#
# Configuration file for the rlm_attr_filter module.
# Please see rlm_attr_filter(5) manpage for more information.
#
# $Id: 76c644b100656f8bd45e768b13cbcf140ce5a770 $
#
# This file contains security and configuration information
# for each realm. The first field is the realm name and
# can be up to 253 characters in length. This is followed (on
# the next line) with the list of filter rules to be used to
# decide which attributes and/or values from the home server's
# reply we allow to pass through to the NAS for this realm.
#
# When a proxy-reply packet is received from a home server,
# these attributes and values are tested. Only the first match
# is used unless the "Fall-Through" variable is set to "Yes".
# In that case the rules defined in the DEFAULT entry are
# processed as well.
#
# A special realm named "DEFAULT" matches on all realm names.
# You can have only one DEFAULT entry. All entries are processed
# in the order they appear in this file. The first entry that
# matches the packet's realm will stop processing unless you use
# the Fall-Through variable.
#
# Indented (with the tab character) lines following the first
# line indicate the filter rules.
#
# You can include another `attrs' file with `$INCLUDE attrs.other'
#
|
#
# This is a complete entry for realm "fisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
# o PPP sessions ( no SLIP, CSLIP, etc. )
# o dynamic ip assignment ( can't assign a static ip )
# o an idle timeout value set to 600 seconds (10 min) or less
# o a max session time set to 28800 seconds (8 hours) or less
#
#fisp
# Service-Type == Framed-User,
# Framed-Protocol == PPP,
# Framed-IP-Address == 255.255.255.254,
# Idle-Timeout <= 600,
# Session-Timeout <= 28800
|
#
# This is a complete entry for realm "tisp". Note that there is no
# Fall-Through entry so that no DEFAULT entry will be used, and the
# server will NOT allow any a/v pairs other than the ones
# listed here.
#
# These rules allow:
# o Only Login-User Service-Type ( no framed/ppp sessions )
# o Telnet sessions only ( no rlogin, tcp-clear )
# o Login hosts of either 192.168.1.1 or 192.168.1.2
#
#tisp
# Service-Type == Login-User,
# Login-Service == Telnet,
# Login-TCP-Port == 23,
# Login-IP-Host == 192.168.1.1,
# Login-IP-Host == 192.168.1.2
|
#
# The following example can be used for a home server which is only
# allowed to supply a Reply-Message, a Session-Timeout attribute of
# maximum 86400, an Idle-Timeout attribute of maximum 600 and an
# Acct-Interim-Interval attribute between 300 and 3600.
# All other attributes sent back will be filtered out.
#
#strictrealm
# Reply-Message =* ANY,
# Session-Timeout <= 86400,
# Idle-Timeout <= 600,
# Acct-Interim-Interval >= 300,
# Acct-Interim-Interval <= 3600
|
#
# This is a complete entry for realm "spamrealm". Fall-Through is used,
# so that the DEFAULT filter rules are used in addition to these.
#
# These rules allow:
# o Force a Framed-Filter-Id of "nosmtp.in" to be returned
# in the proxy reply, whether the home server sent one or not.
# o The standard DEFAULT rules as defined below
#
#spamrealm
# Framed-Filter-Id := "nosmtp.in",
# Fall-Through = Yes
|
#
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names. (except if the realm previously
# matched an entry with no Fall-Through)
#
|
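#
# The DEFAULT entry applies to every realm that has not already matched
# an earlier entry without Fall-Through.  Any attribute in the home
# server's reply that is not matched by one of these rules is removed
# before the reply is forwarded to the NAS, so this list is the
# effective trust boundary between remote realms and our NAS equipment:
# add a rule only when that attribute really should be controllable
# by a remote home server.
#
# What the rules below allow:
# o Service-Type Framed-User or Login-User, and for login sessions the
#   Telnet, Rlogin and TCP-Clear services on any valid TCP port.
#   Login-TCP-Port is bounded at 65535, the highest valid port number;
#   the earlier bound of 65536 was off by one.
# o Framed-IP-Address only as 255.255.255.254 ("assign dynamically"),
#   so a home server cannot hand out a static address; the netmask is
#   fixed at 255.255.255.255.
# o Framed-Protocol PPP or SLIP, Van-Jacobson TCP/IP compression, and
#   a Framed-MTU of at least 576.
# o Framed-Filter-ID and Reply-Message with any value.
# o Proxy-State, EAP-Message, Message-Authenticator and State with any
#   value (presumably needed for proxied EAP/challenge exchanges --
#   confirm against rlm_attr_filter(5) before removing).
# o MS-MPPE-Recv-Key, MS-MPPE-Send-Key and MS-CHAP-MPPE-Keys with any
#   value.  NOTE(review): by their names these carry session key
#   material for the NAS; dropping them would break encrypted sessions.
# o Session-Timeout of at most 28800 (8 hours) and Idle-Timeout of at
#   most 600 (10 minutes); only values at or below these limits pass.
# o Calling-Station-Id and Operator-Name with any value.
# o Port-Limit of at most 2.
#
# NOTE(review): Login-Service == TCP-Clear permits a cleartext login
# service; realms that must not offer it need their own entry without
# Fall-Through, or that rule removed here.  Nothing IPv6-related is
# listed, so a home server cannot set IPv6 framed parameters through
# this entry -- extend deliberately if that is required.
#
DEFAULT
	Service-Type == Framed-User,
	Service-Type == Login-User,
	Login-Service == Telnet,
	Login-Service == Rlogin,
	Login-Service == TCP-Clear,
	Login-TCP-Port <= 65535,
	Framed-IP-Address == 255.255.255.254,
	Framed-IP-Netmask == 255.255.255.255,
	Framed-Protocol == PPP,
	Framed-Protocol == SLIP,
	Framed-Compression == Van-Jacobson-TCP-IP,
	Framed-MTU >= 576,
	Framed-Filter-ID =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	MS-MPPE-Recv-Key =* ANY,
	MS-MPPE-Send-Key =* ANY,
	MS-CHAP-MPPE-Keys =* ANY,
	State =* ANY,
	Session-Timeout <= 28800,
	Idle-Timeout <= 600,
	Calling-Station-Id =* ANY,
	Operator-Name =* ANY,
	Port-Limit <= 2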
|