Hi,

I'm having some trouble getting all the Ascend-Data-Filter attributes I set in the users file returned in an access-accept packet. It's strange because some of the filters get returned, but others do not. It's creating a real problem for me. Here is the stanza where I match and attach the attributes. Note that there is no other area in my users file where Ascend-Data-Filters are being used.

DEFAULT Huntgroup-Name == xxxyyyzzz
       Ascend-Data-Filter += "ip out drop udp dstport = 135",
       Ascend-Data-Filter += "ip out drop udp dstport = 136",
       Ascend-Data-Filter += "ip out drop udp dstport = 137",
       Ascend-Data-Filter += "ip out drop udp dstport = 138",
       Ascend-Data-Filter += "ip out drop udp dstport = 139",
       Ascend-Data-Filter += "ip out drop udp dstport = 445",
       Ascend-Data-Filter += "ip out drop udp dstport = 587",
       Ascend-Data-Filter += "ip out drop udp dstport = 1433",
       Ascend-Data-Filter += "ip out drop udp dstport = 1434",
       Ascend-Data-Filter += "ip out drop udp dstport = 4444",
       Ascend-Data-Filter += "ip out drop tcp dstport = 135",
       Ascend-Data-Filter += "ip out drop tcp dstport = 136",
       Ascend-Data-Filter += "ip out drop tcp dstport = 137",
       Ascend-Data-Filter += "ip out drop tcp dstport = 138",
       Ascend-Data-Filter += "ip out drop tcp dstport = 139",
       Ascend-Data-Filter += "ip out drop tcp dstport = 445",
       Ascend-Data-Filter += "ip out drop tcp dstport = 587",
       Ascend-Data-Filter += "ip out drop tcp dstport = 1433",
       Ascend-Data-Filter += "ip out drop tcp dstport = 1434",
       Ascend-Data-Filter += "ip out drop tcp dstport = 4444",
       Ascend-Data-Filter += "ip out forward 0",
       Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/32",
       Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/32",
       Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/32",
       Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/30",
       Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/30",
       Ascend-Data-Filter += "ip in drop tcp dstport = 25",
       Ascend-Data-Filter += "ip in drop tcp dstport = 587",
       Ascend-Data-Filter += "ip in forward 0",
       Fall-Through = no

Here is the output using radclient on an auth packet that matches that huntgroup:

su-2.05b# radclient -f auth localhost:6969 auth nas41v29
Received response ID 72, code 2, length = 1004
       Ascend-Data-Filter = "ip output drop udp dstport = 135"
       Ascend-Data-Filter = "ip output drop udp dstport = 136"
       Ascend-Data-Filter = "ip output drop udp dstport = 137"
       Ascend-Data-Filter = "ip output drop udp dstport = 138"
       Ascend-Data-Filter = "ip output drop udp dstport = 139"
       Ascend-Data-Filter = "ip output drop udp dstport = 445"
       Ascend-Data-Filter = "ip output drop udp dstport = 587"
       Ascend-Data-Filter = "ip output drop udp dstport = 1433"
       Ascend-Data-Filter = "ip output drop udp dstport = 1434"
       Ascend-Data-Filter = "ip output drop udp dstport = 4444"
       Ascend-Data-Filter = "ip output drop tcp dstport = 135"
       Ascend-Data-Filter = "ip output drop tcp dstport = 136"
       Ascend-Data-Filter = "ip output drop tcp dstport = 137"
       Ascend-Data-Filter = "ip output drop tcp dstport = 138"
       Ascend-Data-Filter = "ip output drop tcp dstport = 139"
       Ascend-Data-Filter = "ip output drop tcp dstport = 445"
       Ascend-Data-Filter = "ip output drop tcp dstport = 587"
       Ascend-Data-Filter = "ip output drop tcp dstport = 1433"
       Ascend-Data-Filter = "ip output drop tcp dstport = 1434"
       Ascend-Data-Filter = "ip output drop tcp dstport = 4444"
       Ascend-Data-Filter = "ip output forward 0"
       Ascend-Data-Filter = "ip input drop tcp dstport = 25"
       Ascend-Data-Filter = "ip input drop tcp dstport = 587"
       Ascend-Data-Filter = "ip input forward 0"
       Idle-Timeout = 1800
       Framed-Protocol = PPP
       Service-Type = Framed-User
       Framed-IP-Netmask = 255.255.255.255

There's no other place Ascend-Data-Filter is used in the users file, so there's no chance of that messing it up. This is confusing because it seems to add some but not others. Basically it causes email not to work for the users because the drop rule for port 25 traffic gets added but the allow rule to our mail server does not. Any ideas?

Thanks!

Chris Carver
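
Added example, not part of the original post: a check that compares the Ascend-Data-Filter rules in a users-file stanza with those in a radclient reply and lists the ones that were not returned, so a partially delivered filter set is caught before it changes the effective policy. The function names, the group name and the sample text (with documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The users file writes "in"/"out"; radclient prints "input"/"output" (as on the page).
DIRECTION = {"in": "input", "out": "output"}
ATTR = re.compile(r'Ascend-Data-Filter\s*(?:\+=|:=|=)\s*"([^"]*)"')

def normalise(rule):
    """Collapse whitespace and expand the direction keyword (second word)."""
    words = rule.split()
    if len(words) > 1:
        words[1] = DIRECTION.get(words[1], words[1])
    return " ".join(words)

def filters(text):
    """Every Ascend-Data-Filter value in the text, normalised, in order."""
    return [normalise(m.group(1)) for m in ATTR.finditer(text)]

def missing_filters(configured, reply):
    """Configured rules absent from the reply; duplicates are counted, not merged."""
    remaining = Counter(filters(reply))
    missing = []
    for rule in filters(configured):
        if remaining[rule] > 0:
            remaining[rule] -= 1
        else:
            missing.append(rule)
    return missing

# Constructed sample input: a shortened stanza with documentation addresses.
USERS_SAMPLE = '''
DEFAULT Huntgroup-Name == example-group
       Ascend-Data-Filter += "ip out drop tcp dstport = 445",
       Ascend-Data-Filter += "ip out forward 0",
       Ascend-Data-Filter += "ip in forward 0 dstip 192.0.2.10/32",
       Ascend-Data-Filter += "ip in forward 0 dstip 192.0.2.20/30",
       Ascend-Data-Filter += "ip in drop tcp dstport = 25",
       Ascend-Data-Filter += "ip in forward 0",
       Fall-Through = no
'''
# Constructed sample reply in radclient's output format.
REPLY_SAMPLE = '''
       Ascend-Data-Filter = "ip output drop tcp dstport = 445"
       Ascend-Data-Filter = "ip output forward 0"
       Ascend-Data-Filter = "ip input drop tcp dstport = 25"
       Ascend-Data-Filter = "ip input forward 0"
'''

if __name__ == "__main__":
    for rule in missing_filters(USERS_SAMPLE, REPLY_SAMPLE):
        print("not returned:", rule)
```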