Re: telnet filter and ftp filter

Carl Rigney ((no email))
Fri, 25 Apr 1997 02:52:48 -0700 (PDT)

Drew C Morone <drew@j51.com> asks:
> I would like to set up a filter that blocks the world from ftp'ing to and
> from a dialin user with a static IP address. I would like to do the same
> to keep the world from telnetting into this address. Anybody have a filter
> like that?

The following output filter will keep anyone from connecting to the ftp,
telnet, and http ports (which someone else asked for) on the dial-in
user's host, but allow any other kind of access. Note that a clever
user can change the ports these services listen on.

add filter noftp.out
set filter noftp.out 1 permit tcp established
set filter noftp.out 2 deny tcp dst eq 21
set filter noftp.out 3 deny tcp dst eq 23
set filter noftp.out 4 deny tcp dst eq 80
set filter noftp.out 5 permit
save all

In the RADIUS entry for that noftp, include the attribute

Filter-Id = "noftp"

(RADIUS 1.16 calls this Framed-Filter-Id instead of Filter-Id.)

The PortMaster will look for noftp.in as an input filter (and not find
it) and look for noftp.out as an output filter, and apply that to the
interface it creates for the dial-in user. All packets to be sent out
on that interface (from the PortMaster to the user) will first go
through the filter.

--
Carl Rigney
cdr@livingston.com
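To make the first-match semantics of the noftp.out filter concrete, here is an added example (not code from the original post or from Livingston): a small Python model of the five rules applied to constructed packets travelling from the PortMaster to the dial-in user. The rule and packet fields are assumptions chosen to mirror the post's syntax, and "established" is modelled as "TCP with the ACK bit set", which is the usual meaning of that keyword in port-based filters; this is not a PortMaster emulator. It shows why rule 1 has to come before the deny rules (the user's own outbound sessions need their return traffic permitted), that traffic which is not TCP to 21/23/80 falls through to the final permit, and the caveat from the post that a daemon moved to another port is no longer caught.

```python
"""Model of the noftp.out output filter from the post (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    dst_port: int | None = None  # destination port, None for icmp
    # Assumption: the filter's "established" keyword matches TCP packets
    # with the ACK bit set. A bare SYN is a new connection attempt.
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str | None = None     # None matches any protocol
    dst_port: int | None = None  # None matches any destination port
    established: bool = False    # require the ACK bit

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established and not pkt.ack:
            return False
        return True


# noftp.out as written in the post, rules 1..5, first match wins.
NOFTP_OUT = [
    Rule("permit", proto="tcp", established=True),  # 1 permit tcp established
    Rule("deny", proto="tcp", dst_port=21),         # 2 deny tcp dst eq 21
    Rule("deny", proto="tcp", dst_port=23),         # 3 deny tcp dst eq 23
    Rule("deny", proto="tcp", dst_port=80),         # 4 deny tcp dst eq 80
    Rule("permit"),                                 # 5 permit (anything else)
]


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, int]:
    """Return (action, rule_number) of the first rule that matches.

    The post's filter ends in an explicit permit, so every packet matches
    something. Assumption for completeness: a filter with no matching
    rule denies, the conservative default for a packet filter.
    """
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", 0


def run_samples() -> dict[str, tuple[str, int]]:
    """Constructed packets, all travelling PortMaster -> dial-in user."""
    samples = {
        # Someone on the Internet opens a connection to the user's services.
        "world->user ftp SYN": Packet("tcp", dst_port=21),
        "world->user telnet SYN": Packet("tcp", dst_port=23),
        "world->user http SYN": Packet("tcp", dst_port=80),
        # Return traffic for a session the user opened outward: ACK is set,
        # so rule 1 permits it before the deny rules are consulted. This is
        # why the user's own outbound ftp/telnet/web sessions keep working.
        "reply to user's outbound session": Packet("tcp", dst_port=1025, ack=True),
        # Rule 1 also permits ACK-only packets aimed at port 21: a flag-based
        # "established" match cannot tell a reply from an ACK probe.
        "ACK probe to user's port 21": Packet("tcp", dst_port=21, ack=True),
        # Anything not covered by rules 1-4 reaches the final permit.
        "world->user ssh SYN": Packet("tcp", dst_port=22),
        "world->user dns query": Packet("udp", dst_port=53),
        "ping": Packet("icmp"),
        # The post's caveat: a telnetd moved to another port is not caught.
        "world->user telnetd on 2323": Packet("tcp", dst_port=2323),
    }
    return {name: evaluate(NOFTP_OUT, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, number) in run_samples().items():
        print(f"{action:6} (rule {number})  {name}")
```

Running it prints one line per sample packet with the action and the rule number that decided it; the three SYNs to 21, 23 and 80 are the only packets denied.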