[rbak-nsp] Policy access-list
Анатолий Соломатин
solomatin.av at gmail.com
Mon Jul 15 04:49:26 EDT 2019
Your configuration should work. The context in the forward policy is
probably incorrect, or in the ACL there are rules 1-95 where traffic from srcIP
to port 8080 matches.
92 Forward-Policy (No / Yes / Yes) String. Attaches an in or out forward
policy to the subscriber session. The forward policy is in the following
format:
in:forward-policy-name
out:forward-policy-name
OR
radius service profile BALANCE
parameter value URL
accounting in circuit
seq 10 attribute HTTP-Redirect-url $URL
seq 20 attribute Forward-Policy in UNPAID
seq 200 attribute Service-Interim-Accounting 1800
But I do not understand why you use Forward-policy ...
If it is necessary to prohibit, then an ACL should be used. If you need a
forward, it is not configured where to send the traffic.
P.S. Google translation
Mon, 15 Jul 2019 at 11:21, Bartek Mickiewicz <bmtych at gmail.com>:
> Maybe my question was not clear enough.
> My client uses PPPoE for Internet access, radius assigns a forward policy
> which uses ip access-group.
>
> forward policy FP-DEFAULT
> ip access-group ACL-DEFAULT r01
> class Permit
> class Deny
> drop
>
>
> policy access-list ACL-DEFAULT
> seq 96 permit tcp host xxx.xxx.xxx.xxx any eq 8080 class Permit
> seq 97 permit tcp host yyy.yyy.yyy.yyy any eq 8080 class Permit
> seq 98 permit tcp any any eq 8080 class Deny
>
> On Fri, 12 Jul 2019, 10:59 Анатолий Соломатин, <solomatin.av at gmail.com>
> wrote:
>
>> Redback traffic is controlled by the ACL or/and QoS policy.
>> Example
>> 1) ACL
>> ip access-list CONTROL_DNS_NTP_USER
>> seq 1000 deny udp any neq domain any eq domain
>> seq 1001 deny udp any neq ntp any eq ntp
>> seq 1100 permit ip any any
>> !
>> subscriber default
>> ip access-group CONTROL_DNS_NTP_USER out
>> !
>> 2) QoS Policy (policing or metering)
>> context USER
>> policy access-list REDBACK_IN
>> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>> seq 98 permit tcp any any eq 88 class Deny
>> exit
>> exit
>> !
>> (config)#qos policy REDBACK_IN policing
>> ip access-group REDBACK_IN USER
>> class Permit
>> class Deny
>> drop
>> exit
>> !
>> context USER
>> subscriber default
>> qos policy policing REDBACK_IN
>>
>> Fri, 12 Jul 2019 at 12:53, Bartek Mickiewicz <bmtych at gmail.com>:
>>
>>> I've used your ACL but without effect; I can still access port 88 from
>>> other IPs than x and y. Those three statements are my first three in the ACL.
>>>
>>> On Fri, 12 Jul 2019, 09:36 Анатолий Соломатин, <solomatin.av at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>>> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>>> seq 98 permit tcp any any eq 88 class Deny
>>>>
>>>> "1.1.2 IP ACL Statements (Rules)
>>>> In IP ACLs, each rule defines the action, either permit or deny, to be
>>>> taken for a packet if the packet satisfies the rule. A permit
>>>> statement causes any packet matching the criteria to be accepted. A
>>>> deny statement causes any packet matching the criteria to be
>>>> dropped. A packet that does not match the criteria of the first statement
>>>> is subjected to the criteria of the second statement, and so on, until the
>>>> end of the IP ACL is reached; at which point, the packet is dropped
>>>> due to an implicit deny any any statement at the end of every IP ACL."
>>>>
>>>> Fri, 12 Jul 2019 at 11:49, Bartek Mickiewicz <bmtych at gmail.com>:
>>>>
>>>>> Hi,
>>>>> I'm having a problem with policy access-list. I want to block all
>>>>> incoming connections to port 88 and allow two IP addresses to access that
>>>>> port.
>>>>> I've tried:
>>>>> seq 98 permit tcp any any eq 88 class Deny
>>>>> seq 103 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>>>> seq 103 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>>>> _______________________________________________
>>>>> redback-nsp mailing list
>>>>> redback-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>>>>
>>>>
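The ordering point made in this thread, as an added Python example that is not from the list or from any Redback software: it parses the rule shape posted above, applies first-match evaluation with the implicit deny at the end, and checks that the reply's ordering (host permits at seq 96/97 before the catch-all Deny at 98) classifies the two allowed hosts as Permit while the original ordering (Deny at 98 before the permits) does not. The rule grammar, the 192.0.2.x / 198.51.100.7 addresses and the duplicate-seq check are assumptions constructed for the example.

```python
"""Added example, not from the thread: first-match simulator for the Redback-style
'policy access-list' lines posted above. Modelled rule shape (an assumption):
  seq <n> permit tcp host <src>|any any eq <port> class <name>"""
import re

RULE_RE = re.compile(
    r"seq\s+(?P<seq>\d+)\s+permit\s+tcp\s+(?:host\s+(?P<src>\S+)|(?P<any>any))"
    r"\s+any\s+eq\s+(?P<port>\d+)\s+class\s+(?P<cls>\S+)$"
)

def parse_acl(text):
    """Return rules sorted by seq (the evaluation order); reject duplicate seqs."""
    rules, seen = [], set()
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        seq = int(m.group("seq"))
        if seq in seen:  # the poster's ACL repeated 'seq 103'; flag rather than guess
            raise ValueError(f"duplicate seq {seq}")
        seen.add(seq)
        src = None if m.group("any") else m.group("src")
        rules.append((seq, src, int(m.group("port")), m.group("cls")))
    return sorted(rules)

def classify(rules, src_ip, dst_port):
    """First matching rule wins; no match means the implicit 'deny any any'."""
    for _seq, src, port, cls in rules:
        if port == dst_port and (src is None or src == src_ip):
            return cls
    return "implicit-deny"

# Constructed hosts stand in for xx.xx.xx.xx / yy.yy.yy.yy; catch-all Deny first.
ORIGINAL_ACL = """
seq 98 permit tcp any any eq 88 class Deny
seq 103 permit tcp host 192.0.2.10 any eq 88 class Permit
seq 104 permit tcp host 192.0.2.20 any eq 88 class Permit
"""
# Ordering from the reply: host permits at 96/97, catch-all Deny at 98.
CORRECTED_ACL = """
seq 96 permit tcp host 192.0.2.10 any eq 88 class Permit
seq 97 permit tcp host 192.0.2.20 any eq 88 class Permit
seq 98 permit tcp any any eq 88 class Deny
"""

def audit(acl_text, allowed, port):
    """True only if every allowed host gets Permit and a stranger gets Deny."""
    rules = parse_acl(acl_text)
    return all(classify(rules, ip, port) == "Permit" for ip in allowed) and \
        classify(rules, "198.51.100.7", port) == "Deny"
```

Running audit() over a candidate ACL before pushing it to the box catches the case where a broad Deny precedes the host-specific permits.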