InterNetworking Systems, Lucent Technologies Lucent Technologies

Tech Corner

Lucent ChoiceNet (TM) Notes

This document covers the following: 

ChoiceNet does two things


  1. Dynamic Filter Downloads 
  2. Dynamic Filters allow filters to be stored on a server off of the Lucent PortMaster (TM). Packet filters are configured to be applied to an interface. 

    The PortMaster will call for a filter whenever an interface configured for an input or output filter is created or reset. These interfaces take filter changes at different points... 

    • For an ethernet port the change takes affect immediately. 
    • For a dealt location profile the change takes affect the next time the location profile is used. 
    • For a hardwired connection the change takes affect when the port is reset. 

When the PortMaster calls for a filter the PortMaster first checks its own local filter table for the filter that is being used. If found on the PortMaster's local table then that filter is used. If the filter is not found and a ChoiceNet server is configured then the PortMaster will make a single request to the ChoiceNet server for the filter. (This request is issued to the server on socket UDP/1647.) If the ChoiceNet server has the filter then it is sent to the PortMaster on socket TCP/1643 with a one-time password which is the same socket used by Lucent PMconsole (TM) utilities. 

Dynamic filters are stored on the ChoiceNet server under the filters sub directory as an ASCII text file. The filenames are the same as the names of the filters as they are referred to on the PortMaster. Within the dynamic filter files are the filter rules just as they would appear in PMconsole, that is without rule numbers. 


  • show filter <dynamic_filter_name> - will show the dynamically loaded filter. 
  • show table filter - will NOT include dynamically loaded filters. 
  • ChoiceNet is for Packet filters only, not for access filters. Access filters are filters applied to login (shell) users. 
  • Do not load a dynamic filter for the interface that the PortMaster needs to access the ChoiceNet server. 
  • Example:  If your PortMaster is on the same Ethernet LAN as your ChoiceNet server then do not use a Dynamic Filter on the ether0 interface. 

  • Dynamic ChoiceNet filters and normal filters stored on the PortMaster can both be used at the same time. 
  • There is no setting for a secondary ChoiceNet server since the PortMaster will not re-issue a ChoiceNet request. 
  • Do not configure the PortMaster for a ChoiceNet server if one does not exist. 

Access lists 

  • Site Access Lists 

A Site Access List is a list of qualified host names or IP address of hosts. This list is stored as an ASCII file in the lists sub directory. These files have one host name or IP address per line. 


Site Access Lists are used within filter rules. 

         Example:  To block all traffic coming from a list of hosts in a Site Access List named testlist it is        necessary to include a rule in the filter similar to that shown in the following command: 

  Command> deny =testlist

The =testlist holds the position for the source address (where the packet is coming from). The equal sign '=' indicates to the PortMaster that testlist is a Site Access List. 

         Example:  To change the filter to prevent any packets from going to a list of sites change the rule with the following command: 

  Command> deny =testlist

In this example the Site Access Filter is specified as the destination address (where the packet is going). 


  • Site Access Lists can be substituted for the Source Address OR the Destination Address in a filter rule,  not both. 
  • Site Access Lists can be used for packet filters  not for Access Filters. Access Filters are applied to users with shell accounts (rlogin, telnet, PortMaster). 
  • Site Access Lists are cached in the PortMaster. 
  • The host names and IP address in the list files are considered to be a single host (32 bit IP address). Network addresses, entire domains, etc. cannot be represented in the list files in a single line. 

Example Of A Site Access List File Sample

This is a sample Site Access List. Each host is represented as an IP address or a qualified host name. The list files are stored in the lists sub directory. We've named our example file to be testlist 

# Sample Site Access List
# Filename:  testlist

Configuring the PortMaster

NOTE: To use ChoiceNet you MUST have ComOS release 3.5 or higher and the ChoiceNet server for your platform. There is no support for ChoiceNet beta releases. 

  1. set choicenet <IP_ADDRESS_OF_CHOICENET_SERVER> 
  2. This tells the PortMaster where to look for the Choicenet server. Do NOT set this parameter if you do not have a ChoiceNet server since it takes a long time to time out. 


    Command> set choicenet


  3. set choicenet-secret <CHOICENET ENCRYPTION KEY> 
  4. Choicenet secrets work similarly to RADIUS secrets. The secret is matched with a secret found in the ChoiceNet server configuration in the clients file. The secret can be up to 15 characters long and is case sensitive. 


    Command> set choicenet-secret insertasecret
  5. set maximum pmconsole <NUMBER OF PMCONSOLE SESSIONS ALLOWED> 
  6. ChoiceNet transfers the dynamic filters to the PortMaster using Transmission Control Protocol (TCP) port 1643. This is the same port that PMconsole uses. By default PortMasters allow one connection at a time on this port.  When using ChoiceNet you need to increase this number as shown in the example below to prevent running out of allowed connections. 


    Command> set maximum pmconsole 5

Configuring the Server

Lucent PMinstall (TM) will have an option to install ChoiceNet onto your host. If you do not have this version of PMinstall  you can install ChoiceNet manually. 

Manually Installing ChoiceNet Server

For more details see the ChoiceNet Administrator's Guide 

  1. Download ChoiceNet from Lucent  FTP site @ 
  2. Un-tar the ChoiceNet server. 
  3. Create a sub directory for ChoiceNet. 
  4.    umask 022
       mkdir /etc/choicenet
       chmod 700 /etc/choicenet
  5. Copy ChoiceNet files to that directory. 
  6. Configure the /etc/choicenet/clients file. 
  7. Add the filterd executable to your host's startup file. 
  8. Add the following line the /etc/services file. 
  9.    choicenet    1647/udp        filterd

Server Files


/etc/choicenet - By default this is where all the ChoiceNet server files, configuration, Dynamic Filters and site Access Lists are stored. 
/filterd - This is the ChoiceNet server executable. Flags... 

  • -x Displays detailed debug information to console. 
  • -v Displays current ChoiceNet server version. 

buildlist - Converts Site Access Lists in the lists sub directory into dbm databases in the lists.dbm sub directory. 

/clients - Works  much like the RADIUS clients file.  It lists each PortMaster (by host name or by IP) that is allowed to access the ChoiceNet server. Separated by spaces or tabs from the name or IP of each PortMaster is an encryption key that matches the choice-net secret set on the PortMaster. The encryption key is case sensitive and can be up to 15 characters long. 

In the clients file the PortMaster can be represented as an IP address or as a qualified host name. DO NOT use both.  If both are used you may see error messages in either ChoiceNet or Radius such as "unable to cache clients file"
listsdir lists - This is the sub directory where the Site Access Lists are stored. Each list is stored as an ASCII text file with a filename equal the site name referred to in filter rules. 
filtersdir filters - This is the sub directory where dynamically loaded filters are stored as ASCII text files. Each filter goes by a filename equal to the filter name that is used by the PortMaster. 
lists.dbm - dbm versions of the site access lists found under the lists sub directory are stored here after being created by the buildlist executable. 


  • ChoiceNet is only available in binary form. Source code for the ChoiceNet server is not available. 

Copyright © 2000 Lucent Technologies. Use of this site indicates you accept the Terms of Use and the Privacy Statement. For comments or questions about this site, contact us.