[rbak-nsp] Policy access-list
Bartek Mickiewicz
bmtych at gmail.com
Mon Jul 15 05:58:24 EDT 2019
I've tried to use an ACL like this:
seq 30 permit tcp host xx.xx.xx.xx any eq 88
With two combinations of denying traffic to port 88:
seq 40 deny tcp any any eq 88 - does nothing, all incoming traffic is allowed
seq 40 deny tcp any eq 888 - blocks all traffic from everywhere.
There is no acl from 1-29.
On Mon, 15 Jul 2019, 10:49 Анатолий Соломатин, <solomatin.av at gmail.com>
wrote:
> Your configuration should work. The context in the forward policy is
> probably incorrect, or in the ACL there are rules 1-95 where traffic from srcIP
> to port 8080
>
> 92 | Forward-Policy | No | Yes | Yes | String. Attaches an in or out forward policy to the subscriber session.
> The forward policy is in the following format:
>
> *in:forward-policy-name*
>
> out:forward-policy-name
> OR
> radius service profile BALANCE
> parameter value URL
> accounting in circuit
> seq 10 attribute HTTP-Redirect-url $URL
> *seq 20 attribute Forward-Policy in UNPAID*
> seq 200 attribute Service-Interim-Accounting 1800
>
> But I do not understand why use Forward-policy ...
> If it is necessary to prohibit, then an ACL should be used. If you need a
> forward, it is not configured where to send traffic.
>
> P.S. Google translation
>
>
> Mon, 15 Jul 2019 at 11:21, Bartek Mickiewicz <bmtych at gmail.com>:
>
>> Maybe my question was not clear enough.
>> My client uses PPPoE for Internet access; RADIUS assigns a forward policy
>> which uses ip access-group.
>>
>> forward policy FP-DEFAULT
>> ip access-group ACL-DEFAULT r01
>> class Permit
>> class Deny
>> drop
>>
>>
>> policy access-list ACL-DEFAULT
>> seq 96 permit tcp host xxx.xxx.xxx.xxx any eq 8080 class Permit
>> seq 97 permit tcp host yyy.yyy.yyy.yyy any eq 8080 class Permit
>> seq 98 permit tcp any any eq 8080 class Deny
>>
>> On Fri, 12 Jul 2019, 10:59 Анатолий Соломатин, <solomatin.av at gmail.com>
>> wrote:
>>
>>> Redback traffic is controlled by the ACL and/or QoS policy.
>>> Example
>>> 1) ACL
>>> ip access-list CONTROL_DNS_NTP_USER
>>> seq 1000 deny udp any neq domain any eq domain
>>> seq 1001 deny udp any neq ntp any eq ntp
>>> seq 1100 permit ip any any
>>> !
>>> subscriber default
>>> ip access-group CONTROL_DNS_NTP_USER out
>>> !
>>> 2) QoS Policy (policing or metering)
>>> context USER
>>> policy access-list REDBACK_IN
>>> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>> seq 98 permit tcp any any eq 88 class Deny
>>> exit
>>> exit
>>> !
>>> (config)#qos policy REDBACK_IN policing
>>> ip access-group REDBACK_IN USER
>>> class Permit
>>> class Deny
>>> drop
>>> exit
>>> !
>>> context USER
>>> subscriber default
>>> qos policy policing REDBACK_IN
>>>
>>> Fri, 12 Jul 2019 at 12:53, Bartek Mickiewicz <bmtych at gmail.com>:
>>>
>>>> I've used your ACL but without effect; port 88 can still be accessed from
>>>> IPs other than x and y. Those three statements are the first three in my ACL.
>>>>
>>>> On Fri, 12 Jul 2019, 09:36 Анатолий Соломатин, <solomatin.av at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>>>> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>>>> seq 98 permit tcp any any eq 88 class Deny
>>>>>
>>>>> "1.1.2 IP ACL Statements (Rules)
>>>>> <http://localhost:9032/alexserv?AC=LINK&ID=26857&FN=35_1543-CRA1191170_1-V1Uen.M.html&PA=access-list&ST=FULLTEXT#TOP>
>>>>> In IP ACLs, each rule defines the action, either permit or deny, to
>>>>> be taken for a packet if the packet satisfies the rule. A *permit*
>>>>> statement causes any packet matching the criteria to be accepted. A
>>>>> *deny* statement causes any packet matching the criteria to be
>>>>> dropped. A packet that does not match the criteria of the first statement
>>>>> is subjected to the criteria of the second statement, and so on, until the
>>>>> end of the IP ACL is reached; at which point, the packet is dropped
>>>>> due to an implicit *deny any any* statement at the end of every IP ACL."
>>>>>
>>>>> Fri, 12 Jul 2019 at 11:49, Bartek Mickiewicz <bmtych at gmail.com>:
>>>>>
>>>>>> Hi,
>>>>>> I'm having a problem with policy access-list. I want to block all
>>>>>> incoming connections to port 88 and allow two IP addresses to access that
>>>>>> port.
>>>>>> I've tried:
>>>>>> seq 98 permit tcp any any eq 88 class Deny
>>>>>> seq 103 permit tcp host xx.xx.xx.xx any eq 88 class Permit
>>>>>> seq 103 permit tcp host yy.yy.yy.yy any eq 88 class Permit
>>>>>> _______________________________________________
>>>>>> redback-nsp mailing list
>>>>>> redback-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/redback-nsp
>>>>>>
>>>>>
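The whole thread turns on first-match evaluation: a policy ACL is walked in sequence-number order, the first matching rule decides the class, and anything left over hits the implicit deny at the end. The following evaluator is an added example written for this archive page; it is not Redback/SmartEdge code and does not reproduce the device's real parser. It models only the `seq N permit PROTO SRC DST [eq PORT] class NAME` subset used in the thread, maps class Deny to drop and every other class to forward (as the quoted forward policy does), treats a repeated sequence number as replacing the earlier entry (an assumption), and uses constructed documentation-range addresses in place of the xx/yy hosts. It compares the ordering from the first post with the reordered version from the replies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    seq: int
    proto: str            # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str              # "any" or one host address
    dst: str              # "any" or one host address
    dport: Optional[int]  # None: any destination port
    cls: str              # class name the forward policy acts on

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def _addr(tok: List[str], i: int):
    """Consume 'host A' or 'any' at position i; return (address, next index)."""
    if tok[i] == "host":
        return tok[i + 1], i + 2
    if tok[i] == "any":
        return "any", i + 1
    raise ValueError(f"unsupported address spec: {tok[i]}")

def parse_rule(line: str) -> Rule:
    """Parse the rule subset used in the thread (hypothetical simplified grammar)."""
    tok = line.split()
    if tok[0] != "seq" or tok[2] != "permit":
        raise ValueError(f"unsupported rule: {line}")
    seq, proto = int(tok[1]), tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport, i = int(tok[i + 1]), i + 2
    if i + 1 >= len(tok) or tok[i] != "class":
        raise ValueError(f"rule without class: {line}")
    return Rule(seq, proto, src, dst, dport, tok[i + 1])

def build_acl(lines: List[str]) -> Dict[int, Rule]:
    """Index rules by seq; a repeated seq replaces the earlier entry (assumption)."""
    acl: Dict[int, Rule] = {}
    for line in lines:
        r = parse_rule(line)
        acl[r.seq] = r
    return acl

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(acl: Dict[int, Rule], pkt: Packet, drop_classes=frozenset({"Deny"})) -> str:
    """Walk rules in seq order; the first match decides. No match: implicit deny."""
    for seq in sorted(acl):
        if matches(acl[seq], pkt):
            return "drop" if acl[seq].cls in drop_classes else "forward"
    return "drop"  # implicit 'deny any any' at the end of every IP ACL

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
TRUSTED_A, TRUSTED_B, OTHER, SERVER = "192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"

# Ordering from the first post: the catch-all Deny rule precedes the host permits.
AS_POSTED = build_acl([
    "seq 98 permit tcp any any eq 88 class Deny",
    f"seq 103 permit tcp host {TRUSTED_A} any eq 88 class Permit",
    f"seq 103 permit tcp host {TRUSTED_B} any eq 88 class Permit",
])

# Ordering from the replies: specific permits first, catch-all Deny after them,
# plus a final permit-everything rule so other traffic is not swallowed by the implicit deny.
REORDERED = build_acl([
    f"seq 96 permit tcp host {TRUSTED_A} any eq 88 class Permit",
    f"seq 97 permit tcp host {TRUSTED_B} any eq 88 class Permit",
    "seq 98 permit tcp any any eq 88 class Deny",
    "seq 1100 permit ip any any class Permit",
])

def verdicts(acl: Dict[int, Rule]) -> Dict[str, str]:
    """Evaluate a fixed set of constructed packets against an ACL."""
    pkts = {
        "trusted_a_88": Packet("tcp", TRUSTED_A, SERVER, 88),
        "trusted_b_88": Packet("tcp", TRUSTED_B, SERVER, 88),
        "other_88": Packet("tcp", OTHER, SERVER, 88),
        "other_443": Packet("tcp", OTHER, SERVER, 443),
    }
    return {name: evaluate(acl, p) for name, p in pkts.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, verdicts(acl))
```

With the rules as first posted, seq 98 matches every port-88 packet before the host permits are ever consulted, so the two trusted hosts are dropped along with everyone else, and the duplicate seq 103 leaves only one host permit in the table anyway. With the reordered rules, the trusted hosts are forwarded, other sources to port 88 are dropped, and the trailing `permit ip any any` keeps unrelated traffic (port 443 here) from falling into the implicit deny, which is what an ACL containing only seq 96-98 would otherwise do.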