| 1 | # |
|---|
| 2 | # Configuration file for the rlm_attr_filter module. |
|---|
| 3 | # Please see rlm_attr_filter(5) manpage for more information. |
|---|
| 4 | # |
|---|
| 5 | # $Id: attrs,v 1.4.8.1 2005/06/11 22:20:40 nbk Exp $ |
|---|
| 6 | # |
|---|
| 7 | # This file contains security and configuration information |
|---|
| 8 | # for each realm. The first field is the realm name and |
|---|
| 9 | # can be up to 253 characters in length. This is followed (on |
|---|
| 10 | # the next line) with the list of filter rules to be used to |
|---|
| 11 | # decide what attributes and/or values we allow proxy servers |
|---|
| 12 | # to pass to the NAS for this realm. |
|---|
| 13 | # |
|---|
| 14 | # When a proxy-reply packet is received from a home server, |
|---|
| 15 | # these attributes and values are tested. Only the first match |
|---|
| 16 | # is used unless the "Fall-Through" variable is set to "Yes". |
|---|
| 17 | # In that case the rules defined in the DEFAULT case are |
|---|
| 18 | # processed as well. |
|---|
| 19 | # |
|---|
| 20 | # A special realm named "DEFAULT" matches on all realm names. |
|---|
| 21 | # You can have only one DEFAULT entry. All entries are processed |
|---|
| 22 | # in the order they appear in this file. The first entry that |
|---|
| 23 | # matches the login-request will stop processing unless you use |
|---|
| 24 | # the Fall-Through variable. |
|---|
| 25 | # |
|---|
| 26 | # Indented (with the tab character) lines following the first |
|---|
| 27 | # line indicate the filter rules. |
|---|
| 28 | # |
|---|
| 29 | # You can include another `attrs' file with `$INCLUDE attrs.other' |
|---|
| 30 | # |
|---|
| 31 | |
|---|
| 32 | # |
|---|
| 33 | # This is a complete entry for realm "fisp". Note that there is no |
|---|
| 34 | # Fall-Through entry so that no DEFAULT entry will be used, and the |
|---|
| 35 | # server will NOT allow any a/v pairs other than the ones |
|---|
| 36 | # listed here. |
|---|
| 37 | # |
|---|
| 38 | # These rules allow: |
|---|
| 39 | # o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear ) |
|---|
| 40 | # o PPP sessions ( no SLIP, CSLIP, etc. ) |
|---|
| 41 | # o dynamic ip assignment ( can't assign a static ip ) |
|---|
| 42 | # o an idle timeout value set to 600 seconds (10 min) or less |
|---|
| 43 | # o a max session time set to 28800 seconds (8 hours) or less |
|---|
| 44 | # |
|---|
| 45 | #fisp |
|---|
| 46 | # Service-Type == Framed-User, |
|---|
| 47 | # Framed-Protocol == PPP, |
|---|
| 48 | # Framed-IP-Address == 255.255.255.254, |
|---|
| 49 | # Idle-Timeout <= 600, |
|---|
| 50 | # Session-Timeout <= 28800 |
|---|
| 51 | |
|---|
| 52 | # |
|---|
| 53 | # This is a complete entry for realm "tisp". Note that there is no |
|---|
| 54 | # Fall-Through entry so that no DEFAULT entry will be used, and the |
|---|
| 55 | # server will NOT allow any a/v pairs other than the ones |
|---|
| 56 | # listed here. |
|---|
| 57 | # |
|---|
| 58 | # These rules allow: |
|---|
| 59 | # o Only Login-User Service-Type ( no framed/ppp sessions ) |
|---|
| 60 | # o Telnet sessions only ( no rlogin, tcp-clear ) |
|---|
| 61 | # o Login hosts of either 192.168.1.1 or 192.168.1.2 |
|---|
| 62 | # |
|---|
| 63 | #tisp |
|---|
| 64 | # Service-Type == Login-User, |
|---|
| 65 | # Login-Service == Telnet, |
|---|
| 66 | # Login-TCP-Port == 23, |
|---|
| 67 | # Login-IP-Host == 192.168.1.1, |
|---|
| 68 | # Login-IP-Host == 192.168.1.2 |
|---|
| 69 | |
|---|
| 70 | # |
|---|
| 71 | # The following example can be used for a home server which is only |
|---|
| 72 | # allowed to supply a Reply-Message, a Session-Timeout attribute of |
|---|
| 73 | # maximum 86400, an Idle-Timeout attribute of maximum 600 and an |
|---|
| 74 | # Acct-Interim-Interval attribute between 300 and 3600. |
|---|
| 75 | # All other attributes sent back will be filtered out. |
|---|
| 76 | # |
|---|
| 77 | #strictrealm |
|---|
| 78 | # Reply-Message =* ANY, |
|---|
| 79 | # Session-Timeout <= 86400, |
|---|
| 80 | # Idle-Timeout <= 600, |
|---|
| 81 | # Acct-Interim-Interval >= 300, |
|---|
| 82 | # Acct-Interim-Interval <= 3600 |
|---|
| 83 | |
|---|
| 84 | # |
|---|
| 85 | # This is a complete entry for realm "spamrealm". Fall-Through is used, |
|---|
| 86 | # so that the DEFAULT filter rules are used in addition to these. |
|---|
| 87 | # |
|---|
| 88 | # These rules allow: |
|---|
| 89 | # o Force the application of Filter-ID attribute to be returned |
|---|
| 90 | # in the proxy reply, whether the proxy sent it or not. |
|---|
| 91 | # o The standard DEFAULT rules as defined below |
|---|
| 92 | # |
|---|
| 93 | #spamrealm |
|---|
| 94 | # Framed-Filter-Id := "nosmtp.in", |
|---|
| 95 | # Fall-Through = Yes |
|---|
| 96 | |
|---|
| 97 | # |
|---|
| 98 | # The rest of this file contains the DEFAULT entry. |
|---|
| 99 | # DEFAULT matches with all realm names. (except if the realm previously |
|---|
| 100 | # matched an entry with no Fall-Through) |
|---|
| 101 | # |
|---|
| 102 | |
|---|
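# DEFAULT is applied to every realm that has not already matched an
# entry without Fall-Through.  Attributes in the proxy reply that match
# none of the rules below are filtered out before the reply is passed
# on to the NAS.
#
# NOTE(review): this list is deliberately broad.  It accepts the
# clear-text login services (Telnet, Rlogin, TCP-Clear) and any
# Framed-Filter-ID / Reply-Message value the home server chooses to
# send.  For a home server that should not control those, add a
# per-realm entry without Fall-Through (see the commented examples
# earlier in this file) or replace the "=* ANY" rules with explicit
# "==" values.
#
# Framed-IP-Address 255.255.255.254 tells the NAS to pick the address
# itself, so a home server cannot assign a static IP through DEFAULT.
# Session-Timeout is capped at 28800 seconds (8 hours) and Idle-Timeout
# at 600 seconds (10 minutes).
#
# Login-TCP-Port is capped at 65535, the highest valid TCP port.
#
# The rule lines must be indented with a tab character.
#
DEFAULT
	Service-Type == Framed-User,
	Service-Type == Login-User,
	Login-Service == Telnet,
	Login-Service == Rlogin,
	Login-Service == TCP-Clear,
	Login-TCP-Port <= 65535,
	Framed-IP-Address == 255.255.255.254,
	Framed-IP-Netmask == 255.255.255.255,
	Framed-Protocol == PPP,
	Framed-Protocol == SLIP,
	Framed-Compression == Van-Jacobson-TCP-IP,
	Framed-MTU >= 576,
	Framed-Filter-ID =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout <= 28800,
	Idle-Timeout <= 600,
	Port-Limit <= 2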