So I'm still struggling to understand how to properly implement IP filters in my modem configs. To make matters worse, we had a seriously compromised customer machine spewing SPAM of global proportions last Monday that landed us on just about every blacklist and rep database known to man, hence a desperate desire to set up filtering for port 25 now that the horse was already out of the barn. Problem was, I had yet to successfully get ANY IP filters to work -- period. Modems simply would not take a config file with IP filters.
Started from scratch again using PacketACE this time around to create a port 25 filter in a DOCSIS 1.0 file and got a modem to load it. Yay!!!
Tried adding one for port 67 and it wouldn't take it. Same for 135-139, 445, 161. Tried them all individually as the only filter designated Index 1 and no dice -- except the one for port 25.
Also, should 25 be the destination port, or source port? I've seen examples of both.
Any ideas or working examples from PacketACE out there? I'm getting pretty frustrated and beginning to have way too many unfiltered DOCSIS modems out in the network as we transition away from our old LANcity platform.
As usual, TIA for any help.
Poge
Working config of filters.
SnmpMibObject docsDevNmAccessIp.1 IPAddress 10.35.0.1 ;
SnmpMibObject docsDevNmAccessIpMask.1 IPAddress 255.255.255.255 ;
SnmpMibObject docsDevNmAccessCommunity.1 String "kr-rw" ;
SnmpMibObject docsDevNmAccessControl.1 Integer 3; /* readWrite */
SnmpMibObject docsDevNmAccessInterfaces.1 String "@" ;
SnmpMibObject docsDevNmAccessStatus.1 Integer 4; /* createAndGo */
SnmpMibObject docsDevNmAccessIp.2 IPAddress 10.35.0.1 ;
SnmpMibObject docsDevNmAccessIpMask.2 IPAddress 255.255.255.255 ;
SnmpMibObject docsDevNmAccessCommunity.2 String "kr" ;
SnmpMibObject docsDevNmAccessControl.2 Integer 2; /* read */
SnmpMibObject docsDevNmAccessStatus.2 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpDefault.0 Integer 2; /* accept */
SnmpMibObject docsDevFilterIpStatus.1 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.1 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.1 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.1 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.1 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.1 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpSmask.1 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDaddr.1 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDmask.1 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpProtocol.1 Integer 6 ;
SnmpMibObject docsDevFilterIpSourcePortLow.1 Integer 0 ;
SnmpMibObject docsDevFilterIpSourcePortHigh.1 Integer 65535 ;
SnmpMibObject docsDevFilterIpDestPortLow.1 Integer 135 ;
SnmpMibObject docsDevFilterIpDestPortHigh.1 Integer 139 ;
SnmpMibObject docsDevFilterIpStatus.2 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.2 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.2 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.2 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.2 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.2 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpSmask.2 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDaddr.2 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDmask.2 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpProtocol.2 Integer 17 ;
SnmpMibObject docsDevFilterIpSourcePortLow.2 Integer 0 ;
SnmpMibObject docsDevFilterIpSourcePortHigh.2 Integer 65535 ;
SnmpMibObject docsDevFilterIpDestPortLow.2 Integer 135 ;
SnmpMibObject docsDevFilterIpDestPortHigh.2 Integer 139 ;
SnmpMibObject docsDevFilterIpStatus.3 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.3 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.3 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.3 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.3 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.3 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpSmask.3 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDaddr.3 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDmask.3 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpProtocol.3 Integer 6 ;
SnmpMibObject docsDevFilterIpSourcePortLow.3 Integer 0 ;
SnmpMibObject docsDevFilterIpSourcePortHigh.3 Integer 65535 ;
SnmpMibObject docsDevFilterIpDestPortLow.3 Integer 445 ;
SnmpMibObject docsDevFilterIpDestPortHigh.3 Integer 445 ;
SnmpMibObject docsDevFilterIpStatus.4 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpControl.4 Integer 1; /* discard */
SnmpMibObject docsDevFilterIpIfIndex.4 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.4 Integer 3; /* both */
SnmpMibObject docsDevFilterIpBroadcast.4 Integer 2; /* false */
SnmpMibObject docsDevFilterIpSaddr.4 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpSmask.4 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDaddr.4 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpDmask.4 IPAddress 0.0.0.0 ;
SnmpMibObject docsDevFilterIpProtocol.4 Integer 17 ;
SnmpMibObject docsDevFilterIpSourcePortLow.4 Integer 0 ;
SnmpMibObject docsDevFilterIpSourcePortHigh.4 Integer 65535 ;
SnmpMibObject docsDevFilterIpDestPortLow.4 Integer 445 ;
SnmpMibObject docsDevFilterIpDestPortHigh.4 Integer 445 ;
See any reason these don't work?
NetworkAccess = 1
ClassOfService =
ClassId = 1
MaxDownstreamRate = 2048000
MaxUpstreamRate = 1024000
UpstreamChannelPriority = 7
MinUpstreamRate = 3044
MaxUpstreamBurst = 0
CoSPrivacyEnable = 0
SnmpMib = docsDevFilterIpDefault.0 accept
SnmpMib = docsDevFilterIpStatus.1 createAndGo
SnmpMib = docsDevFilterIpControl.1 discard
SnmpMib = docsDevFilterIpIfIndex.1 1
SnmpMib = docsDevFilterIpDirection.1 outbound
SnmpMib = docsDevFilterIpBroadcast.1 false
SnmpMib = docsDevFilterIpSaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpSmask.1 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpDmask.1 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.1 6
SnmpMib = docsDevFilterIpSourcePortLow.1 25
SnmpMib = docsDevFilterIpSourcePortHigh.1 25
SnmpMib = docsDevFilterIpDestPortLow.1 0
SnmpMib = docsDevFilterIpDestPortHigh.1 65535
SnmpMib = docsDevFilterIpStatus.2 createAndGo
SnmpMib = docsDevFilterIpControl.2 discard
SnmpMib = docsDevFilterIpIfIndex.2 0
SnmpMib = docsDevFilterIpDirection.2 both
SnmpMib = docsDevFilterIpBroadcast.2 false
SnmpMib = docsDevFilterIpSaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpSmask.2 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpDmask.2 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.2 6
SnmpMib = docsDevFilterIpSourcePortLow.2 0
SnmpMib = docsDevFilterIpSourcePortHigh.2 65535
SnmpMib = docsDevFilterIpDestPortLow.2 137
SnmpMib = docsDevFilterIpDestPortHigh.2 139
SnmpMib = docsDevFilterIpStatus.3 createAndGo
SnmpMib = docsDevFilterIpControl.3 discard
SnmpMib = docsDevFilterIpIfIndex.3 0
SnmpMib = docsDevFilterIpDirection.3 both
SnmpMib = docsDevFilterIpBroadcast.2 false
SnmpMib = docsDevFilterIpSaddr.3 0.0.0.0
SnmpMib = docsDevFilterIpSmask.3 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.3 0.0.0.0
SnmpMib = docsDevFilterIpDmask.3 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.3 17
SnmpMib = docsDevFilterIpSourcePortLow.3 0
SnmpMib = docsDevFilterIpSourcePortHigh.3 65535
SnmpMib = docsDevFilterIpDestPortLow.3 137
SnmpMib = docsDevFilterIpDestPortHigh.3 139
SnmpMib = docsDevFilterIpStatus.4 createAndGo
SnmpMib = docsDevFilterIpControl.4 discard
SnmpMib = docsDevFilterIpIfIndex.4 0
SnmpMib = docsDevFilterIpDirection.4 outbound
SnmpMib = docsDevFilterIpBroadcast.4 false
SnmpMib = docsDevFilterIpSaddr.4 0.0.0.0
SnmpMib = docsDevFilterIpSmask.4 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.4 0.0.0.0
SnmpMib = docsDevFilterIpDmask.4 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.4 6
SnmpMib = docsDevFilterIpSourcePortLow.4 67
SnmpMib = docsDevFilterIpSourcePortHigh.4 69
SnmpMib = docsDevFilterIpDestPortLow.4 0
SnmpMib = docsDevFilterIpDestPortHigh.4 65535
MaxCpeAllowed = 3
UpgradeServer = 10.10.1.3
PrivacyEnable = 0
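A consistency check over rows in the SnmpMib = docsDevFilterIp<Column>.<index> <value> syntax used above, added here as an example (not part of any post, and not a PacketACE or docsis tool feature): it groups rows by table index and reports indices with missing or duplicated columns, and indices that have rows but no Status row. Run over filter 3 exactly as posted (its Broadcast row carries index 2), it flags both ends of that mismatch; whether that is what the modem objects to is not something this thread establishes.

```python
import re
from collections import defaultdict

# Columns of a docsDevFilterIpTable row that the configs in this thread set.
ROW_FIELDS = ["Status", "Control", "IfIndex", "Direction", "Broadcast", "Saddr",
              "Smask", "Daddr", "Dmask", "Protocol", "SourcePortLow",
              "SourcePortHigh", "DestPortLow", "DestPortHigh"]
LINE_RE = re.compile(r"^\s*SnmpMib\s*=\s*docsDevFilterIp(\w+)\.(\d+)\s+(\S+)")

# Constructed sample: the third filter of the posted file, copied as written
# (its Broadcast row carries index 2, not 3).
SAMPLE = """
SnmpMib = docsDevFilterIpStatus.3 createAndGo
SnmpMib = docsDevFilterIpControl.3 discard
SnmpMib = docsDevFilterIpIfIndex.3 0
SnmpMib = docsDevFilterIpDirection.3 both
SnmpMib = docsDevFilterIpBroadcast.2 false
SnmpMib = docsDevFilterIpSaddr.3 0.0.0.0
SnmpMib = docsDevFilterIpSmask.3 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.3 0.0.0.0
SnmpMib = docsDevFilterIpDmask.3 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.3 17
SnmpMib = docsDevFilterIpSourcePortLow.3 0
SnmpMib = docsDevFilterIpSourcePortHigh.3 65535
SnmpMib = docsDevFilterIpDestPortLow.3 137
SnmpMib = docsDevFilterIpDestPortHigh.3 139
"""

def parse_filters(text):
    """Group docsDevFilterIp rows by table index: {index: {column: [values]}}."""
    rows = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) != "Default":  # Default.0 is a scalar, not a row
            rows[int(m.group(2))][m.group(1)].append(m.group(3))
    return rows

def check_filters(text):
    """Return human-readable problems; an empty list means every row looks whole."""
    problems = []
    for idx, fields in sorted(parse_filters(text).items()):
        if "Status" not in fields:  # without a Status row nothing creates this entry
            problems.append(f"index {idx}: {sorted(fields)} set but no Status row")
            continue
        missing = [f for f in ROW_FIELDS if f not in fields]
        dupes = [f for f, v in fields.items() if len(v) > 1]
        if missing: problems.append(f"index {idx}: missing {missing}")
        if dupes: problems.append(f"index {idx}: set more than once {dupes}")
    return problems

print(*check_filters(SAMPLE), sep="\n")
```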
Been there, tried that.
Still no joy. BTW, 'SnmpMibObject docsDevNmAccessInterfaces.1 String "@" ;' doesn't play nice with PacketACE.
FWIW, I have been able to successfully implement NM Access Objects along with LLC Objects, but when I add an IP filter, no dice loading a config file to a modem. And shouldn't I be able to just implement IP filtering without NM or LLC components being involved at all?
Can still only implement a single IP filter into a DOCSIS 1.0 config file. Add a second one and configgy file no load.
Anyone?
Poge
Here is a DOCSIS 1.0 config with multiple filters that works for me.
Not much difference, except that SnmpMib = docsDevFilterIpDefault.0 accept is at the end of the filters rather than at the beginning like yours; not sure if that is the difference maker or not.
NetworkAccess = 1
ClassOfService =
ClassId = 1
MaxDownstreamRate = 1000000
MaxUpstreamRate = 256000
UpstreamChannelPriority = 1
CoSPrivacyEnable = 1
MinUpstreamRate = 0
BaselinePrivacy =
AuthorizeWaitTimeout = 10
ReauthorizeWaitTimeout = 10
KekGraceTime = 600
OpWaitTimeout = 10
RekeyWaitTimeout = 10
TekGraceTime = 600
AuthorizeRejectWaitTimeout = 60
MaxCpeAllowed = 3
SnmpMib = docsDevFilterIpStatus.1 createAndGo
SnmpMib = docsDevFilterIpControl.1 discard
SnmpMib = docsDevFilterIpIfIndex.1 0
SnmpMib = docsDevFilterIpDirection.1 both
SnmpMib = docsDevFilterIpBroadcast.1 false
SnmpMib = docsDevFilterIpSaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpSmask.1 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpDmask.1 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.1 6
SnmpMib = docsDevFilterIpSourcePortLow.1 0
SnmpMib = docsDevFilterIpSourcePortHigh.1 65535
SnmpMib = docsDevFilterIpDestPortLow.1 137
SnmpMib = docsDevFilterIpDestPortHigh.1 139
SnmpMib = docsDevFilterIpStatus.2 createAndGo
SnmpMib = docsDevFilterIpControl.2 discard
SnmpMib = docsDevFilterIpIfIndex.2 0
SnmpMib = docsDevFilterIpDirection.2 both
SnmpMib = docsDevFilterIpBroadcast.2 false
SnmpMib = docsDevFilterIpSaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpSmask.2 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpDmask.2 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.2 6
SnmpMib = docsDevFilterIpSourcePortLow.2 0
SnmpMib = docsDevFilterIpSourcePortHigh.2 65535
SnmpMib = docsDevFilterIpDestPortLow.2 445
SnmpMib = docsDevFilterIpDestPortHigh.2 445
SnmpMib = docsDevFilterIpDefault.0 accept
'preciate the help...
...but it still only works if I remove the second filter. FWIW, I get the same result with Arris402's as with SB5120's.
Poge
Please attach *bin* file
I'll try to decode it with docsis then we'll see, ok?
Thanks, but actual .bin files aren't acceptable. Here's one with a .png extension if that'll work when you change it back to .bin.
BTW, never could get docsis to work on CentOS or would have tried that already.
Poge
Filtering mail cpe -> internet
If you want to prevent a customer from sending mail on port 25, you need to block dst port 25
Here's some example filter config:
(only allow IPv4 and ARP protocols)
SnmpMibObject docsDevFilterLLCUnmatchedAction.0 Integer 1; /* discard */
SnmpMibObject docsDevFilterLLCIfIndex.1 Integer 0 ;
SnmpMibObject docsDevFilterLLCProtocolType.1 Integer 1; /* ethertype */
SnmpMibObject docsDevFilterLLCProtocol.1 Integer 2048 ;
SnmpMibObject docsDevFilterLLCStatus.1 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterLLCIfIndex.2 Integer 0 ;
SnmpMibObject docsDevFilterLLCProtocolType.2 Integer 1; /* ethertype */
SnmpMibObject docsDevFilterLLCProtocol.2 Integer 2054 ;
SnmpMibObject docsDevFilterLLCStatus.2 Integer 4; /* createAndGo */
(IP filtering section, allow everything by default)
SnmpMibObject docsDevFilterIpDefault.0 Integer 2; /* accept */
(block microsoft networking ports)
SnmpMibObject docsDevFilterIpIfIndex.1 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.1 Integer 3; /* both */
SnmpMibObject docsDevFilterIpProtocol.1 Integer 6 ;
SnmpMibObject docsDevFilterIpDestPortLow.1 Integer 135 ;
SnmpMibObject docsDevFilterIpDestPortHigh.1 Integer 135 ;
SnmpMibObject docsDevFilterIpStatus.1 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpIfIndex.2 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.2 Integer 3; /* both */
SnmpMibObject docsDevFilterIpProtocol.2 Integer 6 ;
SnmpMibObject docsDevFilterIpDestPortLow.2 Integer 137 ;
SnmpMibObject docsDevFilterIpDestPortHigh.2 Integer 139 ;
SnmpMibObject docsDevFilterIpStatus.2 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpIfIndex.3 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.3 Integer 3; /* both */
SnmpMibObject docsDevFilterIpProtocol.3 Integer 17 ;
SnmpMibObject docsDevFilterIpDestPortLow.3 Integer 137 ;
SnmpMibObject docsDevFilterIpDestPortHigh.3 Integer 139 ;
SnmpMibObject docsDevFilterIpStatus.3 Integer 4; /* createAndGo */
SnmpMibObject docsDevFilterIpIfIndex.4 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.4 Integer 3; /* both */
SnmpMibObject docsDevFilterIpProtocol.4 Integer 6 ;
SnmpMibObject docsDevFilterIpDestPortLow.4 Integer 445 ;
SnmpMibObject docsDevFilterIpDestPortHigh.4 Integer 445 ;
SnmpMibObject docsDevFilterIpStatus.4 Integer 4; /* createAndGo */
(block customer operated dhcp servers)
SnmpMibObject docsDevFilterIpIfIndex.11 Integer 1 ;
SnmpMibObject docsDevFilterIpDirection.11 Integer 1; /* inbound */
SnmpMibObject docsDevFilterIpProtocol.11 Integer 17 ;
SnmpMibObject docsDevFilterIpSourcePortLow.11 Integer 67 ;
SnmpMibObject docsDevFilterIpSourcePortHigh.11 Integer 67 ;
SnmpMibObject docsDevFilterIpDestPortLow.11 Integer 68 ;
SnmpMibObject docsDevFilterIpDestPortHigh.11 Integer 68 ;
SnmpMibObject docsDevFilterIpStatus.11 Integer 4; /* createAndGo */
(block mail in both directions - sending mail or recv mail to a mail server)
SnmpMibObject docsDevFilterIpIfIndex.31 Integer 0 ;
SnmpMibObject docsDevFilterIpDirection.31 Integer 3; /* both */
SnmpMibObject docsDevFilterIpProtocol.31 Integer 6 ;
SnmpMibObject docsDevFilterIpDestPortLow.31 Integer 25 ;
SnmpMibObject docsDevFilterIpDestPortHigh.31 Integer 25 ;
SnmpMibObject docsDevFilterIpStatus.31 Integer 4; /* createAndGo */
(or if you just want to block the customer from only sending mail you would make these changes)
SnmpMibObject docsDevFilterIpIfIndex.31 Integer 1 ;
SnmpMibObject docsDevFilterIpDirection.31 Integer 1; /* inbound */
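To make the source-port versus destination-port question concrete, here is an added example (mine, not mbowe's and not from PacketACE or the docsis tool) that models how docsDevFilterIpTable rows are matched: ifIndex 0 and a 0.0.0.0 mask match anything, the lowest-index matching row decides, and docsDevFilterIpDefault applies when nothing matches. It assumes ifIndex 1 is the CPE-side interface and 2 the RF side, with inbound meaning a packet entering the modem on that interface, as the DHCP filter above implies; the addresses and ports are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address
INBOUND, OUTBOUND, BOTH = 1, 2, 3      # docsDevFilterIpDirection values
ACCEPT, DISCARD = "accept", "discard"  # docsDevFilterIpControl / docsDevFilterIpDefault

@dataclass
class IpFilter:
    """One docsDevFilterIpTable row; ifindex 0 / mask 0.0.0.0 mean any, protocol None is this model's 'any'."""
    index: int
    control: str
    ifindex: int = 0
    direction: int = BOTH
    protocol: "int | None" = None
    saddr: str = "0.0.0.0"
    smask: str = "0.0.0.0"
    daddr: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    sport: tuple = (0, 65535)   # SourcePortLow..SourcePortHigh, inclusive
    dport: tuple = (0, 65535)   # DestPortLow..DestPortHigh, inclusive

# ifindex: modem interface the packet crosses (assumed 1 = CPE side, 2 = RF side);
# direction: INBOUND = entering the modem on that interface, OUTBOUND = leaving it.
Packet = namedtuple("Packet", "ifindex direction protocol saddr daddr sport dport")

def in_subnet(addr, base, mask):
    m = int(IPv4Address(mask))
    return int(IPv4Address(addr)) & m == int(IPv4Address(base)) & m

def matches(f, p):
    return (f.ifindex in (0, p.ifindex) and f.direction in (BOTH, p.direction)
            and f.protocol in (None, p.protocol)
            and in_subnet(p.saddr, f.saddr, f.smask) and in_subnet(p.daddr, f.daddr, f.dmask)
            and f.sport[0] <= p.sport <= f.sport[1] and f.dport[0] <= p.dport <= f.dport[1])

def decide(filters, pkt, default=ACCEPT):
    """Lowest-index matching row decides; with no match docsDevFilterIpDefault applies."""
    for f in sorted(filters, key=lambda f: f.index):
        if matches(f, pkt):
            return f.control
    return default
# Constructed packets: a CPE host opening SMTP to a mail server (ephemeral source port,
# destination 25); a DHCP offer first from a CPE-side rogue server, then from the RF side.
SMTP_FROM_CPE = Packet(1, INBOUND, 6, "192.0.2.10", "198.51.100.25", 51234, 25)
DHCP_FROM_CPE = Packet(1, INBOUND, 17, "192.0.2.1", "255.255.255.255", 67, 68)
DHCP_FROM_RF = Packet(2, INBOUND, 17, "10.10.1.1", "255.255.255.255", 67, 68)
# Source-port-25 rule as in the earlier posted file, mbowe's destination-port-25 rule
# (.31), and mbowe's .11: UDP 67 -> 68 entering on the CPE-side interface only.
SRC25 = [IpFilter(1, DISCARD, protocol=6, sport=(25, 25))]
DST25 = [IpFilter(31, DISCARD, protocol=6, dport=(25, 25))]
DHCP11 = [IpFilter(11, DISCARD, ifindex=1, direction=INBOUND, protocol=17,
                   sport=(67, 67), dport=(68, 68))]
```

The source-port-25 row never sees the client's ephemeral port, so the submission passes; the destination-port-25 row discards it, and the .11 row drops the CPE-side DHCP offer while leaving the RF-side one alone.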
And thanks for all the detail, mbowe.
Have tried all of the above in various iterations with various editors and can still only achieve success with a single filter. Add a second one and the config file will not load into a modem.
Poge