Re: (PM) Nailing spoofers

Kevin Kadow (kadokev@ripco.com)
Fri, 31 Jul 1998 05:48:19 -0500 (CDT)

Curtis Coleman writes:
> Subject: Re: (PM) Nailing spoofers
> > Unless I've overlooked something, PMs seem to lack any aids for
> > determining which user is spoofing his source IP address.

As was mentioned, a big problem (this should be an RFE) is that the 'log'
keyword in a filter does not syslog the interface (port) or user that sourced
the packet; this makes the filter rule logs useless after-the-fact.


> I think the problem is that PMs lack the ability to filter users from
> being able to spoof source addresses in the first place. Lucington
> would have you use choicenet and a separate filter for each customer.
>
> Why not have the PMs automatically filter users based on Framed-Address
> & Framed-Route information received from RADIUS?

To the same end, I've got a little perl program that will generate the
individual ChoiceNet(tm) filters from the RADIUS 'users' file.

This works great for anybody that you have assigned a Framed-Address and even
Framed-Route, but there's still the problem of dynamic-IP users.

> Solutions I've heard from Lucington in the past consisted of applying
> filters only allowing source addresses within the assigned pool.

What I'd really like to see (and this has been an RFE for many months) would
be for me to be able to make a filter on the portmaster with a 'magic' address,
that the portmaster replaces with the assigned-IP when evaluating the filter
against each user's packets.

To be useful to me, this magic-ip -> assigned-ip _MUST_ be done in the
portmaster as the filters are applied to each packet; doing it as some sort
of Choicenet 'generate filters on the fly as each dynamic-IP user logs in'
race condition won't cut it.

With the one little bit of magic in ComOS, I could put in a single
anti-spoofing filter on all of my Portmasters and use it for all of my
customers who have just one assigned or dynamic IP address. That would
make me happy.

> Strikes me as a half-assed solution, still allowing customers to source
> packets they shouldn't be able to (albeit to a lesser extent), while
> breaking static addressing and the routing of networks. Sometimes I
> wonder about Lucington's priorities.

The "special address in rule gets replaced by assigned address automagically"
request has been brought up here time and time again; I'd rather see
Lucent come out with that before something extraneous like NAT.

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>