Hi all!  I have a freeradius 1.0.1 setup with PAM and Ascend-Data-Filter in
production.  I have configured /etc/raddb/users to include a DEFAULT section
for all users and a user-specific section for the one-offs.  I use
Ascend-Data-Filter for the purpose of configuring packet filtering with
GlobalPops.  I need to be able to set unique packet filter settings for each of
certain users.  Specifically, I want to disallow all users from sending out
destination tcp 25 except to my mail server, but allow one user to send out to
my mail server and one other mail server.

The problem is that when one of my specified users authenticates,
freeradius is sending the DEFAULT section and then the user-specific section. 
I want it to either send only the user-specific section and not the DEFAULT
section, or else be able to clear the packet filter settings first.

The relevant section from /etc/raddb/users is here:

DEFAULT Auth-Type = PAM
        Fall-Through = 1,
        X-Ascend-Data-Filter += "ip in forward tcp est",
        X-Ascend-Data-Filter += "ip in forward dstip x.x.x.x/32",
        X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
        X-Ascend-Data-Filter += "ip in forward"

user    Auth-Type = PAM
        Fall-Through = 1,
        X-Ascend-Data-Filter += "ip in forward tcp est",
        X-Ascend-Data-Filter += "ip in forward dstip x.x.x.x/32",
        X-Ascend-Data-Filter += "ip in forward tcp est",
        X-Ascend-Data-Filter += "ip in forward dstip y.y.y.y/32",
        X-Ascend-Data-Filter += "ip in drop tcp dstport = 25",
        X-Ascend-Data-Filter += "ip in forward",
        Reply-Message = "Hello, %u"

I know that GlobalPops is not interfering, and they are only using my server's
response.  I know that because if I move that Reply-Message to the DEFAULT
section, the output moves accordingly in the response.  My server's logs, as
well as output from GlobalPops's web-based radius tester, show that it is
responding to [EMAIL PROTECTED] by sending the DEFAULT response (which ends in
blocking all other smtp, nullifying the user response) plus the user response. 
From GlobalPops's web-based radius tester, it looks like this:

        Ascend-Data-Filter = ip in forward tcp est
        Ascend-Data-Filter = ip in forward dstip x.x.x.x/32
        Ascend-Data-Filter = ip in drop tcp dstport = 25
        Ascend-Data-Filter = ip in forward
        Ascend-Data-Filter = ip in forward dstip x.x.x.x/32
        Ascend-Data-Filter = ip in forward tcp est
        Ascend-Data-Filter = ip in forward dstip y.y.y.y/32
        Ascend-Data-Filter = ip in drop tcp dstport = 25
        Ascend-Data-Filter = ip in forward
        Reply-Message = "Hello, [EMAIL PROTECTED]"
        Session-Timeout = 28800
        Idle-Timeout = 600
        Service-Type = Framed-User
        Framed-Protocol = PPP

So how do I get freeradius to not concatenate the two, or how do I set the user
response to first clear the DEFAULT packet filter?  Thanks!

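The merge described in the post, modelled as an added example (not part of the original message and not FreeRADIUS code): entries in the users file are walked top to bottom, += appends to the reply, and processing continues past a matching entry only when Fall-Through is set. It assumes the NAS applies the filters first-match-wins, which is consistent with what the poster observed; the addresses are constructed stand-ins for x.x.x.x and y.y.y.y, and the function names are hypothetical.

```python
import ipaddress

X, Y = "192.0.2.25", "198.51.100.25"  # constructed stand-ins for x.x.x.x / y.y.y.y

DEFAULT_FILTERS = ["ip in forward tcp est", f"ip in forward dstip {X}/32",
                   "ip in drop tcp dstport = 25", "ip in forward"]
USER_FILTERS = ["ip in forward tcp est", f"ip in forward dstip {X}/32",
                "ip in forward tcp est", f"ip in forward dstip {Y}/32",
                "ip in drop tcp dstport = 25", "ip in forward"]

def build_reply(entries, username):
    """Walk entries in file order; += appends; stop unless Fall-Through is set."""
    reply = []
    for name, fall_through, filters in entries:
        if name in ("DEFAULT", username):
            reply += filters
            if not fall_through:
                break
    return reply

def rule_matches(rule, pkt):
    """Match only the filter syntax used in the post: tcp, est, dstip, dstport =."""
    tok = rule.split()[3:]  # skip "ip in <action>"
    if "tcp" in tok and pkt["proto"] != "tcp":
        return False
    if "est" in tok and not pkt["est"]:
        return False
    if "dstip" in tok:
        net = ipaddress.ip_network(tok[tok.index("dstip") + 1])
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    if "dstport" in tok and pkt["dport"] != int(tok[tok.index("dstport") + 2]):
        return False
    return True

def verdict(filters, pkt):
    """Assumption: the first matching rule decides what happens to the packet."""
    for rule in filters:
        if rule_matches(rule, pkt):
            return rule.split()[2]  # "forward" or "drop"
    return "no-match"

def new_smtp(dst):
    """A new (not yet established) TCP connection to port 25."""
    return {"proto": "tcp", "dst": dst, "dport": 25, "est": False}

# Order as posted: DEFAULT first with Fall-Through, then the user entry.
as_posted = build_reply([("DEFAULT", True, DEFAULT_FILTERS), ("user", True, USER_FILTERS)], "user")
# Alternative order: user entry first, without Fall-Through, then DEFAULT.
user_first = build_reply([("user", False, USER_FILTERS), ("DEFAULT", True, DEFAULT_FILTERS)], "user")

if __name__ == "__main__":
    for label, flt in (("as posted", as_posted), ("user entry first", user_first)):
        print(label, "-> new SMTP to y.y.y.y:", verdict(flt, new_smtp(Y)))
```

With the posted order, the DEFAULT drop rule for port 25 is reached before the user's y.y.y.y rule; with the user entry first and no Fall-Through, only the user's filters are sent and other users still receive the DEFAULT set.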