>
>
> On Fri, 15 Sep 1995, Pat McClanahan wrote:
>
> >
> > I have some users that I want to restrict to only be able to send and
> > receive email - is there any way to use PM or Radius capabilities to
> > restrict incoming dial-in users to certain network services?
>
> This is very difficult.. the only way I know of is to create a
> configuration file for pine that specifically says that no one is allowed
> to shell out.. and then set pine as their shell in /etc/passwd..
Actually, this would work only for users with a shell account. I think
the best bet would be to create a filter in each Portmaster that limits
the user's packets to destination ports 25 and 110 (SMTP and POP3 ports),
and then in their entry in the RADIUS users file, apply that filter.
Something like this (and the syntax may be off, so don't hold me liable
if this breaks anything!):
in the Portmaster:
add filter mail.out
set filter mail.out 1 permit aaa.aaa.aaa.aa/32 0.0.0.0/0 tcp dst eq 110
set filter mail.out 2 permit aaa.aaa.aaa.aa/32 0.0.0.0/0 tcp dst eq 25
set filter mail.out 3 deny aaa.aaa.aaa.aa/32 0.0.0.0/0 tcp
set filter mail.out 4 permit
(Where `aaa.aaa.aaa.aa' is the IP address of the portmaster you're
working from)
Of course, you do *not* want to apply this filter to any of the interfaces
on the PM, but specify it in the appropriate section with the entries of
the users you want to restrict.
Note that I have never done this to restrict users in this way, but as
far as I can tell, it should work, at least in theory.
And life is very simple, in theory. ;-)
Chris Woods Senior System Administrator USAinternet, Inc.
GCS/CM/IT d- s++:+ a- C++++$ ULS++++$ P+++$>++++ L++++$ E W$ N+ !o
K++ !w--- !O !M-- !V-- PS+? !PE !Y+>++ PGP+ t+@ !5 X !R tv? b+ DI++
D+@ G++ e h---- r+++ y++++
cjwoods@usa1.net http://www.usa1.com 508-774-4700
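To check what the four `set filter mail.out` lines above would actually do to a dial-in user's traffic, here is a small first-match filter model in Python. This is an added example, not Livingston's filter code and not the poster's: the grammar it parses is only the minimal one needed for the lines quoted in the message (the message itself says the syntax may be off), the implicit deny when no rule matches is an assumption, and `192.0.2.1` and `198.51.100.10` are constructed documentation addresses standing in for the `aaa.aaa.aaa.aa` placeholder and for a remote mail host.

```python
"""Simplified first-match packet filter modelled on the Portmaster-style
'set filter' lines quoted in the message above.  Added example, not the
PortMaster's own implementation; the rule grammar is the minimal one needed
for those four lines, and the implicit deny at the end is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    src: Optional[str] = None        # source prefix in CIDR form, None = any
    dst: Optional[str] = None        # destination prefix, None = any
    proto: Optional[str] = None      # "tcp"/"udp"/"icmp", None = any protocol
    dst_port: Optional[int] = None   # destination port (tcp/udp), None = any

    def matches(self, pkt: dict) -> bool:
        """True when every field the rule specifies agrees with the packet."""
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse 'set filter NAME N ACTION [SRC DST] [PROTO] [dst eq PORT]'."""
    tok = line.split()
    if tok[:2] != ["set", "filter"]:
        raise ValueError(f"not a 'set filter' line: {line!r}")
    number, action, rest = int(tok[3]), tok[4], tok[5:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src = dst = proto = None
    dst_port = None
    if len(rest) >= 2 and "/" in rest[0] and "/" in rest[1]:
        src, dst, rest = rest[0], rest[1], rest[2:]
    if rest and rest[0] in ("tcp", "udp", "icmp"):
        proto, rest = rest[0], rest[1:]
    if rest[:2] == ["dst", "eq"]:
        dst_port, rest = int(rest[2]), rest[3:]
    if rest:
        raise ValueError(f"unparsed tokens {rest} in {line!r}")
    return Rule(number, action, src, dst, proto, dst_port)


def parse_filter(text: str) -> list:
    """Collect the 'set filter' lines of a filter definition, ordered by rule number."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip().startswith("set filter")]
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: list, pkt: dict):
    """First matching rule decides.  Assumption: no match means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", None


# Constructed sample: 192.0.2.1 stands in for the aaa.aaa.aaa.aa placeholder.
MAIL_OUT = parse_filter("""
add filter mail.out
set filter mail.out 1 permit 192.0.2.1/32 0.0.0.0/0 tcp dst eq 110
set filter mail.out 2 permit 192.0.2.1/32 0.0.0.0/0 tcp dst eq 25
set filter mail.out 3 deny 192.0.2.1/32 0.0.0.0/0 tcp
set filter mail.out 4 permit
""")


def pkt(src: str, dst: str, proto: str, dport: Optional[int] = None) -> dict:
    """Build a minimal packet description for evaluate()."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    samples = [
        ("POP3",      pkt("192.0.2.1",  "198.51.100.10", "tcp", 110)),
        ("SMTP",      pkt("192.0.2.1",  "198.51.100.10", "tcp", 25)),
        ("telnet",    pkt("192.0.2.1",  "198.51.100.10", "tcp", 23)),
        ("HTTP",      pkt("192.0.2.1",  "198.51.100.10", "tcp", 80)),
        ("DNS/udp",   pkt("192.0.2.1",  "198.51.100.10", "udp", 53)),
        ("other src", pkt("192.0.2.77", "198.51.100.10", "tcp", 80)),
    ]
    for name, p in samples:
        action, n = evaluate(MAIL_OUT, p)
        print(f"{name:10s} -> {action} (rule {n})")
```

Running it shows the rule order doing what the message intends for TCP (25 and 110 permitted, any other TCP destination denied by rule 3) while non-TCP traffic such as UDP DNS falls through to the catch-all permit in rule 4. The last sample is the check worth making before deploying: a packet whose source address lies outside the prefix used in rules 1 to 3 never reaches the deny and is permitted by rule 4, so that prefix has to cover the address the restricted user is actually assigned on the dial-in port.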