Re: (PM) Concerning email only filters

Paul Gregg (pgregg@niweb.com)
2 Feb 1998 09:25:03 GMT

Administrator <admin@qwis.net> wrote:
| Hi all,
|
| I am trying to put together a set of filters to apply to a user so that he
| can only access his local email through us, but not do anything else like
| browsing or ftp, etc..... I have searched out the archives and found lots
| of great suggestions to use and based on those emails that I found, I went
| through the PM3 manuals, carefully studied on how to put together my own
| filters, and then wrote two filters on our PM3. The filters that I created
| are below
|
| Filter MAILONLY.IN
|
| 1 permit 0.0.0.0/0 0.0.0.0/0 icmp
| 2 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
| 3 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53

Allows DNS queries.

| 4 deny 0.0.0.0/0 0.0.0.0/0 udp dst gt 33500
| 5 permit 0.0.0.0/0 0.0.0.0/0 udp dst gt 33433

Huh? What have udp ports 33433-33499 to do with email?

| 6 permit 0.0.0.0/0 208.154.178.0/24 tcp dst eq 25

Good, permits smtp tcp to your netblock 'class C'

| 7 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 113

Of dubious value. ident queries rarely work on the internet, let alone your
dialup user.

| 8 permit 0.0.0.0/0 208.154.178.0/24 tcp dst eq 110

Good, allows access to any Pop3 ports on your network.

| .....and filter MAILONLY.OUT
|
| 1 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 20
| 2 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 21
| 3 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23
| 4 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 69
| 5 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
| 6 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 119

Why? If there is a filter, everything is denied by default.
Use:
<allow DNS>
1 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
2 permit 0.0.0.0/0 0.0.0.0/0 udp src eq 53
<allow traffic from your pop3 port to any port on the dialup>
3 permit 208.154.178.0/24 0.0.0.0/0 tcp src eq 110 estab
<allow traffic from your smtp port>
4 permit 208.154.178.0/24 0.0.0.0/0 tcp src eq 25 estab
<allow connections to the dialup user's smtp port - may not be needed>
5 permit 208.154.178.0/24 0.0.0.0/0 tcp dst eq 25

| We are using RADIUS 2.0 for NT and in the users file I created a test entry
| like such:
|
| test Password = "test"
| Service-Type = Framed-User,
| Framed-Protocol = PPP,
| Framed-IP-Address = 255.255.255.254,
| Framed-Routing = None,
| Framed-MTU = 1500,
| Framed-Compression = Van-Jacobson-TCP-IP,
| Idle-Timeout = 900,
| Session-Timeout = 21600,
| Filter-Id = "mailonly.out",
| Filter-Id = "mailonly.in"

Just use one Filter-Id = "mailonly" - the PM tacks on the appropriate in/out
for the connection.

| When I dialed in and got connected it seems as though my filters have not
| even taken effect since I could browse, ftp, and telnet to wherever I
| wanted. I did save the filters on the PM3 and I did save the users file
| after adding the new user, but I am not quite sure where I have gone wrong
| with this. I must admit that I am a novice when it comes to this and this
| is my first time at putting my hand to writing filters, but could someone
| out there please comment on this message and help me find where I have gone
| wrong, so I can get these filters working? Thanks in advance for your time
| and patience!!!

Paul Gregg
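To check the reasoning in the reply (implicit deny, src/dst port matching, the estab keyword), here is an added example that is not from the post or from Livingston: a small Python evaluator for PortMaster-style filter rules. It assumes first-match semantics with an implicit deny when nothing matches, treats `estab` as matching only TCP segments with the ACK flag set, and uses placeholder addresses for the dialup user and the mail servers.

```python
import ipaddress, operator

OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "lt": operator.lt}

def parse_rule(line):
    # "<n> permit|deny <src>/<bits> <dst>/<bits> <proto> [src|dst <op> <port>] [estab]"
    t = line.split()
    r = {"action": t[1], "src": ipaddress.ip_network(t[2]), "dst": ipaddress.ip_network(t[3]),
         "proto": t[4], "port": None, "estab": t[-1] == "estab"}
    if len(t) > 5 and t[5] in ("src", "dst"):
        r["port"] = (t[5], OPS[t[6]], int(t[7]))
    return r

def parse_filter(text):
    return [parse_rule(line) for line in text.strip().splitlines()]

def matches(r, pkt):
    # pkt keys: src, dst, proto, sport, dport, ack (True when the TCP ACK flag is set; assumed meaning of estab)
    if r["proto"] != pkt["proto"] or ipaddress.ip_address(pkt["src"]) not in r["src"] \
            or ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["port"]:
        side, op, value = r["port"]
        if not op(pkt["sport"] if side == "src" else pkt["dport"], value):
            return False
    return not r["estab"] or pkt.get("ack", False)

def evaluate(rules, pkt):
    # First match wins; a packet matching no rule is dropped (the implicit deny the reply relies on).
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# Constructed: the poster's MAILONLY.OUT (deny rules only) and the reply's suggested OUT filter.
ORIGINAL_OUT = parse_filter("""
1 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 20
2 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 21
3 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23
4 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 69
5 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
6 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 119""")
SUGGESTED_OUT = parse_filter("""
1 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
2 permit 0.0.0.0/0 0.0.0.0/0 udp src eq 53
3 permit 208.154.178.0/24 0.0.0.0/0 tcp src eq 110 estab
4 permit 208.154.178.0/24 0.0.0.0/0 tcp src eq 25 estab
5 permit 208.154.178.0/24 0.0.0.0/0 tcp dst eq 25""")
# Constructed POP3 reply travelling out to the dialup user (10.0.0.5 and .10 are placeholder addresses).
POP3_REPLY = dict(src="208.154.178.10", dst="10.0.0.5", proto="tcp", sport=110, dport=1025, ack=True)
```

With the poster's all-deny OUT filter, `evaluate(ORIGINAL_OUT, POP3_REPLY)` returns "deny" (the POP3 replies never reach the user), while the suggested filter returns "permit" for the same packet and still denies a web server's reply.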