Real Time Ascend Mailing List Archive

RE: (ASCEND) Adding Filters to TNT MAX
On Wed, 2 Feb 2000, Buckner, John wrote:

> Ken - Did you ever get your filters to work?
> 
> I am trying to do something similar and am having problems.  Any tips for a
> beginner in Ascend filters?  I am familiar w/ Cisco filters, but is the mask
> 'backwards' on the Ascend?  I am trying to limit a user's ability to go to
> other subnets using an Ethernet filter.
> 
> I am using RADIUS to pass the Filter-ID Attribute to the Ascend.  I guess
> that this is working.

Yes, John, I did finally get the filters working properly.  The netmask
is not backwards like I suspected.  My problem was that I misunderstood
how the port comparison worked.  I believe Ethernet filters will be
backwards as compared to user filters, which is what I am doing. I think
you need to flip-flop the input/output rules for Ethernet. Anyway, we did
not apply it to the Ethernet since that would exclude myself or our
employees from that dial-up pool.  Doing it on a per-user basis lets us
do many things.

Tip number one...

------------------------------------------------------------------------
If you are going to make IP packet comparisons based on port, you
!!MUST!! specify a protocol value of either TCP (6) or UDP (17).  If you
do not specify a TCP or UDP protocol then whatever is in the dst-comp or
src-comp fields is IGNORED.
------------------------------------------------------------------------

and another tip...

-------------------------------------------------------------------------
At the end of EVERY filter you make there is an IMPLICIT DENY ALL. So make
your last rule forward everything unless a deny all is what you want.
-------------------------------------------------------------------------

If I had found that first one in the manual sooner it sure would have
saved me some headaches.  After reading and comprehending that little
nugget of info, all I had to do was specify a filter forwarding all TCP
packets on a port greater than 1023 and then another filter doing the same
for UDP packets.

Since I just love examples:

Let's say we want to allow only telnet access to our machines on the
192.168.1.0 network and allow anything above port 1023 (like quake2!) or
on another network to pass through.  There is no provision for DNS (port
53) so in this filter you could only use IP's unless you had a local hosts
file to do the look-up.

Here's what's happening in each filter rule (remember, the ordering of each
rule is extremely important):

	1. If it's heading for port 23 on our network, forward it.
	2. If it's a TCP packet on a port >1023, forward it.
	3. If it's a UDP packet on a port >1023, forward it.
	4. If it's any other packet heading for our network, drop it.
	5. Allow all other packets to their destination.

And now the filter:

(This is a MAX TNT running 7.2.23 btw)

[in FILTER/telnet.in:input-filters[1]]
valid-entry = yes
forward = yes
Type = ip-filter
ip-filter:
   protocol = 6
   source-address-mask = 0.0.0.0
   source-address = 0.0.0.0
   dest-address-mask = 255.255.255.0
   dest-address = 192.168.1.0
   Src-Port-Cmp = none
   source-port = 0
   Dst-Port-Cmp = eql
   dest-port = 23
   tcp-estab = no

[in FILTER/telnet.in:input-filters[2]] 
valid-entry = yes
forward = yes   
Type = ip-filter
ip-filter:
   protocol = 6
   source-address-mask = 0.0.0.0
   source-address = 0.0.0.0   
   dest-address-mask = 255.255.255.0
   dest-address = 192.168.1.0
   Src-Port-Cmp = none
   source-port = 0
   Dst-Port-Cmp = gtr
   dest-port = 1023
   tcp-estab = no 

[in FILTER/telnet.in:input-filters[3]] 
valid-entry = yes
forward = yes   
Type = ip-filter
ip-filter:
   protocol = 17
   source-address-mask = 0.0.0.0
   source-address = 0.0.0.0   
   dest-address-mask = 255.255.255.0
   dest-address = 192.168.1.0
   Src-Port-Cmp = none
   source-port = 0
   Dst-Port-Cmp = gtr
   dest-port = 1023
   tcp-estab = no

[in FILTER/telnet.in:input-filters[4]] 
valid-entry = yes
forward = no   
Type = ip-filter
ip-filter:
   protocol = 0
   source-address-mask = 0.0.0.0
   source-address = 0.0.0.0   
   dest-address-mask = 255.255.255.0
   dest-address = 192.168.1.0
   Src-Port-Cmp = none
   source-port = 0
   Dst-Port-Cmp = none
   dest-port = 0 
   tcp-estab = no

[in FILTER/telnet.in:input-filters[5]] 
valid-entry = yes
forward = yes   
Type = ip-filter
ip-filter:
   protocol = 0
   source-address-mask = 0.0.0.0
   source-address = 0.0.0.0   
   dest-address-mask = 0.0.0.0
   dest-address = 0.0.0.0
   Src-Port-Cmp = none
   source-port = 0
   Dst-Port-Cmp = none
   dest-port = 0
   tcp-estab = no  
 

There are other things that could be added, such as making the first rule
allow all established TCP connections, that would be cleaner and cause
less latency.  I am not sure how many filters you can insert before
getting any noticeable amount of latency.  To protect our core network
from scanning and such, each of our users will have up to 20 comparisons
to go through for each packet. We have ordered our filters with the most
used services towards the top to keep things as fast as possible (web and
mail are the big ones).  Don't forget about required services like DNS
(UDP port 53).

As for RADIUS, since the MAX TNT limits me to 12 comparisons per filter, I
had to split it up into two filters.  It's easy enough to add to the
default user's profile though.  Just add:

	Filter-Id = "filter1.in"
	Filter-Id = "filter2.in"

Name them whatever you want.  I just put the '.in' on the end to let me
know which direction I am using.

I hope this helps all of you who e-mailed me and asked for any info I got.
I hope I didn't screw up the example. :-)

 -----
                        .~.
  Ken Kirchner          /V\       L   I   N   U   X
  Asst SysAdmin        // \\  > Don't fear the penguin <
  ShreveNet, Inc.     /(   )\
                       ^^-^^
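The following Python script is an added example, not Ascend code and not part of Ken's post. It models the five telnet.in rules above as a first-match filter so you can check what a given packet would do before loading the profile onto the MAX TNT. The evaluation semantics are assumptions taken from the post: the first matching rule decides, an implicit deny follows the last rule, the address mask is an ordinary subnet mask, and the Src-Port-Cmp/Dst-Port-Cmp fields are honoured only when the rule's protocol is 6 or 17. Rule 1 is modelled with Dst-Port-Cmp = eql and rule 3 with gtr, which is what the numbered description calls for. The packet values and the 10.0.0.1 / 10.9.8.7 addresses are constructed test data.

```python
# Added example: a simulator for Ascend MAX TNT style ip-filter rules.
# Semantics are assumptions drawn from the post (first match wins, implicit
# deny at the end, port comparisons count only for protocol 6 or 17).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # the protocol numbers the post says port rules require


@dataclass(frozen=True)
class Packet:
    protocol: int
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    """One ip-filter entry, mirroring the fields in the profile dump."""
    forward: bool
    protocol: int = 0            # 0 = match any protocol
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"    # ordinary subnet mask; 0.0.0.0 matches anything
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    src_cmp: str = "none"        # none | eql | neq | less | gtr
    src_port: int = 0
    dst_cmp: str = "none"
    dst_port: int = 0


def _addr_match(addr: str, rule_addr: str, mask: str) -> bool:
    a, r, m = (int(IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)


def _port_match(cmp: str, port: int, rule_port: int) -> bool:
    return {
        "none": True,
        "eql": port == rule_port,
        "neq": port != rule_port,
        "less": port < rule_port,
        "gtr": port > rule_port,
    }[cmp]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if not _addr_match(pkt.src, rule.src_addr, rule.src_mask):
        return False
    if not _addr_match(pkt.dst, rule.dst_addr, rule.dst_mask):
        return False
    # Tip one: the port comparisons only count when the rule names TCP or UDP.
    if rule.protocol in (TCP, UDP):
        if not _port_match(rule.src_cmp, pkt.src_port, rule.src_port):
            return False
        if not _port_match(rule.dst_cmp, pkt.dst_port, rule.dst_port):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides; returns (action, 1-based rule index)."""
    for i, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return ("forward" if rule.forward else "drop", i)
    return ("drop", None)  # tip two: implicit deny all at the end of every filter


NET, MASK = "192.168.1.0", "255.255.255.0"
TELNET_IN = [
    Rule(True, TCP, dst_addr=NET, dst_mask=MASK, dst_cmp="eql", dst_port=23),    # 1
    Rule(True, TCP, dst_addr=NET, dst_mask=MASK, dst_cmp="gtr", dst_port=1023),  # 2
    Rule(True, UDP, dst_addr=NET, dst_mask=MASK, dst_cmp="gtr", dst_port=1023),  # 3
    Rule(False, 0, dst_addr=NET, dst_mask=MASK),                                 # 4
    Rule(True),                                                                  # 5
]

# Tip one shown as a misconfiguration: rule 1 with the protocol left at 0, so
# the dest-port comparison is silently ignored and the rule forwards every
# packet heading for the network.
PORT_RULE_WITHOUT_PROTOCOL = [
    Rule(True, 0, dst_addr=NET, dst_mask=MASK, dst_cmp="eql", dst_port=23),
]


def decide(rules, protocol, dst, dst_port, src="10.9.8.7", src_port=40000):
    """Constructed dial-up source address; returns evaluate()'s verdict."""
    return evaluate(rules, Packet(protocol, src, dst, src_port, dst_port))


if __name__ == "__main__":
    cases = [("telnet", TCP, "192.168.1.5", 23), ("http", TCP, "192.168.1.5", 80),
             ("dns", UDP, "192.168.1.5", 53), ("quake2", UDP, "192.168.1.5", 27910),
             ("elsewhere", TCP, "10.0.0.1", 80)]
    for name, proto, dst, port in cases:
        print(f"{name:10} -> {decide(TELNET_IN, proto, dst, port)}")
    print("no rule 5 ->", decide(TELNET_IN[:4], TCP, "10.0.0.1", 80))
    print("protocol 0 ->", decide(PORT_RULE_WITHOUT_PROTOCOL, TCP, "192.168.1.5", 80))
```

Running it shows the two caveats from the post directly: DNS to the protected network is dropped by rule 4 (so the hosts-file note above applies), and dropping rule 5 turns the filter into a deny-all for traffic bound anywhere else because of the implicit deny.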

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>