

On Sat, 9 Sep 1995, System Administrator wrote:

> At 12:34 PM 9/9/95 -0400, Leo Savage wrote:
> >
> >add filter notelnet.in
> >set filter notelnet.in 1 permit svr_ip/32 pm_ip/32 tcp dst eq 23 estab
> >set filter notelnet.in 2 permit svr_ip/32 pm_ip/32 tcp dst eq 23 log
> >set filter notelnet.in 3 deny 0.0.0.0/0 pm_ip/32 tcp dst eq 23 log
> >set filter notelnet.in 4 permit
> >set ether0 ifilter notelnet.in
> >save all
> >
>
> OK, I used the modified packet filters which effectively denies access to
> only those hosts which I want to connect on my base network. Unfortunately
> it does not block incoming from my second, third or fourth ip blocks. Why?
>
> I used the above example modifying only to add the specific hosts which I
> wanted to give access to (and not using the estab parameter since it seemed
> to disable use of pmwho, and also not the log param on the permit since the
> connection is logged anyways). How do I block dialin users on other IP blocks
> from telnetting in without setting up a packet filter for dialin?

Having invested further study, I hope I've got all this right. No warranty.

As originally given, this sequence blocks telnet attempts over the
ethernet connection only. To also block attempts from outside you also
want to put this filter on the WAN port, like so:

set W1 ifilter notelnet.in

To block telnet tries from dialup users, you have to add a filter rule to
the std filters named in your RADIUS users file. In ours, all users are
listed as having a "std.user" filter that didn't happen to exist (but
specifying a filter fixed a bug somewhere). I've now defined it like so:

add filter std.user.in
set filter std.user.in 1 deny 0.0.0.0/0 pm_ip/32 tcp dst eq 23 log
set filter std.user.in 2 permit
save all

Again where "pm_ip" is the IP address of the Portmaster. If I read the
docs aright, the ethernet and WAN ports will now block any telnet attempt
to the Portmaster from any IP address except our own server, and dialup
lines will be blocked from telnetting to the Portmaster regardless.

I am debating using the std.user.in filter on the WAN port instead of the
notelnet.in filter. Seems to me the only way the approved system should
ever try to telnet to the Portmaster is via ethernet.

Long term, I guess I'll eventually define three separate filters for
dialup, ethernet, and WAN after I get a copy of that A/W book.

--
    ("`-/")_.-'"``-._             Leo Savage
     . . `; -._    )-;-,_`)
    (v_,)'  _  )`-.\  ``-'       leo@esva.net
   _.- _..-_/ / ((.'
 ((,.-'   ((,/             http://www.esva.net/~leo/
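The following is an added illustration, not part of the original post or of the PortMaster software: a small Python simulator of ordered, first-match input filters bound per interface. It reproduces the two filters quoted in the thread and shows why binding notelnet.in to ether0 alone leaves WAN and dialup telnet attempts unfiltered, while binding it to W1 and applying std.user.in to dialup ports blocks them. The rule semantics (first match wins, implicit deny at the end of a filter, no filter means pass, "estab" matching only non-SYN TCP traffic) are this example's approximation of the PortMaster behaviour, and all addresses, interface names and sample packets are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PM_IP = "192.0.2.1"     # constructed placeholder for pm_ip (the PortMaster itself)
SVR_IP = "192.0.2.10"   # constructed placeholder for svr_ip (the approved server)


@dataclass
class Packet:
    iface: str                  # arriving interface: "ether0", "W1", or a dialup port like "S3"
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 23
    established: bool = False   # True once the TCP handshake is past the initial SYN


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    estab: bool = False          # assumed: match only established TCP traffic
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.estab and not p.established:
            return False
        return True


def evaluate(p: Packet, filters: dict, bindings: dict) -> tuple:
    """First-match evaluation of the input filter bound to the arriving interface.
    Returns (action, matched_rule_number, logged). An interface with no filter
    passes everything; a filter whose rules all miss ends in an implicit deny."""
    name = bindings.get(p.iface)
    if name is None:
        return ("permit", None, False)
    for i, rule in enumerate(filters[name], start=1):
        if rule.matches(p):
            return (rule.action, i, rule.log)
    return ("deny", None, False)


# The two filters as posted in the thread, with the placeholders substituted.
NOTELNET_IN = [
    Rule("permit", f"{SVR_IP}/32", f"{PM_IP}/32", "tcp", 23, estab=True),
    Rule("permit", f"{SVR_IP}/32", f"{PM_IP}/32", "tcp", 23, log=True),
    Rule("deny", "0.0.0.0/0", f"{PM_IP}/32", "tcp", 23, log=True),
    Rule("permit"),
]
STD_USER_IN = [
    Rule("deny", "0.0.0.0/0", f"{PM_IP}/32", "tcp", 23, log=True),
    Rule("permit"),
]
FILTERS = {"notelnet.in": NOTELNET_IN, "std.user.in": STD_USER_IN}

# Binding as in the original reply: only ether0 carries the filter.
BEFORE = {"ether0": "notelnet.in"}
# Binding as in the follow-up: the WAN port too, and dialup ports get std.user.in
# through the RADIUS user entry (modelled here as a binding on a dialup port).
AFTER = {"ether0": "notelnet.in", "W1": "notelnet.in", "S3": "std.user.in"}

# Constructed sample traffic: the approved server, a stray LAN host, a WAN host
# and a dialup user on another address block, all opening telnet to the PortMaster.
SAMPLES = {
    "server_syn":  Packet("ether0", SVR_IP, PM_IP),
    "server_data": Packet("ether0", SVR_IP, PM_IP, established=True),
    "lan_host":    Packet("ether0", "192.0.2.77", PM_IP),
    "wan_host":    Packet("W1", "198.51.100.9", PM_IP),
    "dialup_user": Packet("S3", "203.0.113.42", PM_IP),
}


def decisions(bindings: dict) -> dict:
    """Map each sample packet name to its permit/deny decision under a binding set."""
    return {k: evaluate(p, FILTERS, bindings)[0] for k, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, b in (("before", BEFORE), ("after", AFTER)):
        print(label, decisions(b))
```

Running it shows the WAN host and the dialup user permitted under the "before" bindings, because their packets never traverse ether0, and denied under the "after" bindings; the server's traffic is permitted either way, its initial SYN by rule 2 (logged) and its established packets by rule 1 (unlogged), which is why a permit that is already logged elsewhere can drop its log flag without losing visibility of the deny events.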