Ascend Archive
(ASCEND) Re: Couple ideas on how to filter spoofed addresses on Maxen
I said you can start a CLEC without legal help, I did not say it was a
good thing to do. I did not say that is how I am doing it.
><>
Nathan Stratton Telecom & ISP Consulting
www.robotics.net nathan@robotics.net
On Thu, 30 Apr 1998, Aaron Nabil wrote:
>
> ObVendorComplaint: There should be a "no spoofing" flag. The first
> vendor to create one is also the next vendor to get my business.
>
> There appear to be a couple easy ways to do this at the ISP end, the
> first sending back a data filter attribute like "ip in forward srcip
> 1.2.3.4/32" along with the authentication (you replace the 1.2.3.4 with
> the Framed-Address the max sends you with the authentication). I seem to
> have successfully hacked abinary support in Livingston radius 2.0, I
> might give that a shot first.
>
> Another way is to enable the radius server on the max, and use the cexample
> program to send a filter to each user after logging in. I've hacked the
> /etc/raddb/online stuff into Livingston radius 2.0, it would be a simple
> matter to have a cron job look there every 5 minutes and add filters to
> anyone who has recently logged in. Even with the esva hacks, you could
> probably get a list of active ip addresses/users via SNMP and loop
> through them one at a time. Cexample works like this...
>
> ./cexample -H yourmax -K topsecret -P 1700 -i 1.2.3.4 -d "ip in forward srcip 1.2.3.4/32"
>
> Has anyone implemented either technique? On any platform? We have
> Maxen, Portmaster, and both flavors of USR chassis here, so any idea
> on how to do the same for them would be welcome.
>
> --
> Aaron Nabil
>
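The cron-job approach in the quoted message, sketched as an added example (not code from the post or from Ascend): it turns a list of active sessions into one `cexample` call per user, rejecting any address that is not a clean dotted quad before it reaches a command line. The `<username> <framed-ip>` input layout, the function names and the sample sessions are assumptions; the `cexample` flags and filter string are the ones shown in the post.

```shell
#!/bin/sh
# Added example: build per-session source-address filters (dry run).
# Assumption: the session list is "<username> <framed-ip>" per line; the
# real /etc/raddb/online layout is not given in the post.

MAX_HOST="yourmax"    # -H value from the post
MAX_KEY="topsecret"   # -K value from the post (placeholder secret)
MAX_PORT="1700"       # -P value from the post

# Succeeds only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1             # unquoted on purpose: split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads sessions on stdin, prints one cexample command per valid address,
# and reports rejected lines on stderr. Nothing is executed here.
build_filter_cmds() {
    while read -r user ip rest; do
        case "$user" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skip: bad address for $user: $ip" >&2
            continue
        fi
        printf './cexample -H %s -K %s -P %s -i %s -d "ip in forward srcip %s/32"\n' \
            "$MAX_HOST" "$MAX_KEY" "$MAX_PORT" "$ip" "$ip"
    done
}

# Constructed sample sessions (not real data).
sample_sessions() {
    cat <<'EOF'
alice 10.0.0.5
bob 10.0.0.999
carol 10.0.0.7;x
dave 192.168.1.20
EOF
}

sample_sessions | build_filter_cmds
```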