How can I count firewall dynamic rules?

Hi,

I use a RADIUS server (FreeRADIUS) which can insert dynamic rules into the ppp filter chain, and I would like to have a return rule at the end of the ppp chain (to the forward chain), but the RADIUS puts the dynamic rules at the end of the ppp chain (after the static return rule). I can drag the return rule (with a find command for moving) but can’t move it at all, as I can’t count the dynamic rules.

Example: 2 users = 4 dynamic rules + 1 static (return to the forward chain).
The static rule has been created. When both users log in, 4 dynamic rules are created by the mt (command from FreeRADIUS), after the static rule. This is wrong because the static rule must be at the end of the ppp chain.

Does anybody have an idea about counting dynamic rules, or any other solution for the above? Is it possible to send rules from FreeRADIUS to the mt so that they are placed at the beginning of the chain? Alternatively, can I change the mt firewall settings to drop all packets which don’t get an accept command, or can I count active PPPoE sessions from the interface list?

Thanks for your help in advance

gyoztes

Can you just delete your ‘return’ rule? Things will fall back to the forward chain automatically.

It does not return. Why? There is no end. It checks the rules, and if nothing matches, it accepts the packets and finishes the filter.

Step-by-step:

Now I use a DHCP server for this interface. Current firewall filter list:

(forward) in-interface=users → jump to users_in
(forward) out-interface=users → jump to users_out

(users_in) src-address-list=user1 → accept
(users_in) src-address-list=user2 → accept
(users_in) drop (other ip from this interface)
(users_in) return (to forward)

So I check all enabled IP addresses in and out on this interface, and the others are dropped. I write the IP addresses to the address list, and I use just the usernames in the filter.

But I would like to activate RADIUS auth. I get AAA info more intelligently (and easily) from PPPoE than from DHCP.

Planned firewall filters:

(forward) src-address-list=users (for example x.x.x.0/24 pppoe pool) → jump to ppp

[ppp is the dynamic chain generated by the mt using FreeRADIUS info]

(ppp) [dynamic] in-interface=user1_pppoe_interface → jump to “enabled”

[I can send the “enabled” chain name from FreeRADIUS]

The problem: there is no end of ppp chain!

The question: where can I drop the wrong packets?

I think I will insert a return (to the forward chain) at the end of the ppp chain, and in the forward chain I drop packets where src-address-list=users.

But I can’t insert a rule at the end of the dynamic ppp rules!

I think it is easy, but if anybody has an easier way, I will use that…

Thanks

gyoztes

The default action at the end of a chain is to return to where it came from. If that’s the last chain, it will accept / reject based on the last rule. Are you saying you’re not jumping to the ppp chain from the forward chain? If so, then the fallout of the ppp chain will be returned to the forward chain. It works this way on L2TP / PPTP, not sure about PPPoE. You can then drop packets based on the PPPoE IP ranges, possibly.

Sam
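Sam's point (a chain with no terminating action falls back to the chain that jumped to it) written out as RouterOS CLI commands, as an added example that is not part of the thread; it assumes the names from gyoztes's posts (address list users, dynamic chain ppp, per-user chain enabled) and uses the dynamic=yes item flag and /ppp active for the two counts the question asks for.

```routeros
# Added example, not from the thread. Assumed names: address list "users" (the PPPoE pool),
# dynamic chain "ppp" filled at login, per-user chain "enabled" named by RADIUS.
/ip firewall filter

# Static rules in forward. Order matters: the drop sits right after the jump, so a packet
# that walks through "ppp" without hitting an accept returns here and is dropped.
add chain=forward src-address-list=users action=jump jump-target=ppp comment="hand users to the dynamic ppp chain"
add chain=forward src-address-list=users action=drop comment="fell out of ppp: no session rule accepted it"

# Per-user chain the dynamic rules jump to. Only a terminating action ends filtering;
# reaching the end of "enabled" returns to "ppp", and the end of "ppp" returns to forward.
add chain=enabled action=accept comment="traffic of an authenticated PPPoE session"

# Nothing static goes into chain "ppp": every rule there is dynamic
# (in-interface=<pppoe-ifN> action=jump jump-target=enabled), so no static
# return rule has to be kept behind the dynamic ones.

# Count the dynamic rules currently in chain "ppp" (the poster reports two per user):
:put ("dynamic ppp rules: " . [:len [/ip firewall filter find chain=ppp dynamic=yes]])

# Count active PPPoE sessions instead of rules:
:put ("active pppoe sessions: " . [:len [/ppp active find service=pppoe]])
```

With the drop rule placed directly after the jump, `/ip firewall filter print stats` shows its counters rising only for sources that have no active session, which is the check that the fall-through design works.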