Lucent ChoiceNet (TM) Notes

This document covers the following: how ChoiceNet works (Dynamic Filters and Site Access Lists), configuring the PortMaster, and configuring the ChoiceNet server.

ChoiceNet does two things:
Dynamic Filters

Dynamic Filters allow packet filters to be stored on a server separate from the Lucent PortMaster (TM). Packet filters are configured to be applied to an interface, and the PortMaster calls for a filter whenever an interface configured with an input or output filter is created or reset (different interface types pick up filter changes at different points).

When the PortMaster calls for a filter it first checks its own local filter table. If the filter is found there, the local copy is used. If it is not found and a ChoiceNet server is configured, the PortMaster makes a single request for the filter to the ChoiceNet server on UDP port 1647. If the ChoiceNet server has the filter, it delivers it to the PortMaster over TCP port 1643, the same port used by the Lucent PMconsole (TM) utilities, together with a one-time password.

Dynamic filters are stored on the ChoiceNet server as ASCII text files in the filters sub directory. Each filename is the same as the name of the filter as it is referred to on the PortMaster. A dynamic filter file contains the filter rules exactly as they would appear in PMconsole, that is, without rule numbers.

NOTE:
Do not apply a Dynamic Filter to the interface through which the PortMaster reaches the ChoiceNet server: the request for the filter would have to go out over the very interface that is waiting for it. Example: If your PortMaster is on the same Ethernet LAN as your ChoiceNet server, do not use a Dynamic Filter on the ether0 interface.
Site Access Lists

A Site Access List is a list of qualified host names or IP addresses of hosts. The list is stored as an ASCII file in the lists sub directory, with one host name or IP address per line.

Usage: Site Access Lists are referenced from within filter rules.

Example: To block all traffic coming from the hosts in a Site Access List named testlist, include a rule in the filter similar to the following:

Command> deny =testlist 0.0.0.0/0

Here =testlist occupies the source address position (where the packet is coming from). The equal sign '=' tells the PortMaster that testlist is a Site Access List rather than a host or network address.

Example: To instead prevent any packets from going to the listed sites, change the rule so that the list is the destination:

Command> deny 0.0.0.0/0 =testlist

In this example the Site Access List is specified as the destination address (where the packet is going).

NOTE:
Example Of A Site Access List File

This is a sample Site Access List. Each host is represented as an IP address or a qualified host name, one per line; lines beginning with '#' are comments. List files are stored in the lists sub directory. The example file is named testlist:

# Sample Site Access List
# Filename: testlist
www.ra.lucent.com
192.168.1.2
mail.insertname.com
10.0.34.5
www.insertname.net

Configuring the PortMaster

NOTE: To use ChoiceNet you MUST have ComOS release 3.5 or higher and the ChoiceNet server for your platform. ChoiceNet beta releases are not supported.
choicenet

This tells the PortMaster where to look for the ChoiceNet server. Do NOT set this parameter if you do not have a ChoiceNet server, since requests to an absent server take a long time to time out.

Example:
Command> set choicenet 192.168.1.2

choicenet-secret

ChoiceNet secrets work similarly to RADIUS secrets. The secret is matched against the secret recorded for this PortMaster in the ChoiceNet server's clients file. The secret can be up to 15 characters long and is case sensitive.

Example:
Command> set choicenet-secret insertasecret

maximum pmconsole

ChoiceNet transfers the dynamic filters to the PortMaster using Transmission Control Protocol (TCP) port 1643, the same port that PMconsole uses. By default a PortMaster allows one connection at a time on this port. When using ChoiceNet, increase this limit as shown below so that filter transfers and PMconsole sessions do not run out of allowed connections.

Example:
Command> set maximum pmconsole 5

Configuring the Server

Lucent PMinstall (TM) has an option to install ChoiceNet onto your host. If you do not have a version of PMinstall with this option, you can install ChoiceNet manually.

Manually Installing ChoiceNet Server

For more details see the ChoiceNet Administrator's Guide.
The manual installation steps are:

umask 022
mkdir /etc/choicenet
chmod 700 /etc/choicenet

plus the following service definition for the UDP port the PortMaster queries (UDP 1647, see Dynamic Filters above):

choicenet 1647/udp filterd

The chmod 700 matters: the clients file in this directory holds the shared secrets for every PortMaster, so the directory should be readable by its owner only.

Server Files

/etc/choicenet/
    filterd
    buildlist
    dumplist
    clients
    lists/
    filters/
    lists.dbm/

/etc/choicenet - By default this is where all the ChoiceNet server files, configuration, Dynamic Filters and Site Access Lists are stored.
buildlist - Converts the Site Access Lists in the lists sub directory into dbm databases in the lists.dbm sub directory. Run it again whenever a list file changes so the dbm copy stays in step with the text file.

clients - Works much like the RADIUS clients file. It lists each PortMaster (by host name or by IP address) that is allowed to access the ChoiceNet server. Separated from the name or IP address of each PortMaster by spaces or tabs is an encryption key that must match the choicenet-secret set on that PortMaster. The key is case sensitive and can be up to 15 characters long. In the clients file a PortMaster may be represented either as an IP address or as a qualified host name; DO NOT use both for the same PortMaster. If both are used you may see error messages in either ChoiceNet or RADIUS such as "unable to cache clients file".
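As an added example (not part of the Lucent notes or of the ChoiceNet distribution), the following Python script checks a server's list, clients and filter files against the constraints stated in the sample list file above and in the clients description: one host name or IP address per line in a Site Access List, a secret of at most 15 characters, no PortMaster listed under both its host name and its IP address, and no rule numbers in dynamic filter files. The known_addresses mapping is an assumption that stands in for DNS so the host-name/IP cross-check runs offline; the clients and filter sample contents are constructed, and the list sample is the testlist from these notes.

```python
"""Check ChoiceNet server files against the rules stated in these notes.

Added example, not part of the Lucent documentation or the ChoiceNet
distribution. Sample file contents below are constructed (the list sample
reproduces the testlist from the notes).
"""
import ipaddress
import re

MAX_SECRET_LEN = 15  # stated limit for the choicenet-secret / clients key
# A "qualified" host name: valid labels, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$")

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def is_hostname(token):
    return bool(HOSTNAME_RE.match(token))

def entries(text):
    """Yield (line number, content) for non-blank, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line

def check_site_list(text):
    """Problems in a Site Access List (lists/<name>): one host or IP per line."""
    problems = []
    for n, line in entries(text):
        if len(line.split()) != 1:
            problems.append(f"line {n}: one host name or IP address per line")
        elif not (is_ip(line) or is_hostname(line)):
            problems.append(f"line {n}: {line!r} is neither an IP address "
                            "nor a qualified host name")
    return problems

def check_clients(text, known_addresses=None):
    """Problems in the clients file.

    known_addresses maps host names to the IP address they resolve to. It is
    an assumption standing in for DNS so the check runs offline and can catch
    a PortMaster listed under both forms, which the notes say to avoid.
    """
    known = {k.lower(): v for k, v in (known_addresses or {}).items()}
    problems, names, ips = [], [], set()
    for n, line in entries(text):
        parts = line.split()
        if len(parts) != 2:
            problems.append(f"line {n}: expected '<portmaster> <secret>'")
            continue
        client, secret = parts
        if is_ip(client):
            ips.add(client)
        elif is_hostname(client):
            names.append(client.lower())
        else:
            problems.append(f"line {n}: {client!r} is neither an IP address "
                            "nor a qualified host name")
        if len(secret) > MAX_SECRET_LEN:  # secrets are case sensitive, max 15
            problems.append(f"line {n}: secret for {client} is {len(secret)} "
                            f"characters, limit is {MAX_SECRET_LEN}")
    for name in names:
        addr = known.get(name)
        if addr in ips:
            problems.append(f"{name} and {addr} are the same PortMaster; "
                            "list it by host name or IP address, not both")
    return problems

def check_filter(text):
    """Problems in a dynamic filter file (filters/<name>): no rule numbers."""
    return [f"line {n}: rule starts with a number ({line.split()[0]}); "
            "dynamic filter rules are written without rule numbers"
            for n, line in entries(text) if line.split()[0].isdigit()]

# Constructed samples: the notes' testlist, plus a clients file and a filter
# file that each break one of the stated rules.
SAMPLE_LIST = """# Sample Site Access List
# Filename: testlist
www.ra.lucent.com
192.168.1.2
mail.insertname.com
10.0.34.5
www.insertname.net
"""
BAD_CLIENTS = """# portmaster          secret
pm1.insertname.com    insertasecret
192.168.1.254         thisSecretIsTooLong1
"""
BAD_FILTER = "1 deny =testlist 0.0.0.0/0\npermit 0.0.0.0/0 0.0.0.0/0\n"

if __name__ == "__main__":
    resolver = {"pm1.insertname.com": "192.168.1.254"}  # assumed DNS answer
    for label, problems in [("lists/testlist", check_site_list(SAMPLE_LIST)),
                            ("clients", check_clients(BAD_CLIENTS, resolver)),
                            ("filters/testfilter", check_filter(BAD_FILTER))]:
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Without the known_addresses mapping the duplicate-PortMaster check cannot fire, because the text of the clients file alone does not reveal that a host name and an IP address refer to the same machine; on a live server that mapping would come from the resolver the ChoiceNet host itself uses.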
NOTE:
Copyright © 2000 Lucent Technologies. Use of this site indicates you accept the