Man, I wish I would have seen this email before I spent all day
building the filters.  Anyhow, just as a heads up, my TNTs were
crashing throughout the day. I have ethernet2 cards in the majority
of my NASes and they were FATAL 2'ing pretty much all day.  I've put the
filters up and so far so good.

Kinda sad that just passing port scanning traffic caused the cards
to crash. I sent forth a bunch of coredumps and I'm looking forward
to seeing what Lucent says the issue was.

Not happy :(

Jason Nealis
RCN

On Thu, Aug 14, 2003 at 01:00:43PM -0500, Arnold Cavazos Jr. stated
> the filters, in your Radius Reply, or statically on the APX/TNT/MAX.  
> If you define them statically, you will have to activate them for each
> call. This can be done by passing the
> 
> Filter-Id =
> 
> attribute in your radius reply, or by using the "Answer-Defaults"
> facility of the NAS itself.  Details are below.
> 
> YMMV use at your own risk...
> 
> BTW.. The ports are based on CERT advisory:
> 
> http://www.cert.org/advisories/CA-2003-20.html
> 
> -- 
> Arnold Cavazos, Jr.		abcjr at abcjr . net
> 
> 
> Here is the ruleset for a Radius Reply:
> 
>            Ascend-Data-Filter = ip in drop udp dstport = 69,
>            Ascend-Data-Filter = ip in drop udp dstport = 135,
>            Ascend-Data-Filter = ip in drop udp dstport = 139,
>            Ascend-Data-Filter = ip in drop udp dstport = 445,
>            Ascend-Data-Filter = ip in drop tcp dstport = 135,
>            Ascend-Data-Filter = ip in drop tcp dstport = 139,
>            Ascend-Data-Filter = ip in drop tcp dstport = 445, 
>            Ascend-Data-Filter = ip in drop tcp dstport = 4444,
>            Ascend-Data-Filter = ip in forward,
>            Ascend-Data-Filter = ip out drop udp dstport = 69,
>            Ascend-Data-Filter = ip out drop udp dstport = 135,
>            Ascend-Data-Filter = ip out drop udp dstport = 139,
>            Ascend-Data-Filter = ip out drop udp dstport = 445,
>            Ascend-Data-Filter = ip out drop tcp dstport = 135,
>            Ascend-Data-Filter = ip out drop tcp dstport = 139,
>            Ascend-Data-Filter = ip out drop tcp dstport = 445,
>            Ascend-Data-Filter = ip out drop tcp dstport = 4444,
>            Ascend-Data-Filter = ip out forward,
> 
> Here is the ruleset for a 6096 config file:
> 
> START=FILT=900=3
> Name=blaster
> In filter 01...Valid=Yes
> In filter 01...Type=IP
> In filter 01...Ip...Protocol=17
> In filter 01...Ip...Dst Port Cmp=Eql
> In filter 01...Ip...Dst Port #=69
> In filter 02...Valid=Yes
> In filter 02...Type=IP
> In filter 02...Ip...Protocol=17
> In filter 02...Ip...Dst Port Cmp=Eql
> In filter 02...Ip...Dst Port #=135
> In filter 03...Valid=Yes
> In filter 03...Type=IP
> In filter 03...Ip...Protocol=17
> In filter 03...Ip...Dst Port Cmp=Eql
> In filter 03...Ip...Dst Port #=139
> In filter 04...Valid=Yes
> In filter 04...Type=IP
> In filter 04...Ip...Protocol=17
> In filter 04...Ip...Dst Port Cmp=Eql
> In filter 04...Ip...Dst Port #=445
> In filter 05...Valid=Yes
> In filter 05...Type=IP
> In filter 05...Ip...Protocol=6
> In filter 05...Ip...Dst Port Cmp=Eql
> In filter 05...Ip...Dst Port #=135
> In filter 06...Valid=Yes
> In filter 06...Type=IP
> In filter 06...Ip...Protocol=6
> In filter 06...Ip...Dst Port Cmp=Eql
> In filter 06...Ip...Dst Port #=139
> In filter 07...Valid=Yes
> In filter 07...Type=IP
> In filter 07...Ip...Protocol=6
> In filter 07...Ip...Dst Port Cmp=Eql
> In filter 07...Ip...Dst Port #=445
> In filter 08...Valid=Yes
> In filter 08...Type=IP
> In filter 08...Ip...Protocol=6
> In filter 08...Ip...Dst Port Cmp=Eql
> In filter 08...Ip...Dst Port #=4444
> In filter 09...Valid=Yes
> In filter 09...Type=IP
> In filter 09...Generic...Forward=Yes
> In filter 09...Ip...Forward=Yes
> In filter 09...Ipx...Forward=Yes
> Out filter 01...Valid=Yes
> Out filter 01...Type=IP
> Out filter 01...Ip...Protocol=17
> Out filter 01...Ip...Dst Port Cmp=Eql
> Out filter 01...Ip...Dst Port #=69
> Out filter 02...Valid=Yes
> Out filter 02...Type=IP
> Out filter 02...Ip...Protocol=17
> Out filter 02...Ip...Dst Port Cmp=Eql
> Out filter 02...Ip...Dst Port #=135
> Out filter 03...Valid=Yes
> Out filter 03...Type=IP
> Out filter 03...Ip...Protocol=17
> Out filter 03...Ip...Dst Port Cmp=Eql
> Out filter 03...Ip...Dst Port #=139
> Out filter 04...Valid=Yes
> Out filter 04...Type=IP
> Out filter 04...Ip...Protocol=17
> Out filter 04...Ip...Dst Port Cmp=Eql
> Out filter 04...Ip...Dst Port #=445
> Out filter 05...Valid=Yes
> Out filter 05...Type=IP
> Out filter 05...Ip...Protocol=6
> Out filter 05...Ip...Dst Port Cmp=Eql
> Out filter 05...Ip...Dst Port #=135
> Out filter 06...Valid=Yes
> Out filter 06...Type=IP
> Out filter 06...Ip...Protocol=6
> Out filter 06...Ip...Dst Port Cmp=Eql
> Out filter 06...Ip...Dst Port #=139
> Out filter 07...Valid=Yes
> Out filter 07...Type=IP
> Out filter 07...Ip...Protocol=6
> Out filter 07...Ip...Dst Port Cmp=Eql
> Out filter 07...Ip...Dst Port #=445
> Out filter 08...Valid=Yes
> Out filter 08...Type=IP
> Out filter 08...Ip...Protocol=6
> Out filter 08...Ip...Dst Port Cmp=Eql
> Out filter 08...Ip...Dst Port #=4444
> Out filter 09...Valid=Yes
> Out filter 09...Type=IP
> Out filter 09...Generic...Forward=Yes
> Out filter 09...Ip...Forward=Yes
> Out filter 09...Ipx...Forward=Yes
> END=FILT=900=3
> 
> To Apply the filter:
> 
> Option #1 Use the MAX to apply the filter to all calls:
> 
> Ethernet-> Answer-> Session Options -> Data Filter -> [blaster]
> 
> 
> Option #2 Use Radius Reply attributes to apply the filter:
> 
>         Filter-Id = "blaster"
> 
> 
> And the same for a TNT/APX:
> 
> new FILTER
> set filter-name = blaster
> set input-filters 1 valid-entry = yes
> set input-filters 1 Type = ip-filter
> set input-filters 1 ip-filter protocol = 17
> set input-filters 1 ip-filter Dst-Port-Cmp = eql
> set input-filters 1 ip-filter dest-port = 69
> set input-filters 2 valid-entry = yes
> set input-filters 2 Type = ip-filter
> set input-filters 2 ip-filter protocol = 17
> set input-filters 2 ip-filter Dst-Port-Cmp = eql
> set input-filters 2 ip-filter dest-port = 135
> set input-filters 3 valid-entry = yes
> set input-filters 3 Type = ip-filter
> set input-filters 3 ip-filter protocol = 17
> set input-filters 3 ip-filter Dst-Port-Cmp = eql
> set input-filters 3 ip-filter dest-port = 139
> set input-filters 4 valid-entry = yes
> set input-filters 4 Type = ip-filter
> set input-filters 4 ip-filter protocol = 17
> set input-filters 4 ip-filter Dst-Port-Cmp = eql
> set input-filters 4 ip-filter dest-port = 445
> set input-filters 5 valid-entry = yes
> set input-filters 5 Type = ip-filter
> set input-filters 5 ip-filter protocol = 6
> set input-filters 5 ip-filter Dst-Port-Cmp = eql
> set input-filters 5 ip-filter dest-port = 135
> set input-filters 6 valid-entry = yes
> set input-filters 6 Type = ip-filter
> set input-filters 6 ip-filter protocol = 6
> set input-filters 6 ip-filter Dst-Port-Cmp = eql
> set input-filters 6 ip-filter dest-port = 139
> set input-filters 7 valid-entry = yes
> set input-filters 7 Type = ip-filter
> set input-filters 7 ip-filter protocol = 6
> set input-filters 7 ip-filter Dst-Port-Cmp = eql
> set input-filters 7 ip-filter dest-port = 445
> set input-filters 8 valid-entry = yes
> set input-filters 8 Type = ip-filter
> set input-filters 8 ip-filter protocol = 6
> set input-filters 8 ip-filter Dst-Port-Cmp = eql
> set input-filters 8 ip-filter dest-port = 4444
> set input-filters 9 valid-entry = yes
> set input-filters 9 forward = yes
> set input-filters 9 Type = ip-filter
> set output-filters 1 valid-entry = yes
> set output-filters 1 Type = ip-filter
> set output-filters 1 ip-filter protocol = 17
> set output-filters 1 ip-filter Dst-Port-Cmp = eql
> set output-filters 1 ip-filter dest-port = 69
> set output-filters 2 valid-entry = yes
> set output-filters 2 Type = ip-filter
> set output-filters 2 ip-filter protocol = 17
> set output-filters 2 ip-filter Dst-Port-Cmp = eql
> set output-filters 2 ip-filter dest-port = 135
> set output-filters 3 valid-entry = yes
> set output-filters 3 Type = ip-filter
> set output-filters 3 ip-filter protocol = 17
> set output-filters 3 ip-filter Dst-Port-Cmp = eql
> set output-filters 3 ip-filter dest-port = 139
> set output-filters 4 valid-entry = yes
> set output-filters 4 Type = ip-filter
> set output-filters 4 ip-filter protocol = 17
> set output-filters 4 ip-filter Dst-Port-Cmp = eql
> set output-filters 4 ip-filter dest-port = 445
> set output-filters 5 valid-entry = yes
> set output-filters 5 Type = ip-filter
> set output-filters 5 ip-filter protocol = 6
> set output-filters 5 ip-filter Dst-Port-Cmp = eql
> set output-filters 5 ip-filter dest-port = 135
> set output-filters 6 valid-entry = yes
> set output-filters 6 Type = ip-filter
> set output-filters 6 ip-filter protocol = 6
> set output-filters 6 ip-filter Dst-Port-Cmp = eql
> set output-filters 6 ip-filter dest-port = 139
> set output-filters 7 valid-entry = yes
> set output-filters 7 Type = ip-filter
> set output-filters 7 ip-filter protocol = 6
> set output-filters 7 ip-filter Dst-Port-Cmp = eql
> set output-filters 7 ip-filter dest-port = 445
> set output-filters 8 valid-entry = yes
> set output-filters 8 Type = ip-filter
> set output-filters 8 ip-filter protocol = 6
> set output-filters 8 ip-filter Dst-Port-Cmp = eql
> set output-filters 8 ip-filter dest-port = 4444
> set output-filters 9 valid-entry = yes
> set output-filters 9 forward = yes
> set output-filters 9 Type = ip-filter
> write -f
> 
> To Apply:
> 
> Option #1 Use the TNT to apply the filter to all calls:
> 
> read answer-defaults
> set use-answer-for-all-defaults = yes
> set session-info data-filter = blaster
> set session-info filter-required = no
> write -f
> 
> Option #2 Use Radius Reply attributes to apply the filter:
> 
> 	Filter-Id = "blaster"
> ++ Ascend Users Mailing List ++
> To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
> Archives: http://www.nexial.com/mailinglists/

-- 

------
Jason Nealis
Internet Systems and Services
RCN (NASDAQ) RCNC
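To see how the Ascend-Data-Filter entries quoted above are read, here is an added example (not from the thread or from Lucent) that parses the RADIUS reply form and evaluates constructed sample packets against it, first matching entry in the packet's direction deciding. It assumes unmatched packets are dropped, which is the reading under which the ruleset's bare `ip in forward` / `ip out forward` catch-alls are necessary.

```python
import re

# Constructed excerpt of the Ascend-Data-Filter ruleset quoted in the thread,
# in RADIUS reply form (the "out" half mirrors the "in" half; two entries shown).
RULESET = """\
Ascend-Data-Filter = ip in drop udp dstport = 69,
Ascend-Data-Filter = ip in drop udp dstport = 135,
Ascend-Data-Filter = ip in drop udp dstport = 139,
Ascend-Data-Filter = ip in drop udp dstport = 445,
Ascend-Data-Filter = ip in drop tcp dstport = 135,
Ascend-Data-Filter = ip in drop tcp dstport = 139,
Ascend-Data-Filter = ip in drop tcp dstport = 445,
Ascend-Data-Filter = ip in drop tcp dstport = 4444,
Ascend-Data-Filter = ip in forward,
Ascend-Data-Filter = ip out drop tcp dstport = 4444,
Ascend-Data-Filter = ip out forward,
"""

# direction, action, optional "<proto> dstport = <n>" qualifier, optional trailing comma
RULE_RE = re.compile(r"Ascend-Data-Filter\s*=\s*ip\s+(in|out)\s+(drop|forward)"
                     r"(?:\s+(tcp|udp)\s+dstport\s*=\s*(\d+))?\s*,?$")

def parse_rules(text):
    """Return (direction, action, proto, dstport) tuples; proto None means 'any IP packet'."""
    rules = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable filter entry: {line!r}")
        direction, action, proto, port = m.groups()
        rules.append((direction, action, proto, int(port) if port else None))
    return rules

def evaluate(rules, direction, proto, dstport):
    """First entry matching the packet's direction decides. Unmatched packets are
    dropped: an assumption here, but the only reading under which the posted
    ruleset's bare 'ip in forward' / 'ip out forward' catch-alls are needed."""
    for r_dir, action, r_proto, r_port in rules:
        if r_dir != direction:
            continue
        if r_proto is None or (r_proto == proto and r_port == dstport):
            return action
    return "drop"

RULES = parse_rules(RULESET)

def verdicts(rules=RULES):
    """Constructed sample packets: worm-target ports drop, ordinary traffic forwards."""
    samples = [("in", "tcp", 135), ("in", "udp", 69), ("in", "tcp", 80),
               ("out", "tcp", 4444), ("out", "udp", 53)]
    return {s: evaluate(rules, *s) for s in samples}
```

Note that the port match is per protocol: TCP to port 69 is forwarded because only UDP/69 (TFTP) is listed, and a filter with no catch-all drops everything under the default-drop assumption.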