1) allows DNS zone transfer to occur. (dump all entries from your DNS)
2) allows individual DNS lookup to occur. (lookup your http server)
3) allows HTTP exclusively to the server you desire.
What you might try adding to the END of this filter set is:
4) deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
So, if the user tries to get to your http server, it is allowed when rule 3
but, if the user tries to access the world, rule 4 denies ALL browsing
including your server, but the expectation is that rule 3 passes his request
before rule 4 is invoked, and hopefully you get the desired result.
You might make that deny rule a deny of ALL TCP and UDP, why let the user use
FTP or anything else?
Ed Miller wrote:
> We are using Emerald 2.5.227 and the PM3's w/3.8.2 OS as our RAS.
> >What we are trying to do is to set up an online signup system that will let
> >anyone to access our RAS with a set username and password (for example
> >username : newcustomer and password : newcustomer). Those who are dialing
> >with this username and password will be told to go to our subscription page
> >(for example subscribe.abcnet.com w/IP 18.104.22.168)to fill out the
> >relevant pages and get a membership online.
> >To achieve this we added a filter named online to the PM3 as below. Our aim
> >is to prevent people to go anywhere else other than the subscription page.
> >Let's assume that our DNS server is at 22.214.171.124 :
> >Filtername : online
> > 1 permit 0.0.0.0/0 126.96.36.199/32 tcp dst eq 53
> > 2 permit 0.0.0.0/0 188.8.131.52/32 udp dst eq 53
> > 3 permit 0.0.0.0/0 184.108.40.206/32 tcp dst eq 80
> >Once this was accomplished we created a service account (name : online
> >subsciption) in Emerald and added as the service default Framed-Filter :
> >Guess what? It didn't work. People acessing the RAS with the above filter
> >and username/password can still go anywhere they want.
> >We found out that the Rad Attribute should be Framed-Filter-Id for PM3 and
> >changed that accordingly. But still it let's everyone through.
> >What are we doing wrong here ? Should we add the rad attribute as a VSA ?
> >Is something wrong with the filter ?
> >Any help will be appreciated.
> I have no answer to this but I do have a question. Why RAS? Arn't you using
> RadiusNT with the Emerald? Do you mean NAS?
> For more information about this list, including removal,
> please see http://www.iea-software.com/maillist.html
For more information about this list, including removal,
please see http://www.iea-software.com/maillist.html