<div dir="auto">I've tried to use ACL like this:<div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">seq 30 permit tcp host xx.xx.xx.xx any eq 88</span><br style="font-family:sans-serif;font-size:12.8px">With two combinations of denying traffic to port 88<br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 40 deny tcp any any eq 88- does nothing, all incoming traffic is allowed </span><br style="font-family:sans-serif;font-size:12.8px"><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 40 deny tcp any eq 888 - blocks all traffic from everywhere. </span><br></div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">There is no acl from 1-29. </span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 15 Jul 2019, 10:49 Анатолий Соломатин, <<a href="mailto:solomatin.av@gmail.com">solomatin.av@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Your configuration should work. The context in the formard policy is probably incorrect or in AСL there are rules 1-95, where traffic from srсIP to port 8080 <br></div><div><table class="m_804898308933883393gmail-tblcnt"><tbody><tr valign="top"><td width="46" align="left"><p style="font-size:8pt">92</p></td><td width="104" align="left"><p style="font-size:8pt">Forward-Policy</p></td><td width="52" align="left"><p style="font-size:8pt">No</p></td><td width="56" align="left"><p style="font-size:8pt">Yes</p></td><td width="55" align="left"><p style="font-size:8pt">Yes</p></td><td width="152" align="left"><p style="font-size:8pt">String. Attaches an in or out forward policy to the subscriber session. The forward policy is in the following format</p><p style="font-size:8pt"><u><b><font color="#ff0000"><tt class="m_804898308933883393gmail-input" style="font-size:8pt">in:</tt><tt class="m_804898308933883393gmail-input" style="font-size:8pt"><i class="m_804898308933883393gmail-var">forward-policy-name</i></tt></font></b></u></p><p style="font-size:8pt"><tt class="m_804898308933883393gmail-input" style="font-size:8pt">out:</tt><tt class="m_804898308933883393gmail-input" style="font-size:8pt"><span class="m_804898308933883393gmail-var">forward-policy-name</span></tt></p></td></tr></tbody></table>OR</div><div><div> radius service profile BALANCE</div><div> parameter value URL</div><div> accounting in circuit</div><div> seq 10 attribute HTTP-Redirect-url $URL</div><div> <b><u><i><font color="#ff0000">seq 20 attribute Forward-Policy in UNPAID</font></i></u></b></div><div> seq 200 attribute Service-Interim-Accounting 1800</div></div><div><br></div><div>But I do not understand why use Forward-policy ...</div><div>If it is necessary to prohibit, then AСL should be used. If you need a forward, it is not configured where to send traffic.</div><div><br></div><div>P.S. Google translation</div><div><br></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">пн, 15 июл. 2019 г. в 11:21, Bartek Mickiewicz <<a href="mailto:bmtych@gmail.com" target="_blank" rel="noreferrer">bmtych@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Maybe my question was not clear enough. <div dir="auto">My client use pppoe for Internet access, radius assigns forward policy which uses ip access-group.</div><div dir="auto"><br></div><div dir="auto"><p style="font-family:sans-serif;font-size:12.8px">forward policy FP-DEFAULT<br> ip access-group ACL-DEFAULT r01<br> class Permit<br> class Deny<br> drop</p><p style="font-family:sans-serif;font-size:12.8px"><br></p><p style="font-family:sans-serif;font-size:12.8px"> policy access-list ACL-DEFAULT<br> seq 96 permit tcp host xxx.xxx.xxx.xxx any eq 8080 class Permit<br> seq 97 permit tcp host yyy.yyy.yyy.yyy any eq 8080 class Permit<br> seq 98 permit tcp any any eq 8080 class Deny</p></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 12 Jul 2019, 10:59 Анатолий Соломатин, <<a href="mailto:solomatin.av@gmail.com" rel="noreferrer noreferrer" target="_blank">solomatin.av@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Redbuk traffic is controlled by the ACL or/and QoS policy.<br><div>Example</div><div>1) ACL</div><div> ip access-list CONTROL_DNS_NTP_USER<br> seq 1000 deny udp any neq domain any eq domain<br> seq 1001 deny udp any neq ntp any eq ntp<br> seq 1100 permit ip any any<br>!<br></div><div> subscriber default<br> ip access-group
CONTROL_DNS_NTP_USER out<br></div><div>!</div><div>2) QoS Policy (policing or metering)</div><div>context USER</div><div> policy access-list REDBACK_IN<br></div><div><span style="font-family:sans-serif;font-size:12.8px"> seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px"> seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit</span> <span class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-im"><br><div style="color:rgb(80,0,80)"><span style="font-family:sans-serif;font-size:12.8px"> seq 98 permit tcp any any eq 88 class Deny</span></div><div style="color:rgb(80,0,80)"><font face="sans-serif"><span style="font-size:12.8px"> exit</span></font></div><div style="color:rgb(80,0,80)"><font face="sans-serif"><span style="font-size:12.8px">exit</span></font></div><div style="color:rgb(80,0,80)">!</div><div style="color:rgb(80,0,80)">(config)#qos policy
<span style="color:rgb(34,34,34)">REDBACK_IN</span> policing <font face="sans-serif"><span style="font-size:12.8px"><br></span></font></div><div style="color:rgb(80,0,80)"> ip access-group <span style="color:rgb(34,34,34)">REDBACK_IN USER</span></div><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)"> </span><span style="color:rgb(34,34,34)">class </span><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)">Permit</span></div><div style="color:rgb(80,0,80)"><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)"> class Deny</span></div><div style="color:rgb(80,0,80)"><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)"> drop</span></div><div><font face="sans-serif"><span style="font-size:12.8px"> exit</span></font></div><div><font face="sans-serif"><span style="font-size:12.8px">!</span></font></div><div><font face="sans-serif"><span style="font-size:12.8px">context USER</span></font></div><div style="color:rgb(80,0,80)"><span style="color:rgb(34,34,34)">subscriber default</span> </div><div style="color:rgb(80,0,80)"> qos policy policing <span style="color:rgb(34,34,34)">REDBACK_IN</span><span style="font-family:sans-serif;font-size:12.8px;color:rgb(34,34,34)"><br></span></div></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">пт, 12 июл. 2019 г. в 12:53, Bartek Mickiewicz <<a href="mailto:bmtych@gmail.com" rel="noreferrer noreferrer noreferrer" target="_blank">bmtych@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">I've used your acl but without effect, still can access port 88 from other IP's than x and y. Those three statements are my first three in ACL. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 12 Jul 2019, 09:36 Анатолий Соломатин, <<a href="mailto:solomatin.av@gmail.com" rel="noreferrer noreferrer noreferrer" target="_blank">solomatin.av@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">HI,<div><span style="font-family:sans-serif;font-size:12.8px">seq 96 permit tcp host xx.xx.xx.xx any eq 88 class Permit</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 97 permit tcp host yy.yy.yy.yy any eq 88 class Permit</span> <br><div><span style="font-family:sans-serif;font-size:12.8px">seq 98 permit tcp any any eq 88 class Deny</span><br style="font-family:sans-serif;font-size:12.8px"><br></div><div>"</div><div class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-body-content" id="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-content"><h3><a name="m_804898308933883393_m_-1507251193546730150_m_7727310341030765860_m_3039358166065797888_m_-1111375434278736934_m_1102287158426943113_i1138843" rel="noreferrer noreferrer noreferrer noreferrer"></a><a name="m_804898308933883393_m_-1507251193546730150_m_7727310341030765860_m_3039358166065797888_m_-1111375434278736934_m_1102287158426943113__C4" rel="noreferrer noreferrer noreferrer noreferrer"></a><span class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-CHAPNUMBER">1.1.2 </span><span class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-CHAPTITLE"><a name="m_804898308933883393_m_-1507251193546730150_m_7727310341030765860_m_3039358166065797888_m_-1111375434278736934_m_1102287158426943113_id_eovj" rel="noreferrer noreferrer noreferrer noreferrer"></a><a name="m_804898308933883393_m_-1507251193546730150_m_7727310341030765860_m_3039358166065797888_m_-1111375434278736934_m_1102287158426943113_CHAPTER1.1.2" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-CHAPLINK" href="http://localhost:9032/alexserv?AC=LINK&ID=26857&FN=35_1543-CRA1191170_1-V1Uen.M.html&PA=access-list&ST=FULLTEXT#TOP" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">IP ACL Statements (Rules)</a></span></h3></div><div>In <a title="Internet Protocol" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer noreferrer noreferrer noreferrer">IP</a> <a title="Access Control List" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer noreferrer noreferrer noreferrer">ACLs</a>, each rule defines the action, either permit or deny, to be taken for a packet if the packet satisfies the rule. A <tt class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-input"><b>permit</b></tt> statement causes any packet matching the criteria to be accepted. A <tt class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-input"><b>deny</b></tt> statement causes any packet matching the criteria to be dropped. A packet that does not match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until the end of the <a title="Internet Protocol" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer noreferrer noreferrer noreferrer">IP</a> <a title="Access Control List" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer noreferrer noreferrer noreferrer">ACL</a> is reached; at which point, the packet is dropped due to an implicit <tt class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-input"><b>deny any any</b></tt> statement at the end of every <a title="Internet Protocol" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer noreferrer noreferrer noreferrer">IP</a> <a title="Access Control List" class="m_804898308933883393gmail-m_-1507251193546730150m_7727310341030765860m_3039358166065797888gmail-m_-1111375434278736934m_1102287158426943113gmail-glossexpansion" rel="noreferrer noreferrer noreferrer noreferrer">ACL</a>."</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">пт, 12 июл. 2019 г. в 11:49, Bartek Mickiewicz <<a href="mailto:bmtych@gmail.com" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">bmtych@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi,<div dir="auto">I'm having problem with policy access-list. I want to block all incoming connections to port 88 and allow two IP addresses to access that port. </div><div dir="auto">I've tried:</div><div dir="auto"><span style="font-family:sans-serif;font-size:12.8px">seq 98 permit tcp any any eq 88 class Deny</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 103 permit tcp host xx.xx.xx.xx any eq 88 class Permit</span><br style="font-family:sans-serif;font-size:12.8px"><span style="font-family:sans-serif;font-size:12.8px">seq 103 permit tcp host yy.yy.yy.yy any eq 88 class Permit</span><br></div></div>
_______________________________________________<br>
redback-nsp mailing list<br>
<a href="mailto:redback-nsp@puck.nether.net" rel="noreferrer noreferrer noreferrer noreferrer" target="_blank">redback-nsp@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/redback-nsp" rel="noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/redback-nsp</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>