Hi all! I have a freeradius 1.0.1 setup with PAM and Ascend-Data-Filter in production. I have configured /etc/raddb/users to include a DEFAULT section for all users and a user-specific section for the one-offs. I use Ascend-Data-Filter for the purpose of configuring packet filtering with GlobalPops. I need to be able to set unique packet filter settings for each of certain users. Specifically, I want to disallow all users from sending out destination tcp 25 except to my mail server, but allow one user to send out to my mail server and one other mail server.
The problem is that when one of my specified users authenticates, freeradius is sending the DEFAULT section and then the user-specific section. I want it to either send only the user-specific section and not the DEFAULT section, or else be able to clear the packet filter settings first. The relevant section from /etc/raddb/users is here:

    DEFAULT Auth-Type = PAM
            Fall-Through = 1,
            X-Ascend-Data-Filter += "ip in forward tcp est",
            X-Ascend-Data-Filter += "ip in forward dstip x.x.x.x/32",
            X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
            X-Ascend-Data-Filter += "ip in forward"

    user    Auth-Type = PAM
            Fall-Through = 1,
            X-Ascend-Data-Filter += "ip in forward tcp est",
            X-Ascend-Data-Filter += "ip in forward dstip x.x.x.x/32",
            X-Ascend-Data-Filter += "ip in forward tcp est",
            X-Ascend-Data-Filter += "ip in forward dstip y.y.y.y/32",
            X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
            X-Ascend-Data-Filter += "ip in forward",
            Reply-Message = "Hello, %u"

I know that GlobalPops is not interfering, and they are only using my server's response. I know that because if I move that Reply-Message to the DEFAULT section, the output moves accordingly in the response. My server's logs, as well as output from GlobalPops's web-based radius tester, show that it is responding to [EMAIL PROTECTED] by sending the DEFAULT response (which ends in blocking all other smtp, nullifying the user response) plus the user response.
From GlobalPops's web-based radius tester, it looks like this:

    Ascend-Data-Filter = ip in forward tcp est
    Ascend-Data-Filter = ip in forward dstip x.x.x.x/32
    Ascend-Data-Filter = ip in drop tcp dstport = 25
    Ascend-Data-Filter = ip in forward
    Ascend-Data-Filter = ip in forward dstip x.x.x.x/32
    Ascend-Data-Filter = ip in forward tcp est
    Ascend-Data-Filter = ip in forward dstip y.y.y.y/32
    Ascend-Data-Filter = ip in drop tcp dstport = 25
    Ascend-Data-Filter = ip in forward
    Reply-Message = "Hello, [EMAIL PROTECTED]"
    Session-Timeout = 28800
    Idle-Timeout = 600
    Service-Type = Framed-User
    Framed-Protocol = PPP

So how do I get freeradius to not concatenate the two, or how do I set the user response to first clear the DEFAULT packet filter?

Thanks!
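An added example, not part of the original post: a small evaluator that walks the Ascend-Data-Filter values from the tester output and reports which rule decides a new SMTP connection, for the concatenated reply and for the per-user values alone. It assumes the filters are applied in order with the first match deciding; the addresses are constructed stand-ins for x.x.x.x and y.y.y.y, and `parse`, `matches`, `decide` and `smtp_syn` are hypothetical helper names.

```python
import ipaddress

X, Y = "192.0.2.10", "198.51.100.20"  # constructed stand-ins for x.x.x.x and y.y.y.y

def parse(rule):
    """Parse the subset of the filter syntax that appears in the post."""
    tok = rule.split()
    if tok[:2] != ["ip", "in"] or len(tok) < 3 or tok[2] not in ("forward", "drop"):
        raise ValueError(f"unsupported filter: {rule!r}")
    r = {"action": tok[2], "tcp": False, "est": False, "dstip": None, "dstport": None}
    it = iter(tok[3:])
    for t in it:
        if t in ("tcp", "est"):
            r[t] = True
        elif t == "dstip":
            r["dstip"] = ipaddress.ip_network(next(it, ""))
        elif t == "dstport" and next(it, "") == "=":
            r["dstport"] = int(next(it, ""))
        else:
            raise ValueError(f"unsupported token {t!r} in {rule!r}")
    return r

def matches(r, pkt):
    # A rule matches when every condition it carries holds for the packet.
    return ((not r["tcp"] or pkt["proto"] == "tcp")
            and (not r["est"] or pkt["est"])
            and (r["dstip"] is None or ipaddress.ip_address(pkt["dst"]) in r["dstip"])
            and (r["dstport"] is None or pkt["dport"] == r["dstport"]))

def decide(rules, pkt):
    """Return (action, 1-based rule number) for the first matching rule."""
    for n, rule in enumerate(rules, 1):
        r = parse(rule)
        if matches(r, pkt):
            return r["action"], n
    return None, None  # no rule matched; the NAS default is outside this sketch

DEFAULT = ["ip in forward tcp est", f"ip in forward dstip {X}/32",
           "ip in drop tcp dstport = 25", "ip in forward"]
# Per-user values as they appear in the tester output, after the DEFAULT ones.
USER = [f"ip in forward dstip {X}/32", "ip in forward tcp est",
        f"ip in forward dstip {Y}/32", "ip in drop tcp dstport = 25", "ip in forward"]

def smtp_syn(dst):
    # A new (not yet established) TCP connection to port 25 on dst.
    return {"proto": "tcp", "est": False, "dst": dst, "dport": 25}

if __name__ == "__main__":
    for dst in (X, Y):
        print(dst, decide(DEFAULT + USER, smtp_syn(dst)), decide(USER, smtp_syn(dst)))
```

Under that assumption, the fourth DEFAULT value ("ip in forward") matches every packet, so none of the per-user values after it is ever consulted.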