My understanding (albeit it's been a while since I've played with arc filters) is that you DO need to apply the filter(s) to the interfaces whereas you're saying you don't. For BOTH user level and interface level filters you must apply the filter, i.e.:

set interface slot:1/mod:[1-24] filter_access on

Also... my understanding is that if you swap out a DSP or card or even possibly drop power to a card you will need to reapply the filter.

Todd

----- Original Message -----
From: "Lee Terrell" <leet@directcon.net>
To: <usr-tc@mailman.xmission.com>
Sent: Tuesday, January 14, 2003 8:27 PM
Subject: [USR-TC] IP Filtering
Hi All,
I've been going around in circles with this scenario for a while now and I think I've finally re-read the HiperARC manual enough to scramble my thoughts, so I thought I would check here to see if anyone might be able to offer some simplification.
Since we got our first total control unit 4 yrs ago, we've always had issues when it comes to giving access to users with a specified Filter-Id assigned in RADIUS. Rather than try to figure them out, the previous admin here just let them slide out of the way, and now they have fallen to my list. What we want to accomplish is to force customers that have requested to use a content filter proxy service through the proxy, or else they can't pull up any sites at all. Filters on the Ascend gear we have work great, but I've been over the 3com setup so much now I've confused my thoughts.
What we do is assign a Filter-Id = 04 in RADIUS. Then on the HiperARC I have copied over my filter, and saved as both 04 and 04.in.
I've executed "add filter 04" and "add filter 04.in" followed with "set interface slot:1/mod:[1-23] filter_access on" for each slot, and also "enable ip address_pool_filtering"
Here is what my filter looks like:
#filter
IP:
001 AND src-addr = 0.0.0.0/0;
011 ACCEPT dst-addr = 10.1.1.28;
021 AND dst-addr = 0.0.0.0/0;
031 REJECT tcp-src-port = 80;
041 AND dst-addr = 0.0.0.0/0;
051 REJECT tcp-src-port = 70;
061 AND dst-addr = 0.0.0.0/0;
071 REJECT tcp-src-port = 21;
081 AND dst-addr = 0.0.0.0/0;
091 REJECT tcp-src-port = 20;
101 AND dst-addr = 0.0.0.0/0;
111 REJECT tcp-src-port >= 1024;
When users with the Filter-Id assigned try to connect, syslog shows:
Facility "IP", Level "CRITICAL":: IP, FILTER_APPLY_RSP failed (ES_NOT_PROC)
Searching through the manual, it says this message happens when a filter is not defined in the HiperARC table, but I can see them listed. I added the .in filter since the manual seemed to reference using RADIUS based filters with .in and .out extensions.
If I understand the process right, I should not be assigning the filters to each interface on the TC, since that would force all users connected to go through the proxy, and instead the Filter-Id from RADIUS should tell the TC which filter to assign to the user. Is this logic correct or do I have something wrong?
If anyone could offer some info as to what the proper name for the filter file should be either on the HiperARC or in RADIUS, or if you see other parts in my procedure that could stand to be changed, I would greatly appreciate the help.
Thanks for your time,
Lee Terrell
_______________________________________________
USR-TC mailing list
USR-TC@mailman.xmission.com
http://mailman.xmission.com/cgi-bin/mailman/listinfo/usr-tc
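The filter Lee posted, traced rule by rule against a few constructed packets, as an added example that is not part of this thread and not 3Com's own tooling. The evaluation model it uses is an assumption made for the illustration: rules are read in order, a run of AND rules plus the ACCEPT or REJECT that ends it forms one group, a group fires only when every condition in it matches, and a packet matching no group is rejected. The Packet class, the dial-in address 10.20.0.5 and the outside addresses are likewise assumptions; only the rule numbers, fields and values come from the posted filter.

```python
"""Rule-by-rule trace of an ordered packet filter (constructed example).

The evaluation model is an assumption for this illustration: rules are read
in order, a run of AND rules plus the ACCEPT/REJECT that ends it forms one
group, a group fires only when every condition in it matches the packet, and a
packet matching no group is rejected.  It is not a statement of how the
HiperARC itself evaluates filters.
"""
from dataclasses import dataclass
import ipaddress
import operator


@dataclass
class Packet:
    """Minimal packet view (constructed): addresses, protocol and ports."""
    src_addr: str
    dst_addr: str
    proto: str = "tcp"
    src_port: int = 0
    dst_port: int = 0


# Rules as (number, verb, field, op, value), transcribed from the posted filter 04.
FILTER_04 = [
    (1, "AND", "src-addr", "=", "0.0.0.0/0"),
    (11, "ACCEPT", "dst-addr", "=", "10.1.1.28"),
    (21, "AND", "dst-addr", "=", "0.0.0.0/0"),
    (31, "REJECT", "tcp-src-port", "=", 80),
    (41, "AND", "dst-addr", "=", "0.0.0.0/0"),
    (51, "REJECT", "tcp-src-port", "=", 70),
    (61, "AND", "dst-addr", "=", "0.0.0.0/0"),
    (71, "REJECT", "tcp-src-port", "=", 21),
    (81, "AND", "dst-addr", "=", "0.0.0.0/0"),
    (91, "REJECT", "tcp-src-port", "=", 20),
    (101, "AND", "dst-addr", "=", "0.0.0.0/0"),
    (111, "REJECT", "tcp-src-port", ">=", 1024),
]

_PORT_OPS = {"=": operator.eq, "!=": operator.ne,
             ">=": operator.ge, "<=": operator.le}


def _field(pkt, name):
    """Return the packet value a rule field refers to; None if not applicable."""
    if name == "src-addr":
        return pkt.src_addr
    if name == "dst-addr":
        return pkt.dst_addr
    if name in ("tcp-src-port", "tcp-dst-port"):
        if pkt.proto != "tcp":
            return None  # a TCP port test cannot match a non-TCP packet
        return pkt.src_port if name == "tcp-src-port" else pkt.dst_port
    raise ValueError(f"unknown field {name}")


def _matches(pkt, field, op, value):
    actual = _field(pkt, field)
    if actual is None:
        return False
    if field.endswith("-addr"):
        # address tests are prefix matches; a bare address means /32
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return _PORT_OPS[op](actual, value)


def evaluate(rules, pkt):
    """Return (decision, rule_number); rule_number is None for the implicit reject."""
    i = 0
    while i < len(rules):
        group = []
        while i < len(rules):           # gather AND rules up to the terminal verb
            group.append(rules[i])
            i += 1
            if group[-1][1] != "AND":
                break
        number, verb = group[-1][0], group[-1][1]
        if verb == "AND":
            raise ValueError("filter ends inside an AND chain")
        if all(_matches(pkt, f, op, v) for _, _, f, op, v in group):
            return verb, number
    return "REJECT", None               # assumed implicit deny


# Constructed sample traffic from a hypothetical dial-in user at 10.20.0.5.
SAMPLES = {
    "to proxy":       Packet("10.20.0.5", "10.1.1.28", "tcp", 3456, 8080),
    "to outside web": Packet("10.20.0.5", "203.0.113.10", "tcp", 3456, 80),
    "udp dns":        Packet("10.20.0.5", "203.0.113.53", "udp", 3456, 53),
}


def trace(rules=FILTER_04, samples=SAMPLES):
    """Map each sample name to the (decision, rule) the filter produces."""
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (decision, rule) in trace().items():
        where = f"rule {rule:03d}" if rule is not None else "implicit reject"
        print(f"{name:15s} -> {decision} ({where})")
```

Under this model the request to the proxy is accepted by rule 011, but the request to an outside web server is rejected by rule 111 rather than by the port-80 rule 031: a client's source port is ephemeral (here 3456), so the `tcp-src-port = 80` tests only match traffic that originates from port 80. Tracing which rule actually fires, before loading a filter onto the chassis, is the check worth doing when a filter behaves differently from what its author intended.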