(ASCEND) Max/TNT/APX 8000 Ascend-Data-Filter [to prevent SPAM SMTP servers]

[Alan Spicer <aspicer@ifxcorp.com>]

Max/TNT/APX 8000 Ascend-Data-Filter [to prevent SPAM SMTP servers]

* Is anyone using Radius Profile Settings "Ascend-Data-Filter" to prevent the
now common SPAM user from running their own SMTP Server, either Linux/Windows
NT or otherwise sending direct SMTP to destination servers?

For example, for a particular site we'd need to allow SMTP connections to the
normal MAIL SERVER (or sometimes 2 or 3 servers) that we provide for our users.
But we would want to block sending SMTP to any servers other than that.

It seems that we can block by destination ip and port, and also 0.0.0.0
destination would cover all.

What I don't understand is if it is possible, and if so, how to order such
filter rules to allow one or a few servers ... and block all others? Or will
the CATCH-ALL 0.0.0.0 rule flush the others and block all packets to that port?

(is there such a thing as an "allow out quick" like in IP Firewall that would
allow the connections to the authorized servers to skip any remaining rules,
but the rest of the server ip's not authorized would be caught by the 0.0.0.0?)

e.g.
# -----------------------------------------------
Ascend-Filter = "ip out forward dstip 192.168.10.2 dstport = 25"
Ascend-Filter = "ip out forward dstip 192.168.10.3 dstport = 25"
Ascend-Filter = "ip out forward dstip 192.168.10.4 dstport = 25"
Ascend-Filter = "ip out drop dstip 0.0.0.0 dstport = 25"
# -----------------------------------------------

Forget about the fact that I used 192.x.x.x as example, the authorized MAIL
servers could be on several different internetworks, e.g. out-sourced mail
services, local POP mail servers, ...

--
Alan Spicer (InterNIC:AGS14)
Systems/Network Administration
aspicer@ifxcorp.com
Tel: +1 305-512-1100 x134
Cel: +1 305-525-5914
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>