ascend-data-filters missing from access-accept

Christopher Carver ccarver at pennswoods.net
Fri Apr 21 04:23:16 CEST 2006


Hi,

I'm having some trouble getting all the Ascend-Data-Filter attributes I 
set in the users file returned in an access-accept packet.  It's strange 
because some of the filters get returned, but others do not.  It's 
creating a real problem for me.  Here is the stanza where I match and 
attach the attributes.  Note that there is no other area in my users 
file where Ascend-Data-Filters are being used.

DEFAULT Huntgroup-Name == xxxyyyzzz
        Ascend-Data-Filter += "ip out drop udp dstport = 135",
        Ascend-Data-Filter += "ip out drop udp dstport = 136",
        Ascend-Data-Filter += "ip out drop udp dstport = 137",
        Ascend-Data-Filter += "ip out drop udp dstport = 138",
        Ascend-Data-Filter += "ip out drop udp dstport = 139",
        Ascend-Data-Filter += "ip out drop udp dstport = 445",
        Ascend-Data-Filter += "ip out drop udp dstport = 587",
        Ascend-Data-Filter += "ip out drop udp dstport = 1433",
        Ascend-Data-Filter += "ip out drop udp dstport = 1434",
        Ascend-Data-Filter += "ip out drop udp dstport = 4444",
        Ascend-Data-Filter += "ip out drop tcp dstport = 135",
        Ascend-Data-Filter += "ip out drop tcp dstport = 136",
        Ascend-Data-Filter += "ip out drop tcp dstport = 137",
        Ascend-Data-Filter += "ip out drop tcp dstport = 138",
        Ascend-Data-Filter += "ip out drop tcp dstport = 139",
        Ascend-Data-Filter += "ip out drop tcp dstport = 445",
        Ascend-Data-Filter += "ip out drop tcp dstport = 587",
        Ascend-Data-Filter += "ip out drop tcp dstport = 1433",
        Ascend-Data-Filter += "ip out drop tcp dstport = 1434",
        Ascend-Data-Filter += "ip out drop tcp dstport = 4444",
        Ascend-Data-Filter += "ip out forward 0",
        Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/32",
        Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/32",
        Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/32",
        Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/30",
        Ascend-Data-Filter += "ip in forward 0 dstip xxx.xxx.xxx.xxx/30",
        Ascend-Data-Filter += "ip in drop tcp dstport = 25",
        Ascend-Data-Filter += "ip in drop tcp dstport = 587",
        Ascend-Data-Filter += "ip in forward 0",
        Fall-Through = no

Here is the output using radclient on an auth packet that matches that 
huntgroup:

su-2.05b# radclient -f auth localhost:6969 auth nas41v29
Received response ID 72, code 2, length = 1004
        Ascend-Data-Filter = "ip output drop udp dstport = 135"
        Ascend-Data-Filter = "ip output drop udp dstport = 136"
        Ascend-Data-Filter = "ip output drop udp dstport = 137"
        Ascend-Data-Filter = "ip output drop udp dstport = 138"
        Ascend-Data-Filter = "ip output drop udp dstport = 139"
        Ascend-Data-Filter = "ip output drop udp dstport = 445"
        Ascend-Data-Filter = "ip output drop udp dstport = 587"
        Ascend-Data-Filter = "ip output drop udp dstport = 1433"
        Ascend-Data-Filter = "ip output drop udp dstport = 1434"
        Ascend-Data-Filter = "ip output drop udp dstport = 4444"
        Ascend-Data-Filter = "ip output drop tcp dstport = 135"
        Ascend-Data-Filter = "ip output drop tcp dstport = 136"
        Ascend-Data-Filter = "ip output drop tcp dstport = 137"
        Ascend-Data-Filter = "ip output drop tcp dstport = 138"
        Ascend-Data-Filter = "ip output drop tcp dstport = 139"
        Ascend-Data-Filter = "ip output drop tcp dstport = 445"
        Ascend-Data-Filter = "ip output drop tcp dstport = 587"
        Ascend-Data-Filter = "ip output drop tcp dstport = 1433"
        Ascend-Data-Filter = "ip output drop tcp dstport = 1434"
        Ascend-Data-Filter = "ip output drop tcp dstport = 4444"
        Ascend-Data-Filter = "ip output forward 0"
        Ascend-Data-Filter = "ip input drop tcp dstport = 25"
        Ascend-Data-Filter = "ip input drop tcp dstport = 587"
        Ascend-Data-Filter = "ip input forward 0"
        Idle-Timeout = 1800
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.255

There's no other place Ascend-Data-Filter is used in the users file, so, 
there's no chance of that messing it up.  This is confusing because it 
seems to add some but not others.  Basically it causes email not to work 
for the users because the drop rule for port 25 traffic gets added but 
the allow rule to our mail server does not.  Any ideas?

Thanks!

Chris Carver
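
A check for the mismatch reported in this message, as an added example that is not part of the original post: it compares the Ascend-Data-Filter lines of a users-file stanza with those in a radclient reply and lists returned drop rules whose earlier forward rule went missing. The function names are hypothetical, the sample text is constructed with 192.0.2.10 standing in for the redacted address, and the in/out to input/output mapping is the one visible in the output above.

```python
import re
from collections import Counter

# radclient prints the long form of the direction keyword typed in the users file.
DIRECTION = {"in": "input", "out": "output"}
FILTER_RE = re.compile(r'Ascend-Data-Filter\s*\+?=\s*"([^"]*)"')

def extract_filters(text):
    """Normalized filter strings, in order of appearance."""
    rules = []
    for raw in FILTER_RE.findall(text):
        words = raw.split()
        words[1:2] = [DIRECTION.get(w, w) for w in words[1:2]]
        rules.append(" ".join(words))
    return rules

def missing_filters(users_text, reply_text):
    """Configured rules absent from the reply, as (position, rule); duplicates counted."""
    remaining = Counter(extract_filters(reply_text))
    missing = []
    for pos, rule in enumerate(extract_filters(users_text), start=1):
        if remaining[rule]:
            remaining[rule] -= 1
        else:
            missing.append((pos, rule))
    return missing

def exposed_drops(users_text, reply_text):
    """Returned drop rules that followed a missing forward rule of the same direction."""
    configured = [r.split() for r in extract_filters(users_text)]
    lost = dict(missing_filters(users_text, reply_text))
    exposed = []
    for pos in lost:
        gone = configured[pos - 1]
        if len(gone) < 3 or gone[2] != "forward":
            continue
        for later_pos, w in enumerate(configured[pos:], start=pos + 1):
            if later_pos not in lost and w[1:3] == [gone[1], "drop"]:
                if " ".join(w) not in exposed:
                    exposed.append(" ".join(w))
    return exposed

# Constructed sample, shortened from the stanza and reply in the message.
USERS = '''Ascend-Data-Filter += "ip in forward 0 dstip 192.0.2.10/32",
Ascend-Data-Filter += "ip in drop tcp dstport = 25",
Ascend-Data-Filter += "ip in forward 0",'''
REPLY = '''Ascend-Data-Filter = "ip input drop tcp dstport = 25"
Ascend-Data-Filter = "ip input forward 0"'''
print(missing_filters(USERS, REPLY), exposed_drops(USERS, REPLY))
```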


