Real Time Ascend Mailing List Archive

Re: (ASCEND) Max/TNT/APX 8000 Ascend-Data-Filter [to prevent SPAMSMTP servers]



>From: Alan Spicer <aspicer@ifxcorp.com>
>
>* Is anyone using Radius Profile Settings "Ascend-Data-Filter" to prevent the
>now common SPAM user from running their own SMTP Server, either Linux/Windows
>NT or otherwise sending direct SMTP to destination servers?

We're doing this with a TNT with locally-defined filters being 
applied to RADIUS profiles. It should make no difference if you 
define the filter in RADIUS too.

>For example, for a particular site we'd need to allow SMTP connections to the
>normal MAIL SERVER (or sometimes 2 or 3 servers) that we provide for 
>our users.
>But we would want to block sending SMTP to any servers other than that.

This is a _very_ good idea.

>It seems that we can block by destination ip and port, and also 0.0.0.0
>destination would cover all.
>
>What I don't understand is if it is possible, and if so, how to order such
>filter rules to allow one or a few servers ... and block all others? Or will
>the CATCH-ALL 0.0.0.0 rule flush the others and block all packets to 
>that port?

The basic idea for the filter is:
1. Allow SMTP to your servers. Use one rule per server.
2. Disallow SMTP anywhere else.
3. Allow everything else.

That's all there is to it.

>(is there such a thing as an "allow out quick" like in IP Firewall that would
>allow the connections to the authorized servers to skip any remaining rules,
>but the rest of the server ip's not authorized would be caught by 
>the 0.0.0.0?)

Every packet is compared against each filter rule. When a packet 
matches a rule, the appropriate action is taken and no further rules 
are examined for that packet.
-- 

Peter Lalor           Infoasis
plalor@infoasis.com   http://www.infoasis.com/

"Where's my burrito?" -- Homer
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
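
Added example (not part of the original message, and not Ascend filter syntax): a small Python model of the first-match evaluation described in the reply, showing why the three-step order works and how a misplaced catch-all SMTP rule shadows the per-server rules. The `Rule` tuple, the helper names, the sample addresses and the drop-on-no-match default are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

SMTP = 25

class Rule(NamedTuple):
    action: str               # "forward" or "drop"
    dst_net: str              # "0.0.0.0/0" matches any destination
    dst_port: Optional[int]   # None matches any port

def evaluate(rules, dst_ip, dst_port, default="drop"):
    """First match wins: return (action, index of the matching rule).
    default="drop" when nothing matches is an assumption of this model."""
    addr = ipaddress.ip_address(dst_ip)
    for i, rule in enumerate(rules):
        net_match = addr in ipaddress.ip_network(rule.dst_net)
        port_match = rule.dst_port is None or rule.dst_port == dst_port
        if net_match and port_match:
            return rule.action, i   # no further rules are examined
    return default, None

def build_filter(mail_servers):
    """Build the filter in the order given in the reply."""
    rules = [Rule("forward", f"{ip}/32", SMTP) for ip in mail_servers]  # 1. allow own servers
    rules.append(Rule("drop", "0.0.0.0/0", SMTP))                       # 2. block other SMTP
    rules.append(Rule("forward", "0.0.0.0/0", None))                    # 3. allow the rest
    return rules

def shadowed(rules):
    """Indices of rules that can never match because an earlier rule
    already covers the same destinations and port."""
    dead = []
    for j, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.dst_net)
        for earlier in rules[:j]:
            covers_net = later_net.subnet_of(ipaddress.ip_network(earlier.dst_net))
            covers_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if covers_net and covers_port:
                dead.append(j)
                break
    return dead

# Constructed sample data: documentation-range addresses, not from the post.
MAIL_SERVERS = ["192.0.2.10", "192.0.2.11"]
GOOD = build_filter(MAIL_SERVERS)
# Misordered variant: the catch-all SMTP drop is moved to the top.
BAD = [GOOD[2], GOOD[0], GOOD[1], GOOD[3]]
```

Running `shadowed()` over a filter before applying it to a profile catches the ordering mistake asked about in the quoted question: with the catch-all first, the per-server rules are never reached.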